Direct audio/video communication has become an important part of modern collaboration.
Implementing it efficiently while keeping internal networks secure means respecting constraints that, at first glance, make it difficult to establish direct communication across network boundaries.
A NAT router is often used in private IPv4 networks to increase security, making it difficult or impossible for an external computer to contact an internal client without being requested to do so.
Unfortunately, this also blocks the connections necessary for efficient audio/video communication.
In order to still be able to establish these and similar connections, techniques have been developed that allow audio/video communication to take place without any reduction in security. These techniques include STUN and TURN.
This documentation describes how to commission a STUN (RFC5389)/TURN (RFC5766) server on the internet that is interoperable with estos products.
The basis for this is the well-known TURN server "coTurn": https://github.com/coturn/coturn
To keep commissioning as simple as possible, we have compiled the requirements and the options for checking the setup here.
The procedure described here requires detailed IT expertise in configuration and administration.
The requirements are oriented towards the simplest possible setup and maintenance. You can also commission this STUN/TURN server with other requirements.
- Linux machine with Docker installed and hosted directly on the internet (not on the company LAN/DMZ).
- min. 2 vCPU, 4GB RAM and 20GB Disk
- public IP address assigned directly to the machine or a 1:1 NAT with public IP address.
- Ports published in the firewall/NAT or forwarded to the machine:
  - 3478/TCP (may vary depending on settings during installation)
  - 3478/UDP (may vary depending on settings during installation)
- behind NAT: 1:1 portmapping. For this "external" IP, the NAT must forward the ports directly (the forwarded port 54321 must always be mapped to the same "external" port 54321)
Please ensure that the network of the hosted machine provides the following:
- high PPS (packet-per-second performance)
- low network jitter (<= 30ms)
- low latency (<= 150ms)
Bandwidth: Other network requirements
- for audio calls (AudioChat or softphone calls) via the TURN server:
  - Opus Codec, "Fullband Speech" at (useful) bit rates between 28 – 40 Kbit/s, pTime 20ms
  - total typical 45 Kbit/s per direction, total 90 Kbit/s
- for video calls via the TURN server:
  - Video Codec VP8 with 640x480, 30 f/s, Audio Codec Opus, 50 f/s.
  - 300kbit/s to 2.3 MBit/s per direction
  - total 600 Kbit/s up to 4.6 MBit/s max.
When calculating the required bandwidth, only calls that are actually forwarded via the TURN server must be taken into account.
Examples of known hosting services
When selecting the service provider for hosting Linux machines, the above-mentioned requirements should be taken into account. Since the network line in particular has a decisive influence on the behavior of the TURN component in terms of forwarding (relaying) the media streams, it is important to investigate whether the provider has special features for this. Furthermore, you should also pay attention to the costs incurred by the consumption of bandwidth.
AWS Amazon Web Services
If you deploy the TURN server in an AWS instance, for example, Enhanced Networking is available only on instances launched with HVM AMIs. Preferably, use C3/C4/R3 instances.
The Accelerated Networking feature can be used to improve the network performance in Microsoft Azure environments. Please refer to the notes in the documentation: https://docs.microsoft.com/en-us/azure/virtual-network/create-vm-accelerated-networking-powershell
You should search for similar keywords when choosing a provider.
As a basis, a Linux machine is available directly on the internet (public IP address) and Docker is installed on it.
Please familiarize yourself in advance with the common commands of your Linux and Docker installation. An overview of Docker can be found here: https://docs.docker.com/engine/install/
Quick start Docker installation
curl -sSL https://get.docker.com | sudo bash -
Normally, Docker commands must always be executed with "root" or "sudo" privileges. For details, see the Docker installation guide appropriate for your Linux distribution.
For example, for Ubuntu: https://docs.docker.com/engine/install/ubuntu/
"You need to use sudo to run Docker commands"
coTurn with a Docker image from estos (quick start without options).
This command starts the container with the default values (see the table below):
sudo docker run -d --name stunturn --network host --restart always estos/stunturn
Optional: coTurn with a Docker image from estos (with all options)
If you do not want to use the default values, adjust the following command to your needs:
sudo docker run -d --name stunturn --network host --restart always \
  -e EXTERNAL_IP_ADDRESS=YourExternalIPAddress \
  -e LISTENING_IP_ADDRESS=YourLocalIPAddress \
  -e TURN_PORT=3478 \
  -e TURN_USERNAME=YourTurnUsername \
  -e TURN_PASSWORD=YourTurnPassword \
  -e LOG_LEVEL=moderate \
  estos/stunturn
|Variable|Required|Default|Description|
|---|---|---|---|
|LISTENING_IP_ADDRESS|no|all local network interfaces|Local IP network interface. If not set, all local network interfaces are monitored.|
|EXTERNAL_IP_ADDRESS|no|automatically recognized|Public IP address that STUN/TURN will use as a relay address. Useful in scenarios with NAT. Automatically detected if not set.|
|TURN_PORT|no|3478|TCP port (for TURN) and UDP port (for STUN) that the STUN/TURN server responds to.|
|TURN_USERNAME|no|stunturn|Username for TURN authentication|
|TURN_PASSWORD|no|random password|Password for TURN authentication|
|LOG_LEVEL|no|normal|Allowed values: 'normal', 'moderate', 'debug'|
Checking the condition of the containers
sudo docker container list
Checking the logs for the configuration of the UCServer
sudo docker logs stunturn
No TURN_PORT env variable set. Default 3478 UDP and TCP will be used
No TURN_USERNAME env variable set, user will be set to 'stunturn' and password will be randomly generated
Created TURN user 'stunturn' with password 'RLYmta9lTFQM0ClqECWq'. Please use said credentials into your estos application
Executing TURN service...
Your STUN and TURN server is now running
Please configure your estos UCServer own STUN and TURN servers according to the following template:
STUN Server --> stun:1.123.456.254:3478
TURN Server --> turn:1.123.456.254:3478
TURN username: stunturn
TURN password: RLYmta9lTFQM0ClqECWq
Configuration in the UCServer administration
STUN/TURN – use custom servers – configure server
In the UCServer administration, configure the created STUN/TURN server in the item "STUN/TURN" → "Use custom servers" → "Configure server..."
In the item "Checking the logs", a log output was displayed after starting the Docker container. This also contains the data necessary for configuration:
Example screenshot: UCServer Administration – Configure custom servers – Specify URI for STUN/TURN
Confirm the data with OK and Apply.
Then run a test via the "Run Diagnostics" button.
If both tests are successful with "OK", the UCServer can use the STUN/TURN server.
Please note that this test was performed from the "point of view" of the UCServer and therefore also from the "point of view" of the Kurento Media Server shipped locally with it.
If you use other clients, such as a mobile app in the LTE network or a ProCall client for Windows at home, then a successful test on the UCServer does not mean that the ProCall client at home has also been tested successfully. In this case, a test should be performed locally, e.g. with https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/
If the executed test failed in UCServer administration, then you can view details about the test and the result using the "Open log file" button.
These provide clues as to where to look for the error.
Verification of possible sources of error
- Authentication → Verify the created username and password.
- Timeout → Check the entire network path between UCServer and the coTurn server running in the Docker container.
Can the UCServer reach the Linux machine on the internet at all?
Are the required ports allowed outbound from the UCServer and allowed and/or forwarded inbound to the Linux machine, etc.?
- Topology error → Is the Linux machine really connected to the internet and not to the LAN of the UCServer installation?
Is an incorrect public IP address set up?
Logs for diagnostics of the STUN/TURN server
The logs are stored in a local file inside the container in the following name format: /var/tmp/stunturn_DD_MM_YYYY.log
To list all logs, execute:
sudo docker exec stunturn ls /var/tmp/
To output a specific log (e.g. from 26/4/2022):
sudo docker exec stunturn cat /var/tmp/stunturn_26_04_2022.log
More useful Docker commands
Display running containers
sudo docker container list
Stop the stunturn container and then delete it
sudo docker container stop stunturn
sudo docker rm stunturn
Further information on the ICE, STUN, TURN mode of operation
If you are interested in further information regarding STUN/TURN or if you are looking for more details about further functions of coTurn, you will find some hints here:
- Useful information about STUN/TURN for the use of audio/video and softphone with ProCall Enterprise