
Testing on Mac

Add the following to /etc/pf.conf. The rules block all UDP except DNS, which simulates a network that only lets TCP through and forces WebRTC to fall back to TURN over TCP/TLS. pf evaluates rules last-match-wins (no "quick" keyword here), so the pass rules for port 53 override the block rules and name resolution keeps working:

block out proto udp from any to any
block in proto udp from any to any
pass out proto udp from any to any port 53
pass in proto udp from any to any port 53

To apply (pfctl -d disables pf again once the test is done):

sudo pfctl -f /etc/pf.conf
sudo pfctl -e

Testing on Linux

The equivalent netfilter rules in iptables-save format; load them with iptables-restore and flush them with iptables -F when finished. Note that the --sport 53 rules accept any UDP datagram whose source port happens to be 53, which is fine for a test machine but is not a security control, since a source port is trivially spoofed:

# Generated by iptables-save v1.8.7 on Mon Apr 25 06:01:03 2022
*filter
:INPUT ACCEPT [332:51864]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [308:400554]
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p udp -j DROP
-A OUTPUT -p udp -m udp --sport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -p udp -j DROP
COMMIT
# Completed on Mon Apr 25 06:01:03 2022

Proper app configuration

Best practices for the TURN configuration used with Janus. The frontend app needs two ICE servers:

  1. STUN: any server, for example Google's. Sample: stun:stun1.l.google.com:19302.
  2. TURN on a TCP port, with the transport marker in the URL. Sample: turn:coturn.trembit.com:443?transport=tcp. Note the ?transport=tcp suffix: a turn: URL without it defaults to UDP, which the firewall rules above block, so the fallback would never be exercised. turn: with ?transport=tcp is TURN over plain TCP; for TURN over TLS (the 443 listener configured below) the scheme is turns:, for example turns:coturn.trembit.com:443?transport=tcp.

On the TURN server, enable TLS on port 443, a port that restrictive networks almost always allow outbound. Sample configuration: https://nextcloud-talk.readthedocs.io/en/turn_doc/TURN/#31-dtls-configuration

#!/bin/bash
set -e
# Hostname and contact e-mail used for the Let's Encrypt certificate
export HOSTNAME="coturn.video.live"
export EMAIL="mail@video.live"
# Static TURN credentials. The defaults are placeholders; override them from the
# environment. Anything embedded in a web page is public, so for production prefer
# coturn's TURN REST API (use-auth-secret) with short-lived credentials.
export USERNAME=${USERNAME:-coturn}
export PASSWORD=${PASSWORD:-coturn123456}
export REALM=${REALM:-realm}
# UDP relay port range; must be reachable from the internet
export MIN_PORT=20000
export MAX_PORT=40000
# The certbot PPA is no longer maintained on current Ubuntu releases; the
# distribution package or the snap works as well
sudo add-apt-repository -y universe && \
sudo add-apt-repository -y ppa:certbot/certbot && \
sudo apt-get -y update && \
sudo apt-get -y install certbot
sudo apt-get -y update && sudo apt-get install -y \
dnsutils \
coturn \
mcedit htop software-properties-common \
&& sudo rm -rf /var/lib/apt/lists/*
# generate the certificate (port 80 must be free and reachable for the HTTP challenge)
sudo certbot certonly --standalone --preferred-challenges http \
--deploy-hook "systemctl restart coturn" \
--email "$EMAIL" \
-d "$HOSTNAME"
# Debug output; written under /tmp because /debug.txt is not writable without root
DEBUG_LOG=/tmp/coturn-setup-debug.txt
echo "$EMAIL" >> "$DEBUG_LOG"
echo "$HOSTNAME" >> "$DEBUG_LOG"
cat /etc/resolv.conf >> "$DEBUG_LOG"
whoami >> "$DEBUG_LOG"
cat /etc/hosts >> "$DEBUG_LOG"
echo "USERNAME: $USERNAME"
echo "PASSWORD: (not printed)"
echo "REALM: $REALM"
echo "PORT RANGE: $MIN_PORT-$MAX_PORT"
# First global IPv4 address of the host (a bare grep over "ip a" returns one line
# per interface, which breaks the config below)
internalIp="$(ip -4 -o addr show scope global | awk '{print $4}' | cut -d/ -f1 | head -n1)"
externalIp="116.202.184.57"
sudo ls /etc/ssl/
# Write the coturn configuration (/etc/turnserver.conf is root-owned, so tee needs sudo)
sudo tee /etc/turnserver.conf >/dev/null <<EOF
listening-port=3478
tls-listening-port=443
min-port=$MIN_PORT
max-port=$MAX_PORT
listening-ip=$internalIp
relay-ip=$internalIp
external-ip=$externalIp
realm=$REALM
server-name=$HOSTNAME
# WebRTC clients expect the FINGERPRINT attribute in TURN messages
fingerprint
lt-cred-mech
userdb=/var/lib/turn/turndb
# use real-valid certificate/privatekey files; fullchain.pem so clients receive the
# intermediate certificate. The turnserver user must be able to read these files:
# /etc/letsencrypt/live and /etc/letsencrypt/archive are root-only by default, so
# copy them out in the deploy hook or grant read access.
cert=/etc/letsencrypt/live/$HOSTNAME/fullchain.pem
pkey=/etc/letsencrypt/live/$HOSTNAME/privkey.pem
user=$USERNAME:$PASSWORD
log-file=/var/log/turnserver.log
no-stdout-log
EOF
echo "TURNSERVER_ENABLED=1" | sudo tee /etc/default/coturn
# Add the same user to the userdb (turnadmin needs write access to /var/lib/turn/turndb)
sudo turnadmin -a -u "$USERNAME" -p "$PASSWORD" -r "$REALM"
echo "Start TURN server..."
sudo service coturn restart