TURN DTLS returns no ICE candidates while TURN UDP works fine #167
Description
Hello, I'm testing out a PoC of STUNner as a TURN server using DTLS. I'm planning on using it for our media backend in the same cluster.
The UDP listener works just fine right out of the box, but I cannot figure out the issue with DTLS - I don't even see the handshake when I try gathering candidates.
Steps to Reproduce
Set up a cluster in a Hyper-V VM (I've faced some issues with UDP and WSL, so I'm using a VM here) and configure STUNner to use NodePorts:
Configuring Env
Host machine: `stunnerctl` and `turncat`, versions v0.21.0, downloaded from releases.
Hyper-V VM:
```
curl -sfL https://get.k3s.io | sh -s - --disable traefik
```
Also grab the IP of the VM and add it to the hosts file of the host machine, like:
```
1.2.3.4 aaa.local.com
```
Configuring cluster with STUNner
```
helm upgrade -i stunner-gateway-operator stunner/stunner-gateway-operator -n t --create-namespace --version 0.21.0 -f ./stunner.yaml
```
Where `stunner.yaml` is:
The secret public part:
The secret private part:
I've waited until everything is up and running; here are the services, for example:
`stunner-auth-*` pod:
`udp-gateway-*` pod:
`stunnerctl`:
```
stunnerctl -v auth
stunnerctl -va config
stunnerctl -va status
```
`turncat` targeting the DTLS port:
```
turncat -v - --insecure turn://media:[email protected]:30349?transport=dtls udp://10.42.0.42:8189
```
It seems to work correctly: I get some new logs from the `udp-gateway-*` pod, and I can see the handshake + some data in Wireshark:
This looks GOOD.
```
openssl s_client -debug -dtls -showcerts aaa.local.com:30349
```
- ok. I see a similar DTLS handshake in Wireshark as with `turncat` from the previous step - also looks good.
relay one.
For this I'm using the Trickle ICE website. I've downloaded its sources from here: https://github.com/webrtc/samples/tree/gh-pages/src/content/peerconnection/trickle-ice
Then I run `index.html` locally and here are my findings (note: all the tests below have the correct creds specified; the difference is basically in the TURN server URL/port/transport):
8.1. Using the regular UDP listener:
`turn:aaa.local.com:30478?transport=udp` - works as expected. I also see new logs on `udp-gateway`:
8.2. The issue is with the DTLS listener:
`turn:aaa.local.com:30349?transport=dtls` - the JS doesn't like this one, saying:
```
Error creating offer: SyntaxError: Failed to construct 'RTCPeerConnection': ICE server parsing failed: Transport parameter should always be udp or tcp.
```
`turns:aaa.local.com:30349?transport=udp` - somehow gets rewritten to tcp, and if I filter the Wireshark capture I do see TCP traffic.
`turn:aaa.local.com:30349?transport=udp` - this seems to do something, but I end up receiving timeouts. There are NO new logs, neither in the `stunner-auth-*` nor in the `udp-gateway-*` pods. The Wireshark capture shows me the following:
So it seems it keeps retrying but finally times out.
Expected behavior:
Given that:
- relay one (8.1)
- `turncat` and `openssl` show connectivity to the DTLS listener, and I observe the DTLS handshake with my certificate in Wireshark (6) and (7)
I expect that:
- relay one (8.2)
Actual behavior:
I cannot retrieve a list of candidates from the DTLS listener.
What else have I tried?
- `cert-manager` to generate a cert, tried with a different self-signed CA and using the RSA algorithm instead - no difference.
Is there anything else I can try out in order to troubleshoot this?
Versions
- see the `yaml` files provided
- see the Configuring Env section above
Info
[Please copy-paste the output of the below commands and make sure to remove all sensitive information, like usernames, passwords, IP addresses, etc.]
Gateway API status
[Output of `kubectl get gateways,gatewayconfigs,gatewayclasses,udproutes.stunner.l7mp.io --all-namespaces -o yaml`]
Operator logs
NOTE: will post separately due to size limit
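As an added example (not code from STUNner or from the webrtc/samples repository), here is a parser for the TURN URI grammar of RFC 7065, run over the three URLs tried in 8.1 and 8.2 above; it shows why a browser's ICE server parser rejects `transport=dtls` and which wire protocol each URI denotes. The host and ports are the placeholders from this report, and `parseTurnUri` is a hypothetical name.

```javascript
// Added example: RFC 7065 TURN URI parsing, not STUNner or webrtc/samples code.
// Grammar: turnURI = ("turn" / "turns") ":" host [":" port] ["?transport=" ("udp" / "tcp")]
// Hosts are taken literally (bracketed IPv6 hosts are out of scope here).
const DEFAULT_PORT = { turn: 3478, turns: 5349 };
const TURN_URI = /^(turns?):([^:?]+)(?::(\d{1,5}))?(?:\?(.*))?$/;

function parseTurnUri(uri) {
  const m = TURN_URI.exec(uri);
  if (!m) throw new SyntaxError(`not a TURN URI: ${uri}`);
  const [, scheme, host, portStr, query] = m;
  const port = portStr === undefined ? DEFAULT_PORT[scheme] : Number(portStr);
  if (port < 1 || port > 65535) throw new SyntaxError(`port out of range: ${port}`);

  // RFC 7065 defines a single URI parameter, transport, with the values udp|tcp.
  // Browsers enforce this literally, which is the SyntaxError quoted in 8.2 above.
  let transport;
  if (query !== undefined) {
    transport = new URLSearchParams(query).get('transport');
    if (transport === null) throw new SyntaxError(`unknown query: ?${query}`);
    if (transport !== 'udp' && transport !== 'tcp') {
      throw new SyntaxError('Transport parameter should always be udp or tcp');
    }
  } else {
    // Default transport: UDP for turn, TCP for turns.
    transport = scheme === 'turns' ? 'tcp' : 'udp';
  }
  const secure = scheme === 'turns';
  // Resolution (RFC 7065 with RFC 7350): turns+tcp is TLS over TCP, turns+udp is
  // DTLS over UDP. The report observes the browser carrying turns+udp over TCP
  // instead, i.e. it does not offer a DTLS path to the listener on port 30349.
  const wire = secure ? (transport === 'udp' ? 'dtls' : 'tls') : transport;
  return { scheme, host, port, transport, secure, wire };
}

// The URLs from 8.1 and 8.2, classified (host and ports are the report's placeholders).
for (const uri of ['turn:aaa.local.com:30478?transport=udp',
                   'turn:aaa.local.com:30349?transport=dtls',
                   'turns:aaa.local.com:30349?transport=udp']) {
  try { console.log(uri, '->', parseTurnUri(uri).wire); }
  catch (e) { console.log(uri, '->', e.message); }
}
```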