Sunday, April 15, 2018

amazon web services - Coturn server behind AWS application load balancer



I'm trying to make a coturn server work behind an AWS application load balancer. I'm using icetrickle to test it, and coturn seems to work as expected if I skip the load balancer and hit the instance directly. The security group for the instance allows TCP and UDP traffic on every port (0 - 65535) for all IPs (0.0.0.0/0, ::/0).

This is the configuration that I have on the turn server:

vim /etc/default/coturn:

TURNSERVER_ENABLED=1

vim /etc/turnserver.conf:

external-ip={aws_public_ip}
fingerprint
user={turn_user}:{turn_password}
lt-cred-mech
realm=realm
simple-log

Then I start the server and check it with icetrickle.



Icetrickle response - stun:{aws_public_ip}:3478

Time    Component   Type    Foundation  Protocol    Address Port    Priority
0.002 1 host 430735571 udp 192.168.1.102 64841 126 | 30 | 255
0.100 1 srflx 842163049 udp 109.242.109.35 64841 100 | 30 | 255
0.104 Done
0.106

turn server log - tail -f /var/log/turn_15892_:

3983: session 001000000000000146: TCP socket closed remotely 172.31.18.64:4630
3983: session 001000000000000146: closed (2nd stage), user <> realm origin <>, local 172.31.13.20:3478, remote 172.31.18.64:4630, reason: TCP connection closed by client (callback)
3986: handle_udp_packet: New UDP endpoint: local addr 172.31.13.20:3478, remote addr 109.242.109.35:57844
3986: session 001000000000000147: realm user <>: incoming packet BINDING processed, success

Wireshark log

96848   2875.279343 192.168.1.102   3.8.87.160  STUN    62  Binding Request
96851 2875.373118 3.8.87.160 192.168.1.102 STUN 114 Binding Success Response XOR-MAPPED-ADDRESS: 109.242.109.35:57844 MAPPED-ADDRESS: 109.242.109.35:57844 RESPONSE-ORIGIN: {aws_public_ip}:3478


Then I've configured the application load balancer. It accepts traffic on port 3478 (HTTP protocol) and forwards the traffic to the instance on port 3478. Here are the results:

Icetrickle response - stun:{aws_lb_url}:3478

Time    Component   Type    Foundation  Protocol    Address Port    Priority
0.001 1 host 430735571 udp 192.168.1.102 54374 126 | 30 | 255
39.861 Done
39.864

turn server log - tail -f /var/log/turn_15892_:

No new logs (only healthchecks)

Wireshark log

110396  3769.417283 192.168.1.102   52.56.189.26    STUN    62  Binding Request
110403 3769.511074 52.56.189.26 192.168.1.102 ICMP 90 Destination unreachable (Port unreachable)
An array of similar logs as it retries

As I see it, it is trying to connect to random ports that are configurable, and the default config can span ports 49152 to 65535, which I suspect is the issue, because the only port we forward from the load balancer to the instance is 3478. I wonder if the coturn config should be fine-tuned now that the server is behind a load balancer.

Any advice/help will be much appreciated.
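A small STUN Binding check, added here as an example (it is not code from the question, from icetrickle or from the coturn project): it builds an RFC 5389 Binding Request, parses the Binding Success Response including the XOR-MAPPED-ADDRESS attribute seen in the capture above, and sends one probe over UDP so the two situations in the question can be reproduced from a shell. A direct hit on the instance returns the reflexive address; a probe through a listener that does not pass UDP returns None after the ICMP port-unreachable or a timeout, which matches the "No new logs" observation. The `probe` function, the target host name and the constructed sample response (which reuses the 109.242.109.35:57844 mapping from the capture) are assumptions made for this example.

```python
"""Minimal STUN Binding client (RFC 5389) for checking whether a STUN/TURN
listener is reachable through a load balancer. Added example, not code from
the question, icetrickle or coturn."""
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(transaction_id: bytes) -> bytes:
    """20-byte STUN header: type, length (0, no attributes), cookie, 96-bit txid."""
    if len(transaction_id) != 12:
        raise ValueError("transaction id must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + transaction_id


def parse_binding_response(data: bytes, transaction_id: bytes):
    """Return (ip, port) from XOR-MAPPED-ADDRESS (authoritative) or, failing
    that, MAPPED-ADDRESS. Raises ValueError for anything that is not a
    Binding Success Response matching our transaction id."""
    if len(data) < 20:
        raise ValueError("short STUN packet")
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE or data[8:20] != transaction_id:
        raise ValueError("not a response to our request")
    if msg_type != BINDING_SUCCESS:
        raise ValueError("unexpected STUN message type 0x%04x" % msg_type)
    body = data[20:20 + length]
    result = None
    offset = 0
    while offset + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[offset:offset + 4])
        value = body[offset + 4:offset + 4 + attr_len]
        offset += 4 + ((attr_len + 3) & ~3)  # attribute values are padded to 4 bytes
        if attr_type not in (ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS) or len(value) < 8:
            continue
        family, port = struct.unpack("!xBH", value[:4])
        if family != 0x01:  # IPv4 only in this example
            continue
        addr = struct.unpack("!I", value[4:8])[0]
        if attr_type == ATTR_XOR_MAPPED_ADDRESS:
            port ^= MAGIC_COOKIE >> 16   # port is XORed with the top 16 cookie bits
            addr ^= MAGIC_COOKIE         # IPv4 address is XORed with the whole cookie
            return socket.inet_ntoa(struct.pack("!I", addr)), port
        if result is None:
            result = (socket.inet_ntoa(struct.pack("!I", addr)), port)
    if result is None:
        raise ValueError("no mapped address attribute")
    return result


def probe(host: str, port: int = 3478, timeout: float = 2.0):
    """Send one Binding Request over UDP and return the reflexive (ip, port),
    or None when nothing usable comes back. A connected UDP socket lets Linux
    surface an ICMP port-unreachable as ConnectionRefusedError, which is the
    failure seen in the question's second capture."""
    txid = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.connect((host, port))
        sock.send(build_binding_request(txid))
        try:
            data = sock.recv(2048)
        except (socket.timeout, ConnectionRefusedError):
            return None
    try:
        return parse_binding_response(data, txid)
    except ValueError:
        return None


def sample_response(transaction_id: bytes) -> bytes:
    """Constructed Binding Success Response (not a real capture) carrying the
    109.242.109.35:57844 mapping from the question, as XOR-MAPPED-ADDRESS
    followed by MAPPED-ADDRESS, so the parser can be exercised offline."""
    ip = struct.unpack("!I", socket.inet_aton("109.242.109.35"))[0]
    xor_attr = struct.pack("!HHxBHI", ATTR_XOR_MAPPED_ADDRESS, 8, 1,
                           57844 ^ (MAGIC_COOKIE >> 16), ip ^ MAGIC_COOKIE)
    plain_attr = struct.pack("!HHxBHI", ATTR_MAPPED_ADDRESS, 8, 1, 57844, ip)
    body = xor_attr + plain_attr
    return struct.pack("!HHI", BINDING_SUCCESS, len(body), MAGIC_COOKIE) + transaction_id + body


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # hypothetical target
    print(probe(target))  # parse_binding_response(sample_response(t), t) -> ('109.242.109.35', 57844)
```

Run it once against the instance's public IP and once against the load balancer name; the first should print the client's reflexive address and the second None, which isolates the load balancer from the coturn configuration.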


Answer

You should forward the coturn UDP and TCP ports, but I am not sure if the Application Load Balancer can do this.

For me it is unclear, according to the following, whether it is possible to forward UDP ports:
https://aws.amazon.com/elasticloadbalancing/features/#Product_comparisons
If I understand it correctly, it says that the Application Load Balancer is only for HTTP/HTTPS.

