Coturn Server – Deploy Coturn Server Behind AWS Application Load Balancer

Tags: amazon-web-services, load balancing

I'm trying to make a coturn server work behind an AWS application load balancer. I'm using icetrickle to test it, and coturn seems to work as expected if I skip the load balancer and hit the instance directly. The security group for the instance allows TCP and UDP traffic on every port (0 – 65535) from all IPs (0.0.0.0/0 and ::/0).

This is the configuration that I have on the turn server:

vim /etc/default/coturn:

TURNSERVER_ENABLED=1

vim /etc/turnserver.conf:

external-ip={aws_public_ip}
fingerprint
user={turn_user}:{turn_password}
lt-cred-mech
realm=realm
simple-log

then I start the server and I check it with icetrickle.

Icetrickle response – stun:{aws_public_ip}:3478

Time    Component   Type    Foundation  Protocol    Address Port    Priority
0.002   1   host    430735571   udp 192.168.1.102   64841   126 | 30 | 255
0.100   1   srflx   842163049   udp 109.242.109.35  64841   100 | 30 | 255
0.104   Done
0.106

turn server log – tail -f /var/log/turn_15892_:

3983: session 001000000000000146: TCP socket closed remotely 172.31.18.64:4630
3983: session 001000000000000146: closed (2nd stage), user <> realm <realm> origin <>, local 172.31.13.20:3478, remote 172.31.18.64:4630, reason: TCP connection closed by client (callback)
3986: handle_udp_packet: New UDP endpoint: local addr 172.31.13.20:3478, remote addr 109.242.109.35:57844
3986: session 001000000000000147: realm <realm> user <>: incoming packet BINDING processed, success

Wireshark log

96848   2875.279343 192.168.1.102   3.8.87.160  STUN    62  Binding Request
96851   2875.373118 3.8.87.160  192.168.1.102   STUN    114 Binding Success Response XOR-MAPPED-ADDRESS: 109.242.109.35:57844 MAPPED-ADDRESS: 109.242.109.35:57844 RESPONSE-ORIGIN: {aws_public_ip}:3478

Then I've configured the application load balancer. It accepts traffic at port 3478 (HTTP protocol) and forwards the traffic to the instance at port 3478. Here are the results:

Icetrickle response – stun:{aws_lb_url}:3478

Time    Component   Type    Foundation  Protocol    Address Port    Priority
0.001   1   host    430735571   udp 192.168.1.102   54374   126 | 30 | 255
39.861  Done
39.864

turn server log – tail -f /var/log/turn_15892_:

No new logs (only healthchecks)

Wireshark log

110396  3769.417283 192.168.1.102   52.56.189.26    STUN    62  Binding Request
110403  3769.511074 52.56.189.26    192.168.1.102   ICMP    90  Destination unreachable (Port unreachable)
A series of similar lines follow as it retries.

As I see it, it is trying to connect to random ports, which are configurable and by default span ports 49152 to 65535. I suspect this is the issue, because the only port we forward from the load balancer to the instance is 3478. I wonder if the coturn config should be fine-tuned now that the server is behind a load balancer.

Any advice/help will be much appreciated.
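One way to check this kind of deployment from the client side, as an added example that is not part of the original question or of coturn itself: a small STUN Binding check that builds an RFC 5389 Binding Request, sends it over UDP to host:3478, and classifies the outcome as a Binding Success Response (with the reflexive address decoded from XOR-MAPPED-ADDRESS, falling back to MAPPED-ADDRESS), an ICMP "port unreachable" (which a connected UDP socket surfaces as a connection error), or a timeout. The sample response embedded below is constructed from the reflexive address shown in the Wireshark line above (109.242.109.35:57844); the function names and the host/port arguments are this example's own.

```python
import os
import socket
import struct
import sys

MAGIC_COOKIE = 0x2112A442          # RFC 5389 fixed value in every STUN header
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(transaction_id=None):
    """Build a 20-byte STUN Binding Request with no attributes."""
    if transaction_id is None:
        transaction_id = os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + transaction_id


def build_binding_success(transaction_id, ip, port, xor=True):
    """Build a Binding Success Response carrying the reflexive address.

    Used here only to construct an offline sample; a real response comes from
    the STUN/TURN server. xor=True emits XOR-MAPPED-ADDRESS, else MAPPED-ADDRESS.
    """
    addr = struct.unpack("!I", socket.inet_aton(ip))[0]
    if xor:
        attr_type, port, addr = ATTR_XOR_MAPPED_ADDRESS, port ^ (MAGIC_COOKIE >> 16), addr ^ MAGIC_COOKIE
    else:
        attr_type = ATTR_MAPPED_ADDRESS
    value = struct.pack("!BBHI", 0, 0x01, port, addr)   # reserved, family=IPv4, port, address
    attr = struct.pack("!HH", attr_type, len(value)) + value
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + transaction_id + attr


def parse_binding_response(data, transaction_id):
    """Return (ip, port) from a Binding Success Response, or None if it is not one.

    Checks type, magic cookie and transaction id, then walks the attributes.
    XOR-MAPPED-ADDRESS wins; MAPPED-ADDRESS is kept as a fallback.
    """
    if len(data) < 20:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if msg_type != BINDING_SUCCESS or cookie != MAGIC_COOKIE or data[8:20] != transaction_id:
        return None
    if len(data) < 20 + length:
        return None
    fallback = None
    pos, end = 20, 20 + length
    while pos + 4 <= end:
        attr_type, attr_len = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + attr_len]
        pos += 4 + (attr_len + 3) // 4 * 4          # attribute values are padded to 4 bytes
        if attr_type in (ATTR_XOR_MAPPED_ADDRESS, ATTR_MAPPED_ADDRESS) and len(value) >= 8 and value[1] == 0x01:
            port, addr = struct.unpack("!HI", value[2:8])
            if attr_type == ATTR_XOR_MAPPED_ADDRESS:
                port ^= MAGIC_COOKIE >> 16
                addr ^= MAGIC_COOKIE
                return (socket.inet_ntoa(struct.pack("!I", addr)), port)
            fallback = (socket.inet_ntoa(struct.pack("!I", addr)), port)
    return fallback


def check_stun(host, port=3478, timeout=3.0):
    """Send one Binding Request over UDP and classify what comes back."""
    tid = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.connect((host, port))     # connected socket: ICMP port unreachable becomes an exception
        sock.send(build_binding_request(tid))
        try:
            data = sock.recv(1500)
        except (ConnectionRefusedError, ConnectionResetError):
            return ("port-unreachable", None)   # what the ICMP line in the Wireshark log above looks like
        except socket.timeout:
            return ("timeout", None)
    reflexive = parse_binding_response(data, tid)
    return ("ok", reflexive) if reflexive else ("bad-response", None)


# Constructed sample: the reflexive address from the Wireshark capture on this page.
SAMPLE_TID = bytes(range(12))
SAMPLE_RESPONSE = build_binding_success(SAMPLE_TID, "109.242.109.35", 57844)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # placeholder host
    print(check_stun(target))
```

Run it once against the instance's public IP and once against the load balancer name: the first should report `("ok", (<your reflexive ip>, <port>))`, and an ALB that does not forward UDP shows up as `port-unreachable` or `timeout`, which matches the ICMP responses in the capture.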

Best Answer

You should forward the coturn UDP and TCP ports, but I am not sure if an Application Load Balancer can do this.

For me it is unclear, according to the following, whether it is possible to forward UDP ports: https://aws.amazon.com/elasticloadbalancing/features/#Product_comparisons If I understand it correctly, it says that the Application Load Balancer is only for HTTP/HTTPS.
