4

I have installed the TURN server and everything in the server code is working fine. There is no error in the log file, only a warning stating:

```
0: WARNING: I cannot support STUN CHANGE_REQUEST functionality because only one IP address is provided
```

But the TURN server is running on the server.

Here is what shows when I check `lsof -i :3478`:

```
turnserve 999 root   15u  IPv4 446811411      0t0  TCP domain.com:stun (LISTEN)
turnserve 999 root   23u  IPv4 446811417      0t0  TCP domain:stun (LISTEN)
turnserve 999 root   24u  IPv4 446810998      0t0  UDP domain.com:stun
turnserve 999 root   25u  IPv4 446810999      0t0  UDP domain.com:stun
```

When I check STUN in Trickle ICE, it throws errors:

```
The server stun:xxx.xxx.xxx.xxx:3478 returned an error with code=701:
STUN server address is incompatible.
The server stun:xxx.xxx.xxx.xxx:3478 returned an error with code=701:
STUN allocate request timed out.
```

What's going wrong in this?

Thank you

asimdev

2 Answers

11

I think that 701 error is a more generic connectivity error that Trickle ICE uses to indicate it didn't get a binding response back. Run `stunclient your.stun.ip.address` with the command line tools at www.stunprotocol.org to see if your STUN service is accessible from the outside world.

STUN technically requires being hosted on a device with two IP addresses and two ports. It's typically a command line parameter to specify which IP addresses the server should listen on. But most server implementations can operate on a host with a single IP address.

The second IP address and port on the server is used for STUN client filtering tests to detect what type of NAT is in effect. The client sends a binding request on the server's primary IP and port, but with a change-request attribute to have the server respond from the alternate IP address or port. More often than not, this binding request with a change-request attribute fails since NATs will not forward traffic from the other IP/port.

The filtering test is useful for logging what type of NAT the client is on, so that failed connections can be debugged and success/failure metrics can be correlated to NAT type.

Since most ICE implementations will exchange all available address candidates (local, mapped, and relay), the filtering test isn't very useful to connectivity establishment.

I'm surprised Trickle ICE is giving you an error. I didn't think WebRTC ever used the change-request attribute. I just did a Wireshark trace of a Trickle ICE session to stunserver.stunprotocol.org. I don't see the WebRTC client setting the change-request attribute in either of the two binding requests it makes.

More details in RFC 5780 Section 3.2

selbie
  • So can I use sturn server...? Trickle ICE throws an error only in Chrome, not in Firefox. I am not even able to log in to TURN either, using Trickle ICE and the snippet provided in this https://stackoverflow.com/questions/28772212/stun-turn-server-connectivity-test – asimdev Jun 21 '20 at 09:16
  • Can you please explain to me how I can run `stunclient stun.ip.address`? Do I need to download anything from the site or something else? – asimdev Jun 21 '20 at 09:27
  • Download the command line tools (or code to compile) from www.stunprotocol.org. The stunclient tool comes bundled with the server code. Then run `stunclient --help` from the command line. – selbie Jun 21 '20 at 09:40
  • I tried... it's not running on Windows. When I open stunserver.exe or stunclient.exe it gets closed immediately. – asimdev Jun 21 '20 at 10:07
  • What's not running on Windows? The code is available for Windows, Mac, and all flavors of Unix including Linux. – selbie Jun 21 '20 at 10:08
  • Type `stunclient.exe --help` at a command prompt. (Don't double-click on it from Explorer). – selbie Jun 21 '20 at 11:40
  • It shows `Binding test: fail` when I use `stunclient my.ip.address 3478`; when I use `stunclient stun.l.google.com 19302` it shows binding test success. – asimdev Jun 21 '20 at 12:05
  • What could be the solution for it? – asimdev Jun 21 '20 at 15:49
  • It means your STUN service isn't available at that IP address. Either you aren't running a STUN server on port 3478, got the wrong IP address, or most likely, forgot to open the port on your provider's firewall setting. – selbie Jun 21 '20 at 18:28
  • The STUN server runs on port 3478 with PID 999, which I attached in the question. The ports are allowed in the firewall and are accessible; I checked it in Nmap and it says `3478/udp open|filtered stun` – asimdev Jun 22 '20 at 06:33
  • Run stunclient on the server itself. If you can't connect to your own service while on the same device, then it's a configuration issue. If you can connect locally, but not externally, then it's a network configuration issue. – selbie Jun 22 '20 at 08:29
  • Could you please point me to installing stunclient on CentOS 7? I have uploaded **stunserver-1.2.16.tgz** from http://www.stunprotocol.org/ but am not able to find documentation on how to run it. – asimdev Jun 22 '20 at 11:44
  • https://github.com/jselbie/stunserver/blob/master/README - follow the instructions for installing prerequisite packages for Fedora – selbie Jun 22 '20 at 17:12
  • I have performed the stunclient test. `./stunclient xxx.xxx.xxx.xxx 3478 Binding test: success Local address: xxx.xxx.xxx.xxx:37713 Mapped address: xxx.xxx.xxx.xxx:37713` Now, as you said earlier, the STUN server is connecting locally, so it might be a network configuration issue. Can you tell me what might be the issue? I enabled the port in the firewall. Do I need to do something more? – asimdev Jun 23 '20 at 05:25
  • Your server might have a local firewall, but your hosting provider has an external firewall you might need to open that port for. This is the case for AWS and probably other servers as well. Email me the IP address of your server and more details and I'll see if I can help. You can find me off the stunprotocol.org web page. – selbie Jun 23 '20 at 05:38
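
An added example, not part of the original answer or of the stunserver project: a minimal UDP binding test in Python that builds the binding request discussed above (optionally with the RFC 5780 CHANGE-REQUEST attribute) and decodes XOR-MAPPED-ADDRESS from the reply. All function names are hypothetical, and `sample_response` builds a constructed packet so the parser can be exercised offline.

```python
import os, socket, struct

MAGIC_COOKIE = 0x2112A442          # fixed value from RFC 5389
BINDING_REQUEST, BINDING_SUCCESS = 0x0001, 0x0101
ATTR_CHANGE_REQUEST, ATTR_XOR_MAPPED = 0x0003, 0x0020

def build_binding_request(txn_id, change_ip=False, change_port=False):
    """20-byte STUN header, plus CHANGE-REQUEST (RFC 5780) only when asked for."""
    attrs = b""
    if change_ip or change_port:
        flags = (0x04 if change_ip else 0) | (0x02 if change_port else 0)
        attrs = struct.pack("!HHI", ATTR_CHANGE_REQUEST, 4, flags)
    return struct.pack("!HHI", BINDING_REQUEST, len(attrs), MAGIC_COOKIE) + txn_id + attrs

def parse_binding_response(data, txn_id):
    """Return (ip, port) from XOR-MAPPED-ADDRESS, or None if the reply is not ours."""
    if len(data) < 20:
        return None
    mtype, mlen, cookie = struct.unpack("!HHI", data[:8])
    if mtype != BINDING_SUCCESS or cookie != MAGIC_COOKIE or data[8:20] != txn_id:
        return None
    pos, end = 20, min(20 + mlen, len(data))
    while pos + 4 <= end:
        atype, alen = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + alen]
        if atype == ATTR_XOR_MAPPED and len(value) >= 8 and value[1] == 0x01:  # IPv4
            port = struct.unpack("!H", value[2:4])[0] ^ (MAGIC_COOKIE >> 16)
            addr = struct.unpack("!I", value[4:8])[0] ^ MAGIC_COOKIE
            return socket.inet_ntoa(struct.pack("!I", addr)), port
        pos += 4 + alen + (-alen % 4)    # attributes are padded to 4 bytes
    return None

def binding_test(host, port=3478, timeout=3.0):
    """One UDP binding test; None means no valid reply (timeout or bad response)."""
    txn_id = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_binding_request(txn_id), (host, port))
            return parse_binding_response(s.recvfrom(2048)[0], txn_id)
        except OSError:                  # timeout, DNS failure, ICMP unreachable
            return None

def sample_response(txn_id, ip, port):
    """Constructed success response for offline testing (not a captured packet)."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    attr = struct.pack("!HHBBHI", ATTR_XOR_MAPPED, 8, 0, 0x01, xport, xaddr)
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txn_id + attr
```

Calling `binding_test("your.stun.ip.address")` once on the server and once from an outside host reproduces the local-versus-external comparison from the comments: a `None` only from outside points at a firewall or routing rule in between.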
2

In macOS, I just do so:

```
> brew install stuntman
```

When it's done:

```
> stunclient stunserver.stunprotocol.org
Binding test: success
Local address: 198.18.0.1:54898
Mapped address: 210.0.158.130:56750
```

To specify the port, do it like this:

```
> stunclient stunserver.stunprotocol.org 3478
Binding test: success
Local address: 198.18.0.1:63061
Mapped address: 210.0.158.130:37126
```

Have fun!

selbie
A.Chan