Conclusion: By mapping the TURN server's port from the intranet to the public side, devices behind two symmetric NATs can communicate with each other. Using a TURN server through the firewall in this way is feasible.
First, the problem
While using WebRTC, a customer in Chengdu needed to hold interactive sessions over the public network. The customer has a public IP address, but the device is deployed on the internal network; server ports can be mapped to the outside through a Huawei router. For the time being the system is being used over a VPN.
Second, analysis of the cause
From studying NAT types and the hole-punching principle, we know that if the network is behind a symmetric NAT, hole punching with STUN cannot succeed.
While researching this, I saw a blog post claiming that by deploying the TURN server inside the symmetric NAT and exposing its listening port through port mapping, the symmetric-NAT traversal problem can be solved without any server on the public network. It only mentioned the idea; no concrete implementation was given, and I can no longer find that post.
Later, while reading the WebRTC authoritative guide, I saw the diagram below, which further supported the feasibility of this scheme. I also learned that TURN is designed as a client/server protocol, so it should work in theory, and I set up an environment to confirm it.
Third, verifying feasibility
1. Test the port mapping with nc
Use nc on the device in the customer environment to listen on UDP port 20000, configure port mapping on the firewall to map port 20000 of the device to the public network, then use nc from home to connect to the mapped public IP address and port and check whether the device in the customer environment receives what is sent.
    # listen on UDP port 20000 (on the device in the customer environment)
    nc -ul 20000
    # connect to the mapped public address and port (from home)
    nc -u xxx.xxx.xxx.xxx 20000
After the connection succeeds, type characters in the console and press Enter; the same text appears on the device in the customer environment, showing that a client/server exchange works through the port mapping.
2. Build the TURN server
Use coturn to build the TURN server. The setup steps are recorded separately; the test configuration is as follows:
    # TURN server name and realm
    realm=192.168.100.221
    server-name=turnserver
    # Use fingerprint in TURN messages
    fingerprint
    # Listening IP of the TURN server
    listening-ip=192.168.10.221
    # External IP address of the TURN server
    #external-ip=121.199.22.135
    # Main listening port
    listening-port=3478
    # Further ports that are open for communication
    min-port=20000
    max-port=22000
    # Enable verbose logging
    verbose
    # Specify the user for TURN authentication
    user=test:123456
    # Enable the long-term credential mechanism
    lt-cred-mech
After starting the TURN server, test it with the WebRTC samples page (webrtc.github.io/samples/src…).
3. Network environment
Two networks were used, each with a mobile phone's 4G connection as the hotspot: one simulates the customer's intranet, the other simulates a device accessing from the public network.
Network 1: simulates the customer's intranet
Enable a China Telecom 4G hotspot and use a JCG router as a Wi-Fi relay; NATTypeTester results:
- NAT type: Symmetric
- Local end: 0.0.0.0:59524
- Public end: 36.17.176.200:26597
Network 2: simulates the device accessing from the public network
Enable a China Mobile 4G hotspot and connect a laptop to it; NATTypeTester results:
- NAT type: Symmetric
- Local end: 0.0.0.0:56586
- Public end: 223.104.244.91:3235
4. Devices
Device list in Network 1:
- Janus server: 192.168.100.221
- TURN server: 192.168.100.221
- Computer joining the interaction: 192.168.100.108
Devices in Network 2:
- Laptop, IP address not recorded
5. Intranet penetration
Using the Sunflower intranet-penetration tool, map the Janus interactive web server port (tcp://192.168.100.221:443) so that public devices can access it; the mapped address is https://39263k5f22.zicp.vip:43540.
Using the Flying Pigeon intranet-penetration tool, map the TURN server port (udp://192.168.100.221:3478); the mapped address and port are free.svipss.top:51351.
6. Modify the web code and set the TURN server
    const pc = new RTCPeerConnection({
      iceServers: [
        // { urls: 'stun:stun.opensight.cn' },
        {
          // the TURN server reached through the mapped public address and port
          urls: ['turn:free.svipss.top:51351'],
          username: 'test',
          credential: '123456',
          credentialType: 'password',
        },
      ],
      iceTransportPolicy: 'all',
      iceCandidatePoolSize: 0, // a number, not the string '0'
      bundlePolicy: 'max-bundle',
      rtcpMuxPolicy: 'require',
      // the two members below are not part of RTCConfiguration and are ignored by browsers
      tcpCandidatePolicy: 'disable',
      IceTransportsType: 'nohost',
    });
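With iceTransportPolicy set to 'all', a successful session does not by itself prove that the media went through the mapped TURN port: ICE also gathers host and server-reflexive candidates and will use a direct path if one happens to connect. To confirm that the TURN path is the one in use, force relay-only gathering and check the candidate types that come back. The code below is an added example for this page, not part of the original post: parseIceCandidate reads the candidate strings that RTCPeerConnection hands to onicecandidate, relayOnly checks that every candidate is a TURN relay, relayOnlyConfig is the configuration above with iceTransportPolicy set to 'relay', and gatherCandidates is the browser-side probe that produces the strings. The SAMPLE_CANDIDATES lines are constructed (the 203.0.113.10 relay address is a documentation address, not one from the test setup) so the parsing and checks run offline under Node.

```javascript
'use strict';

// Parse one ICE candidate string (with or without the "a=" SDP prefix) into its fields:
//   candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> [raddr <a> rport <p>] ...
function parseIceCandidate(line) {
  const s = line.trim().replace(/^a=/, '');
  if (!s.startsWith('candidate:')) throw new Error('not an ICE candidate: ' + line);
  const f = s.slice('candidate:'.length).split(/\s+/);
  if (f.length < 8 || f[6] !== 'typ') throw new Error('malformed candidate: ' + line);
  const cand = {
    foundation: f[0],
    component: Number(f[1]),
    transport: f[2].toLowerCase(),
    priority: Number(f[3]),
    address: f[4],
    port: Number(f[5]),
    type: f[7],            // host, srflx, prflx or relay
    relatedAddress: null,  // for srflx/relay: the address this candidate was derived from
    relatedPort: null,
  };
  for (let i = 8; i + 1 < f.length; i += 2) {
    if (f[i] === 'raddr') cand.relatedAddress = f[i + 1];
    else if (f[i] === 'rport') cand.relatedPort = Number(f[i + 1]);
  }
  return cand;
}

// Count the candidate types gathered for a connection.
function summariseCandidates(lines) {
  const counts = { host: 0, srflx: 0, prflx: 0, relay: 0 };
  for (const l of lines) {
    const c = parseIceCandidate(l);
    counts[c.type] = (counts[c.type] || 0) + 1;
  }
  return counts;
}

// True only when every gathered candidate is a TURN relay candidate.
function relayOnly(lines) {
  return lines.length > 0 && lines.every(l => parseIceCandidate(l).type === 'relay');
}

// The page's configuration with relay forced, so a working call proves the mapped TURN port is used.
function relayOnlyConfig(turnUrl, username, credential) {
  return {
    iceServers: [{ urls: [turnUrl], username, credential }],
    iceTransportPolicy: 'relay', // only relay candidates are gathered and used
    iceCandidatePoolSize: 0,
    bundlePolicy: 'max-bundle',
    rtcpMuxPolicy: 'require',
  };
}

// Browser only: gather candidates with the given config and resolve with their strings.
function gatherCandidates(config) {
  return new Promise((resolve, reject) => {
    const pc = new RTCPeerConnection(config);
    const lines = [];
    pc.onicecandidate = e => {
      if (e.candidate) lines.push(e.candidate.candidate);
      else { pc.close(); resolve(lines); } // null candidate = gathering finished
    };
    pc.createDataChannel('probe');
    pc.createOffer().then(o => pc.setLocalDescription(o)).catch(reject);
  });
}

// Constructed sample, modelled on the addresses seen in this test setup.
const SAMPLE_CANDIDATES = [
  'candidate:1 1 udp 2122260223 192.168.100.108 56000 typ host generation 0',
  'candidate:2 1 udp 1686052607 36.17.176.200 26597 typ srflx raddr 192.168.100.108 rport 56000 generation 0',
  'a=candidate:3 1 udp 41885439 203.0.113.10 21000 typ relay raddr 36.17.176.200 rport 26597 generation 0',
];
```

In the browser, run gatherCandidates(relayOnlyConfig('turn:free.svipss.top:51351', 'test', '123456')) from the page's console: with the relay policy, an empty result means the mapped TURN port could not be reached or the credentials were rejected, while relayOnly(lines) being true means the session can only have gone through the TURN server.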
7. Start interacting
The computer in network 1 opens the intranet address https://192.168.100.221 and starts the interactive classroom session.
The laptop on the public network opens https://39263k5f22.zicp.vip:43540 and joins the same interaction.
Fourth, verifying the conclusion: the interaction succeeded, and the scheme is feasible
The actual test shows that the two computers can interact and see each other, which demonstrates that devices behind two symmetric NATs can communicate through TURN server port mapping, and that using a TURN server through the firewall is feasible.