【Question title】: coturn + webrtc: host behind NAT couldn't connect to turn server
【Posted】: 2020-11-27 13:25:44
【Question】:

I'm trying to integrate screen sharing with WebRTC on my website. If I try to establish a connection between two Chrome browsers on the same device (normal and incognito), everything works fine. When I try to establish a connection between my browser and another computer on a different network, it fails. So I'm trying to configure a TURN server.

Both systems, the one with the WebRTC feature integrated and the TURN server, are hosted on DomainFactory, where I don't have root privileges. For this reason I couldn't install coturn via apt-get. I had to install it manually from GitHub.

coturn config:

external-ip=[public ip of turn-server]
fingerprint
lt-cred-mech
user=[user]:[password]
realm=[turn-server url]
total-quota=100
bps-capacity=0
stale-nonce=600
cert=[path to certificate file]
pkey=[path to private key file]
log=[path to log file]
no-multicast-peers

My problem is: if the host of the screen share is behind a NAT, its IP is still a local IP and it doesn't seem to connect to the TURN server.

These are the results from https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/ for the host behind NAT:

Time    Component   Type    Foundation  Protocol    Address Port    Priority
0.003   rtp host    2448344806  udp 63e84acb-f85e-4ba8-b012-595df04e86ec.local  52272   126 | 30 | 255
39.823  Done
39.825

If I try to check the TURN connection from another network without NAT using the same WebRTC sample app, the result is:

Time    Component   Type    Foundation  Protocol    Address Port    Priority
0.005   rtp host    3661447420  udp 192.168.0.70    51584   126 | 32542 | 255
0.006   rtp host    4036240074  udp 192.168.178.30  51585   126 | 32286 | 255
0.105   rtp host    2495527948  tcp 192.168.0.70    9   90 | 32542 | 255
0.105   rtp host    3189235258  tcp 192.168.178.30  9   90 | 32286 | 255
0.122   rtp relay   1181488584  udp 176.221.47.80   51563   1 | 32286 | 255
0.122   Done
0.123

coturn log:

0: log file opened: [path to log]
0:
RFC 3489/5389/5766/5780/6062/6156 STUN/TURN Server
Version Coturn-4.5.1.3 'dan Eider'
0:
Max number of open files/sockets allowed for this process: 4096
0:
Due to the open files/sockets limitation,
max supported number of TURN Sessions possible is: 2000 (approximately)
0:

==== Show him the instruments, Practical Frost: ====

0: TLS supported
0: DTLS supported
0: DTLS 1.2 supported
0: TURN/STUN ALPN supported
0: Third-party authorization (oAuth) supported
0: GCM (AEAD) supported
0: OpenSSL compile-time version: OpenSSL 1.0.2l  25 May 2017 (0x100020cf)
0:
0: SQLite supported, default database location is [path to turndb]
0: Redis is not supported
0: PostgreSQL supported
0: MySQL is not supported
0: MongoDB is not supported
0:
0: Default Net Engine version: 3 (UDP thread per CPU core)

=====================================================

0: Domain name:
0: Default realm: [realm]
0:
CONFIG ERROR: Empty cli-password, and so telnet cli interface is disabled! Please set a non empty cli-password!
0: SSL23: Certificate file found: [path to certificate file]
0: SSL23: Private key file found: [path to private key file]
0: TLS1.0: Certificate file found: [path to certificate file]
0: TLS1.0: Private key file found: [path to private key file]
0: TLS1.1: Certificate file found: [path to certificate file]
0: TLS1.1: Private key file found: [path to private key file]
0: TLS1.2: Certificate file found: [path to certificate file]
0: TLS1.2: Private key file found: [path to private key file]
0: TLS cipher suite: DEFAULT
0: DTLS: Certificate file found: [path to certificate file]
0: DTLS: Private key file found: [path to private key file]
0: DTLS1.2: Certificate file found: [path to certificate file]
0: DTLS1.2: Private key file found: [path to private key file]
0: DTLS cipher suite: DEFAULT
0: NO EXPLICIT LISTENER ADDRESS(ES) ARE CONFIGURED
0: ===========Discovering listener addresses: =========
0: Listener address to use: [localhost]
0: Listener address to use: [public ip1]
0: Listener address to use: [public ip2]
0: Listener address to use: [public ip3]
0: Listener address to use: [ipv6 localhost]
0: Listener address to use: [ipv6 public]
0: =====================================================
0: Total: 4 'real' addresses discovered
0: =====================================================
0: NO EXPLICIT RELAY ADDRESS(ES) ARE CONFIGURED
0: ===========Discovering relay addresses: =============
0: Relay address to use: [public ip1]
0: Relay address to use: [public ip2]
0: Relay address to use: [public ip3]
0: Relay address to use: [ipv6 public]
0: =====================================================
0: Total: 4 relay addresses discovered
0: =====================================================
0: Cannot create pid file: /var/run/turnserver.pid
0: pid file created: /var/tmp/turnserver.pid
0: IO method (main listener thread): epoll (with changelist)
0: WARNING: I cannot support STUN CHANGE_REQUEST functionality because only one IP address is provided
0: Wait for relay ports initialization...
0:   relay [public ip1] initialization...
0:   relay [public ip1] initialization done
0:   relay [public ip2] initialization...
0:   relay [public ip2] initialization done
0:   relay [public ip3] initialization...
0:   relay [public ip3] initialization done
0:   relay [ipv6 public] initialization...
0:   relay [ipv6 public] initialization done
0: Relay ports initialization done
0: IO method (general relay thread): epoll (with changelist)
0: turn server id=0 created
0: IO method (general relay thread): epoll (with changelist)
0: turn server id=1 created
0: IPv4. TLS/TCP listener opened on : [localhost]:3478
0: IO method (general relay thread): epoll (with changelist)
0: turn server id=2 created
0: IPv4. TLS/TCP listener opened on : [localhost]:3478
0: IO method (general relay thread): epoll (with changelist)
0: turn server id=3 created
0: IPv4. DTLS/UDP listener opened on: [localhost]:3478
0: IPv4. DTLS/UDP listener opened on: [localhost]:5349
0: IPv4. DTLS/UDP listener opened on: [public ip1]:3478
0: IPv4. DTLS/UDP listener opened on: [public ip1]:5349
0: IPv4. DTLS/UDP listener opened on: [public ip2]:3478
0: IPv4. DTLS/UDP listener opened on: [public ip2]:5349
0: IPv4. DTLS/UDP listener opened on: [public ip3]:3478
0: IPv4. DTLS/UDP listener opened on: [public ip3]:5349
0: IPv6. DTLS/UDP listener opened on: [ipv6 localhost]:3478
0: IPv6. DTLS/UDP listener opened on: [ipv6 localhost]:5349
0: IPv6. DTLS/UDP listener opened on: [ipv6 public]:3478
0: IPv6. DTLS/UDP listener opened on: [ipv6 public]:5349
0: Total General servers: 4
0: IPv4. TLS/TCP listener opened on : [localhost]:5349
0: IO method (auth thread): epoll (with changelist)
0: IO method (auth thread): epoll (with changelist)
0: SQLite DB connection success: [path to turndb]
0: IPv4. TLS/TCP listener opened on : [localhost]:3478
0: IO method (admin thread): epoll (with changelist)
0: IPv4. TLS/TCP listener opened on : [public ip1]:3478
0: IPv4. TLS/TCP listener opened on : [localhost]:5349
0: IPv4. TLS/TCP listener opened on : [localhost]:3478
0: IPv4. TLS/TCP listener opened on : [public ip1]:3478
0: IPv4. TLS/TCP listener opened on : [localhost]:5349
0: IPv4. TLS/TCP listener opened on : [public ip1]:5349
0: IPv4. TLS/TCP listener opened on : [public ip1]:3478
0: IPv4. TLS/TCP listener opened on : [public ip2]:3478
0: IPv4. TLS/TCP listener opened on : [public ip1]:5349
0: IPv4. TLS/TCP listener opened on : [public ip1]:5349
0: IPv4. TLS/TCP listener opened on : [public ip2]:3478
0: IPv4. TLS/TCP listener opened on : [public ip2]:5349
0: IPv4. TLS/TCP listener opened on : [public ip2]:5349
0: IPv4. TLS/TCP listener opened on : [public ip2]:3478
0: IPv4. TLS/TCP listener opened on : [public ip3]:3478
0: IPv4. TLS/TCP listener opened on : [localhost]:5349
0: IPv4. TLS/TCP listener opened on : [public ip3]:3478
0: IPv4. TLS/TCP listener opened on : [public ip2]:5349
0: IPv4. TLS/TCP listener opened on : [public ip3]:5349
0: IPv4. TLS/TCP listener opened on : [public ip1]:3478
0: IPv4. TLS/TCP listener opened on : [public ip3]:3478
0: IPv4. TLS/TCP listener opened on : [public ip3]:5349
0: IPv6. TLS/TCP listener opened on : [ipv6 localhost]:3478
0: IPv4. TLS/TCP listener opened on : [public ip1]:5349
0: IPv4. TLS/TCP listener opened on : [public ip3]:5349
0: IPv6. TLS/TCP listener opened on : [ipv6 localhost]:5349
0: IPv6. TLS/TCP listener opened on : [ipv6 localhost]:3478
0: IPv4. TLS/TCP listener opened on : [public ip2]:3478
0: IPv6. TLS/TCP listener opened on : [ipv6 localhost]:5349
0: IPv6. TLS/TCP listener opened on : [ipv6 public]:3478
0: IPv6. TLS/TCP listener opened on : [ipv6 public]:3478
0: IPv6. TLS/TCP listener opened on : [ipv6 localhost]:3478
0: IPv6. TLS/TCP listener opened on : [ipv6 public]:5349
0: IPv6. TLS/TCP listener opened on : [ipv6 public]:5349
0: IPv4. TLS/TCP listener opened on : [public ip2]:5349
0: IPv6. TLS/TCP listener opened on : [ipv6 localhost]:5349
0: IPv4. TLS/TCP listener opened on : [public ip3]:3478
0: IPv6. TLS/TCP listener opened on : [ipv6 public]:3478
0: IPv4. TLS/TCP listener opened on : [public ip3]:5349
0: IPv6. TLS/TCP listener opened on : [ipv6 public]:5349
0: IPv6. TLS/TCP listener opened on : [ipv6 localhost]:3478
0: IPv6. TLS/TCP listener opened on : [ipv6 localhost]:5349
0: IPv6. TLS/TCP listener opened on : [ipv6 public]:3478
0: IPv6. TLS/TCP listener opened on : [ipv6 public]:5349
269933: handle_udp_packet: New UDP endpoint: local addr [public ip1]:5349, remote addr [ip without NAT]:49333
269933: session 003000000000000012: realm <[realm]> user <>: incoming packet BINDING processed, success
269933: session 003000000000000012: realm <[realm]> user <>: incoming packet message processed, error 401: Unauthorized
269933: IPv4. Local relay addr: [public ip1]:52030
269933: session 003000000000000012: new, realm=<[realm]>, username=<[user]>, lifetime=600
269933: session 003000000000000012: realm <[realm]> user <[user]>: incoming packet ALLOCATE processed, success
269943: session 003000000000000012: realm <[realm]> user <[user]>: incoming packet BINDING processed, success
269953: session 003000000000000012: realm <[realm]> user <[user]>: incoming packet BINDING processed, success
269963: session 003000000000000012: realm <[realm]> user <[user]>: incoming packet BINDING processed, success
269970: session 003000000000000012: refreshed, realm=<[realm]>, username=<[user]>, lifetime=0
269970: session 003000000000000012: realm <[realm]> user <[user]>: incoming packet REFRESH processed, success
269971: session 003000000000000012: usage: realm=<[realm]>, username=<[user]>, rp=7, rb=332, sp=7, sb=720
269971: session 003000000000000012: peer usage: realm=<[realm]>, username=<[user]>, rp=0, rb=0, sp=0, sb=0
269971: session 003000000000000012: closed (2nd stage), user <[user]> realm <[realm]> origin <>, local [public ip1]:5349, remote [ip without NAT]:49333, reason: allocation timeout
269971: session 003000000000000012: delete: realm=<[realm]>, username=<[user]>
269996: IPv4. tcp or tls connected to: [ip without NAT]:59678
269996: session 000000000000000016: realm <[realm]> user <>: incoming packet message processed, error 401: Unauthorized
269996: IPv4. Local relay addr: [public ip1]:64039
269996: session 000000000000000016: new, realm=<[realm]>, username=<[user]>, lifetime=600
269996: session 000000000000000016: realm <[realm]> user <[user]>: incoming packet ALLOCATE processed, success

I'm still quite new to TURN and WebRTC, so some help would be nice :)

【Question discussion】:

Tags: javascript webrtc coturn rfc5766turnserver


【Answer 1】:

The first attempt to gather ICE candidates with the WebRTC sample app shows that only host candidates were discovered.

This mostly means either that the TURN settings are wrong (wrong URL or wrong credentials), or that the computer cannot reach the TURN server on the given port.

Some NAT conditions forbid access to external ports other than a given preset, e.g. port 443 TCP (the default port for HTTPS).

As an experiment, you could try setting up coturn to listen on TCP port 443 and then retry the ICE gathering app.

In general, an application like Wireshark lets you capture the network traffic on a computer and verify where the requests go and whether there is any response from the TURN server (you can use the stun filter).

【Discussion】:
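As an added example (not code from the question, the answer, or the coturn project), here is a small Python STUN Binding probe that performs the reachability check the answer describes without Wireshark: it sends an RFC 5389 Binding Request to a chosen coturn port (3478, or 443 for the experiment suggested above) and parses the reply's XOR-MAPPED-ADDRESS or ERROR-CODE. The host name `turn.example.invalid` and the addresses in the comments are placeholders; the encoder functions exist only so that replies can be constructed and checked offline.

```python
"""Minimal RFC 5389 STUN Binding probe (added example, not coturn's or the poster's code).
Checks from the client side whether a given STUN/TURN port answers at all, which is
the first thing to settle before suspecting credentials or the coturn config."""
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
BINDING_ERROR = 0x0111
ATTR_ERROR_CODE = 0x0009
ATTR_XOR_MAPPED_ADDRESS = 0x0020


def _pad(value):
    # STUN attribute values are padded to a 4-byte boundary.
    return value + b"\x00" * ((4 - len(value) % 4) % 4)


def build_binding_request(txid=None):
    """Return a 20-byte Binding Request: type, length 0, magic cookie, 96-bit txid."""
    txid = os.urandom(12) if txid is None else txid
    if len(txid) != 12:
        raise ValueError("transaction id must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid


def encode_xor_mapped_address(ip, port, txid):
    """Encode XOR-MAPPED-ADDRESS (IPv4 or IPv6); used here to construct test replies."""
    try:
        raw, family, key = socket.inet_pton(socket.AF_INET, ip), 1, struct.pack("!I", MAGIC_COOKIE)
    except OSError:
        raw, family, key = socket.inet_pton(socket.AF_INET6, ip), 2, struct.pack("!I", MAGIC_COOKIE) + txid
    xaddr = bytes(a ^ b for a, b in zip(raw, key))
    value = struct.pack("!BBH", 0, family, port ^ (MAGIC_COOKIE >> 16)) + xaddr
    return struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + _pad(value)


def encode_error_code(code, reason):
    """Encode ERROR-CODE, e.g. the 401 coturn returns before credentials are supplied."""
    value = struct.pack("!HBB", 0, code // 100, code % 100) + reason.encode()
    return struct.pack("!HH", ATTR_ERROR_CODE, len(value)) + _pad(value)


def build_response(msg_type, txid, attributes):
    """Assemble a STUN message from already-encoded attributes (test helper)."""
    body = b"".join(attributes)
    return struct.pack("!HHI", msg_type, len(body), MAGIC_COOKIE) + txid + body


def parse_stun_message(data, expected_txid=None):
    """Parse a STUN message into {'type', 'txid', 'mapped', 'error'}.
    Rejects data without the magic cookie (not STUN) and, when expected_txid is
    given, replies whose transaction id does not match our request."""
    if len(data) < 20:
        raise ValueError("too short for a STUN header")
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    txid = data[8:20]
    if cookie != MAGIC_COOKIE:
        raise ValueError("magic cookie mismatch: not an RFC 5389 STUN message")
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch: reply is not for our request")
    if len(data) < 20 + length:
        raise ValueError("truncated STUN message")
    result = {"type": msg_type, "txid": txid, "mapped": None, "error": None}
    offset, end = 20, 20 + length
    while offset + 4 <= end:
        attr_type, attr_len = struct.unpack("!HH", data[offset:offset + 4])
        value = data[offset + 4:offset + 4 + attr_len]
        if attr_type == ATTR_XOR_MAPPED_ADDRESS and len(value) >= 8:
            _, family, xport = struct.unpack("!BBH", value[:4])
            af = socket.AF_INET if family == 1 else socket.AF_INET6
            key = struct.pack("!I", MAGIC_COOKIE) + (txid if family == 2 else b"")
            raw = bytes(a ^ b for a, b in zip(value[4:], key))
            result["mapped"] = (socket.inet_ntop(af, raw), xport ^ (MAGIC_COOKIE >> 16))
        elif attr_type == ATTR_ERROR_CODE and len(value) >= 4:
            _, cls, num = struct.unpack("!HBB", value[:4])
            result["error"] = ((cls & 0x07) * 100 + num, value[4:].decode("utf-8", "replace"))
        offset += 4 + attr_len + (4 - attr_len % 4) % 4
    return result


def probe_stun(host, port, proto="udp", timeout=3.0):
    """Send one Binding Request over plain UDP or TCP (no TLS) and return the parsed
    reply, or None if nothing arrives before the timeout. No reply from behind the NAT
    on a port that answers from the open network points at a NAT/firewall rule on the
    client side rather than at the coturn configuration."""
    txid = os.urandom(12)
    socktype = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    with socket.socket(socket.AF_INET, socktype) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            sock.send(build_binding_request(txid))
            data = sock.recv(2048)
        except OSError:
            return None
    return parse_stun_message(data, expected_txid=txid)


if __name__ == "__main__":
    # Placeholder host; the ports coturn logged above, plus 443 as the answer suggests.
    for port, proto in ((3478, "udp"), (3478, "tcp"), (443, "tcp")):
        print(port, proto, probe_stun("turn.example.invalid", port, proto))
```

A reply carrying a mapped address means the port is reachable and the listener speaks STUN; a timeout from behind the NAT while the same port answers from the open network is the blocked-port case the answer describes, and the TCP-443 experiment can be repeated with `proto="tcp"`. Note that the `error 401: Unauthorized` lines in the coturn log above are not a failure: with `lt-cred-mech` the client's first ALLOCATE carries no credentials, the server answers 401 with realm and nonce, and the retry with credentials succeeds, which is exactly what the following `ALLOCATE processed, success` lines show.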
