3
votes

The WebRTC setup is working on the local network. It has been moved to hosting and it doesn't work anymore. I'm looking into SDP, but my knowledge of networks and SIP is not good enough to perfectly understand what's going wrong.

Logs :

  1. Complete Asterisk log : http://tny.cz/5ace73e9 (sip and rtp debug on)
  2. reTURNServer.log : http://tny.cz/3b75ae45

Architecture :

  • Asterisk PBX 12.6.
    • Public IP : 213.xxx.xxx.178
    • Private IP : 192.168.xxx.99
    • Not behind NAT. SIP is at 5060. It is Realtime enabled, WebRTC configured, WebSockets on :8088/ws, TLS and SRTP enabled and configured. RTP from 49152 to 65535.
    • reTURNServer installed on the same Debian instance, TURN on :3478, TLS on :5349, STUN on :5355.
  • HMP 3 from Dialogic working perfectly fine.
    • Not behind NAT. On the same network as Asterisk.
    • Public IP : not relevant to communicate here as it communicates to Asterisk using internal network.
    • Private IP : 192.168.xxx.100
    • SIP is at 5060. RTP from 49152 to 65535.
    • I make successful calls from a whole lot of SIP phones using this PBX.
  • WebRTC Client is sipML5, from their demo site.
    • Behind NAT. Not on the same network as Asterisk or HMP.
    • Public IP : 213.xxx.xxx.210
    • Private IP : 10.xxx.xxx.118
    • User is "mySIPUser", successfully registers at ws://213.xxx.xxx.178:8088/ws.
    • Browser is the latest Chrome (38).

reTURNServer.config :

TurnPort = 3478
TlsTurnPort = 5349
AltStunPort = 5355
TurnAddress = 213.xxx.xxx.178
AltStunAddress = 213.xxx.xxx.178
AuthenticationMode = 2
AuthenticationRealm = AsteriskREALM
NonceLifetime = 3600
AllocationPortRangeMin = 49152
AllocationPortRangeMax = 65535
DefaultAllocationLifetime = 600
MaxAllocationLifetime = 3600
MaxAllocationsPerUser = 0
TlsServerCertificateFilename = /etc/asterisk/keys/asterisk.pem
TlsTempDhFilename =
# leave blank if key is not encrypted
TlsPrivateKeyPassword = ********
# Logging Type: syslog|cerr|cout|file
LoggingType = file
# Logging level: NONE|CRIT|ERR|WARNING|INFO|DEBUG|STACK
LoggingLevel = DEBUG
LogFilename = /var/log/reTurnServer.log
LogFileMaxLines = 50000
# It is highly recommended that these values are NOT left at their
# default setting
LongTermAuthUsername = MyTURNLogin
LongTermAuthPassword = MyTURNPassword
# Must be true or false, default = false, not supported on Windows
Daemonize = true
# On UNIX it is normal to create a PID file
# if unspecified, no attempt will be made to create a PID file
#PidFile = /var/run/reTurnServer/reTurnServer.pid

Firewall :

*sudo iptables -L*

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:sip
ACCEPT     udp  --  anywhere             anywhere             udp dpt:sip
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:sip-tls
ACCEPT     udp  --  anywhere             anywhere             udp dpt:sip-tls
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:omniorb
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:3478
ACCEPT     udp  --  anywhere             anywhere             udp dpt:3478
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:5349
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:hostmon
ACCEPT     udp  --  anywhere             anywhere             udp dpt:hostmon
ACCEPT     tcp  --  anywhere             anywhere             multiport dports webmin:20000
ACCEPT     udp  --  anywhere             anywhere             multiport dports 10000:20000
ACCEPT     udp  --  anywhere             anywhere             multiport dports 49152:65535

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Any help will be much appreciated !


2 Answers

1
votes

Look at the SDP section of the 200 OK and you will see a bunch of candidates. Then the STUN / ICE negotiation follows, where each of these paths is tested by each side of the call. The path where both parties are able to talk to each other is what makes sure that RTP can flow through.

Somewhere in the networking path the packets are not being mapped appropriately. You need to grab the network traffic and check the STUN packets to identify the packet flow.

Check on the enterprise firewall what their firewall rules are. Usually the enterprise needs to open up to accept traffic from the TURN server. Try using some public Google TURN servers for WebRTC and see if it makes things better.

0
votes

So I finally solved this. The TURN server needs to have 2 public IPs. TurnAddress and AltStunAddress must be 2 different IPs. So the correct configuration of reTURNServer.config is:

TurnAddress = 213.xxx.xxx.178
AltStunAddress = 213.xxx.xxx.179

Of course the client-side script must reflect those changes, via sip_servers ("turn:turnuser@turnip", credentials:"turnpassword") if you use JsSIP or sipML5.
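The two answers above point at two separate things to verify: whether the offer/answer SDP actually carries a relay candidate (first answer), and whether the reTURNServer configuration has distinct TurnAddress and AltStunAddress values with an allocation range the firewall really accepts (second answer). The following script is an added example, not code from the question or either answer; it assumes only the reTURNServer "Key = Value" file format shown in the question and the RFC 5245 `a=candidate:` line syntax. The sample config and SDP fragment are constructed, with RFC 5737 documentation addresses standing in for the real ones.

```javascript
// Added example (not code from the question or answers): two small checks for
// the failure modes discussed in this thread. The reTURNServer "Key = Value"
// format and the RFC 5245 "a=candidate:" syntax are the only assumptions.

// Parse a reTURNServer.config-style file. Blank lines and "#" comments are
// skipped; a key with nothing after "=" (e.g. TlsTempDhFilename) is kept as "".
function parseReturnConfig(text) {
  const cfg = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    cfg[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return cfg;
}

// Report configuration problems. openUdp is the [min, max] UDP port range the
// host firewall accepts for relay traffic (49152:65535 in the iptables listing).
function checkReturnConfig(cfg, openUdp) {
  const problems = [];
  if (cfg.TurnAddress && cfg.TurnAddress === cfg.AltStunAddress) {
    problems.push('TurnAddress and AltStunAddress are the same IP; the alternate STUN address must be a second public IP');
  }
  const min = Number(cfg.AllocationPortRangeMin);
  const max = Number(cfg.AllocationPortRangeMax);
  if (!(min >= openUdp[0] && max <= openUdp[1])) {
    problems.push(`allocation range ${min}-${max} is not inside the firewall-open UDP range ${openUdp[0]}-${openUdp[1]}`);
  }
  return problems;
}

// Count ICE candidates in an SDP body by type. A call that needs TURN but
// shows no "typ relay" candidate is the symptom to look for first.
function summarizeIceCandidates(sdp) {
  const counts = { host: 0, srflx: 0, prflx: 0, relay: 0 };
  const re = /^a=candidate:\S+ \d+ \S+ \d+ \S+ \d+ typ (\S+)/;
  for (const raw of sdp.split(/\r?\n/)) {
    const m = re.exec(raw.trim());
    if (m && m[1] in counts) counts[m[1]]++;
  }
  return counts;
}

// Constructed sample input mirroring the thread's reTURNServer.config, with
// documentation addresses (RFC 5737) standing in for the real ones.
const SAMPLE_CONFIG = `
TurnPort = 3478
AltStunPort = 5355
TurnAddress = 203.0.113.178
AltStunAddress = 203.0.113.178
AllocationPortRangeMin = 49152
AllocationPortRangeMax = 65535
TlsTempDhFilename =
# leave blank if key is not encrypted
TlsPrivateKeyPassword = ********
`;

// Constructed SDP fragment: one host and one server-reflexive candidate, no relay.
const SAMPLE_SDP = [
  'v=0',
  'm=audio 54321 RTP/SAVPF 0 8',
  'a=candidate:1 1 udp 2130706431 10.0.0.118 54321 typ host',
  'a=candidate:2 1 udp 1694498815 203.0.113.210 54321 typ srflx raddr 10.0.0.118 rport 54321',
].join('\r\n');

// Run both checks over the constructed samples and return the findings.
function runDiagnostics() {
  const cfg = parseReturnConfig(SAMPLE_CONFIG);
  return {
    configProblems: checkReturnConfig(cfg, [49152, 65535]),
    candidates: summarizeIceCandidates(SAMPLE_SDP),
  };
}

console.log(JSON.stringify(runDiagnostics(), null, 2));
```

On the constructed sample the config check reports exactly the collision the second answer fixed (TurnAddress equal to AltStunAddress), and the candidate summary shows host and srflx candidates but zero relay candidates, which is what you would expect to see in the Asterisk SIP debug when the TURN allocation never succeeds. Feed it the real reTURNServer.config and the SDP from the 200 OK instead of the samples to reproduce the diagnosis.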