Fixed external media address for webrtc clients

Hi,
we have an Asterisk server behind NAT using PJSIP. Some clients are connected with transport protocol wss (WebRTC) and some are on UDP. Yesterday all WebRTC clients stopped working, without any software upgrade/change. The problem was that Asterisk started to send SDP without the external address and WebRTC clients were not able to connect. UDP clients work OK, because they are using external_media_address, local_net…

1.) It looks like the wss protocol is not using the transport options local_net, external_media_address? Is it possible to use a fixed external media address also when the wss protocol is used?

2.) The problem in the first place was because stun.l.google.com:19302 (configured in rtp.conf) stopped working, it didn't return any external address? But when I changed to stun1.l.google.com:19302 everything started to work. I found that (protocols - Why a STUN Server Needs Two Different Public IP addresses - Stack Overflow) in rare cases one STUN server is not enough. So, is it possible (if there is no way to set a fixed address) to configure two STUN servers in rtp.conf? I tried this in rtp.conf:

stunaddr:19302=stun.l.google.com
stunaddr:19302=stun1.l.google.com

but only the first stun server is used.

Best regards
edvin

It is not possible to configure multiple STUN servers. As well, if Asterisk is on a fixed IP address you should use the ice_host_candidates functionality of rtp.conf to put the external IP address in as a host candidate, and not use STUN at all.

Hi,
thanks for your response. I have tried your suggestion but it didn’t work for me.

This is my changed rtp.conf:

[general]
rtpstart=10000
rtpend=20000
icesupport=false

[ice_host_candidates]
10.1.1.5 => 193.x.x.x,include_local_address

There is not a lot of documentation regarding ice_host_candidates, but if I understand correctly this configuration should map my local IP 10.1.1.5 to the external 193.x.x.x and also include other local IPs. (I need this, because I also have some clients on the 10.1.x.x network.)

But this is the SDP I get on the client.

v=0
o=- 3136501614 4 IN IP4 10.1.1.5
s=Asterisk
c=IN IP4 10.1.1.5
t=0 0
a=msid-semantic:WMS *
a=group:BUNDLE 0 1
m=audio 13020 UDP/TLS/RTP/SAVPF 8
a=connection:new
a=setup:active
a=fingerprint:SHA-256 4E:C5:09:6F:68:0D:DE:3B:D1:F6:5E:BA:C0:A3:82:57:39:CB:A2:C0:CA:0E:2F:5B:52:47:81:83:7A:7A:00:C2
a=ice-ufrag:52008de80c3de954607767723049420a
a=ice-pwd:5df5580a6baeb98d0c45ab876b6cd76f
a=rtpmap:8 PCMA/8000
a=ptime:20
a=maxptime:150
a=sendrecv
a=rtcp-mux
a=ssrc:76558848 cname:538232ea-377a-4580-bbbf-b628179978fe
a=msid:d878b6d8-74b4-40e7-8221-4ebd9a62e25b 0a3ca578-c92b-445a-94fd-3f1d9234eebc
a=rtcp-fb:* transport-cc
a=mid:0

As you can see, in the SDP there is no address 193.x.x.x present (no a=candidate lines), as there are if I enable icesupport.

Thanks for any suggestion
edvin

ICE support is required for WebRTC. You can’t disable it. The option changes the ICE host candidate lines, or adds additional ones.

Hi,
great, enabling icesupport solved the issue.

have a nice day
edvin

just a note for previous discussion…

With ice_host_candidates mapping there is no way to set fixed external addresses, which is IMO the most common scenario. For example, I was not able to set that only the external 193.x.x.x and the single local 10.1.1.5 will be included as candidates in the SDP.

Maybe something like this:
any => 193.x.x.x
any => 10.1.1.5

So that in any situation ONLY those two addresses will be included, and also any change in server network configuration (like adding a VPN connection or a Docker network) will not reveal a new candidate in the SDP or remove a fixed one.

best regards
edvin

I don’t quite understand what you mean, but you can prevent candidates from appearing in the SDP by using the “ice_deny” and “ice_permit” functionality.

I missed the ice_permit options! I would like to achieve that only 10.1.1.5 and 193.1.2.3 are used as candidates in the SDP. (no other internal networks)

I tried this:

[general]
rtpstart=10000
rtpend=20000
icesupport=true
ice_permit = 10.1.1.5/32
ice_permit = 193.1.2.3/32
[ice_host_candidates]
10.1.1.5 => 193.1.2.3,include_local_address

I would expect only 2 candidates in client SDP (10.1.1.5 and 193.1.2.3), but I got three, there is additional internal VPN network.

You have to have an ice_deny first, to start with blocking everything. It works the same as ACLs in other places.
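
An added example (not part of the original thread and not Asterisk code): a small Python model of the ACL rule described in the last reply, run against the rtp.conf posted above. It assumes Asterisk's usual ACL semantics (an address matching no rule is allowed, and the last matching rule decides); the VPN address 10.8.0.1, the `0.0.0.0/0` deny line and the helper names are constructed for illustration.

```python
import ipaddress

def parse_rules(conf_text):
    """Collect ice_deny / ice_permit lines from rtp.conf text, in file order."""
    rules = []
    for line in conf_text.splitlines():
        line = line.split(";", 1)[0].strip()          # ';' starts a comment
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in ("ice_deny", "ice_permit"):
            rules.append((key[len("ice_"):], value))  # ("deny" | "permit", subnet)
    return rules

def acl_allows(rules, addr):
    """Assumed ACL model: start with allow, the last matching rule wins."""
    ip = ipaddress.ip_address(addr)
    allowed = True
    for action, net in rules:
        if ip in ipaddress.ip_network(net, strict=False):
            allowed = (action == "permit")
    return allowed

def surviving_candidates(conf_text, candidates):
    """Return the candidate addresses the ACL would leave in the SDP."""
    rules = parse_rules(conf_text)
    return [c for c in candidates if acl_allows(rules, c)]

# The configuration from the thread: permits only, no deny.
PERMIT_ONLY = """
[general]
icesupport=true
ice_permit = 10.1.1.5/32
ice_permit = 193.1.2.3/32
[ice_host_candidates]
10.1.1.5 => 193.1.2.3,include_local_address
"""

# Same configuration with a deny-everything rule placed first.
DENY_FIRST = PERMIT_ONLY.replace(
    "ice_permit = 10.1.1.5/32",
    "ice_deny = 0.0.0.0/0\nice_permit = 10.1.1.5/32", 1)

# 10.8.0.1 stands in for the unnamed VPN interface (constructed value).
CANDIDATES = ["10.1.1.5", "193.1.2.3", "10.8.0.1"]

if __name__ == "__main__":
    print("permit only:", surviving_candidates(PERMIT_ONLY, CANDIDATES))
    print("deny first: ", surviving_candidates(DENY_FIRST, CANDIDATES))
```

With permits alone, the VPN address matches no rule and falls through to the default allow, which is the third candidate seen in the thread; the leading deny removes that default.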
