WebRTC - WSS - Asterisk 13.7.0 - anybody has both audio and video working?

Hi all!

My first post on here. As per subject, I am trying to mix Asterisk 13.7.0 and WebRTC over WSS and having huge problems. For web browser I use Chrome 48.0.2564.116 m (incognito mode if matters).

It took me a lot of time to get to a point where I can just make calls between 2 WebRTC enabled extensions. Found my way around FreePBX automatically generated configuration files to enable WSS as transport and tweak few settings for extensions. Signaling-wise calls can be established and disconnected. At the moment I am using sipML5 for WebRTC clients. My findings are as follows:

1. The most I can get from this setup is a one-way speech path and event that is not 100% consistent. Some times works, sometimes not. To clarify more, if I make only an audio call and one way speech path exists (calee can hear caller). If I make a video call, then I do not have any speech path at all. 100% reproducible. Video does not work at all and all I get is a black screen. However, local cameras are activated and small local video is available on the screen.

2. I can only use chan_SIP but not chan_PJSIP for WebRTC. Can chan_PJSIP be configured to work well and to provide both video and audio? If possible how to set things up? I tried few things and discovered that if I pipe all the signalling through https://IP_address:8089/ws it appears that chan_SIP intercepts the messages and they never make it to the chan_PJSIP. Where do messages have to go if chan_PJSIP is used?

3. Only guides, text, web pages on the Internet that talk about WebRTC refer to Asterisk 11 and 12, but no mention of 13. Is this really the case? I can’t believe no one got it working on Asterisk 13.

4. One peculiar finding. If I enable WSS for an extension, from time to time Asterisk will keep rejecting secure web socket connections from this extension (running on a laptop) until I actually from a web browser directly visit https://IP_address:8089/ws page (by this I mean I have to enter that address under URL within Chrome browser)!? After that sipML5 is able to establish WSS connection. This sounds like a bug to me. Anyone else witnessed the same?

5. If anybody is interested in helping me out or to share frustration fighting the same issues, be my guest and reply back : The concept to have a VoIP client within a browser is super powerful and cool. To get there is not cool at all. I will be willing to provide any required logs including configuration files.

I noticed ‘navaismo’ is the master in this domain and his input is more than welcome. Since he explicitly stated people not to bug him I hope he comes across this post on his own

Thanks in advance for any help or suggestion.

Regards,
Zarko

Video seems not to work as expected in the recent version of asterisk but there is a lot people working on it in the Asterisk JIRA page you may wnat to take a look there. People is sharing their findings and possible workarounds to WebRTC and asterisk.

In my case I drop the test with PJSIP since the developers of asterisk decided to not give much atention to WebRTC since is not a completed RFC(but they still help people on JIRA). I use chan_sip and only in earlier versions. Maybe is time to take a look with 13 and PJSIP.

Many people works with 13 and webRTC but there are few that share the experience or best practices.

This is caused because you are using self signed certificates. If you switch to valid certificates, I mean, one from an authority you don’t need to go and allow that exception. Comodo can give you Trial certificates or you can use Let’s Encrypt too.

Finally I´m not a master in this, I’m only spent like two years or more dealing with webrtc and asterisk, later I just shared my findings to make the path painless. And usually there are many common errors, thats all.

You can share your configs, debugs, and errors and the community will help you.

OK, here is one example of what’s happening on my system and how I got to the current state.

1. Created self signed Certificate Authority and self signed certificate for my PBX

2. Using chan_sip configured 2 SIP extensions 111 and 112 through FreePBX (no extra settings for them)

3. Then I enabled WebRTC phone for the new created extensions: Admin/User Management. By this step PBX already had 4 extensions: 111 and 112 and their WebRTC counterparts 99111 and 99112. FreePBX at this point did mappings (111<–>99111, and 112<—>99112) which are utilized in step 6

4. Now I had to add ‘wss’ protocol for extensions 99111 and 99112. This is done my manually editing sip_custom_post.conf and the content was like this:

[99111](+)
transport=wss,ws,udp,tcp
secret=pass99111

[99112](+)
transport=wss,ws,udp,tcp
secret=pass99112

5. Used sipML5 on 2 different PCs residing on the same LAN with PBX and one registered and acted as 99111 and the other as 99112. Web browser is Chrome

6. Made a video enabled call from 99112 by calling ‘111’. This rang web client on another PC and call is answered. In Asterisk log I see 2 errors which could shed more light but I can’t explain what they really mean except maybe inability to properly encrypt/decrypt media. Errors as as follows:

[2016-02-24 13:28:52] WARNING[19694][C-00000007] res_srtp.c: SRTP unprotect failed with: authentication failure 10
...
[2016-02-24 13:28:53] WARNING[19692][C-00000007] res_srtp.c: SRTP unprotect failed with: authentication failure 10

Anyone knows what these really mean and how to fix the issue?

Full logs of the call along with SIP messages are uploaded here.

My Asterisk configuration files look like following:
Content of sip_general_additional.conf

;--------------------------------------------------------------------------------;
;          Do NOT edit this file as it is auto-generated by FreePBX.             ;
;--------------------------------------------------------------------------------;
; For information on adding additional paramaters to this file, please visit the ;
; FreePBX.org wiki page, or ask on IRC. This file was created by the new FreePBX ;
; BMO - Big Module Object. Any similarity in naming with BMO from Adventure Time ;
; is totally deliberate.                                                         ;
;--------------------------------------------------------------------------------;
vmexten=*97
context=from-sip-external
callerid=Unknown
notifyringing=yes
notifyhold=yes
tos_sip=cs3
tos_audio=ef
tos_video=af41
alwaysauthreject=yes
useragent=FPBX-12.0.76.2(13.7.0)
disallow=all
allow=ulaw
allow=vp8
tlsenable=yes
tlsbindaddr=192.168.1.40:12000
tlscertfile=/etc/asterisk/keys/MyRaspbxCrt.pem
tlsclientmethod=tlsv1
tcpenable=yes
tcpbindaddr=192.168.1.40:11000
transport=ws,wss,tls
tlsprivatekey=/etc/asterisk/keys/MyRaspbxCrt.key
tlscipher=ALL
rtpend=20000
rtpstart=10000
callevents=no
bindport=5060
jbenable=no
rtpholdtimeout=300
registertimeout=20
registerattempts=0
videosupport=yes
rtpkeepalive=0
rtptimeout=30
srvlookup=no
notifyringing=yes
notifyhold=yes
checkmwi=10
allowguest=yes
canreinvite=no
defaultexpiry=120
g726nonstandard=no
maxcallbitrate=384
maxexpiry=3600
minexpiry=60
nat=yes
ALLOW_SIP_ANON=no
externip=104.251.107.96
localnet=192.168.1.1/24
localnet=192.168.1.0/24

Content of sip_general_custom.conf:

tlsenable=yes
tlsbindaddr=192.168.1.40
tlscertfile=/etc/asterisk/keys/MyRaspbxCrt.pem
tlsdontverifyserver=yes
;tlscipher=DES-CBC3-SHA
tlsclientmethod=sslv23
tlscafile=/etc/asterisk/keys/ca.crt
rtcachefriends=yes

And content of sip_additional.conf:

;--------------------------------------------------------------------------------;
;          Do NOT edit this file as it is auto-generated by FreePBX.             ;
;--------------------------------------------------------------------------------;
; For information on adding additional paramaters to this file, please visit the ;
; FreePBX.org wiki page, or ask on IRC. This file was created by the new FreePBX ;
; BMO - Big Module Object. Any similarity in naming with BMO from Adventure Time ;
; is totally deliberate.                                                         ;
;--------------------------------------------------------------------------------;
[111]
deny=0.0.0.0/0.0.0.0
secret=pass111
dtmfmode=rfc2833
canreinvite=no
context=from-internal
host=dynamic
trustrpid=yes
mediaencryption=no
sendrpid=no
type=friend
nat=force_rport,comedia
port=5060
qualify=yes
qualifyfreq=60
transport=udp,tcp,tls
avpf=no
force_avp=no
icesupport=no
encryption=no
callgroup=
pickupgroup=
dial=SIP/111
permit=0.0.0.0/0.0.0.0
callerid=zar ko - 111 <111>
callcounter=yes
faxdetect=no
dtlsenable=yes
dtlsverify=fingerprint
dtlscertfile=/etc/asterisk/keys/MyRaspbxCrt.pem
dtlscafile=/etc/asterisk/keys/ca.crt
dtlssetup=actpass
dtlsrekey=0

[112]
deny=0.0.0.0/0.0.0.0
secret=pass112
dtmfmode=rfc2833
canreinvite=no
context=from-internal
host=dynamic
trustrpid=yes
mediaencryption=no
sendrpid=no
type=friend
nat=force_rport,comedia
port=5060
qualify=yes
qualifyfreq=60
transport=udp,tcp,tls
avpf=no
force_avp=no
icesupport=no
encryption=no
callgroup=
pickupgroup=
dial=SIP/112
permit=0.0.0.0/0.0.0.0
callerid=tim - 112 <112>
callcounter=yes
faxdetect=no
dtlsenable=yes
dtlsverify=fingerprint
dtlscertfile=/etc/asterisk/keys/MyRaspbxCrt.pem
dtlscafile=/etc/asterisk/keys/ca.crt
dtlssetup=actpass
dtlsrekey=0

[99111]
deny=0.0.0.0/0.0.0.0
dtmfmode=rfc2833
canreinvite=no
host=dynamic
trustpid=yes
sendpid=no
type=friend
nat=no
port=5060
qualify=yes
qualifyfreq=60
transport=ws
avpf=yes
force_avp=yes
icesupport=yes
encryption=yes
callgroup=
pickupgroup=
permit=0.0.0.0/0.0.0.0
dial=SIP/99111
secret=6f290ad09c19441c44bb1e9e6305b43b
context=from-internal
mailbox=99111@device
callerid=zar ko - 111 <99111>
callcounter=yes
faxdetect=no
dtlsenable=yes
dtlsverify=fingerprint
dtlscertfile=/etc/asterisk/keys/MyRaspbxCrt.pem
dtlscafile=/etc/asterisk/keys/ca.crt
dtlssetup=actpass
dtlsrekey=0

[99112]
deny=0.0.0.0/0.0.0.0
dtmfmode=rfc2833
canreinvite=no
host=dynamic
trustpid=yes
sendpid=no
type=friend
nat=no
port=5060
qualify=yes
qualifyfreq=60
transport=ws
avpf=yes
force_avp=yes
icesupport=yes
encryption=yes
callgroup=
pickupgroup=
permit=0.0.0.0/0.0.0.0
dial=SIP/99112
secret=431cad4fcda97a5e578b6be5a6a41db2
context=from-internal
mailbox=99112@device
callerid=tim - 112 <99112>
callcounter=yes
faxdetect=no
dtlsenable=yes
dtlsverify=fingerprint
dtlscertfile=/etc/asterisk/keys/MyRaspbxCrt.pem
dtlscafile=/etc/asterisk/keys/ca.crt
dtlssetup=actpass
dtlsrekey=0

And finally sip_custom_post.conf:

[99111](+)
transport=wss,ws,udp,tcp
secret=pass99111
[99112](+)
transport=wss,ws,udp,tcp
secret=pass99112

Ok, ignoring that you are using FreePBX and it is out of the scope of the Asterisks forums I have another doubt which is: You made a video call between webrtc device 99112 and 99111 right?
So basically you are trying to send a VP8 codec to chrome to chrome isn’t?

At work I can’t see the full logs.

About the SRTP failure there is the following information:
https://code.google.com/archive/p/sipml5/issues/44
https://issues.asterisk.org/jira/browse/ASTERISK-24735

So as mentioned earlier Video using webrtc and asterisk is stil experimental you can try to patch your system to use VP8 and give a quick look.

So far to use WebRTC with Asterisk these days I’ll recommend a gateway in front of it. Also take a look to the Kurento project at http://www.kurento.org/

I not made a deeper search in the JIRA page but maybe it worth that you can go and dive there to find a solution.