netbirdio / netbird

Connect your devices into a secure WireGuard®-based overlay network with SSO, MFA and granular access controls.
https://netbird.io
BSD 3-Clause "New" or "Revised" License

stun server with tcp #2032

Closed H777K closed 4 weeks ago

H777K commented 2 months ago

Describe the problem

Hi, I am currently setting up a netbird self-hosted setup. I use coturn as stun/turn server. Coturn is exposed with port 80/tcp and internally forwarded to port 3478/tcp. In the management.json I have specified the tcp protocol for both the stun and the turn server. The turn server works perfectly, but the stun server does not:

netbird status -d output:

Relays: 
  [stun:<dns_name_placeholder>:80] is Unavailable, reason: stun request: context deadline exceeded
  [turn:<dns_name_placeholder>:80?transport=tcp] is Available

content of management.json:

{
    "Stuns": [
        {
            "Proto": "tcp",
            "URI": "stun:<dns_name_placeholder>:80",
            "Username": "",
            "Password": ""
        }
    ],
    "TURNConfig": {
        "TimeBasedCredentials": false,
        "CredentialsTTL": "0s",
        "Secret": "",
        "Turns": [
            {
                "Proto": "tcp",
                "URI": "turn:<dns_name_placeholder>:80?transport=tcp",
                "Username": "myuser",
                "Password": "mypassword"
            }
        ]
    }
}

If I set stun:<dns_name_placeholder>:80?transport=tcp in the management.json, the stun server no longer appears when I execute netbird status -d. If I remove the stun server completely from the management.json, everything still works. This leads to some questions for me:

  1. How can I use the stun server with tcp, is something missing in my configuration?
  2. Is a stun server mandatory or is it sufficient to use just a turn server?
  3. What are the disadvantages of using the stun/turn server with tcp instead of udp?

Expected behavior

I would expect the stun server to also work via tcp, like the turn server.

Are you using NetBird Cloud?

no (self-hosted NetBird's control plane)

NetBird version

0.27.7

lixmal commented 2 months ago

> How can I use the stun server with tcp, is something missing in my configuration?

You will have to forward the UDP port instead of TCP. STUN is a UDP protocol.

> Is a stun server mandatory or is it sufficient to use just a turn server?

It can be the same endpoint, but you will at minimum need STUN, unless there are no peers behind NAT.

> What are the disadvantages of using the stun/turn server with tcp instead of udp?

TURN via TCP (e.g. on port 443) has a higher chance to be allowed in restricted client environments, otherwise UDP is preferable for performance for relayed connections.
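As an added check (not netbird's own code), assuming only the management.json field names shown in this issue and the rule from the answer above that netbird probes STUN over UDP only: a small Go linter that flags the STUN-over-tcp entry from the issue, a STUN URI carrying ?transport= (which the issue reports disappears from netbird status), and a TURN entry whose Proto disagrees with its ?transport= parameter. The relay.example host and the sample config are constructed.

```go
package main
import (
	"encoding/json"
	"fmt"
	"strings"
)
// Relay is one entry under "Stuns" or "TURNConfig.Turns"; Management is the
// subset of management.json that this check reads (field names from the issue).
type Relay struct {
	Proto string `json:"Proto"`
	URI   string `json:"URI"`
}
type Management struct {
	Stuns      []Relay `json:"Stuns"`
	TURNConfig struct{ Turns []Relay `json:"Turns"` } `json:"TURNConfig"`
}
// CheckRelays returns one finding per entry that would fail as in the issue:
// a STUN entry not on udp (the client probes STUN over UDP only), a STUN URI
// with ?transport= (the entry then vanishes from status), or a TURN Proto/?transport= mismatch.
func CheckRelays(raw []byte) ([]string, error) {
	var m Management
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	var out []string
	for _, s := range m.Stuns {
		if !strings.EqualFold(s.Proto, "udp") {
			out = append(out, s.URI+": STUN needs Proto udp and a forwarded UDP port, got "+s.Proto)
		}
		if strings.Contains(s.URI, "?transport=") {
			out = append(out, s.URI+": remove ?transport= from STUN URIs")
		}
	}
	for _, t := range m.TURNConfig.Turns {
		transport := "udp" // RFC 7065 default when ?transport= is absent
		if i := strings.Index(t.URI, "?transport="); i >= 0 {
			transport = t.URI[i+len("?transport="):]
		}
		if !strings.EqualFold(transport, t.Proto) {
			out = append(out, t.URI+": Proto "+t.Proto+" but URI transport "+transport)
		}
	}
	return out, nil
}
func main() {
	// Constructed sample mirroring the issue: STUN and TURN both set to tcp.
	cfg := `{"Stuns":[{"Proto":"tcp","URI":"stun:relay.example:80"}],"TURNConfig":{"Turns":[{"Proto":"tcp","URI":"turn:relay.example:80?transport=tcp"}]}}`
	fmt.Println(CheckRelays([]byte(cfg)))
}
```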

H777K commented 4 weeks ago

@lixmal Thank you for the explanation