DTLS with webRTC.

[Tanmay49]

Your environment.

—> Certificates

• We tried using certificates generated using a Certificate Authority, as well as self signed certificates.

—> Auth:

• We are using separate listeners for devices and clients. Clients connect to port udp 3478, whereas the devices connect to port dtls 3456. The devices are to be verified based on X.509 certificates whereas the clients are supposed to be verified using Bearer Token Authentication.

—> Business Logic:

• The devices generate the offer which is transferred to the client (here Web Browser- Chrome). the client accepts and generates answer which is transferred to the device. For this SDP transfer we are using MQTT.

• Device (here: Raspberry Pi with a camera)

  configs := webrtc.Configuration{
      ICEServers: []webrtc.ICEServer{
          {
              // URLs: []string{"stun:stun.l.google.com:19302", "stun:stun2.l.google.com:19302"},
              URLs: []string{"turns:x.x.x.x:3456?transport=udp"},
              Username:   "Device xyz",
              Credential: "xyz",
          },
      },
      ICETransportPolicy:   webrtc.ICETransportPolicyRelay,
      ICECandidatePoolSize: 10,
      Certificates:         []webrtc.Certificate{Certificate},
  }
  codecSelector := getCodecSelector(1000000)
  
  mediaEngine := webrtc.MediaEngine{}
  codecSelector.Populate(&mediaEngine)
  
  settingEngine := webrtc.SettingEngine{}
  
  settingEngine.SetDTLSClientAuth(dtls.RequireAndVerifyClientCert)
  settingEngine.SetDTLSClientCAs(certPool)
  settingEngine.SetDTLSExtendedMasterSecret(dtls.RequireExtendedMasterSecret)
  settingEngine.SetAnsweringDTLSRole(webrtc.DTLSRoleClient)
  
  mediaStream, err := mediadevices.GetUserMedia(mediadevices.MediaStreamConstraints{
      Video: func(c *mediadevices.MediaTrackConstraints) {
          // c.FrameFormat = prop.FrameFormat("RGBA")
          // c.Width = prop.Int(800)
          // c.FrameRate = prop.Float(30)
      },
      Codec: codecSelector,
  })
  if err != nil {
      panic(err)
  }
  
  x := webrtc.NewAPI(webrtc.WithMediaEngine(&mediaEngine), webrtc.WithSettingEngine(settingEngine))
  peerConnection, err := x.NewPeerConnection(configs)

• Client(Web Browser:Chrome)

import './style.css';
import mqtt from 'mqtt';
const servers = {
  iceServers: [  {
    urls: ['turns:192.168.1.66:3478?transport=udp'],
    username:'Bearer vPomRCrXuKxCbXQ6lDJ_sRPnH37wqc_SC0SZfse4w_Oq3bB25MrlPspbHHCTUlaBHkySIjo',
    credential: 'golain',
  },
  ],  iceCandidatePoolSize: 10,
};
// Global State
const pc = new RTCPeerConnection(servers);

let remoteStream = null;

// HTML elements
const webcamButton = document.getElementById('webcamButton');
const remoteVideo = document.getElementById('remoteVideo');

// 1. Setup media sources

const client = mqtt.connect('mqtt://173.249.7.183:1882');

webcamButton.onclick = async () => {
  remoteStream = new MediaStream();

  // Pull tracks from remote stream, add to video stream
  pc.ontrack = (event) => {
    event.streams[0].getTracks().forEach((track) => {
      remoteStream.addTrack(track);
    });
  };

  remoteVideo.srcObject = remoteStream;
    client.subscribe('offer', (err) => {
      if (err) {
        console.error(err);
        return;
      }

      console.log('Subscribed to topic');
    });

};

client.on('message', async (topic, message) => {
  var answerCandidates=[]
  pc.onicecandidate = (event) => {
    event.candidate && answerCandidates.push(event.candidate.toJSON());
    console.log(answerCandidates);
  };

  // Parse the message to get the offer and the candidates
  const data = JSON.parse(message.toString());
  const {offer, candidates} = data;

  console.log(offer, candidates);
  const offers = new RTCSessionDescription(offer);

  // Set the remote description using the offer
  await pc.setRemoteDescription(new RTCSessionDescription(offers));

  // Create an answer and set the local description
  const answerDescription = await pc.createAnswer();
  await pc.setLocalDescription(answerDescription);

  // Add each candidate to the RTCPeerConnection and wait for all to complete
  await Promise.all(candidates.map(candidate => pc.addIceCandidate(new RTCIceCandidate(candidate))));

  // Publish the answer

  pc.onicegatheringstatechange = () => {
  if (pc.iceGatheringState === 'complete') {
    console.log('ICE gathering complete');
    const answer = {
      type: answerDescription.type,
      sdp: answerDescription.sdp,
      answerCandidates: answerCandidates
    };
    console.log(JSON.stringify({ AnswerData: answer  }));
  client.publish('answer', JSON.stringify({ AnswerData: answer  }));
  }
}
});

• TURN Server

  dtlsListener, err := dtls.Listen("udp", &net.UDPAddr{IP: net.ParseIP("0.0.0.0"), Port: C.Conf.TCPPort}, &dtls.Config{
      Certificates:         []tls.Certificate{serverKeyPair},
      ClientAuth:           dtls.RequireAndVerifyClientCert,
      ClientCAs:            certPool,
      RootCAs:              certPool,
      ExtendedMasterSecret: dtls.RequireExtendedMasterSecret,
      ConnectContextMaker: func() (context.Context, func()) {
          return context.WithTimeout(ctx, 30*time.Second)
      },
  s, err := turn.NewServer(turn.ServerConfig{
      Realm: C.Conf.Realm,
      AuthHandler: func(username string, realm string, srcAddr net.Addr) ([]byte, bool) { // nolint: revive
          fmt.Println(username, realm, srcAddr)
  
          if strings.Split(username, " ")[0] == "Bearer" {
              if auth.IntrospectAuthTokenZitadel(username, context.Background()) {
                  return turn.GenerateAuthKey(username, realm, C.Conf.Password), true
              } else {
                  return nil, false
              }
          } else {
              // NO NEED TO DO DEVICE AUTH -> Already done using X.509 Certificates
              return turn.GenerateAuthKey(username, realm, C.Conf.Password), true
          }
      },
      // PacketConnConfigs is a list of UDP Listeners and the configuration around them
      PacketConnConfigs: []turn.PacketConnConfig{
          {
              PacketConn: udpListener,
              RelayAddressGenerator: &turn.RelayAddressGeneratorStatic{
                  RelayAddress: net.ParseIP(C.Conf.PublicIP),
                  Address:      "0.0.0.0",
              },
          },
      },
      // ListenerConfigs is a list of TCP Listeners and the configuration around them
      ListenerConfigs: []turn.ListenerConfig{
          {
              Listener: dtlsListener,
              RelayAddressGenerator: &turn.RelayAddressGeneratorStatic{
                  RelayAddress: net.ParseIP(C.Conf.PublicIP),
                  Address:      "0.0.0.0",
              },
          },
      },
  })

What did we try?

https://github.com/pion/dtls/blob/master/examples/listen/selfsign/main.go

• DTLS using self signed certificates: —> Client Side

config := &dtls.Config{
        Certificates:         []tls.Certificate{cert},
        ClientAuth:           dtls.RequireAnyClientCert,
        ClientCAs:            certPool,
        InsecureSkipVerify:   true,
        ExtendedMasterSecret: dtls.RequireExtendedMasterSecret,
    }
        addr := &net.UDPAddr{IP: net.ParseIP("173.249.7.183"), Port: 3456}
    ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
    defer cancel()

    dtlsConn, err := dtls.DialWithContext(ctx, "udp", addr, config)
    util.Check(err)
    defer func() {
        util.Check(dtlsConn.Close())
    }()

This creates a successful connection and there is a successful handshake.The problem here is that we cannot create a webrtc Peer connection on top of this.

• What else did we try:
• We modified the Agent in pion/ice/gather.go to start sending certificates on dtls which initially just sent InsecureSkipVerify= true.

            ------------------ORIGINAL CODE------------------

udpAddr, connectErr := a.net.ResolveUDPAddr(network, turnServerAddr)
                if connectErr != nil {
                    a.log.Warnf("Failed to resolve UDP address %s: %v", turnServerAddr, connectErr)
                    return
                }

                udpConn, dialErr := a.net.DialUDP("udp", nil, udpAddr)
                if dialErr != nil {
                    a.log.Warnf("Failed to dial DTLS address %s: %v", turnServerAddr, dialErr)
                    return
                }

                conn, connectErr := dtls.ClientWithContext(ctx, udpConn, &dtls.Config{
                    ServerName:         url.Host,
                    InsecureSkipVerify: a.insecureSkipVerify, //nolint:gosec
                })
            -----------------------------------------------------

            --------------MODIFIED CODE-------------------------
            case url.Proto == stun.ProtoTypeUDP && url.Scheme == stun.SchemeTypeTURNS:
                udpAddr, connectErr := a.net.ResolveUDPAddr(network, turnServerAddr)
                if connectErr != nil {
                    a.log.Warnf("Failed to resolve UDP address %s: %v", turnServerAddr, connectErr)
                    return
                }

                udpConn, dialErr := a.net.DialUDP("udp", nil, udpAddr)
                if dialErr != nil {
                    a.log.Warnf("Failed to dial DTLS address %s: %v", turnServerAddr, dialErr)
                    return
                }
                cert, err := tls.LoadX509KeyPair("Device1.pub.pem", "Device1.pem")
                if err != nil {
                    panic(err)
                }

                conn, connectErr := dtls.ClientWithContext(ctx, udpConn, &dtls.Config{
                    ServerName:         url.Host,
                    InsecureSkipVerify: a.insecureSkipVerify, //nolint:gosec
                    Certificates:       []tls.Certificate{cert},
                    ClientAuth:        dtls.RequireAndVerifyClientCert,
                    ClientCAs: ,
                })
                if connectErr != nil {
                    a.log.Warnf("Failed to create DTLS client: %v", turnServerAddr, connectErr)
                    return
                }

                relAddr = conn.LocalAddr().(*net.UDPAddr).IP.String() //nolint:forcetypeassert
                relPort = conn.LocalAddr().(*net.UDPAddr).Port        //nolint:forcetypeassert
                relayProtocol = "dtls"
                locConn = &fakenet.PacketConn{Conn: conn}

This creates a successful DTLS connection with the server. This also fails and throws error Bad Certificates when wrong certificates are provided which is the expected behaviour.

• What does this do to the TURN server

dtls DEBUG: 14:28:31.389291 conn.go:755: CipherSuite not initialized, queuing packet
dtls DEBUG: 14:28:31.390055 conn.go:678: received packet of next epoch, queuing packet
turn DEBUG: 14:28:31.518817 server.go:38: Received 36 bytes of udp from 103.157.123.186:37058 on [::]:3456
turn DEBUG: 14:28:31.519568 server.go:63: Handling TURN packet
turn DEBUG: 14:28:31.519828 turn.go:21: Received AllocateRequest from 103.157.123.186:37058
turn DEBUG: 14:28:31.646542 server.go:38: Received 176 bytes of udp from 103.157.123.186:37058 on [::]:3456
turn DEBUG: 14:28:31.646589 server.go:63: Handling TURN packet
turn DEBUG: 14:28:31.646616 turn.go:21: Received AllocateRequest from 103.157.123.186:37058
Device 1 dev.golain.io 103.157.123.186:37058
turn DEBUG: 14:28:31.646836 allocation_manager.go:116: Listening on relay address: 173.249.7.183:34044
turn DEBUG: 14:28:31.914046 allocation.go:246: Relay socket 173.249.7.183:34044 received 108 bytes from 103.157.123.186:49671
turn INFO: 2024/05/02 14:28:31 No Permission or Channel exists for 103.157.123.186:49671 on allocation 173.249.7.183:34044
turn DEBUG: 14:28:31.976767 allocation.go:246: Relay socket 173.249.7.183:34044 received 108 bytes from 103.157.123.186:49671
turn INFO: 2024/05/02 14:28:31 No Permission or Channel exists for 103.157.123.186:49671 on allocation 173.249.7.183:34044
turn DEBUG: 14:28:32.036830 allocation.go:246: Relay socket 173.249.7.183:34044 received 108 bytes from 103.157.123.186:49671
turn INFO: 2024/05/02 14:28:32 No Permission or Channel exists for 103.157.123.186:49671 on allocation 173.249.7.183:34044
turn DEBUG: 14:28:32.099533 allocation.go:246: Relay socket 173.249.7.183:34044 received 108 bytes from 103.157.123.186:49671
turn INFO: 2024/05/02 14:28:32 No Permission or Channel exists for 103.157.123.186:49671 on allocation 173.249.7.183:34044
turn DEBUG: 14:28:32.162344 allocation.go:246: Relay socket 173.249.7.183:34044 received 108 bytes from 103.157.123.186:49671
turn INFO: 2024/05/02 14:28:32 No Permission or Channel exists for 103.157.123.186:49671 on allocation 173.249.7.183:34044
turn DEBUG: 14:28:32.190550 server.go:38: Received 180 bytes of udp from 103.157.123.186:37058 on [::]:3456
turn DEBUG: 14:28:32.190639 server.go:63: Handling TURN packet
turn DEBUG: 14:28:32.190658 turn.go:220: Received CreatePermission from 103.157.123.186:37058
Device 1 dev.golain.io 103.157.123.186:37058
turn DEBUG: 14:28:32.190723 turn.go:250: Adding permission for 192.168.1.66:49671
turn DEBUG: 14:28:32.225874 allocation.go:246: Relay socket 173.249.7.183:34044 received 108 bytes from 103.157.123.186:49671
turn INFO: 2024/05/02 14:28:32 No Permission or Channel exists for 103.157.123.186:49671 on allocation 173.249.7.183:34044
turn DEBUG: 14:28:32.286379 allocation.go:246: Relay socket 173.249.7.183:34044 received 108 bytes from 103.157.123.186:49671
turn INFO: 2024/05/02 14:28:32 No Permission or Channel exists for 103.157.123.186:49671 on allocation 173.249.7.183:34044
turn DEBUG: 14:28:32.316566 server.go:38: Received 144 bytes of udp from 103.157.123.186:37058 on [::]:3456
turn DEBUG: 14:28:32.316617 server.go:63: Handling TURN packet
turn DEBUG: 14:28:32.316631 turn.go:275: Received SendIndication from 103.157.123.186:37058
turn DEBUG: 14:28:32.317461 server.go:38: Received 188 bytes of udp from 103.157.123.186:37058 on [::]:3456
turn DEBUG: 14:28:32.317486 server.go:63: Handling TURN packet
turn DEBUG: 14:28:32.317501 turn.go:308: Received ChannelBindRequest from 103.157.123.186:37058
Device 1 dev.golain.io 103.157.123.186:37058
turn DEBUG: 14:28:32.317598 turn.go:346: Binding channel 16384 to 192.168.1.66:49671
turn DEBUG: 14:28:32.349460 allocation.go:246: Relay socket 173.249.7.183:34044 received 108 bytes from 103.157.123.186:49671
turn INFO: 2024/05/02 14:28:32 No Permission or Channel exists for 103.157.123.186:49671 on allocation 173.249.7.183:34044
turn DEBUG: 14:28:32.412439 allocation.go:246: Relay socket 173.249.7.183:34044 received 108 bytes from 103.157.123.186:49671
turn INFO: 2024/05/02 14:28:32 No Permission or Channel exists for 103.157.123.186:49671 on allocation 173.249.7.183:34044
turn DEBUG: 14:28:32.474458 allocation.go:246: Relay socket 173.249.7.183:34044 received 108 bytes from 103.157.123.186:49671
turn INFO: 2024/05/02 14:28:32 No Permission or Channel exists for 103.157.123.186:49671 on allocation 173.249.7.183:34044
turn DEBUG: 14:28:32.517953 server.go:38: Received 104 bytes of udp from 103.157.123.186:37058 on [::]:3456
turn DEBUG: 14:28:32.518012 server.go:48: Received DataPacket from 103.157.123.186:37058
turn DEBUG: 14:28:32.518028 turn.go:362: Received ChannelData from 103.157.123.186:37058
turn DEBUG: 14:28:32.536921 allocation.go:246: Relay socket 173.249.7.183:34044 received 108 bytes from 103.157.123.186:49671
turn INFO: 2024/05/02 14:28:32 No Permission or Channel exists for 103.157.123.186:49671 on allocation 173.249.7.183:34044
turn DEBUG: 14:28:32.599522 allocation.go:246: Relay socket 173.249.7.183:34044 received 108 bytes from 103.157.123.186:49671
turn INFO: 2024/05/02 14:28:32 No Permission or Channel exists for 103.157.123.186:49671 on allocation 173.249.7.183:34044
turn DEBUG: 14:28:32.661949 allocation.go:246: Relay socket 173.249.7.183:34044 received 108 bytes from 103.157.123.186:49671
turn INFO: 2024/05/02 14:28:32 No Permission or Channel exists for 103.157.123.186:49671 on allocation 173.249.7.183:34044
turn DEBUG: 14:28:32.718505 server.go:38: Received 104 bytes of udp from 103.157.123.186:37058 on [::]:3456
turn DEBUG: 14:28:32.718648 server.go:48: Received DataPacket from 103.157.123.186:37058
turn DEBUG: 14:28:32.718666 turn.go:362: Received ChannelData from 103.157.123.186:37058
turn DEBUG: 14:28:32.724339 allocation.go:246: Relay socket 173.249.7.183:34044 received 108 bytes from 103.157.123.186:49671
turn INFO: 2024/05/02 14:28:32 No Permission or Channel exists for 103.157.123.186:49671 on allocation 173.249.7.183:34044
turn DEBUG: 14:28:32.786786 allocation.go:246: Relay socket 173.249.7.183:34044 received 108 bytes from 103.157.123.186:49671
turn INFO: 2024/05/02 14:28:32 No Permission or Channel exists for 103.157.123.186:49671 on allocation 173.249.7.183:34044
turn DEBUG: 14:28:32.851744 allocation.go:246: Relay socket 173.249.7.183:34044 received 108 bytes from 103.157.123.186:49671
turn INFO: 2024/05/02 14:28:32 No Permission or Channel exists for 103.157.123.186:49671 on allocation 173.249.7.183:34044
turn DEBUG: 14:28:32.913685 allocation.go:246: Relay socket 173.249.7.183:34044 received 108 bytes from 103.157.123.186:49671
turn INFO: 2024/05/02 14:28:32 No Permission or Channel exists for 103.157.123.186:49671 on allocation 173.249.7.183:34044
turn DEBUG: 14:28:32.920312 server.go:38: Received 104 bytes of udp from 103.157.123.186:37058 on [::]:3456
turn DEBUG: 14:28:32.920364 server.go:48: Received DataPacket from 103.157.123.186:37058
turn DEBUG: 14:28:32.920373 turn.go:362: Received ChannelData from 103.157.123.186:37058
turn DEBUG: 14:28:32.974925 allocation.go:246: Relay socket 173.249.7.183:34044 received 108 bytes from 103.157.123.186:49671
turn INFO: 2024/05/02 14:28:32 No Permission or Channel exists for 103.157.123.186:49671 on allocation 173.249.7.183:34044
turn DEBUG: 14:28:33.036948 allocation.go:246: Relay socket 173.249.7.183:34044 received 108 bytes from 103.157.123.186:49671
turn INFO: 2024/05/02 14:28:33 No Permission or Channel exists for 103.157.123.186:49671 on allocation 173.249.7.183:34044
turn DEBUG: 14:28:33.101108 allocation.go:246: Relay socket 173.249.7.183:34044 received 108 bytes from 103.157.123.186:49671
turn INFO: 2024/05/02 14:28:33 No Permission or Channel exists for 103.157.123.186:49671 on allocation 173.249.7.183:34044
turn DEBUG: 14:28:33.120217 server.go:38: Received 104 bytes of udp from 103.157.123.186:37058 on [::]:3456
turn DEBUG: 14:28:33.120298 server.go:48: Received DataPacket from 103.157.123.186:37058
turn DEBUG: 14:28:33.120312 turn.go:362: Received ChannelData from 103.157.123.186:37058
turn DEBUG: 14:28:33.162646 allocation.go:246: Relay socket 173.249.7.183:34044 received 108 bytes from 103.157.123.186:49671
turn INFO: 2024/05/02 14:28:33 No Permission or Channel exists for 103.157.123.186:49671 on allocation 173.249.7.183:34044
turn DEBUG: 14:28:33.225575 allocation.go:246: Relay socket 173.249.7.183:34044 received 108 bytes from 103.157.123.186:49671
turn INFO: 2024/05/02 14:28:33 No Permission or Channel exists for 103.157.123.186:49671 on allocation 173.249.7.183:34044
turn DEBUG: 14:28:33.287036 allocation.go:246: Relay socket 173.249.7.183:34044 received 108 bytes from 103.157.123.186:49671
turn INFO: 2024/05/02 14:28:33 No Permission or Channel exists for 103.157.123.186:49671 on allocation 173.249.7.183:34044
turn DEBUG: 14:28:33.321045 server.go:38: Received 104 bytes of udp from 103.157.123.186:37058 on [::]:3456
turn DEBUG: 14:28:33.321109 server.go:48: Received DataPacket from 103.157.123.186:37058
turn DEBUG: 14:28:33.321134 turn.go:362: Received ChannelData from 103.157.123.186:37058
turn DEBUG: 14:28:33.350038 allocation.go:246: Relay socket 173.249.7.183:34044 received 108 bytes from 103.157.123.186:49671
turn INFO: 2024/05/02 14:28:33 No Permission or Channel exists for 103.157.123.186:49671 on allocation 173.249.7.183:34044
turn DEBUG: 14:28:33.411987 allocation.go:246: Relay socket 173.249.7.183:34044 received 108 bytes from 103.157.123.186:49671
turn INFO: 2024/05/02 14:28:33 No Permission or Channel exists for 103.157.123.186:49671 on allocation 173.249.7.183:34044
turn DEBUG: 14:28:33.474377 allocation.go:246: Relay socket 173.249.7.183:34044 received 108 bytes from 103.157.123.186:49671
turn INFO: 2024/05/02 14:28:33 No Permission or Channel exists for 103.157.123.186:49671 on allocation 173.249.7.183:34044
turn DEBUG: 14:28:33.521546 server.go:38: Received 104 bytes of udp from 103.157.123.186:37058 on [::]:3456
turn DEBUG: 14:28:33.521603 server.go:48: Received DataPacket from 103.157.123.186:37058
turn DEBUG: 14:28:33.521618 turn.go:362: Received ChannelData from 103.157.123.186:37058
turn DEBUG: 14:28:33.537050 allocation.go:246: Relay socket 173.249.7.183:34044 received 108 bytes from 103.157.123.186:49671
turn INFO: 2024/05/02 14:28:33 No Permission or Channel exists for 103.157.123.186:49671 on allocation 173.249.7.183:34044
turn DEBUG: 14:28:33.599417 allocation.go:246: Relay socket 173.249.7.183:34044 received 108 bytes from 103.157.123.186:49671
turn INFO: 2024/05/02 14:28:33 No Permission or Channel exists for 103.157.123.186:49671 on allocation 173.249.7.183:34044
turn DEBUG: 14:28:33.661927 allocation.go:246: Relay socket 173.249.7.183:34044 received 108 bytes from 103.157.123.186:49671
turn INFO: 2024/05/02 14:28:33 No Permission or Channel exists for 103.157.123.186:49671 on allocation 173.249.7.183:34044
turn DEBUG: 14:28:33.722146 server.go:38: Received 104 bytes of udp from 103.157.123.186:37058 on [::]:3456
turn DEBUG: 14:28:33.722202 server.go:48: Received DataPacket from 103.157.123.186:37058
turn DEBUG: 14:28:33.722244 turn.go:362: Received ChannelData from 103.157.123.186:37058
turn DEBUG: 14:28:33.724800 allocation.go:246: Relay socket 173.249.7.183:34044 received 108 bytes from 103.157.123.186:49671
turn INFO: 2024/05/02 14:28:33 No Permission or Channel exists for 103.157.123.186:49671 on allocation 173.249.7.183:34044
turn DEBUG: 14:28:33.788307 allocation.go:246: Relay socket 173.249.7.183:34044 received 108 bytes from 103.157.123.186:49671
turn INFO: 2024/05/02 14:28:33 No Permission or Channel exists for 103.157.123.186:49671 on allocation 173.249.7.183:34044
turn DEBUG: 14:28:33.849916 allocation.go:246: Relay socket 173.249.7.183:34044 received 108 bytes from 103.157.123.186:49671
turn INFO: 2024/05/02 14:28:33 No Permission or Channel exists for 103.157.123.186:49671 on allocation 173.249.7.183:34044
turn DEBUG: 14:28:33.911912 allocation.go:246: Relay socket 173.249.7.183:34044 received 108 bytes from 103.157.123.186:49671
turn INFO: 2024/05/02 14:28:33 No Permission or Channel exists for 103.157.123.186:49671 on allocation 173.249.7.183:34044
turn DEBUG: 14:28:33.974385 allocation.go:246: Relay socket 173.249.7.183:34044 received 108 bytes from 103.157.123.186:49671
turn INFO: 2024/05/02 14:28:33 No Permission or Channel exists for 103.157.123.186:49671 on allocation 173.249.7.183:34044
turn DEBUG: 14:28:34.036846 allocation.go:246: Relay socket 173.249.7.183:34044 received 108 bytes from 103.157.123.186:49671
turn INFO: 2024/05/02 14:28:34 No Permission or Channel exists for 103.157.123.186:49671 on allocation 173.249.7.183:34044
turn DEBUG: 14:28:34.099552 allocation.go:246: Relay socket 173.249.7.183:34044 received 108 bytes from 103.157.123.186:49671
turn INFO: 2024/05/02 14:28:34 No Permission or Channel exists for 103.157.123.186:49671 on allocation 173.249.7.183:34044
turn DEBUG: 14:28:34.161925 allocation.go:246: Relay socket 173.249.7.183:34044 received 108 bytes from 103.157.123.186:49671
turn INFO: 2024/05/02 14:28:34 No Permission or Channel exists for 103.157.123.186:49671 on allocation 173.249.7.183:34044
turn DEBUG: 14:28:34.224924 allocation.go:246: Relay socket 173.249.7.183:34044 received 108 bytes from 103.157.123.186:49671
turn INFO: 2024/05/02 14:28:34 No Permission or Channel exists for 103.157.123.186:49671 on allocation 173.249.7.183:34044
turn DEBUG: 14:28:34.286985 allocation.go:246: Relay socket 173.249.7.183:34044 received 108 bytes from 103.157.123.186:49671
turn INFO: 2024/05/02 14:28:34 No Permission or Channel exists for 103.157.123.186:49671 on allocation 173.249.7.183:34044
turn DEBUG: 14:28:34.350392 allocation.go:246: Relay socket 173.249.7.183:34044 received 108 bytes from 103.157.123.186:49671
turn INFO: 2024/05/02 14:28:34 No Permission or Channel exists for 103.157.123.186:49671 on allocation 173.249.7.183:34044
turn DEBUG: 14:28:34.411921 allocation.go:246: Relay socket 173.249.7.183:34044 received 108 bytes from 103.157.123.186:49671
turn INFO: 2024/05/02 14:28:34 No Permission or Channel exists for 103.157.123.186:49671 on allocation 173.249.7.183:34044

• What does this do to the client:

  pc INFO: 2024/05/02 17:50:44 signaling state changed to have-local-offer
  Press ctrl + c to stop the server
  turnc DEBUG: 17:50:44.869922 client.go:119: Resolved TURN server 173.249.7.183:3456 to 173.249.7.183:3456
  turnc DEBUG: 17:50:45.129198 udp_conn.go:66: Initial lifetime: 600 seconds
  turnc DEBUG: 17:50:45.129311 udp_conn.go:81: Started refresh allocation timer
  turnc DEBUG: 17:50:45.129372 udp_conn.go:84: Started refresh permission timer
  2024/05/02 17:50:45 OnICECandidate bot: udp4 relay 173.249.7.183:56041 related 192.168.1.66:41657
  ICE Gathering State is complete
  Offer: &{Candidates:[{Candidate:candidate:1391433031 1 udp 16777215 173.249.7.183 56041 typ relay raddr 192.168.1.66 rport 41657 SDPMid:0xc000280280 SDPMLineIndex:0xc000388340 UsernameFragment:<nil>}] OfferData:{SDP:v=0
  o=- 995806348864408624 1714652444 IN IP4 0.0.0.0
  s=-
  t=0 0
  a=msid-semantic:WMS*
  a=fingerprint:sha-256 3B:B8:D3:26:8E:9B:7C:2C:2E:71:93:75:6C:9F:67:07:FE:D3:29:E0:11:9E:44:6F:3A:06:74:60:0D:2A:33:A1
  a=extmap-allow-mixed
  a=group:BUNDLE 0
  m=video 9 UDP/TLS/RTP/SAVPF 96
  c=IN IP4 0.0.0.0
  a=setup:actpass
  a=mid:0
  a=ice-ufrag:SSaaxqZPOAPPwPNc
  a=ice-pwd:WITRDRNeZJJMhcDFsKLskkPGXuKQxmXm
  a=rtcp-mux
  a=rtcp-rsize
  a=rtpmap:96 VP8/90000
  a=ssrc:739467870 cname:6e49052f-09f8-467c-98de-49bae051feef
  a=ssrc:739467870 msid:61673f2f-3a66-45ff-8f30-e2909b3dcae0 b234a0bf-51fd-48e4-85a4-68045c6879c7
  a=ssrc:739467870 mslabel:61673f2f-3a66-45ff-8f30-e2909b3dcae0
  a=ssrc:739467870 label:b234a0bf-51fd-48e4-85a4-68045c6879c7
  a=msid:9b7806d1-8293-4ce9-8c50-9dfbf61cbedc b234a0bf-51fd-48e4-85a4-68045c6879c7
  a=sendrecv
  Type:offer}}
  2024/05/02 17:50:45 OnICECandidate bot: <nil>
  pc INFO: 2024/05/02 17:50:45 signaling state changed to stable
  mediadevices DEBUG: 17:50:45.517820 track.go:173: trying to build video/VP8 rtp reader
  Answer: &{AnswerData:{Type:answer SDP:v=0
  o=- 3932943357730492538 2 IN IP4 127.0.0.1
  s=-
  t=0 0
  a=group:BUNDLE 0
  a=extmap-allow-mixed
  a=msid-semantic: WMS
  m=video 9 UDP/TLS/RTP/SAVPF 96
  c=IN IP4 0.0.0.0
  a=rtcp:9 IN IP4 0.0.0.0
  a=ice-ufrag:7Gm3
  a=ice-pwd:I5ZfKI/kCPj8RIZJEMkrLDXh
  a=ice-options:trickle
  a=fingerprint:sha-256 F9:D0:77:CD:57:EE:28:50:2C:8A:3D:E8:5D:F0:03:05:32:FB:AF:EE:09:8F:2B:B9:7F:BB:DF:FD:B8:67:B1:DF
  a=setup:active
  a=mid:0
  a=recvonly
  a=rtcp-mux
  a=rtcp-rsize
  a=rtpmap:96 VP8/90000
  Candidates:[{Candidate:candidate:2887153850 1 udp 2122260223 192.168.1.66 44470 typ host generation 0 ufrag 7Gm3 network-id 1 network-cost 10 SDPMid:0xc0002805d0 SDPMLineIndex:0xc0003888e0 UsernameFragment:0xc0002805e0} {Candidate:candidate:1388096558 1 tcp 1518280447 192.168.1.66 9 typ host tcptype active generation 0 ufrag 7Gm3 network-id 1 network-cost 10 SDPMid:0xc0002805f0 SDPMLineIndex:0xc0003888e8 UsernameFragment:0xc000280600}]}}
  Adding ICE candidate: {Candidate:candidate:2887153850 1 udp 2122260223 192.168.1.66 44470 typ host generation 0 ufrag 7Gm3 network-id 1 network-cost 10 SDPMid:0xc0002805d0 SDPMLineIndex:0xc0003888e0 UsernameFragment:0xc0002805e0}
  Adding ICE candidate: {Candidate:candidate:1388096558 1 tcp 1518280447 192.168.1.66 9 typ host tcptype active generation 0 ufrag 7Gm3 network-id 1 network-cost 10 SDPMid:0xc0002805f0 SDPMLineIndex:0xc0003888e8 UsernameFragment:0xc000280600}
  ice INFO: 2024/05/02 17:50:45 Ignoring remote candidate with tcpType active: tcp4 host 192.168.1.66:9
  ice DEBUG: 17:50:45.558323 agent.go:404: Started agent: isControlling? true, remoteUfrag: "7Gm3", remotePwd: "I5ZfKI/kCPj8RIZJEMkrLDXh"
  ice INFO: 2024/05/02 17:50:45 Setting new connection state: Checking
  pc INFO: 2024/05/02 17:50:45 ICE connection state changed: checking
  2024/05/02 17:50:45 ICE Connection State has changed: checking
  pc INFO: 2024/05/02 17:50:45 peer connection state changed: connecting
  turnc DEBUG: 17:50:45.820153 udp_conn.go:438: Channel binding successful: 192.168.1.66:44470 16384
  mdns WARNING: 2024/05/02 17:50:46 Failed to parse mDNS packet parsing/packing of this type isn't available yet
  mdns WARNING: 2024/05/02 17:50:50 Failed to parse mDNS packet parsing/packing of this type isn't available yet
  mdns WARNING: 2024/05/02 17:51:10 Failed to parse mDNS packet parsing/packing of this type isn't available yet
  turnc DEBUG: 17:51:15.753999 allocation.go:77: Send refresh request (dontWait=true)
  ice WARNING: 2024/05/02 17:51:15 Failed to read from candidate udp4 relay 173.249.7.183:56041 related 192.168.1.66:41657: read udp 173.249.7.183:56041: use of closed network connection
  turnc DEBUG: 17:51:15.754163 allocation.go:84: Refresh request sent
  ice INFO: 2024/05/02 17:51:15 Setting new connection state: Failed
  turnc DEBUG: 17:51:15.754264 client.go:177: Failed to read: EOF. Exiting loop
  pc INFO: 2024/05/02 17:51:15 ICE connection state changed: failed
  2024/05/02 17:51:15 ICE Connection State has changed: failed
  pc INFO: 2024/05/02 17:51:15 peer connection state changed: failed
  mdns WARNING: 2024/05/02 17:51:17 Failed to parse mDNS packet parsing/packing of this type isn't available yet
  mdns WARNING: 2024/05/02 17:51:17 Failed to parse mDNS packet parsing/packing of this type isn't available yet
  mdns WARNING: 2024/05/02 17:51:18 Failed to parse mDNS packet parsing/packing of this type isn't available yet
  mdns WARNING: 2024/05/02 17:51:21 Failed to parse mDNS packet parsing/packing of this type isn't available yet
  mdns WARNING: 2024/05/02 17:51:30 Failed to parse mDNS packet parsing/packing of this type isn't available yet
  mdns WARNING: 2024/05/02 17:51:30 Failed to parse mDNS packet parsing/packing of this type isn't available yet
  mdns WARNING: 2024/05/02 17:51:50 Failed to parse mDNS packet parsing/packing of this type isn't available yet

What should we expect?

• Is this not the correct way to use DTLS with webRTC? If no what is the correct way to use it. We want X.509 Authentication for devices.
• Why is the gatherCandidatesRelay not sending certificates when doing a DTLS Dial? Is it suppose be like that? Are we missing something here? Is it intended to be used some other way?
• On the TURN server the AuthHandler function of the turn.NewServer is called multiple times for the same client (browser as well as device). Is this expected behaviour or are we missing something in the config?

[Tanmay49]

We were able to figure out the problem with our implementation. --> Firstly, the allocation problem was that we were making a tcp connection from the web client(here:chrome browser) but the web client was generating udp ice candidates. So we had to change the tcp listener to an udp listener on the TURN server. --> Secondly, there is an issue with the way CA certs work. The current webRTC library does not use the provided support for custom CA cert in the certpool hence it was giving us BadCertificate error on the TURN server and signed by unknown authority on the device (here:Raspberry PI). We added the certificate to the OS and then it was working as the DTLS connection does not support using the certificate programatically. @Sean-Der can we make a PR for this ? We were thinking of adding it to the settings engine and then to the agent so it will be accessible in the gatherCandidateRelay method.