totmicro / helms

Helm charts

[Question] Stunner Gateway Operator replacing Coturn #1

Closed sdaberdaku closed 6 days ago

sdaberdaku commented 2 weeks ago

Hello @marcportabellaclotet-mt,

I am trying to setup NetBird on EKS and I came across your response. I was wondering if you could provide me with some more details regarding how to setup Stunner to replace Coturn. In particular, I was wondering how I should handle the relay UDP ports (49152-65535).

Thank you in advance!

Sebastian

marcportabellaclotet-mt commented 2 weeks ago

You will need to deploy the stunner gateway operator from here.

Then you will need to add a UDP gateway like this:

apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: stunner-gatewayclass
spec:
  controllerName: "stunner.l7mp.io/gateway-operator"
  parametersRef:
    group: "stunner.l7mp.io"
    kind: GatewayConfig
    name: stunner-gatewayconfig
    namespace: stunner-system
  description: "STUNner is a WebRTC ingress gateway for Kubernetes"

---
apiVersion: stunner.l7mp.io/v1
kind: GatewayConfig
metadata:
  name: stunner-gatewayconfig
  namespace: stunner-system
spec:
  realm: stunner.l7mp.io
  # TURN credentials are read from this Secret (created separately, see below)
  authRef:
    name: stunner-auth-secret
    namespace: stunner-system
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: udp-gateway
  namespace: stunner-system
  # these annotations are copied onto the LoadBalancer Service the operator creates,
  # so the AWS load balancer controller provisions an internet-facing NLB for it
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
    service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
    service.beta.kubernetes.io/aws-load-balancer-subnets: "subnet-xxx,subnet-yyyy,subnet-zzzz"
    service.beta.kubernetes.io/aws-load-balancer-internal: "false"
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-path: "/live"
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: "8086"
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: "HTTP"
spec:
  gatewayClassName: stunner-gatewayclass
  listeners:
    # a single TURN-over-UDP listener; no relay port range is exposed
    - name: udp-listener
      port: 3478
      protocol: TURN-UDP
---
apiVersion: stunner.l7mp.io/v1
kind: UDPRoute
metadata:
  name: stunner-headless
  namespace: stunner-system
spec:
  parentRefs:
    - name: udp-gateway
  rules:
    - backendRefs:
        - name: udp-gateway
          namespace: stunner-system

There is no need to open other UDP ports. You will also need to create a Secret with the auth info (stunner-auth-secret); refer to the STUNner documentation. After deploying the UDP gateway, you will have the k8s Service endpoints which point to STUNner. These are the load balancer endpoints.

sdaberdaku commented 2 weeks ago

Thank you @marcportabellaclotet-mt for your prompt response. Thank you also for your Helm charts; with a little work I was able to adapt them to the latest NetBird version (0.28.9).

I was able to deploy STUNner following the official documentation in headless mode, however I had a reachability issue. When testing the STUN/TURN service with icetest.info, very often I would not get a response, and I discovered that I needed to deploy the dataplane as a DaemonSet so that each EKS node got a stunnerd Pod running on it. Did you by any chance face a similar issue? It has to do with the .spec.externalTrafficPolicy: Local set on the LoadBalancer Service, which preserves the client's original IP but prevents a second 'hop' among Kubernetes nodes, so the requests would get dropped if they reached a node without a stunnerd Pod on it (reference).

I also did an experiment by simply disabling STUNner, and I was still able to connect to NetBird, which makes me wonder if I need the STUN/TURN service at all (given that it is not providing the relay service on ports 49152-65535). Maybe it is providing another functionality that I'm not grasping.

marcportabellaclotet-mt commented 6 days ago

Stunner is needed when there is no direct connection between NetBird peers. Otherwise there is no way to make them reachable. With Stunner, you do not need to open a full range of ports. I am able to make it work using just one UDP port (3478), as shared in the first comment example. The Stunner endpoint (you can find it by checking the DNS endpoint of the load balancer created with the UDP gateway) should work with icetest.info.
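The reachability test discussed in this thread (does the gateway's single UDP port answer, and do the credentials in stunner-auth-secret actually get an allocation) can be done without icetest.info. The script below is an added example, not code from the totmicro/helms repository, NetBird or the STUNner project. It speaks plain RFC 5389/5766 over UDP: a STUN Binding request, then a TURN Allocate without credentials (which must be refused with a 401 carrying REALM and NONCE), then an Allocate with long-term credentials and MESSAGE-INTEGRITY, whose success response must carry an XOR-RELAYED-ADDRESS and a MESSAGE-INTEGRITY that verifies under the same key. The hostname, username and password are assumptions: use the NLB DNS name of the udp-gateway Service and the values from stunner-auth-secret; the realm is taken from the server's challenge and should match the GatewayConfig (stunner.l7mp.io). Each attempt opens a fresh socket, so with externalTrafficPolicy: Local on the Service, attempts can land on different NLB targets and a mix of "ok" and "timeout" is the symptom described above.

```python
"""STUN/TURN reachability probe for a STUNner UDP gateway (added example; RFC 5389 / RFC 5766).
Host, username and password are assumptions supplied on the command line."""
import hashlib
import hmac
import os
import socket
import struct
import sys

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST, BINDING_SUCCESS = 0x0001, 0x0101
ALLOCATE_REQUEST, ALLOCATE_SUCCESS, ALLOCATE_ERROR = 0x0003, 0x0103, 0x0113
A_USERNAME, A_MESSAGE_INTEGRITY, A_ERROR_CODE = 0x0006, 0x0008, 0x0009
A_REALM, A_NONCE, A_XOR_RELAYED_ADDRESS = 0x0014, 0x0015, 0x0016
A_REQUESTED_TRANSPORT, A_XOR_MAPPED_ADDRESS = 0x0019, 0x0020
UDP_TRANSPORT = b"\x11\x00\x00\x00"  # REQUESTED-TRANSPORT: protocol 17 (UDP) + 3 RFFU bytes

def _attr(atype, value):
    """One TLV attribute, value padded to a 4-byte boundary."""
    return struct.pack("!HH", atype, len(value)) + value + b"\x00" * ((-len(value)) % 4)

def long_term_key(username, realm, password):
    """Long-term credential key: MD5(username:realm:password)."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()

def build_message(mtype, txid, attrs, key=None):
    """Serialize a STUN message; with key, append MESSAGE-INTEGRITY (HMAC-SHA1)."""
    body = b"".join(_attr(t, v) for t, v in attrs)
    if key is None:
        return struct.pack("!HHI", mtype, len(body), MAGIC_COOKIE) + txid + body
    # HMAC input uses a length field that already counts the 24-byte MI attribute (RFC 5389 15.4)
    hdr = struct.pack("!HHI", mtype, len(body) + 24, MAGIC_COOKIE) + txid
    mac = hmac.new(key, hdr + body, hashlib.sha1).digest()
    return hdr + body + _attr(A_MESSAGE_INTEGRITY, mac)

def parse_message(data):
    """Return (type, txid, {attr_type: value}); rejects input without the magic cookie."""
    mtype, length, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE or len(data) < 20 + length:
        raise ValueError("not a STUN message")
    attrs, pos = {}, 20
    while pos < 20 + length:
        atype, alen = struct.unpack("!HH", data[pos:pos + 4])
        attrs[atype] = data[pos + 4:pos + 4 + alen]
        pos += 4 + alen + ((-alen) % 4)
    return mtype, data[8:20], attrs

def verify_integrity(data, key):
    """Recompute MESSAGE-INTEGRITY over everything that precedes it; False if absent or wrong."""
    mtype, length, _ = struct.unpack("!HHI", data[:8])
    pos = 20
    while pos < 20 + length:
        atype, alen = struct.unpack("!HH", data[pos:pos + 4])
        if atype == A_MESSAGE_INTEGRITY:
            hdr = struct.pack("!HHI", mtype, pos - 20 + 24, MAGIC_COOKIE) + data[8:20]
            mac = hmac.new(key, hdr + data[20:pos], hashlib.sha1).digest()
            return hmac.compare_digest(mac, data[pos + 4:pos + 24])
        pos += 4 + alen + ((-alen) % 4)
    return False

def xor_address(value):
    """Decode XOR-MAPPED-ADDRESS / XOR-RELAYED-ADDRESS (IPv4 only) -> (ip, port)."""
    family, xport, xaddr = struct.unpack("!xBHI", value[:8])
    if family != 0x01:
        raise ValueError("only IPv4 is decoded here")
    return socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE)), xport ^ (MAGIC_COOKIE >> 16)

def error_code(value):
    """ERROR-CODE attribute -> numeric code (class * 100 + number)."""
    _, cls, num = struct.unpack("!HBB", value[:4])
    return (cls & 0x07) * 100 + num

def _exchange(sock, host, port, msg):
    sock.sendto(msg, (host, port))
    return sock.recvfrom(2048)[0]

def probe_once(host, port, username, password, timeout=2.0):
    """Binding, unauthenticated Allocate (expect 401), authenticated Allocate; returns a status line."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            mtype, _, attrs = parse_message(_exchange(s, host, port, build_message(BINDING_REQUEST, os.urandom(12), [])))
            if mtype != BINDING_SUCCESS:
                return f"binding failed: type 0x{mtype:04x}"
            mapped = xor_address(attrs[A_XOR_MAPPED_ADDRESS])
            challenge = build_message(ALLOCATE_REQUEST, os.urandom(12), [(A_REQUESTED_TRANSPORT, UDP_TRANSPORT)])
            mtype, _, attrs = parse_message(_exchange(s, host, port, challenge))
            if mtype != ALLOCATE_ERROR or error_code(attrs[A_ERROR_CODE]) != 401:
                return f"expected 401 challenge, got type 0x{mtype:04x}"
            realm, nonce = attrs[A_REALM], attrs[A_NONCE]  # realm should equal the GatewayConfig realm
            key = long_term_key(username, realm.decode(), password)
            req = build_message(ALLOCATE_REQUEST, os.urandom(12), [(A_REQUESTED_TRANSPORT, UDP_TRANSPORT),
                                (A_USERNAME, username.encode()), (A_REALM, realm), (A_NONCE, nonce)], key=key)
            raw = _exchange(s, host, port, req)
            mtype, _, attrs = parse_message(raw)
            if mtype != ALLOCATE_SUCCESS:
                return f"allocate rejected: {error_code(attrs[A_ERROR_CODE]) if A_ERROR_CODE in attrs else hex(mtype)}"
            if not verify_integrity(raw, key):  # response must be authenticated with the same key
                return "allocate succeeded but response MESSAGE-INTEGRITY does not verify"
            relay = xor_address(attrs[A_XOR_RELAYED_ADDRESS])
            return f"ok mapped={mapped[0]}:{mapped[1]} relay={relay[0]}:{relay[1]}"
        except socket.timeout:
            return "timeout (no answer: did this NLB target hit a node without a stunnerd pod?)"

if __name__ == "__main__":
    host, user, pw = sys.argv[1:4]  # NLB DNS name of udp-gateway, credentials from stunner-auth-secret
    for _ in range(5):  # new socket per attempt, so attempts may hit different NLB targets
        print(probe_once(host, 3478, user, pw))
```

Run it as `python3 probe.py <nlb-dns-name> <username> <password>`. Five "ok" lines mean every target the NLB picked had a stunnerd pod and accepted the credentials; "timeout" on some attempts and "ok" on others is the externalTrafficPolicy: Local symptom, and "allocate rejected: 401" on the authenticated attempt points at a mismatch between the Secret and the realm.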