wireapp / wire-server-deploy

Code to install/deploy wire-server (on kubernetes)
https://docs.wire.com
GNU Affero General Public License v3.0

Question: Why do calls work, even though no restund or sftd services are deployed? #610

Closed Twiggeh closed 1 year ago

Twiggeh commented 1 year ago

Basic information

How did you install Wire?

There were only 2 VMs installed instead of the recommended 3; otherwise it is the same standard installation. Both VMs use Ubuntu 18, TLS was set up using letsencrypt (without auto-renewal) & DNS records are as they are described in the admin guide.

Question

At first after the installation, calls would connect very quickly (~300ms), but I noticed extreme slowdowns when the 2 calling machines were in different networks, so I started investigating what was happening.

At first I was investigating whether a firewall might be the issue & I globally disabled the entire firewall on all ends (router, ufw on server, ufw on client machines), but that didn't appear to be the issue :/

Eventually I turned off the restund & sftd services (systemctl stop restund && pkill restund, modified the helm chart to scale sftd to 0) and the latency stayed the same! And the calls were connecting!

I read the documentation on restund and sftd, and it appeared to me that those services are vital for video / audio calls to work, so my question is: how do they still work if no restund or sftd is active?

Is there a sort of backup discovery for Wire? If so, it appears that sometimes it is hit even when a dedicated restund is deployed.

I am sorry, I am at a complete loss where to look. Thanks in advance!

Edit:

When viewing the restund process it appears to be sleeping?

arthurwolf commented 1 year ago

(following to add answers to docs when available)

supersven commented 1 year ago

Hey @Twiggeh,

Clients may discover each other for 1:1 video / audio calls if they are on the same network. AFAIK this happens via broadcasts. In this case firewall-traversal - as provided by restund - isn't used.

There are two kinds of (audio / video) calls: 1:1 calls and conference calls with multiple attendees in Wire groups. Only the latter are provided by sftd.

supersven commented 1 year ago

> Eventually I turned off the restund & sftd services (systemctl stop restund && pkill restund, modified the helm chart to scale sftd to 0) and the latency stayed the same! And the calls were connecting!

This was probably possible because you turned off the firewalls before and did a 1:1 call. A next good step would be to measure the connectivity (bandwidth) between both networks.

Twiggeh commented 1 year ago

Hi @supersven! Thank you for the super quick replies!

I see, so to test correctly I must always be on separate networks. I will test the bandwidth too!

Another question, when testing which ports restund listens to it shows 3478 & 8080,

 netstat -tunlp | grep restund
tcp        0      0 138.68.110.150:3478     0.0.0.0:*               LISTEN      8018/restund        
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      8018/restund        
udp        0      0 138.68.110.150:3478     0.0.0.0:*                           8018/restund        
udp        0      0 127.0.0.1:33000         0.0.0.0:*                           8018/restund    

but the docs say 3478 & 5478

I think I should be setting the turns.<ip>:8080?transport=tcp, right?

supersven commented 1 year ago

@Twiggeh, Welcome :smile:

AFAIK port 8080 is only used for administrative things like readiness and liveness probes. I.e. it's fine to only use 3478:

brig:
  # ...
  turnStatic:
    v2:
    - turn:<YOUR_RESTUND_HOST>:3478?transport=udp
    - turn:<YOUR_RESTUND_HOST>:3478?transport=tcp

Twiggeh commented 1 year ago

@supersven Ay thank you!

It was the ports in the end, I had 443 and 80 from a different part of the docs for some reason (I believe it was the circumvent firewalls tip).

I am still intrigued why the 5478 port doesn't show up, my best guess is that 5478 is the incoming TLS traffic and that I somehow didn't put the certificates in the correct place.

Now it works almost as expected :heart:, I'll mark it as resolved since my initial question was already answered!

Thank you again!

supersven commented 1 year ago

@Twiggeh Welcome :sunglasses:

In the restund config the TLS port related parameter is named tls_listen. You'll likely have to grep a bit to figure out how it relates to other parameters.

If you're using the Helm chart to install restund on Kubernetes: tls_listen is disabled there.
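
Added example (not part of the thread or of the wire-server-deploy code): a Python check that compares brig `turnStatic` entries with the sockets restund actually has open, which catches the mismatches discussed above (ports 443/80, the loopback-only 8080, the absent 5478). The sample netstat text, the host name `restund.example.com` and all function names are constructed for illustration, and the check assumes the URI host resolves to the machine netstat was run on.

```python
import re
from urllib.parse import parse_qs

# Constructed sample shaped like the `netstat -tunlp | grep restund` output
# in the thread; 192.0.2.10 is a documentation address, not a real host.
NETSTAT = """\
tcp   0  0 192.0.2.10:3478   0.0.0.0:*   LISTEN   8018/restund
tcp   0  0 127.0.0.1:8080    0.0.0.0:*   LISTEN   8018/restund
udp   0  0 192.0.2.10:3478   0.0.0.0:*            8018/restund
udp   0  0 127.0.0.1:33000   0.0.0.0:*            8018/restund
"""

TURN_URI = re.compile(r"^(turns?):([^:?]+):(\d+)(?:\?(.*))?$")


def listeners(netstat_text, process="restund"):
    """Map (proto, port) -> bind address for sockets owned by `process`."""
    found = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[-1].endswith("/" + process):
            continue
        addr, _, port = fields[3].rpartition(":")
        found[(fields[0].rstrip("6"), int(port))] = addr  # tcp6 -> tcp
    return found


def check_uri(uri, socks):
    """Classify one turnStatic entry against the sockets actually open."""
    m = TURN_URI.match(uri)
    if not m:
        return "invalid"
    scheme, _host, port, query = m.groups()
    default = "tcp" if scheme == "turns" else "udp"  # defaults per RFC 7065
    transport = parse_qs(query or "").get("transport", [default])[0]
    bind = socks.get((transport, int(port)))
    if bind is None:
        return "not-listening"
    if bind.startswith("127.") or bind == "::1":
        return "loopback-only"  # bound to localhost: unreachable for clients
    return "ok"


def audit(uris, netstat_text=NETSTAT):
    """Return {uri: verdict} for every configured TURN URI."""
    socks = listeners(netstat_text)
    return {uri: check_uri(uri, socks) for uri in uris}
```

Running `audit()` over the list under `brig.turnStatic.v2` before rolling out a values change shows which entries clients could never reach.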