Restund (TURN) servers

Introduction

Restund servers allow two users on different networks (for example Alice who is in an office connected to an office router and Bob who is at home connected to a home router) to have a Wire audio or video call. More precisely:

Restund is a modular and flexible STUN and TURN Server, with IPv4 and IPv6 support.

Architecture

Since the restund servers help establishing a connection between two users, they need to be reachable by both of these users, which usually means they need to have a public IP address.

While one server is enough to get started, two servers provide high-availability in case one server gets into trouble. A Restund instance may communicate with other Restund instances.

You can either have restund servers directly exposed to the public internet:

architecture-restund

Or you can have them reachable by fronting them with a firewall or load balancer machine that may have a different IP than the server where restund is installed:

architecture-restund-lb

What is it used for

Restund is used to assist in NAT-traversal. Its goal is to connect two clients who are (possibly both) behind NAT directly in a peer to peer fashion, for optimal call quality and lowest latency.

client A sends a UDP packet to Restund; which will get address-translated by the router. Restund then sends back to the client what the source IP and the source port was that Restund observed. If the client then communicates this to Client B, Client B will be able to send data to that IP,port pair over UDP if it does so quickly enough. Client A and B will then have a peer-to-peer leg.

This is not always possible (e.g. symmetric NAT makes this technique impossible, as the router will NAT a different source-port for each connection). In that case clients fall back to TURN, which asks Restund to allocate a relay address which relays packets between nodes A and B.

Restund servers need to have a wide range of ports open to allocate such relay addresses.

Network

As briefly mentioned above, a TURN server functions as a bridge between networks. Networks which don’t have a direct route defined between them, usually have distinct address blocks. Depending on the address block they are configured with - such block is either considered to be public or private (aka special-purpose addresses [RFC 6890])

In cases where a machine, that is hosting the TURN server, also connects to a private network in which other services are running, chances are that these services are being indirectly exposed through that TURN server.

To prevent this kind of exposure, a TURN server has to be configured with an inclusive or exclusive list of address blocks to prevents undesired connections from being established 1. At the moment (Feb. 2021), this functionality is not yet available with Restund on the application-level. Instead, the system-level firewall capabilities must be utilized. The IP ranges mentioned in the article 1 should be blocked for egress and, depending on the scenario, also for ingress traffic. Tools like iptables or ufw can be used to set this up.

1(1,2)

Details about CVE-2020-26262, bypass of Coturn’s default access control protection

Protocols and open ports

Restund servers provide the best audio/video connections if end-user devices can connect to them via UDP. In this case, a firewall (if any) needs to allow and/or forward the complete UDP port range 32768-61000 for incoming UDP traffic. Ports for allocations are allocated from ip_local_port_range which is 32768-61000 by default.

Port 3478 is the default control port, however one UDP port per active connection is required, so a whole port range must be available and reachable from the outside.

In case e.g. office firewall rules disallow UDP traffic, there is a possibility to use TCP instead, at the expense of call quality. So in practise; it is recommended to allow the port range 32768-61000 on both UDP and TCP.

If Conference Calling 2.0 (SFT) is enabled, a Restund instance, additionally, must be allowed to communicate with :SFT instances on the same UDP ports mentioned above. In this scenario a Restund server becomes sort of a proxy for the client, if the client is not able to establish a direct connection to the SFT server.

For more information, please refer to the source code of the Ansible role: restund.

Control ports

Restund listens for control messages on port 3478 on both UDP and TCP. It also can listen on port 5349 which uses TLS. One can reconfigure both ports. For example, port 5349 can be reconfigured to be port 443; so that TURN traffic can not be distinguished from any other TLS traffic. This might help with overcoming certain firewall restrictions. You can instead use (if that’s easier with firewall rules) for example ports 80 and 443 (requires to run restund as root) or do a redirect from a load balancer (if using one) to redirect 443 -> 5349 and 80 -> 3478.

Amount of users and file descriptors

Each allocation (active connection by one participant) requires 1 or 2 file descriptors, so ensure you increase your file descriptor limits in case you have many users.

Currently one restund server can have a maximum of 64000 allocations. If you have more users than that in an active call, you need to deploy more restund servers.

Load balancing and high-availability

Load balancing is not possible, since STUN/TURN is a stateful protocol, so UDP packets addressed to restund server 1, if by means of a load balancer were to end up at restund server 2, would get dropped, as the second server doesn’t know the source address.

High-availability is nevertheless ensured by having and advertising more than one restund server. Instead of the load balancer, the clients will switch their server if it fails.

Discovery and establishing a call

A simplified flow of how restund servers, along with the wire-server are used to establish a call:

flow-restund

DNS

Usually DNS records are used which point to the public IPs of the restund servers (or of the respective firewall or load balancer machines). These DNS names are then used when configuring wire-server.