[OpenSIPS-Users] NAT Traversal for audio stream (call)

Adrian Georgescu ag at ag-projects.com
Thu Oct 20 13:37:28 CEST 2011


You must not rely on STUN for NAT traversal.  Read the RFC for details.

http://tools.ietf.org/html/rfc5389

Quote from the standard:

Experience since the publication of RFC 3489 has found that classic STUN simply does not work sufficiently well to be a deployable solution.

To traverse NAT reliably you need media relays and optionally ICE support in the end-points. STUN is not enough to traverse NAT; it is just a helper tool.

Regards,
Adrian
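The point above (reflexive addresses from STUN are useless between two endpoints behind the same NAT unless the NAT hairpins, while ICE host candidates or a media relay still work) as an added example, not code from the thread. It is a simplified model: each NAT is assumed to have an endpoint-independent mapping and a hairpin flag, candidate types are tried in ICE priority order, and all addresses are constructed RFC 5737 documentation values.

```python
"""Why STUN alone fails for two endpoints behind the same NAT.

Added example, not from the thread. Simplified model: a NAT has a public IP
and may or may not hairpin (loop back packets sent from inside to its own
public address). Endpoints gather host, server-reflexive (what STUN reports)
and relayed candidates and try them in ICE priority order. Assumptions:
endpoint-independent mappings, so reflexive pairs between different NATs
work; addresses are constructed RFC 5737 documentation values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Nat:
    public_ip: str
    hairpin: bool


@dataclass(frozen=True)
class Endpoint:
    name: str
    host: tuple  # (private ip, port) on the LAN
    nat: Nat

    def candidates(self, relay_ip="198.51.100.7"):
        """What the endpoint learns: host, STUN-reflexive and relayed addresses."""
        return {
            "host": self.host,
            "srflx": (self.nat.public_ip, self.host[1]),  # port preserved for simplicity
            "relay": (relay_ip, 50000 + self.host[1]),    # constructed relay allocation
        }


def reachable(src, dst, kind):
    """Does a packet from src arrive at dst's candidate of the given type?"""
    if kind == "host":
        return src.nat is dst.nat        # private addresses only work on the same LAN
    if kind == "srflx":
        if src.nat is dst.nat:
            return src.nat.hairpin       # inside -> own public IP needs hairpinning
        return True                      # endpoint-independent mapping, both sides probing
    if kind == "relay":
        return True                      # relay is public; both sides send to it
    raise ValueError(kind)


ICE_ORDER = ("host", "srflx", "relay")


def select_path(a, b, allowed=ICE_ORDER):
    """First candidate type, in ICE priority order, that works in both directions."""
    for kind in ICE_ORDER:
        if kind in allowed and reachable(a, b, kind) and reachable(b, a, kind):
            return kind
    return None


def stun_only(a, b):
    """The setup in the thread: only the STUN-reported address goes into the SDP."""
    return select_path(a, b, allowed=("srflx",))


def scenarios():
    office = Nat("203.0.113.1", hairpin=False)
    home = Nat("203.0.113.2", hairpin=False)
    alice = Endpoint("alice", ("192.168.1.10", 40000), office)
    bob = Endpoint("bob", ("192.168.1.11", 40002), office)
    carol = Endpoint("carol", ("10.0.0.5", 40004), home)
    return {
        "same LAN, STUN only": stun_only(alice, bob),
        "same LAN, ICE": select_path(alice, bob),
        "different LANs, STUN only": stun_only(alice, carol),
        "different LANs, ICE": select_path(alice, carol),
        "same LAN, no host candidates, relay available":
            select_path(alice, bob, allowed=("srflx", "relay")),
    }


if __name__ == "__main__":
    office = Nat("203.0.113.1", hairpin=False)
    for ep in (Endpoint("alice", ("192.168.1.10", 40000), office),
               Endpoint("bob", ("192.168.1.11", 40002), office)):
        print(ep.name, ep.candidates())   # both get the same public IP from STUN
    for name, path in scenarios().items():
        print(f"{name}: {path}")
```

The "same LAN, STUN only" scenario returns no usable path, which is the symptom reported further down in the thread; adding host candidates (ICE) or a relay resolves it.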

On Oct 20, 2011, at 1:19 PM, archiveacephale wrote:

> 
> hello everyone,
> 
> my name is Lyu from Japan, working on an iOS app integration of OpenSIPS for
> synchronized rich contents communication between clients.
> What I want to achieve is letting 2 clients communicate touch drawing + voice + eventually video streaming in realtime to each other.
> 
> Synching touch drawing is going well, but I have a problem with audio calls.
> 
> For NAT Traversal I've tried a STUN server, which works fine for 3G-3G, 3G-WiFi and WiFi-WiFi w/ 2 different LANs,
> but does not work for WiFi-WiFi on same LAN which is not tolerable for our project.
> STUN server seems to work fine (which I'm not sure) as there's no difference in the log
> for WiFi-WiFi (2 LANs) and WiFi-WiFi (same LAN).
> 
> As I'm a total newb in this field and not quite sure if my configuration is right,
> I'd greatly appreciate it if someone can tell me whether my config setup is doing anything wrong.
> 
> My OpenSIPS server is running on an EC2 CentOS6 instance with OpenSIPS 1.7.0, and
> using iDoubs v2 clients on iOS4 machines (iPhone and iPad).
> 
> Please let me know if I should share other logs than below.
> Here's my STUN log (2 clients on same LAN):
> 
> received on A1:P1
> Got a request (len=64) from LAN_GLOBAL_IP:64958
> Received stun message: 64 bytes  
> ServerName = IM-client/OMA1.0 doubango/v0.0.0
> Unknown attribute: 32808
> Request parsed ok
> BindRequest does not contain MessageIntegrity
> Request is valid:
>         flags=0
>         changeIp=0
>         changePort=0
>         from = LAN_GLOBAL_IP:64958
>         respond to = LAN_GLOBAL_IP:64958
>         mapped = LAN_GLOBAL_IP:64958
> Encoding stun message:
> Encoding MappedAddress: LAN_GLOBAL_IP:64958
> Encoding SourceAddress: SERVER_INTERNAL_IP_1:3478
> Encoding ChangedAddress: SERVER_INTERNAL_IP_2:3479
> Encoding XorMappedAddress: 250.174.7.15:56492
> Encoding ServerName: Vovida.org 0.96
> 
> received on A1:P1
> Got a request (len=64) from LAN_GLOBAL_IP:55792
> Received stun message: 64 bytes
> ServerName = IM-client/OMA1.0 doubango/v0.0.0
> Unknown attribute: 32808
> Request parsed ok
> BindRequest does not contain MessageIntegrity
> Request is valid:
>         flags=0
>         changeIp=0
>         changePort=0
>         from = LAN_GLOBAL_IP:55792
>         respond to = LAN_GLOBAL_IP:55792 
>        mapped = LAN_GLOBAL_IP:55792
> Encoding stun message:
> Encoding MappedAddress: LAN_GLOBAL_IP:55792
> Encoding SourceAddress: SERVER_INTERNAL_IP_1:3478
> Encoding ChangedAddress: SERVER_INTERNAL_IP_2:3479
> Encoding XorMappedAddress: 250.174.7.15:63714
> Encoding ServerName: Vovida.org 0.96
> 
> 
> Here is my opensips.cfg:
> 
> #
> # $Id: opensips.cfg 8141 2011-07-08 12:17:13Z vladut-paiu $
> #
> # OpenSIPS basic configuration script
> #     by Anca Vamanu <anca at voice-system.ro>
> #
> # Please refer to the Core CookBook at:
> #      http://www.opensips.org/Resources/DocsCookbooks
> # for an explanation of possible statements, functions and parameters.
> #
> 
> 
> ####### Global Parameters #########
> 
> #debug=3
> #log_stderror=no
> #log_facility=LOG_LOCAL0
> 
> fork=yes
> children=4
> 
> /* uncomment the following lines to enable debugging */
> debug=6
> #fork=no
> log_stderror=no
> 
> /* uncomment the next line to disable TCP (default on) */
> #disable_tcp=yes
> 
> /* uncomment the next line to enable the auto temporary blacklisting of 
>   not available destinations (default disabled) */
> #disable_dns_blacklist=no
> 
> /* uncomment the next line to enable IPv6 lookup after IPv4 dns 
>   lookup failures (default disabled) */
> #dns_try_ipv6=yes
> 
> /* uncomment the next line to disable the auto discovery of local aliases
>   based on reverse DNS on IPs (default on) */
> #auto_aliases=no
> 
> /* uncomment the following lines to enable TLS support  (default off) */
> #disable_tls = no
> #listen = tls:your_IP:5061
> #tls_verify_server = 1
> #tls_verify_client = 1
> #tls_require_client_certificate = 0
> #tls_method = TLSv1
> #tls_certificate = "/usr/local/etc/opensips/tls/user/user-cert.pem"
> #tls_private_key = "/usr/local/etc/opensips/tls/user/user-privkey.pem"
> #tls_ca_list = "/usr/local/etc/opensips/tls/user/user-calist.pem"
> 
> # default db_url to be used by modules requiring DB connection
> db_default_url="mysql://opensips:opensips@localhost/opensips"
> 
> 
> port=5060
> 
> /* uncomment and configure the following line if you want opensips to 
>   bind on a specific interface/port/proto (default bind on all available) */
> #listen=udp:192.168.1.2:5060
> 
> 
> ####### Modules Section ########
> 
> #set module path
> mpath="/usr/local/lib64/opensips/modules/"
> 
> /* uncomment next line for MySQL DB support */
> loadmodule "db_mysql.so"
> loadmodule "signaling.so"
> loadmodule "sl.so"
> loadmodule "tm.so"
> loadmodule "rr.so"
> loadmodule "maxfwd.so"
> loadmodule "usrloc.so"
> loadmodule "registrar.so"
> loadmodule "textops.so"
> loadmodule "mi_fifo.so"
> loadmodule "uri.so"
> loadmodule "acc.so"
> /* uncomment next lines for MySQL based authentication support 
>   NOTE: a DB (like db_mysql) module must be also loaded */
> loadmodule "auth.so"
> loadmodule "auth_db.so"
> /* uncomment next line for aliases support
>   NOTE: a DB (like db_mysql) module must be also loaded */
> loadmodule "alias_db.so"
> /* uncomment next line for multi-domain support
>   NOTE: a DB (like db_mysql) module must be also loaded
>   NOTE: be sure and enable multi-domain support in all used modules
>         (see "multi-module params" section ) */
> #loadmodule "domain.so"
> /* uncomment the next two lines for presence server support
>   NOTE: a DB (like db_mysql) module must be also loaded */
> loadmodule "presence.so"
> loadmodule "presence_xml.so"
> 
> 
> # ----------------- setting module-specific parameters ---------------
> 
> 
> # ----- mi_fifo params -----
> modparam("mi_fifo", "fifo_name", "/tmp/opensips_fifo")
> 
> 
> # ----- rr params -----
> # do not append from tag to the RR (no need for this script)
> modparam("rr", "append_fromtag", 0)
> 
> 
> # ----- registrar params -----
> /* uncomment the next line not to allow more than 10 contacts per AOR */
> modparam("registrar", "max_contacts", 10)
> 
> 
> # ----- usrloc params -----
> # modparam("usrloc", "db_mode",   0)
> /* uncomment the following lines if you want to enable DB persistency
>   for location entries */
> modparam("usrloc", "db_mode",   2)
> modparam("usrloc", "db_url",
> 	"mysql://opensips:opensips@localhost/opensips")
> 
> 
> # ----- uri params -----
> modparam("uri", "use_uri_table", 0)
> 
> 
> # ----- acc params -----
> /* what special events should be accounted ? */
> modparam("acc", "early_media", 1)
> modparam("acc", "report_cancels", 1)
> /* by default we do not adjust the direction of the sequential requests.
>   if you enable this parameter, be sure the enable "append_fromtag"
>   in "rr" module */
> modparam("acc", "detect_direction", 0)
> /* account triggers (flags) */
> modparam("acc", "failed_transaction_flag", 3)
> modparam("acc", "log_flag", 1)
> modparam("acc", "log_missed_flag", 2)
> /* uncomment the following lines to enable DB accounting also */
> modparam("acc", "db_flag", 1)
> modparam("acc", "db_missed_flag", 2)
> 
> 
> # ----- auth_db params -----
> /* uncomment the following lines if you want to enable the DB based
>   authentication */
> modparam("auth_db", "calculate_ha1", yes)
> modparam("auth_db", "password_column", "password")
> modparam("auth_db", "db_url",
> 	"mysql://opensips:opensips@localhost/opensips")
> modparam("auth_db", "load_credentials", "")
> 
> 
> # ----- alias_db params -----
> /* uncomment the following lines if you want to enable the DB based
>   aliases */
> modparam("alias_db", "db_url",
> 	"mysql://opensips:opensips@localhost/opensips")
> 
> 
> # ----- domain params -----
> /* uncomment the following lines to enable multi-domain detection
>   support */
> #modparam("domain", "db_url",
> #	"mysql://opensips:opensips@localhost/opensips")
> #modparam("domain", "db_mode", 1)   # Use caching
> 
> 
> # ----- multi-module params -----
> /* uncomment the following line if you want to enable multi-domain support
>   in the modules (default off) */
> #modparam("auth_db|usrloc|uri", "use_domain", 1)
> 
> 
> # ----- presence params -----
> /* uncomment the following lines if you want to enable presence */
> modparam("presence|presence_xml", "db_url",
> 	"mysql://opensips:opensips@localhost/opensips")
> modparam("presence_xml", "force_active", 1)
> modparam("presence", "server_address", "sip:127.0.0.1:5060")
> 
> 
> ####### Routing Logic ########
> 
> 
> # main request routing logic
> 
> route{
> 
> 	if (!mf_process_maxfwd_header("10")) {
> 		sl_send_reply("483","Too Many Hops");
> 		exit;
> 	}
> 
> 	if (has_totag()) {
> 		# sequential request within a dialog should
> 		# take the path determined by record-routing
> 		if (loose_route()) {
> 			if (is_method("BYE")) {
> 				setflag(1); # do accounting ...
> 				setflag(3); # ... even if the transaction fails
> 			} else if (is_method("INVITE")) {
> 				# even if in most of the cases is useless, do RR for
> 				# re-INVITEs also, as some buggy clients do change route set
> 				# during the dialog.
> 				record_route();
> 			}
> 			# route it out to whatever destination was set by loose_route()
> 			# in $du (destination URI).
> 			route(1);
> 		} else {
> 			/* uncomment the following lines if you want to enable presence */
> 			if (is_method("SUBSCRIBE") && $rd == "your.server.ip.address") {
> 				# in-dialog subscribe requests
> 				route(2);
> 				exit;
> 			}
> 			if ( is_method("ACK") ) {
> 				if ( t_check_trans() ) {
> 					# non loose-route, but stateful ACK; must be an ACK after 
> 					# a 487 or e.g. 404 from upstream server
> 					t_relay();
> 					exit;
> 				} else {
> 					# ACK without matching transaction ->
> 					# ignore and discard
> 					exit;
> 				}
> 			}
> 			sl_send_reply("404","Not here");
> 		}
> 		exit;
> 	}
> 
> 	#initial requests
> 
> 	# CANCEL processing
> 	if (is_method("CANCEL"))
> 	{
> 		if (t_check_trans())
> 			t_relay();
> 		exit;
> 	}
> 
> 	t_check_trans();
> 
> 	# authenticate if from local subscriber (uncomment to enable auth)
> 	# authenticate all initial non-REGISTER request that pretend to be
> 	# generated by local subscriber (domain from FROM URI is local)
> 	if (!(method=="REGISTER") && from_uri==myself) /*no multidomain version*/
> 	##if (!(method=="REGISTER") && is_from_local())  /*multidomain version*/
> 	{
> 		if (!proxy_authorize("", "subscriber")) {
> 			proxy_challenge("", "0");
> 			exit;
> 		}
> 		if (!db_check_from()) {
> 			sl_send_reply("403","Forbidden auth ID");
> 			exit;
> 		}
> 	
> 		consume_credentials();
> 	##	# caller authenticated
> 	}
> 
> 	# preloaded route checking
> 	if (loose_route()) {
> 		xlog("L_ERR",
> 		"Attempt to route with preloaded Route's [$fu/$tu/$ru/$ci]");
> 		if (!is_method("ACK"))
> 			sl_send_reply("403","Preload Route denied");
> 		exit;
> 	}
> 
> 	# record routing
> 	if (!is_method("REGISTER|MESSAGE"))
> 		record_route();
> 
> 	# account only INVITEs
> 	if (is_method("INVITE")) {
> 		setflag(1); # do accounting
> 	}
> 	if (!uri==myself)
> 	## replace with following line if multi-domain support is used
> 	##if (!is_uri_host_local())
> 	{
> 		append_hf("P-hint: outbound\r\n");
> 		# if you have some interdomain connections via TLS
> 		##if($rd=="tls_domain1.net") {
> 		##	t_relay("tls:domain1.net");
> 		##	exit;
> 		##} else if($rd=="tls_domain2.net") {
> 		##	t_relay("tls:domain2.net");
> 		##	exit;
> 		##}
> 		route(1);
> 	}
> 
> 	# requests for my domain
> 
> 	## uncomment this if you want to enable presence server 
> 	##   and comment the next 'if' block
> 	##   NOTE: uncomment also the definition of route[2] from  below
> 	if( is_method("PUBLISH|SUBSCRIBE"))
> 			route(2);
> 
> 	#if (is_method("PUBLISH"))
> 	#{
> 	#	sl_send_reply("503", "Service Unavailable");
> 	#	exit;
> 	#}
> 	
> 
> 	if (is_method("REGISTER"))
> 	{
> 		# authenticate the REGISTER requests (uncomment to enable auth)
> 		if (!www_authorize("", "subscriber"))
> 		{
> 			www_challenge("", "0");
> 			exit;
> 		}
> 		
> 		if (!db_check_to()) 
> 		{
> 			sl_send_reply("403","Forbidden auth ID");
> 			exit;
> 		}
> 
> 		if (!save("location"))
> 			sl_reply_error();
> 
> 		exit;
> 	}
> 
> 	if ($rU==NULL) {
> 		# request with no Username in RURI
> 		sl_send_reply("484","Address Incomplete");
> 		exit;
> 	}
> 
> 	# apply DB based aliases (uncomment to enable)
> 	alias_db_lookup("dbaliases");
> 
> 	# do lookup with method filtering
> 	if (!lookup("location","m")) {
> 		switch ($retcode) {
> 			case -1:
> 			case -3:
> 				t_newtran();
> 				t_reply("404", "Not Found");
> 				exit;
> 			case -2:
> 				sl_send_reply("405", "Method Not Allowed");
> 				exit;
> 		}
> 	}
> 
> 	# when routing via usrloc, log the missed calls also
> 	setflag(2);
> 
> 	route(1);
> }
> 
> 
> route[1] {
> 	# for INVITEs enable some additional helper routes
> 	if (is_method("INVITE")) {
> 		t_on_branch("2");
> 		t_on_reply("2");
> 		t_on_failure("1");
> 	}
> 
> 	if (!t_relay()) {
> 		sl_reply_error();
> 	};
> 	exit;
> }
> 
> 
> # Presence route
> /* uncomment the whole following route for enabling presence
>   NOTE: do not forget to enable the call of this route from the main
>     route */
> route[2]
> {
> 	if (!t_newtran())
> 	{
> 		sl_reply_error();
> 		exit;
> 	};
> 
> 	if(is_method("PUBLISH"))
> 	{
> 		handle_publish();
> 	}
> 	else
> 	if( is_method("SUBSCRIBE"))
> 	{
> 		handle_subscribe();
> 	}
> 
> 	exit;
> }
> 
> 
> branch_route[2] {
> 	xlog("new branch at $ru\n");
> }
> 
> 
> onreply_route[2] {
> 	xlog("incoming reply\n");
> }
> 
> 
> failure_route[1] {
> 	if (t_was_cancelled()) {
> 		exit;
> 	}
> 
> 	# uncomment the following lines if you want to block client 
> 	# redirect based on 3xx replies.
> 	##if (t_check_status("3[0-9][0-9]")) {
> 	##t_reply("404","Not found");
> 	##	exit;
> 	##}
> 
> 	# uncomment the following lines if you want to redirect the failed 
> 	# calls to a different new destination
> 	##if (t_check_status("486|408")) {
> 	##	sethostport("192.168.2.100:5060");
> 	##	# do not set the missed call flag again
> 	##	t_relay();
> 	##}
> }
> 
> 
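For reading the STUN log quoted above: the "XorMappedAddress" lines are the RFC 5389 XOR-obfuscated form of the mapped address (for example port 56492 XOR 0x2112 gives 64958, the "from" port of the first request), and "BindRequest does not contain MessageIntegrity" means the client sent no MESSAGE-INTEGRITY attribute, so the server cannot authenticate it. The following is an added example, not code from the thread or from OpenSIPS, iDoubs or Vovida: it encodes and decodes XOR-MAPPED-ADDRESS and computes and verifies MESSAGE-INTEGRITY as RFC 5389 specifies. It assumes IPv4 and a short-term credential (the key is the password bytes); the client address and password are constructed values.

```python
"""RFC 5389 STUN Binding helpers: XOR-MAPPED-ADDRESS and MESSAGE-INTEGRITY.

Added example, not code from the thread. IPv4 only. Short-term credential:
the HMAC key is the password itself (a long-term credential would use
MD5(username:realm:password) instead).
"""
import hashlib
import hmac
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MESSAGE_INTEGRITY = 0x0008
ATTR_XOR_MAPPED_ADDRESS = 0x0020
FAMILY_IPV4 = 0x01


def xor_port(port):
    """Port XOR the top 16 bits of the magic cookie; the operation is its own inverse."""
    return port ^ (MAGIC_COOKIE >> 16)


def encode_xor_mapped_address(ip, port):
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    return struct.pack("!BBHI", 0, FAMILY_IPV4, xor_port(port), xaddr)


def decode_xor_mapped_address(value):
    _, family, xport, xaddr = struct.unpack("!BBHI", value[:8])
    if family != FAMILY_IPV4:
        raise ValueError("IPv4 only in this example")
    return socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE)), xor_port(xport)


def _attr(attr_type, value):
    pad = (-len(value)) % 4                    # attributes are padded to 4 bytes
    return struct.pack("!HH", attr_type, len(value)) + value + b"\x00" * pad


def _header(msg_type, length, tid):
    return struct.pack("!HHI12s", msg_type, length, MAGIC_COOKIE, tid)


def build_message(msg_type, tid, attributes, key=None):
    body = b"".join(_attr(t, v) for t, v in attributes)
    if key is not None:
        # The HMAC-SHA1 covers the header, with the length field counting the
        # 24-byte MESSAGE-INTEGRITY attribute, plus every attribute before it
        # (RFC 5389 section 15.4).
        covered = _header(msg_type, len(body) + 24, tid) + body
        body += _attr(ATTR_MESSAGE_INTEGRITY, hmac.new(key, covered, hashlib.sha1).digest())
    return _header(msg_type, len(body), tid) + body


def parse_message(data):
    """Return (type, transaction id, [(attr type, value, offset of the attribute)])."""
    msg_type, length, cookie, tid = struct.unpack("!HHI12s", data[:20])
    if cookie != MAGIC_COOKIE or len(data) < 20 + length:
        raise ValueError("not an RFC 5389 STUN message")
    attrs, offset = [], 20
    while offset < 20 + length:
        attr_type, alen = struct.unpack("!HH", data[offset:offset + 4])
        attrs.append((attr_type, data[offset + 4:offset + 4 + alen], offset))
        offset += 4 + alen + (-alen) % 4
    return msg_type, tid, attrs


def verify_integrity(data, key):
    """True only if a MESSAGE-INTEGRITY attribute is present and matches."""
    msg_type, tid, attrs = parse_message(data)
    for attr_type, value, offset in attrs:
        if attr_type == ATTR_MESSAGE_INTEGRITY:
            covered = _header(msg_type, offset - 20 + 24, tid) + data[20:offset]
            expected = hmac.new(key, covered, hashlib.sha1).digest()
            return hmac.compare_digest(expected, value)
    return False  # unauthenticated request, like the one in the quoted log


def binding_exchange(client_ip, client_port, key):
    """Client sends an authenticated Binding Request, the server verifies it and
    reflects the source address; returns what the client decodes, or None."""
    tid = os.urandom(12)
    request = build_message(BINDING_REQUEST, tid, [], key)
    if not verify_integrity(request, key):
        return None
    _, req_tid, _ = parse_message(request)
    mapped = encode_xor_mapped_address(client_ip, client_port)
    response = build_message(BINDING_SUCCESS, req_tid, [(ATTR_XOR_MAPPED_ADDRESS, mapped)], key)
    if not verify_integrity(response, key):
        return None
    _, _, attrs = parse_message(response)
    return next(decode_xor_mapped_address(v) for t, v, _ in attrs if t == ATTR_XOR_MAPPED_ADDRESS)


if __name__ == "__main__":
    print(xor_port(56492))                                   # the log's first "from" port
    print(binding_exchange("203.0.113.9", 64958, b"constructed-password"))
```

Only the port is decoded from the quoted log here; the poster redacted the address itself, so the example uses a constructed client address instead.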
