[OpenSIPS-Users] NAT Traversal for audio stream (call)
Adrian Georgescu
ag at ag-projects.com
Thu Oct 20 13:37:28 CEST 2011
You must not rely on STUN for NAT traversal. Read the RFC for details.
http://tools.ietf.org/html/rfc5389
Quote from the standard:
Experience since the publication of RFC 3489 has found that classic STUN simply does not work sufficiently well to be a deployable solution.
To traverse NAT reliably you need media relays and optionally ICE support in the end-points. STUN is not enough to traverse NAT is just a helper tool,
Regards,
Adrian
On Oct 20, 2011, at 1:19 PM, archiveacephale wrote:
>
> hello everyone,
>
> my name is Lyu from Japan, working on a iOS app integration of OpenSIPS for
> synchronized rich contents communication between clients.
> What I want to achieve is letting 2 clients communicate touch drawing + voice + eventually video streaming in realtime to each other.
>
> Synching touch drawing is going well, but I have problem with audio calls.
>
> For NAT Traversal I've tried STUN server, which work fine for 3G-3G, 3G-WiFi and WiFi-WiFi w/ 2 different LANs,
> but does not work for WiFi-WiFi on same LAN which is not tolerable for our project.
> STUN server seems to work fine (which I'm not sure) as there's no difference in the log
> for WiFi-WiFi (2 LANs) and WiFi-WiFi (same LAN).
>
> As I'm a total newb in this field and not quite sure if my configuration is right,
> I'd greatly appreciate if someone can tell me if my config set up isn't doing anything wrong.
>
> My OpenSIPS server is running on a EC2 CentOS6 instance with OpenSIPS 1.7.0. and
> using iDoubs v2 clients on iOS4 machines (iPhone and iPad).
>
> Please let me know if I should share other logs than below.
> Here's my STUN log (2 clients on same LAN):
>
> received on A1:P1
> Got a request (len=64) from LAN_GLOBAL_IP:64958
> Received stun message: 64 bytes
> ServerName = IM-client/OMA1.0 doubango/v0.0.0
> Unknown attribute: 32808
> Request parsed ok
> BindRequest does not contain MessageIntegrity
> Request is valid:
> flags=0
> changeIp=0
> changePort=0
> from = LAN_GLOBAL_IP:64958
> respond to = LAN_GLOBAL_IP:64958
> mapped = LAN_GLOBAL_IP:64958
> Encoding stun message:
> Encoding MappedAddress: LAN_GLOBAL_IP:64958
> Encoding SourceAddress: SERVER_INTERNAL_IP_1:3478
> Encoding ChangedAddress: SERVER_INTERNAL_IP_2:3479
> Encoding XorMappedAddress: 250.174.7.15:56492
> Encoding ServerName: Vovida.org 0.96
>
> received on A1:P1
> Got a request (len=64) from LAN_GLOBAL_IP:55792
> Received stun message: 64 bytes
> ServerName = IM-client/OMA1.0 doubango/v0.0.0
> Unknown attribute: 32808
> Request parsed ok
> BindRequest does not contain MessageIntegrity
> Request is valid:
> flags=0
> changeIp=0
> changePort=0
> from = LAN_GLOBAL_IP:55792
> respond to = LAN_GLOBAL_IP:55792
> mapped = LAN_GLOBAL_IP:55792
> Encoding stun message:
> Encoding MappedAddress: LAN_GLOBAL_IP:55792
> Encoding SourceAddress: SERVER_INTERNAL_IP_1:3478
> Encoding ChangedAddress: SERVER_INTERNAL_IP_2:3479
> Encoding XorMappedAddress: 250.174.7.15:63714
> Encoding ServerName: Vovida.org 0.96
>
>
> Here is my opensips.cfg:
>
> #
> # $Id: opensips.cfg 8141 2011-07-08 12:17:13Z vladut-paiu $
> #
> # OpenSIPS basic configuration script
> # by Anca Vamanu <anca at voice-system.ro>
> #
> # Please refer to the Core CookBook at:
> # http://www.opensips.org/Resources/DocsCookbooks
> # for a explanation of possible statements, functions and parameters.
> #
>
>
> ####### Global Parameters #########
>
> #debug=3
> #log_stderror=no
> #log_facility=LOG_LOCAL0
>
> fork=yes
> children=4
>
> /* uncomment the following lines to enable debugging */
> debug=6
> #fork=no
> log_stderror=no
>
> /* uncomment the next line to disable TCP (default on) */
> #disable_tcp=yes
>
> /* uncomment the next line to enable the auto temporary blacklisting of
> not available destinations (default disabled) */
> #disable_dns_blacklist=no
>
> /* uncomment the next line to enable IPv6 lookup after IPv4 dns
> lookup failures (default disabled) */
> #dns_try_ipv6=yes
>
> /* uncomment the next line to disable the auto discovery of local aliases
> based on revers DNS on IPs (default on) */
> #auto_aliases=no
>
> /* uncomment the following lines to enable TLS support (default off) */
> #disable_tls = no
> #listen = tls:your_IP:5061
> #tls_verify_server = 1
> #tls_verify_client = 1
> #tls_require_client_certificate = 0
> #tls_method = TLSv1
> #tls_certificate = "/usr/local/etc/opensips/tls/user/user-cert.pem"
> #tls_private_key = "/usr/local/etc/opensips/tls/user/user-privkey.pem"
> #tls_ca_list = "/usr/local/etc/opensips/tls/user/user-calist.pem"
>
> # default db_url to be used by modules requiring DB connection
> db_default_url="mysql://opensips:opensips@localhost/opensips"
>
>
> port=5060
>
> /* uncomment and configure the following line if you want opensips to
> bind on a specific interface/port/proto (default bind on all available) */
> #listen=udp:192.168.1.2:5060
>
>
> ####### Modules Section ########
>
> #set module path
> mpath="/usr/local/lib64/opensips/modules/"
>
> /* uncomment next line for MySQL DB support */
> loadmodule "db_mysql.so"
> loadmodule "signaling.so"
> loadmodule "sl.so"
> loadmodule "tm.so"
> loadmodule "rr.so"
> loadmodule "maxfwd.so"
> loadmodule "usrloc.so"
> loadmodule "registrar.so"
> loadmodule "textops.so"
> loadmodule "mi_fifo.so"
> loadmodule "uri.so"
> loadmodule "acc.so"
> /* uncomment next lines for MySQL based authentication support
> NOTE: a DB (like db_mysql) module must be also loaded */
> loadmodule "auth.so"
> loadmodule "auth_db.so"
> /* uncomment next line for aliases support
> NOTE: a DB (like db_mysql) module must be also loaded */
> loadmodule "alias_db.so"
> /* uncomment next line for multi-domain support
> NOTE: a DB (like db_mysql) module must be also loaded
> NOTE: be sure and enable multi-domain support in all used modules
> (see "multi-module params" section ) */
> #loadmodule "domain.so"
> /* uncomment the next two lines for presence server support
> NOTE: a DB (like db_mysql) module must be also loaded */
> loadmodule "presence.so"
> loadmodule "presence_xml.so"
>
>
> # ----------------- setting module-specific parameters ---------------
>
>
> # ----- mi_fifo params -----
> modparam("mi_fifo", "fifo_name", "/tmp/opensips_fifo")
>
>
> # ----- rr params -----
> # do not append from tag to the RR (no need for this script)
> modparam("rr", "append_fromtag", 0)
>
>
> # ----- registrar params -----
> /* uncomment the next line not to allow more than 10 contacts per AOR */
> modparam("registrar", "max_contacts", 10)
>
>
> # ----- usrloc params -----
> # modparam("usrloc", "db_mode", 0)
> /* uncomment the following lines if you want to enable DB persistency
> for location entries */
> modparam("usrloc", "db_mode", 2)
> modparam("usrloc", "db_url",
> "mysql://opensips:opensips@localhost/opensips")
>
>
> # ----- uri params -----
> modparam("uri", "use_uri_table", 0)
>
>
> # ----- acc params -----
> /* what sepcial events should be accounted ? */
> modparam("acc", "early_media", 1)
> modparam("acc", "report_cancels", 1)
> /* by default ww do not adjust the direct of the sequential requests.
> if you enable this parameter, be sure the enable "append_fromtag"
> in "rr" module */
> modparam("acc", "detect_direction", 0)
> /* account triggers (flags) */
> modparam("acc", "failed_transaction_flag", 3)
> modparam("acc", "log_flag", 1)
> modparam("acc", "log_missed_flag", 2)
> /* uncomment the following lines to enable DB accounting also */
> modparam("acc", "db_flag", 1)
> modparam("acc", "db_missed_flag", 2)
>
>
> # ----- auth_db params -----
> /* uncomment the following lines if you want to enable the DB based
> authentication */
> modparam("auth_db", "calculate_ha1", yes)
> modparam("auth_db", "password_column", "password")
> modparam("auth_db", "db_url",
> "mysql://opensips:opensips@localhost/opensips")
> modparam("auth_db", "load_credentials", "")
>
>
> # ----- alias_db params -----
> /* uncomment the following lines if you want to enable the DB based
> aliases */
> modparam("alias_db", "db_url",
> "mysql://opensips:opensips@localhost/opensips")
>
>
> # ----- domain params -----
> /* uncomment the following lines to enable multi-domain detection
> support */
> #modparam("domain", "db_url",
> # "mysql://opensips:opensips@localhost/opensips")
> #modparam("domain", "db_mode", 1) # Use caching
>
>
> # ----- multi-module params -----
> /* uncomment the following line if you want to enable multi-domain support
> in the modules (dafault off) */
> #modparam("auth_db|usrloc|uri", "use_domain", 1)
>
>
> # ----- presence params -----
> /* uncomment the following lines if you want to enable presence */
> modparam("presence|presence_xml", "db_url",
> "mysql://opensips:opensips@localhost/opensips")
> modparam("presence_xml", "force_active", 1)
> modparam("presence", "server_address", "sip:127.0.0.1:5060")
>
>
> ####### Routing Logic ########
>
>
> # main request routing logic
>
> route{
>
> if (!mf_process_maxfwd_header("10")) {
> sl_send_reply("483","Too Many Hops");
> exit;
> }
>
> if (has_totag()) {
> # sequential request withing a dialog should
> # take the path determined by record-routing
> if (loose_route()) {
> if (is_method("BYE")) {
> setflag(1); # do accounting ...
> setflag(3); # ... even if the transaction fails
> } else if (is_method("INVITE")) {
> # even if in most of the cases is useless, do RR for
> # re-INVITEs alos, as some buggy clients do change route set
> # during the dialog.
> record_route();
> }
> # route it out to whatever destination was set by loose_route()
> # in $du (destination URI).
> route(1);
> } else {
> /* uncomment the following lines if you want to enable presence */
> if (is_method("SUBSCRIBE") && $rd == "your.server.ip.address") {
> # in-dialog subscribe requests
> route(2);
> exit;
> }
> if ( is_method("ACK") ) {
> if ( t_check_trans() ) {
> # non loose-route, but stateful ACK; must be an ACK after
> # a 487 or e.g. 404 from upstream server
> t_relay();
> exit;
> } else {
> # ACK without matching transaction ->
> # ignore and discard
> exit;
> }
> }
> sl_send_reply("404","Not here");
> }
> exit;
> }
>
> #initial requests
>
> # CANCEL processing
> if (is_method("CANCEL"))
> {
> if (t_check_trans())
> t_relay();
> exit;
> }
>
> t_check_trans();
>
> # authenticate if from local subscriber (uncomment to enable auth)
> # authenticate all initial non-REGISTER request that pretend to be
> # generated by local subscriber (domain from FROM URI is local)
> if (!(method=="REGISTER") && from_uri==myself) /*no multidomain version*/
> ##if (!(method=="REGISTER") && is_from_local()) /*multidomain version*/
> {
> if (!proxy_authorize("", "subscriber")) {
> proxy_challenge("", "0");
> exit;
> }
> if (!db_check_from()) {
> sl_send_reply("403","Forbidden auth ID");
> exit;
> }
>
> consume_credentials();
> ## # caller authenticated
> }
>
> # preloaded route checking
> if (loose_route()) {
> xlog("L_ERR",
> "Attempt to route with preloaded Route's [$fu/$tu/$ru/$ci]");
> if (!is_method("ACK"))
> sl_send_reply("403","Preload Route denied");
> exit;
> }
>
> # record routing
> if (!is_method("REGISTER|MESSAGE"))
> record_route();
>
> # account only INVITEs
> if (is_method("INVITE")) {
> setflag(1); # do accounting
> }
> if (!uri==myself)
> ## replace with following line if multi-domain support is used
> ##if (!is_uri_host_local())
> {
> append_hf("P-hint: outbound¥r¥n");
> # if you have some interdomain connections via TLS
> ##if($rd=="tls_domain1.net") {
> ## t_relay("tls:domain1.net");
> ## exit;
> ##} else if($rd=="tls_domain2.net") {
> ## t_relay("tls:domain2.net");
> ## exit;
> ##}
> route(1);
> }
>
> # requests for my domain
>
> ## uncomment this if you want to enable presence server
> ## and comment the next 'if' block
> ## NOTE: uncomment also the definition of route[2] from below
> if( is_method("PUBLISH|SUBSCRIBE"))
> route(2);
>
> #if (is_method("PUBLISH"))
> #{
> # sl_send_reply("503", "Service Unavailable");
> # exit;
> #}
>
>
> if (is_method("REGISTER"))
> {
> # authenticate the REGISTER requests (uncomment to enable auth)
> if (!www_authorize("", "subscriber"))
> {
> www_challenge("", "0");
> exit;
> }
>
> if (!db_check_to())
> {
> sl_send_reply("403","Forbidden auth ID");
> exit;
> }
>
> if (!save("location"))
> sl_reply_error();
>
> exit;
> }
>
> if ($rU==NULL) {
> # request with no Username in RURI
> sl_send_reply("484","Address Incomplete");
> exit;
> }
>
> # apply DB based aliases (uncomment to enable)
> alias_db_lookup("dbaliases");
>
> # do lookup with method filtering
> if (!lookup("location","m")) {
> switch ($retcode) {
> case -1:
> case -3:
> t_newtran();
> t_reply("404", "Not Found");
> exit;
> case -2:
> sl_send_reply("405", "Method Not Allowed");
> exit;
> }
> }
>
> # when routing via usrloc, log the missed calls also
> setflag(2);
>
> route(1);
> }
>
>
> route[1] {
> # for INVITEs enable some additional helper routes
> if (is_method("INVITE")) {
> t_on_branch("2");
> t_on_reply("2");
> t_on_failure("1");
> }
>
> if (!t_relay()) {
> sl_reply_error();
> };
> exit;
> }
>
>
> # Presence route
> /* uncomment the whole following route for enabling presence
> NOTE: do not forget to enable the call of this route from the main
> route */
> route[2]
> {
> if (!t_newtran())
> {
> sl_reply_error();
> exit;
> };
>
> if(is_method("PUBLISH"))
> {
> handle_publish();
> }
> else
> if( is_method("SUBSCRIBE"))
> {
> handle_subscribe();
> }
>
> exit;
> }
>
>
> branch_route[2] {
> xlog("new branch at $ru¥n");
> }
>
>
> onreply_route[2] {
> xlog("incoming reply¥n");
> }
>
>
> failure_route[1] {
> if (t_was_cancelled()) {
> exit;
> }
>
> # uncomment the following lines if you want to block client
> # redirect based on 3xx replies.
> ##if (t_check_status("3[0-9][0-9]")) {
> ##t_reply("404","Not found");
> ## exit;
> ##}
>
> # uncomment the following lines if you want to redirect the failed
> # calls to a different new destination
> ##if (t_check_status("486|408")) {
> ## sethostport("192.168.2.100:5060");
> ## # do not set the missed call flag again
> ## t_relay();
> ##}
> }
>
>
>
>
>
>
> _______________________________________________
> Users mailing list
> Users at lists.opensips.org
> http://lists.opensips.org/cgi-bin/mailman/listinfo/users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opensips.org/pipermail/users/attachments/20111020/e2f7989a/attachment-0001.htm>
More information about the Users
mailing list