processone/eturnal

TURN windows version login account information?

Closed this issue · 9 comments

I installed eturnal on Windows.
But I don't know where to put the turn server login account information (username, password).
Is it correct to set it in the eturnal.yml file?
The turn server does not work normally because the credential error keeps occurring.
Below is the eturnal.yml I wrote.
Please help.

# eturnal STUN/TURN server configuration file.
#
# This file is written in YAML. The YAML format is indentation-sensitive, please
# MAKE SURE YOU INDENT CORRECTLY.
#
# See: https://eturnal.net/documentation/#Global_Configuration

eturnal:

  ## Shared secret for deriving temporary TURN credentials (default: $RANDOM):
  secret: "inventis"

  ## The server's public IPv4 address (default: autodetected):
  #relay_ipv4_addr: "13.124.71.4"
  ## The server's public IPv6 address (optional):
  #relay_ipv6_addr: "2001:db8::4"

  listen:
    -
      ip: "0.0.0.0"
      port: 3478
      transport: udp
    -
      ip: "0.0.0.0"
      port: 3478
      transport: tcp
    -
      ip:  "0.0.0.0"
      port: 5349
      transport: tls

  ## UDP relay port range (usually, several ports per A/V call are required):
  relay_min_port: 49152     # This is the default.
  relay_max_port: 65535     # This is the default.

  ## Reject TURN relaying from/to the following addresses/networks:
  blacklist:                # This is the default blacklist.
    - "127.0.0.0/8"         # IPv4 loopback.
    - "::1"                 # IPv6 loopback.
    #- recommended          # Expands to a number of networks recommended to be
                            # blocked, but includes private networks. Those
                            # would have to be 'whitelist'ed if eturnal serves
                            # local clients/peers within such networks.

  ## If 'true', close established calls on expiry of temporary TURN credentials:
  strict_expiry: false      # This is the default.

  ## Logging configuration:
  log_level: info           # critical | error | warning | notice | info | debug
  log_rotate_size: 10485760 # 10 MiB (default: unlimited, i.e., no rotation).
  log_rotate_count: 10      # Keep 10 rotated log files.
  log_dir: "C:/Program Files/eturnal/log"
  run_dir: "C:/Program Files/eturnal/run"

  ## See: https://eturnal.net/documentation/#Module_Configuration
  modules:
    mod_log_stun: {}        # Log STUN queries (in addition to TURN sessions).
    #mod_stats_influx: {}   # Log STUN/TURN events into InfluxDB.
    #mod_stats_prometheus:  # Expose STUN/TURN and VM metrics to Prometheus.
    #  ip: any              # This is the default: Listen on all interfaces.
    #  port: 8081           # This is the default.
    #  tls: false           # This is the default.
    #  vm_metrics: true     # This is the default.

For reference, the eturnal log shows the following

2022-09-05 11:35:31.313000+09:00 [info] Non-numeric expiration field: inventis [UDP, session bsrd4pd09ti3, user inventis, client 13.124.71.4:49353]
2022-09-05 11:35:31.313000+09:00 [notice] Failed long-term STUN/TURN authentication [UDP, session bsrd4pd09ti3, user inventis, client 13.124.71.4:49353]

weiss commented

I don't know where to put the turn server login account information (username, password).

eturnal currently doesn't support static credentials. What it does instead is deriving temporary credentials from a secret as described in this IETF spec and at the top of the eturnal docs. That's what most WebRTC applications do these days; i.e., they typically use a few lines of Node.js/whatever code to generate credentials on the web server side as described in those docs, and hand them out to the client.

If you'd prefer static credentials, you could configure a random secret: … and then use PowerShell code such as the following to derive a username/password from that secret:

$username = "1735686000"         # For credentials valid until 2025-01-01.
$secret = "1pIFIj70BPsgBI92j5ux" # As specified in your eturnal.yml.

# Password = Base64(HMAC-SHA1(key = secret, message = username)).
$sha = [System.Security.Cryptography.KeyedHashAlgorithm]::Create("HMACSHA1")
$sha.Key = [System.Text.Encoding]::UTF8.GetBytes($secret)
$password = [Convert]::ToBase64String($sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($username)))

echo $username
echo $password

That said, we do plan to allow for specifying hard-coded credentials in the configuration file for testing purposes or simple cases where that's really all you need. So far, nobody actually asked for this, so we kept delaying it. I'll have a look.
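The server-side generation mentioned in the reply above, as an added Node.js example that is not part of the original thread and not eturnal's own code. `issueCredentials` and `checkCredentials` are hypothetical names, the secret is a constructed placeholder, and the check function is only a sketch of the validation implied by the "Non-numeric expiration field" and "Failed long-term STUN/TURN authentication" log lines.

```javascript
const crypto = require("crypto");

// Password = Base64(HMAC-SHA1(key = shared secret, message = username)),
// the same derivation as the PowerShell snippet in this thread.
function turnPassword(secret, username) {
  return crypto.createHmac("sha1", secret).update(username, "utf8").digest("base64");
}

// Issue a short-lived pair on the web server. The username is the UNIX
// timestamp at which the credentials expire, so it must be numeric.
function issueCredentials(secret, ttlSeconds, nowSeconds = Math.floor(Date.now() / 1000)) {
  const username = String(nowSeconds + ttlSeconds);
  return { username, credential: turnPassword(secret, username) };
}

// Sketch of what a TURN server sharing the secret has to verify (assumption,
// reconstructed from the log messages, not taken from eturnal's source).
function checkCredentials(secret, username, password, nowSeconds = Math.floor(Date.now() / 1000)) {
  // A username such as "inventis" fails here: it is not an expiry timestamp.
  if (!/^\d+$/.test(username)) return "non-numeric expiration";
  if (Number(username) <= nowSeconds) return "expired";
  const expected = Buffer.from(turnPassword(secret, username));
  const given = Buffer.from(String(password));
  // Constant-time comparison; lengths must match before timingSafeEqual.
  if (expected.length !== given.length || !crypto.timingSafeEqual(expected, given)) {
    return "bad password";
  }
  return "ok";
}

// Constructed demo values (placeholders, not a real deployment's secret).
const demoSecret = "constructed-example-secret";
const demo = issueCredentials(demoSecret, 3600);
console.log("hand to the WebRTC client:", demo);
console.log("valid pair       ->", checkCredentials(demoSecret, demo.username, demo.credential));
console.log("static user name ->", checkCredentials(demoSecret, "inventis", "inventis"));
console.log("server has a different secret ->",
  checkCredentials("stale-secret", demo.username, demo.credential));
```

The last case is also what a server reports when it is still running with an old secret after eturnal.yml was edited, because both sides must derive the password from the same value.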

Dear Mr. weiss
Thanks for your reply.

I have a question.
If it is a dynamic credential, what values should I put in the username and password on the turn test site?

https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/
https://icetest.info/


weiss commented

If it is a dynamic credential, what values should I put in the username and password on the turn test site?

Once you created a username/password using e.g. the PowerShell code shown above you can use it for that test site.

So where should I input the PowerShell code you told me?
I'm not sure.
Sorry. Can you tell me in detail?

So where should I input the PowerShell code you told me?

You can put it into your PowerShell in Windows or use an online tool to generate the username/password to input in the ICE Test, e.g. here.

Username:
1735686000
Password:
6rj3WhfZzhmc8DjnI2aHs8cyd5o=

The Output provides credentials based on the

$secret = "inventis" # As specified in your eturnal.yml.

The secret part is defined in the eturnal.yml configuration file.

eturnal:

  ## Shared secret for deriving temporary TURN credentials (default: $RANDOM):
  secret: "inventis"

Dear All,

Yes, I understand.
It's working.
Thank you for your support.

Dear All,

Yes, I understand. It's working. Thank you for your support.

hi, YoonJiBum:

Username: 1735686000 Password: 6rj3WhfZzhmc8DjnI2aHs8cyd5o=
based on the same secret "inventis" as yours
test page trickle-ice still report err:

Time Type Foundation Protocol Address Port Priority URL (if present) relayProtocol (if present)
0.003 host 3075462482 udp 481dac3a-0f51-4c70-bba1-c2be0e1ef816.local 51131 126 | 30 | 255
0.038 srflx 842163049 udp 22.7.97.224 12696 100 | 30 | 255
0.123 Authentication failed?

The server stun:xxx.com:3478 returned an error with code=701:STUN host lookup received error.

The server turn:xxx.com:3478?transport=udp returned an error with code=701:TURN host lookup received error.

The server turn:xxx.com:3478?transport=udp returned an error with code=401:Unauthorized

in eturnal.log:
2022-12-01 08:59:04.434000+08:00 [notice] Failed long-term STUN/TURN authentication [UDP, session u8uqy22l5acf, user 1735686000, client 22.7.97.224:11096]

any ideas? thanks


solved, my fault: forgot to restart eturnal... 😭