NoMachine Support

ID: AR07N00894
Applies to: NX Technology
Added on: 2016-07-05
Last update: 2017-01-13
How to set up your own STUN/TURN server for NAT traversal

This article is intended as an example of how to build and configure your own STUN/TURN server in order to use WebRTC for NoMachine web sessions. WebRTC is supported since NoMachine version 5.1.40, but it's not enabled by default. For configuring the NoMachine server to use WebRTC see: https://www.nomachine.com/AR07N00892

A STUN/TURN server is needed when the node where the web session will be started is behind a NAT. The node can be the NoMachine server host or any of the remote nodes being part of its multinode environment.

The WebRTC peer-to-peer communication happens between the user's browser and the node where the web session is started. If the node is on a public host with an external IP, the communication is established without problems. If the node is instead behind a NAT, a STUN/TURN server is necessary for negotiating NAT traversal when establishing peer-to-peer WebRTC communication.

Note that if the node is not behind a NAT there are the following possible scenarios:

1. If the system firewall is blocking all outbound and inbound ports, the WebRTC connection cannot be established. A STUN/TURN server is necessary in this case too.

2. If the system firewall is blocking only inbound ports, the connection is possible only if the user's device is not behind a NAT and has a public IP.

If the user's device is instead behind a NAT, the connection will not be made. Setting up a STUN/TURN server helps in this case as well.

3. If the system firewall is blocking only outbound ports, the WebRTC connection is possible because the node has a public IP and is not behind a NAT: the user's device can open the connection towards the node, and a NAT router on the user's side does not block such outbound connections.


An alternative to setting up your own STUN/TURN server is to use one of the public NAT traversal services available on the internet. For example, this is a list of public STUN servers:

stun1.l.google.com:19302
stun2.l.google.com:19302
stun3.l.google.com:19302
stun4.l.google.com:19302
stun.stunprotocol.org:3478

Note that the servers listed above provide STUN only, so they give no TURN fallback, and that using a third party's TURN server means the session's media is relayed through that party's infrastructure.


When a STUN/TURN server is used, STUN is usually attempted first. Depending on your needs, it's also possible to use either a STUN server or a TURN server only. The main difference between the two is that with STUN the media travels directly between the two end points, whereas with TURN it is relayed through the server. Note that, depending on network topology (i.e. the combination of NAT types, firewalls and network configurations), STUN may not work. Its success rate is about 80%, so when connectivity through STUN fails a TURN server is needed as fallback, otherwise it will not be possible to run NoMachine web sessions with WebRTC enabled.


The following example explains how to set up a STUN/TURN server on recent Ubuntu versions by using the Coturn server, a free open source implementation of a TURN and STUN server: https://github.com/coturn/coturn

Note that the 'coturn' package is available in the official repositories for Ubuntu 15.04 and later. Older versions or other operating systems like CentOS don't have such a package in their repositories, so it is necessary to install the Coturn server manually or use an alternative, older project called 'rfc5766-turn-server'.

See: https://github.com/coturn/coturn/wiki/Downloads for the available options.


How to set up a Coturn TURN server on Ubuntu 16.04 or 15.10

Premises

In this example Coturn is set up on a host machine not behind a NAT and with a static public IP. A different set-up will require advanced configuration of the Coturn server (for example the external-ip key when the host itself is behind a NAT), which is beyond the scope of this article.


1) Install the coturn package by running from a console:

sudo apt-get install coturn


2) Prepare the Coturn server configuration file.

Locate the turnserver.conf file. With the Ubuntu package it's usually: /etc/turnserver.conf

If the /etc/turnserver.conf file is not available but there is, for example, a /usr/local/etc/turnserver.conf.default file (as with a manual install), copy it to /usr/local/etc:

cp -p /usr/local/etc/turnserver.conf.default /usr/local/etc/turnserver.conf

to create the turnserver.conf configuration file.

The rest of this article refers to /usr/local/etc/turnserver.conf; if your file is /etc/turnserver.conf, edit that one instead.


By default Coturn works like a STUN/TURN server.

If you want to make it work as a TURN server only edit /usr/local/etc/turnserver.conf and uncomment this key:

no-stun

This example uses default settings, i.e. the Coturn server works as STUN/TURN server.

3) The system listening IP

By default the Coturn server listens on all system IPs. The listening-ip key restricts it to one address, and any address it listens on can be specified in the NoMachine server configuration, as long as it is reachable from the users' browsers.

This example uses: listening-ip=172.17.19.101

Note that 172.17.19.101 is a private address, so in this example the server is only reachable from inside that network; on the public host assumed in the premises, use the host's public IP.


4) Set username and password to access the Coturn server

By default the Coturn server has no authentication configured. Set a username and password, otherwise anyone who can reach the server can use it to relay traffic.

Edit /usr/local/etc/turnserver.conf and set username and password in this key:

user=username:password

Remember that these credentials will have to be specified in the NoMachine server configuration.

In this example we set:

user=test01:testdriver

Use a long random password in a real deployment; the one above is only for the test drive. Coturn can also store the key derived from the password instead of the clear-text password (user=username:0x<key>, with the key printed by turnadmin -k -u username -r realm -p password); see the Coturn documentation.


5) Listening ports

The default listener port for UDP and TCP is 3478 and for TLS and DTLS it is 5349, as specified in the Coturn configuration file:

listening-port=3478
tls-listening-port=5349

These ports are the same for STUN and TURN. For the relayed traffic itself TURN allocates ports from the default range 49152-65535 (the min-port and max-port keys change it), so the host firewall must accept UDP on that range as well as on the listening ports.

Note that the listening ports can be changed to 80 or 443 to get through restrictive firewalls that only allow web ports. We always recommend referring to the official documentation of the Coturn server for configuring it: https://github.com/coturn/coturn/wiki/turnserver

This example uses the default ports.

Remember the value set for the listening-port key (3478 in this case), it will have to be specified in the NoMachine server configuration.


6) Configure Coturn server to support WebRTC

Please refer to the Coturn guide and usage to configure it for supporting WebRTC.

This example uses the following configuration, added at the end of the /usr/local/etc/turnserver.conf file:

verbose
fingerprint
lt-cred-mech
realm=testdrive.com

Here lt-cred-mech selects the long-term credential mechanism that WebRTC clients use (the user key from step 4 is checked against it), realm is the realm those credentials belong to, and fingerprint adds a FINGERPRINT attribute to the messages so that STUN packets can be told apart from other traffic on the same port.
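To make concrete what the lt-cred-mech, realm and fingerprint keys mean on the wire, here is an added example (not NoMachine's or Coturn's code) that builds a TURN Allocate request protected by the long-term credential mechanism of RFC 5389 and checks it the way the server does. It uses the user, password and realm from this article; the nonce and transaction id are constructed sample values, and the credential store is an in-memory dict standing in for the user= line.

```python
# Added example, not NoMachine's or Coturn's code: a TURN Allocate request
# with USERNAME, REALM, NONCE, MESSAGE-INTEGRITY and FINGERPRINT (RFC 5389),
# and the server-side check that 'lt-cred-mech' + 'fingerprint' correspond to.
import hashlib
import hmac
import os
import struct
import zlib
from typing import Callable, Dict, Optional, Tuple

MAGIC_COOKIE = 0x2112A442
ALLOCATE_REQUEST = 0x0003
ATTR_USERNAME = 0x0006
ATTR_MESSAGE_INTEGRITY = 0x0008
ATTR_REALM = 0x0014
ATTR_NONCE = 0x0015
ATTR_FINGERPRINT = 0x8028
FINGERPRINT_XOR = 0x5354554E


def lt_key(username: str, realm: str, password: str) -> bytes:
    """Long-term credential key = MD5("username:realm:password").
    'turnadmin -k -u USER -r REALM -p PASS' prints these 16 bytes as hex, and
    turnserver.conf accepts them as user=USER:0x<hex> instead of the password."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()


def _attr(attr_type: int, value: bytes) -> bytes:
    """One STUN TLV attribute, value padded to a 4-byte boundary."""
    return struct.pack("!HH", attr_type, len(value)) + value + b"\x00" * ((-len(value)) % 4)


def _header(msg_type: int, length: int, txid: bytes) -> bytes:
    return struct.pack("!HHI", msg_type, length, MAGIC_COOKIE) + txid


def build_allocate(username: str, realm: str, nonce: bytes, password: str,
                   txid: Optional[bytes] = None) -> bytes:
    """Client side: Allocate request carrying the long-term credentials."""
    txid = txid or os.urandom(12)
    body = (_attr(ATTR_USERNAME, username.encode())
            + _attr(ATTR_REALM, realm.encode())
            + _attr(ATTR_NONCE, nonce))
    # HMAC-SHA1 over header + preceding attributes; the header length field
    # already counts the 24-byte MESSAGE-INTEGRITY attribute itself.
    mac = hmac.new(lt_key(username, realm, password),
                   _header(ALLOCATE_REQUEST, len(body) + 24, txid) + body,
                   hashlib.sha1).digest()
    body += _attr(ATTR_MESSAGE_INTEGRITY, mac)
    # CRC-32 over everything before FINGERPRINT (length counting its 8 bytes),
    # XORed with 0x5354554e so it cannot be confused with a plain CRC.
    crc = zlib.crc32(_header(ALLOCATE_REQUEST, len(body) + 8, txid) + body) ^ FINGERPRINT_XOR
    body += _attr(ATTR_FINGERPRINT, struct.pack("!I", crc))
    return _header(ALLOCATE_REQUEST, len(body), txid) + body


def parse_attrs(msg: bytes) -> Dict[int, Tuple[int, bytes]]:
    """attribute type -> (offset where the attribute starts, value)."""
    attrs, pos = {}, 20
    while pos + 4 <= len(msg):
        t, ln = struct.unpack("!HH", msg[pos:pos + 4])
        attrs[t] = (pos, msg[pos + 4:pos + 4 + ln])
        pos += 4 + ln + ((-ln) % 4)
    return attrs


def verify(msg: bytes, lookup_key: Callable[[str, str], Optional[bytes]]) -> bool:
    """Server side: framing, FINGERPRINT, then MESSAGE-INTEGRITY with the key
    stored for (username, realm). Anything failing here gets a 401 from Coturn."""
    if len(msg) < 20:
        return False
    msg_type, length, cookie = struct.unpack("!HHI", msg[:8])
    if cookie != MAGIC_COOKIE or length + 20 != len(msg):
        return False
    attrs = parse_attrs(msg)
    if ATTR_FINGERPRINT in attrs:
        fp_off, fp_val = attrs[ATTR_FINGERPRINT]
        if len(fp_val) != 4 or struct.unpack("!I", fp_val)[0] != (zlib.crc32(msg[:fp_off]) ^ FINGERPRINT_XOR):
            return False
    if not all(a in attrs for a in (ATTR_MESSAGE_INTEGRITY, ATTR_USERNAME, ATTR_REALM)):
        return False
    mi_off, mac = attrs[ATTR_MESSAGE_INTEGRITY]
    key = lookup_key(attrs[ATTR_USERNAME][1].decode(errors="replace"),
                     attrs[ATTR_REALM][1].decode(errors="replace"))
    if key is None:
        return False
    # Recompute with the length field pointing at the end of MESSAGE-INTEGRITY.
    signed = struct.pack("!HHI", msg_type, mi_off + 4, MAGIC_COOKIE) + msg[8:mi_off]
    return hmac.compare_digest(mac, hmac.new(key, signed, hashlib.sha1).digest())


# Server-side store in the form this article configures (user=test01:testdriver,
# realm=testdrive.com), kept as the derived key rather than the clear password.
USERS = {("test01", "testdrive.com"): lt_key("test01", "testdrive.com", "testdriver")}
NONCE = b"5f3a9c1e2b7d4a60"  # constructed; a real server issues it in its 401 reply


def demo() -> Tuple[bool, bool]:
    """(valid request accepted, same request with a wrong password rejected)."""
    def find(user: str, realm: str) -> Optional[bytes]:
        return USERS.get((user, realm))
    good = build_allocate("test01", "testdrive.com", NONCE, "testdriver")
    bad = build_allocate("test01", "testdrive.com", NONCE, "wrong-password")
    return verify(good, find), verify(bad, find)


if __name__ == "__main__":
    print(demo())
```

The point to take from this is that the password never travels over the network: only an HMAC keyed with MD5(username:realm:password) does, which is why Coturn can hold the 0x<key> form of the credential instead of the clear-text password, and why the realm in turnserver.conf must be the one the client signs with.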
 

7) Start the Coturn server by running from a console:

$ sudo turnserver -c /usr/local/etc/turnserver.conf &

(the -c option points turnserver at the configuration file, in case it is not in the default location). On Ubuntu the coturn package also installs a service that reads /etc/turnserver.conf: to use it instead, set TURNSERVER_ENABLED=1 in /etc/default/coturn and run sudo systemctl restart coturn.

As a note, Coturn writes its log file in one of /var/log, /log/, /var/tmp, /tmp or the current directory; the log-file key in turnserver.conf sets an explicit path.

The Coturn server should now be up and running.
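Before starting the server it is worth checking that the configuration built in steps 2 to 6 does not leave an open relay. The following is an added example script (not part of this article or of Coturn) that reads a turnserver.conf and reports the security-relevant keys; the option names are Coturn's own, the file path is whatever you pass in, and it assumes Coturn's rule that a line starting with '#' is a comment.

```sh
#!/bin/sh
# Added example, not NoMachine's or Coturn's code: lint a turnserver.conf for
# the settings that decide whether the relay is open to anyone who can reach it.
# Usage: lint_turnserver_conf /usr/local/etc/turnserver.conf  (exit 0 = looks sane)

ACTIVE=""   # uncommented, non-blank lines of the file being checked

conf_has() {
    # True when an active line starts with the given option (basic regex).
    printf '%s\n' "$ACTIVE" | grep -q "^[[:space:]]*$1"
}

lint_turnserver_conf() {
    conf="$1"
    rc=0
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 1; }
    # A line starting with '#' is a comment, so a commented-out user= line
    # must not count as credentials.
    ACTIVE=$(sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' "$conf")

    if conf_has 'no-auth[[:space:]]*$'; then
        echo "FAIL: no-auth is set, anyone who can reach the server can allocate relays"; rc=1
    fi
    if ! conf_has 'lt-cred-mech'; then
        echo "FAIL: lt-cred-mech missing, WebRTC clients use long-term credentials"; rc=1
    fi
    if ! conf_has 'realm='; then
        echo "FAIL: realm= missing, required by lt-cred-mech"; rc=1
    fi
    if conf_has 'user=[^:]*:0x'; then
        echo "OK: user= stores a derived key (turnadmin -k), not the clear password"
    elif conf_has 'user='; then
        echo "WARN: user= stores a clear-text password; consider the user=NAME:0x<key> form"
    elif ! conf_has 'use-auth-secret'; then
        echo "FAIL: no credentials at all (no user= and no use-auth-secret)"; rc=1
    fi
    conf_has 'listening-ip=' || echo "INFO: no listening-ip=, Coturn will bind every interface"
    return $rc
}

# Run directly with a path argument; when sourced, call lint_turnserver_conf yourself.
if [ -n "${1:-}" ]; then
    lint_turnserver_conf "$1"
fi
```

A non-zero exit means one of the FAIL findings applies; the check runs before the server is started, so it is a cheap gate to put in whatever script or deployment step installs the configuration.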

 

How to configure the NoMachine server to rely on this Coturn server

8) In order to enable the use of WebRTC, edit the NoMachine configuration file, i.e.:

a) for v. 6 or later:

the server configuration file (server.cfg)

b) for v. prior to 6:

the cloud configuration file (cloud.cfg)

and apply the changes described in the next steps.


8.1) Edit the configuration file, uncomment and set:

AcceptedMethods classic,webrtc

to ensure that support for WebRTC is enabled.


8.2) Specify the settings for your Coturn server in Section "STUN", and be sure to uncomment the section to enable it:

Section "STUN"

Host     <IP of the Coturn server host, the listening-ip set in step 3>
Port     <port set in the Coturn's listening-port key, see step 5>
User     <username set in the Coturn's configuration, see step 4>
Password <password set in the Coturn's configuration, see step 4>

EndSection


8.3) Create Section "TURN" by copying the same parameters of Section "STUN" and setting the appropriate values.

Since the Coturn server configuration shares the same IP, port and credentials for STUN and TURN, Section "STUN" and Section "TURN" will be identical in the configuration file.

NOTE

If Coturn is configured to work only as a TURN server, remove Section "STUN" from the configuration file and complete only Section "TURN".


In this example, the configuration file looks like:

Section "STUN"

Host     172.17.19.101
Port     3478
User     test01
Password testdriver

EndSection

Section "TURN"

Host     172.17.19.101
Port     3478
User     test01
Password testdriver

EndSection