Docker min and max port not being used
S0ulDrag0n opened this issue · comments
I am running the latest coturn docker container on Unraid. I've port forwarded the STUN port but wanted to limit the relay ports. I've provided a conf file and set extra parameters to limit the max port. However, ICE tests seem to continue to return ports outside of the defined port range.
turnserver.conf:

```ini
listening-port=3478
tls-listening-port=5349
min-port=49152
max-port=49154
fingerprint
lt-cred-mech
use-auth-secret
static-auth-secret=sdrofiopasdfimopaipoi[pofdgip[
server-name=matrix.example.com
realm=matrix.example.com
stale-nonce=600
cert=/etc/ssl/certs/cert.pem
pkey=/etc/ssl/private/privkey.pem
syslog
no-rfc5780
no-stun-backward-compatibility
response-origin-only-with-rfc5780
```
Unraid Docker command:

```shell
docker run \
  -d \
  --name='coturn' \
  --net='br0' \
  --ip='192.168.1.45' \
  -e TZ="America/Los_Angeles" \
  -e HOST_OS="Unraid" \
  -e HOST_HOSTNAME="Maynard" \
  -e HOST_CONTAINERNAME="coturn" \
  -e 'TCP_PORT_3478'='3478' \
  -e 'UDP_PORT_3478'='3478' \
  -e 'DETECT_EXTERNAL_IP'='yes' \
  -e 'DETECT_RELAY_IP'='yes' \
  -l net.unraid.docker.managed=dockerman \
  -l net.unraid.docker.icon='https://raw.githubusercontent.com/xthursdayx/docker-templates/master/xthursdayx/images/webrtc-icon.png' \
  -v '/mnt/cache/appdata/coturn/turnserver.conf':'/etc/coturn/turnserver.conf':'rw' \
  -v '/mnt/cache/appdata/coturn/keys':'/etc/ssl/':'rw' 'coturn/coturn' \
  --min-port=49152 \
  --max-port=49154
```
ICE results:

```
IceGatheringState: complete
host   udp  :49256                 N/A
srflx  udp  111.111.111.111:49256  0.0.0.0:0
```
What might be the cause of this?
@S0ulDrag0n could you please show the server's stdout? It should print its configuration on start. There we can see whether the specified options were actually considered.
@tyranron Thanks for the quick response! Sorry about that, here are the logs:

```
0: (1): INFO: System cpu num is 128
0: (1): INFO: log file opened: /var/tmp/turn_1_2024-04-18.log
0: (1): INFO: System enable num is 48
0: (1): INFO: Coturn Version Coturn-4.6.2 'Gorst'
0: (1): INFO: Max number of open files/sockets allowed for this process: 40960
0: (1): INFO: Due to the open files/sockets limitation, max supported number of TURN Sessions possible is: 20000 (approximately)
0: (1): INFO:
==== Show him the instruments, Practical Frost: ====
0: (1): INFO: OpenSSL compile-time version: OpenSSL 3.0.11 19 Sep 2023 (0x300000b0)
0: (1): INFO: TLS 1.3 supported
0: (1): INFO: DTLS 1.2 supported
0: (1): INFO: TURN/STUN ALPN supported
0: (1): INFO: Third-party authorization (oAuth) supported
0: (1): INFO: GCM (AEAD) supported
0: (1): INFO: SQLite supported, default database location is /var/lib/coturn/turndb
0: (1): INFO: Redis supported
0: (1): INFO: PostgreSQL supported
0: (1): INFO: MySQL supported
0: (1): INFO: MongoDB supported
0: (1): INFO: Default Net Engine version: 3 (UDP thread per CPU core)
0: (1): INFO: Domain name:
0: (1): INFO: Default realm: matrix.example.com
0: (1): WARNING: CONFIG: You specified --lt-cred-mech and --use-auth-secret in the same time.
Be aware that you could not mix the username/password and the shared secret based auth methods.
Shared secret overrides username/password based auth method. Check your configuration!
0: (1): ERROR: CONFIG: Empty cli-password, and so telnet cli interface is disabled! Please set a non empty cli-password!
0: (1): WARNING: cannot find certificate file: /etc/ssl/certs/cert.pem (1)
0: (1): WARNING: cannot start TLS and DTLS listeners because certificate file is not set properly
0: (1): WARNING: cannot find private key file: /etc/ssl/private/privkey.pem (1)
0: (1): WARNING: cannot start TLS and DTLS listeners because private key file is not set properly
0: (1): INFO: Certificate file found: /etc/ssl/certs/cert.pem
0: (1): INFO: Private key file found: /etc/ssl/private/privkey.pem
0: (1): WARNING: NO EXPLICIT LISTENER ADDRESS(ES) ARE CONFIGURED
0: (1): INFO: ===========Discovering listener addresses: =========
0: (1): INFO: Listener address to use: 127.0.0.1
0: (1): INFO: Listener address to use: 192.168.1.45
0: (1): INFO: =====================================================
0: (1): INFO: Total: 1 'real' addresses discovered
0: (1): INFO: =====================================================
0: (1): WARNING: NO EXPLICIT RELAY ADDRESS(ES) ARE CONFIGURED
0: (1): INFO: ===========Discovering relay addresses: =============
0: (1): INFO: Relay address to use: 192.168.1.45
0: (1): INFO: =====================================================
0: (1): INFO: Total: 1 relay addresses discovered
0: (1): INFO: =====================================================
0: (1): WARNING: Cannot create pid file: /var/run/turnserver.pid
0: (1): INFO: pid file created: /var/tmp/turnserver.pid
0: (1): INFO: IO method: epoll (with changelist)
0: (1): INFO: RFC5780 disabled! /NAT behavior discovery/
0: (1): INFO: Wait for relay ports initialization...
0: (1): INFO: relay 192.168.1.45 initialization...
0: (1): INFO: relay 192.168.1.45 initialization done
0: (1): INFO: Relay ports initialization done
0: (10): DEBUG: turn server id=0 created
0: (12): DEBUG: turn server id=2 created
0: (11): DEBUG: turn server id=1 created
0: (13): DEBUG: turn server id=3 created
0: (14): DEBUG: turn server id=4 created
0: (15): DEBUG: turn server id=5 created
0: (16): DEBUG: turn server id=6 created
0: (17): DEBUG: turn server id=7 created
0: (18): DEBUG: turn server id=8 created
0: (19): DEBUG: turn server id=9 created
0: (20): DEBUG: turn server id=10 created
0: (21): DEBUG: turn server id=11 created
0: (23): DEBUG: turn server id=13 created
0: (22): DEBUG: turn server id=12 created
0: (24): DEBUG: turn server id=14 created
0: (25): DEBUG: turn server id=15 created
0: (27): DEBUG: turn server id=17 created
0: (26): DEBUG: turn server id=16 created
0: (28): DEBUG: turn server id=18 created
0: (29): DEBUG: turn server id=19 created
0: (30): DEBUG: turn server id=20 created
0: (31): DEBUG: turn server id=21 created
0: (32): DEBUG: turn server id=22 created
0: (33): DEBUG: turn server id=23 created
0: (34): DEBUG: turn server id=24 created
0: (35): DEBUG: turn server id=25 created
0: (37): DEBUG: turn server id=27 created
0: (36): DEBUG: turn server id=26 created
0: (38): DEBUG: turn server id=28 created
0: (39): DEBUG: turn server id=29 created
0: (40): DEBUG: turn server id=30 created
0: (41): DEBUG: turn server id=31 created
0: (43): DEBUG: turn server id=33 created
0: (42): DEBUG: turn server id=32 created
0: (44): DEBUG: turn server id=34 created
0: (45): DEBUG: turn server id=35 created
0: (46): DEBUG: turn server id=36 created
0: (47): DEBUG: turn server id=37 created
0: (48): DEBUG: turn server id=38 created
0: (49): DEBUG: turn server id=39 created
0: (50): DEBUG: turn server id=40 created
0: (51): DEBUG: turn server id=41 created
0: (1): INFO: Total General servers: 128
0: (111): DEBUG: turn server id=101 created
0: (127): DEBUG: turn server id=117 created
0: (132): DEBUG: turn server id=122 created
0: (131): DEBUG: turn server id=121 created
0: (120): DEBUG: turn server id=110 created
0: (137): DEBUG: turn server id=127 created
0: (107): DEBUG: turn server id=97 created
0: (135): DEBUG: turn server id=125 created
0: (133): DEBUG: turn server id=123 created
0: (130): DEBUG: turn server id=120 created
0: (125): DEBUG: turn server id=115 created
0: (52): DEBUG: turn server id=42 created
0: (128): DEBUG: turn server id=118 created
0: (136): DEBUG: turn server id=126 created
0: (110): DEBUG: turn server id=100 created
0: (117): DEBUG: turn server id=107 created
0: (126): DEBUG: turn server id=116 created
0: (85): DEBUG: turn server id=75 created
0: (121): DEBUG: turn server id=111 created
0: (114): DEBUG: turn server id=104 created
0: (123): DEBUG: turn server id=113 created
0: (115): DEBUG: turn server id=105 created
0: (94): DEBUG: turn server id=84 created
0: (113): DEBUG: turn server id=103 created
0: (109): DEBUG: turn server id=99 created
0: (118): DEBUG: turn server id=108 created
0: (134): DEBUG: turn server id=124 created
0: (98): DEBUG: turn server id=88 created
0: (84): DEBUG: turn server id=74 created
0: (122): DEBUG: turn server id=112 created
0: (92): DEBUG: turn server id=82 created
0: (103): DEBUG: turn server id=93 created
0: (119): DEBUG: turn server id=109 created
0: (100): DEBUG: turn server id=90 created
0: (90): DEBUG: turn server id=80 created
0: (112): DEBUG: turn server id=102 created
0: (88): DEBUG: turn server id=78 created
0: (91): DEBUG: turn server id=81 created
0: (83): DEBUG: turn server id=73 created
0: (97): DEBUG: turn server id=87 created
0: (93): DEBUG: turn server id=83 created
0: (106): DEBUG: turn server id=96 created
0: (102): DEBUG: turn server id=92 created
0: (86): DEBUG: turn server id=76 created
0: (105): DEBUG: turn server id=95 created
0: (116): DEBUG: turn server id=106 created
0: (95): DEBUG: turn server id=85 created
0: (87): DEBUG: turn server id=77 created
0: (89): DEBUG: turn server id=79 created
0: (101): DEBUG: turn server id=91 created
0: (104): DEBUG: turn server id=94 created
0: (81): DEBUG: turn server id=71 created
0: (99): DEBUG: turn server id=89 created
0: (108): DEBUG: turn server id=98 created
0: (124): DEBUG: turn server id=114 created
0: (80): DEBUG: turn server id=70 created
0: (82): DEBUG: turn server id=72 created
0: (129): DEBUG: turn server id=119 created
0: (96): DEBUG: turn server id=86 created
0: (79): DEBUG: turn server id=69 created
0: (57): DEBUG: turn server id=47 created
0: (75): DEBUG: turn server id=65 created
0: (60): DEBUG: turn server id=50 created
0: (61): DEBUG: turn server id=51 created
0: (78): DEBUG: turn server id=68 created
0: (72): DEBUG: turn server id=62 created
0: (77): DEBUG: turn server id=67 created
0: (63): DEBUG: turn server id=53 created
0: (70): DEBUG: turn server id=60 created
0: (64): DEBUG: turn server id=54 created
0: (59): DEBUG: turn server id=49 created
0: (54): DEBUG: turn server id=44 created
0: (55): DEBUG: turn server id=45 created
0: (66): DEBUG: turn server id=56 created
```
@S0ulDrag0n seems like the config was picked up correctly, so the min/max ports are intact. Seems like it's not a Docker-related issue.

Where are you running ICE gathering from? From your output, I don't see any `relay` candidates (only `host` and `srflx` are there):

```
ICE results:
IceGatheringState: complete host udp :49256 N/A srflx udp 111.111.111.111:49256 0.0.0.0:0
```

So these ports are definitely not the server's `relay` ones.

Are all the expected ports actually reachable by TCP and UDP? Maybe some firewall issues?
@tyranron I was testing here: https://icetest.info/

I took out the server addresses from my result but the ports are the same. The port it's trying to reach (49256) is unreachable and I originally wanted to restrict it to the min and max port. However, the server doesn't seem to be taking the range. Hence, the attempt to use port 49256.

```ini
min-port=49152
max-port=49154
```

I was using this to test: `stun:matrix.example.com:3478`
@S0ulDrag0n this seems so wrong on so many points...

- Are you sure that the `matrix.example.com` domain points to your server? I doubt that. For me, it's not even resolvable. Did you try to use your real IP address (judging from the provided logs, it's `192.168.1.45`)?
- If you're using only the STUN protocol via the `stun:matrix.example.com:3478` server, why are you expecting `relay` candidates at all? They can only appear when TURN is used. `min-port` and `max-port`, as specified in the documentation, are only applicable to `relay` candidates:
  - `--min-port <port>`: Lower bound of the UDP port range for relay endpoints allocation. Default value is 49152, according to RFC 5766.
  - `--max-port <port>`: Upper bound of the UDP port range for relay endpoints allocation. Default value is 65535, according to RFC 5766.
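The distinction tyranron draws above (host and srflx ports are chosen by the client and its NAT; only relay candidates are bound to coturn's `min-port`/`max-port`) is easy to check mechanically when reviewing an ICE gathering result. The script below is an added example, not part of the original issue or of coturn: it parses RFC 5245 `a=candidate:` lines, counts candidates per type, and flags relay candidates outside the configured range. The `parse_candidate` and `audit_candidates` names are this example's own, and the sample candidate lines are constructed (the `:49256` host/srflx pair mirrors the issue's output; the relay candidates on `203.0.113.10` are invented for illustration).

```python
"""Classify ICE candidates and check relay candidates against coturn's relay port range.

Added example: not coturn's code and not from the original issue. Sample inputs below
are constructed; the 203.0.113.10 relay address is a documentation-range placeholder.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Simplified RFC 5245 "candidate" attribute: foundation, component-id, transport,
# priority, connection-address, port, "typ", candidate-type (rest of the line ignored).
CANDIDATE_RE = re.compile(
    r"^(?:a=)?candidate:(?P<foundation>\S+)\s+(?P<component>\d+)\s+(?P<transport>\S+)\s+"
    r"(?P<priority>\d+)\s+(?P<address>\S+)\s+(?P<port>\d+)\s+typ\s+"
    r"(?P<type>host|srflx|prflx|relay)\b"
)


@dataclass(frozen=True)
class Candidate:
    transport: str
    address: str
    port: int
    ctype: str


def parse_candidate(line: str):
    """Parse one candidate line; return None for lines that are not candidates."""
    m = CANDIDATE_RE.match(line.strip())
    if not m:
        return None
    return Candidate(m["transport"].lower(), m["address"], int(m["port"]), m["type"])


def audit_candidates(lines, min_port: int, max_port: int) -> dict:
    """Count candidates per type and flag relay candidates outside [min_port, max_port].

    host/srflx ports are picked by the client and its NAT, never by the TURN server,
    so only relay candidates are compared against the server's min-port/max-port.
    """
    cands = [c for c in map(parse_candidate, lines) if c is not None]
    counts = Counter(c.ctype for c in cands)
    out_of_range = sorted(
        c.port for c in cands if c.ctype == "relay" and not (min_port <= c.port <= max_port)
    )
    if counts["relay"] == 0:
        verdict = ("no relay candidates: min-port/max-port do not apply "
                   "(STUN-only URL, or the TURN allocation did not succeed)")
    elif out_of_range:
        verdict = f"relay port(s) {out_of_range} outside configured range {min_port}-{max_port}"
    else:
        verdict = f"all relay candidates within {min_port}-{max_port}"
    return {"counts": dict(counts), "out_of_range": out_of_range, "verdict": verdict}


# Constructed sample 1: what a STUN-only test returns, as in the issue: host + srflx, no relay.
STUN_ONLY = [
    "a=candidate:1 1 udp 2122260223 192.168.1.10 49256 typ host",
    "a=candidate:2 1 udp 1686052607 111.111.111.111 49256 typ srflx raddr 192.168.1.10 rport 49256",
    "a=end-of-candidates",
]

# Constructed sample 2: a TURN test with two relay candidates, one inside and one outside 49152-49154.
WITH_RELAY = STUN_ONLY + [
    "a=candidate:3 1 udp 41885439 203.0.113.10 49153 typ relay raddr 111.111.111.111 rport 49256",
    "a=candidate:4 1 udp 41885183 203.0.113.10 50000 typ relay raddr 111.111.111.111 rport 49256",
]

if __name__ == "__main__":
    for name, sample in (("stun-only", STUN_ONLY), ("with-relay", WITH_RELAY)):
        print(name, audit_candidates(sample, 49152, 49154))
```

Run against the STUN-only sample the verdict is that the range simply does not apply, which is the situation in this issue; a relay candidate at 50000 on the second sample is what an actual misconfiguration (or a server other than the one you think you are talking to) would look like.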
I think I was able to resolve my issue. I was testing over a VPN on another machine and that was derping it. After switching to a mobile hotspot, I was able to successfully make a connection. I did run into another issue where coturn was not able to allocate enough ports. It turned out I had set the min and max ports in two places. Removing one and increasing the range allowed for more successful connections. I did notice sometimes the server would not return a relay though. There doesn't seem to be anything in the logs either indicating an issue.

Otherwise, I think the main issue is resolved for now. Not sure how the occasional missing relay will affect things long term.

Nvm, occasionally, there will be no video/audio. It does come up after a long pause. Restarting the server does address this though.
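The second problem in the thread, the relay range being set both in `turnserver.conf` and as container arguments after the image name in the `docker run` command, and the range itself being only three ports wide, can be caught before the server is started. The script below is an added example, not coturn's code and not part of the original issue: it parses a `turnserver.conf` fragment and the arguments that follow the image name (Docker hands those to the container's entrypoint, which is how `--min-port`/`--max-port` reached `turnserver` here), reports any option set in both places, and sizes each declared range. The function names (`parse_turnserver_conf`, `container_args`, `parse_cli_opts`, `relay_port_report`, `report_for_issue`) are this example's own, the inputs are constructed from the values in the issue, and which source coturn lets win when both set the same option is deliberately not asserted; the point is to surface the duplication.

```python
"""Flag relay-port settings given in more than one place and size the declared range.

Added example: not coturn's code and not from the original issue. The conf fragment and
the docker command below are constructed from the values shown in the issue.
"""
import shlex


def parse_turnserver_conf(text: str) -> dict:
    """key=value lines become {key: value}; bare flags become {key: True}; '#' comments ignored."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, val = line.partition("=")
        opts[key.strip()] = val.strip() if sep else True
    return opts


def container_args(docker_cmd: str, image: str) -> list:
    """Return the tokens after the image name: docker passes these to the container's entrypoint."""
    tokens = shlex.split(docker_cmd)
    return tokens[tokens.index(image) + 1:]


def parse_cli_opts(args) -> dict:
    """--key=value -> {key: value}; --flag -> {flag: True}; non-option tokens ignored."""
    opts = {}
    for arg in args:
        if arg.startswith("--"):
            key, sep, val = arg[2:].partition("=")
            opts[key] = val if sep else True
    return opts


def relay_port_report(conf_opts: dict, cli_opts: dict) -> dict:
    """Where are min-port/max-port set, do the values agree, and how many ports does each range hold?

    Each TURN allocation consumes at least one relay port (RFC 5766), so the 'ports' figure is an
    upper bound on concurrent allocations; a three-port range is exhausted almost immediately.
    """
    names = ("min-port", "max-port")
    duplicated = [n for n in names if n in conf_opts and n in cli_opts]
    conflicting = [n for n in duplicated if str(conf_opts[n]) != str(cli_opts[n])]
    ranges = {}
    for source, opts in (("conf", conf_opts), ("cli", cli_opts)):
        if all(n in opts for n in names):
            lo, hi = int(opts["min-port"]), int(opts["max-port"])
            ranges[source] = {"min": lo, "max": hi, "ports": hi - lo + 1 if hi >= lo else 0}
    return {"duplicated": duplicated, "conflicting": conflicting, "ranges": ranges}


# Constructed from the issue: the conf file and the relevant part of the Unraid docker command.
CONF = """\
listening-port=3478
min-port=49152
max-port=49154
fingerprint
realm=matrix.example.com
"""

DOCKER_CMD = (
    "docker run -d --name='coturn' --net='br0' --ip='192.168.1.45' "
    "-v '/mnt/cache/appdata/coturn/turnserver.conf':'/etc/coturn/turnserver.conf':'rw' "
    "'coturn/coturn' --min-port=49152 --max-port=49154"
)


def report_for_issue() -> dict:
    """Run the check on the constructed inputs above."""
    conf_opts = parse_turnserver_conf(CONF)
    cli_opts = parse_cli_opts(container_args(DOCKER_CMD, "coturn/coturn"))
    return relay_port_report(conf_opts, cli_opts)


if __name__ == "__main__":
    print(report_for_issue())
```

For the inputs above the report lists both `min-port` and `max-port` as duplicated (with agreeing values) and sizes each range at three ports, which matches the "not able to allocate enough ports" symptom described in the thread.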