Questions about how mediasoup connects to TURN servers from both ends

I’ve been trying to integrate TURN servers into my application’s stack. Up until now, we’ve had our mediasoup backend servers publicly available, but for security purposes we want to make them private so that everything in our EKS cluster is on private subnets. Since they have been publicly available up until now, there’s been no problem with clients connecting directly to the servers running mediasoup.

My understanding is that this sort of situation is where TURN comes into play. Based on a couple of older threads here, I’m starting to piece together how mediasoup needs to be configured. Per what I saw in STUN / TURN server - #12 by ibc, the backend server shouldn’t need to know anything about TURN at all, and mediasoup client should just need the address and credentials of the TURN server.

When I move our backend servers to a private subnet, as expected the client can’t make a direct connection to the host, and then tries to go through the TURN server. It’s stalling out at that point, however, and I’m unsure where the problem is, whether it’s something about how the TURN server is set up and configured, or whether I’m missing something about how mediasoup needs to be configured.

The TURN server is coturn set up in an EC2 instance that has a public IP address. The security group attached to that instance is letting all TCP and UDP traffic in from everywhere. The instance is in the same VPC as the backend host servers, and I can successfully ping TCP and UDP ports on the host servers from the TURN server, so I think the security is sufficiently open there. trickle-ice suggests that there aren’t any problems with the public-facing networking.

When I look at the logs of the TURN server, I see some ALLOCATE requests coming from the client, but based on what I’ve read, these should be followed soon after by CREATE_PERMISSION requests, and I don’t see any. I think these are supposed to be sent from the client, so I’m unclear as to why mediasoup-client isn’t sending them.

For reference, the iceCandidates that mediasoup server is sending to the client look like this:

  address: "<internal AWS address>"
  foundation: "udpcandidate"
  ip: "<same internal AWS address>"
  port: 7440
  priority: 1076558079
  protocol: "udp"
  type: "host"

and what I’m setting iceServers to in the client looks like this:

        "urls": "turn:<TURN server IP>:3478",
        "username": "<TURN server username>",
        "credential": "<TURN server password>"

Is there anything else I need to do for mediasoup? Any common reasons why it would never request permissions?

This seems to have all been issues with my TURN setup and other networking. I eventually tried a marketplace TURN server (to rule out my unfamiliarity with configuring coturn), and after working through some networking “fun”, got everything working through the TURN server.

In case anyone stumbles across this, one thing that got me was that the managed TURN server I set up was in a different VPC than where mediasoup was. The mediasoup backend servers were sending out a private AWS DNS address, e.g., which the TURN server couldn’t resolve, even after peering the two VPCs. I had to manually change the address and ip in iceCandidates to be the raw IP address.

And, of course, I needed to make sure the security groups sitting between the TURN server and the mediasoup servers let that traffic through.
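The two fixes from the follow-up post, as an added JavaScript example that is not code from the original thread or from mediasoup itself: on the server, rewrite the private DNS name in the transport's `iceCandidates` to the raw IP before sending the options to the client; on the client, merge the TURN entry into `iceServers` (mediasoup-client passes `iceServers` and `iceTransportPolicy` through to the browser, and `'relay'` forces TURN-only, which is a quick way to confirm the relay path works). The hostname map, the sample candidate and the helper names are my own constructions.

```javascript
// Constructed stand-in for DNS resolution inside the VPC: maps the private
// AWS hostname mediasoup put in the candidate to the instance's raw IP.
const PRIVATE_DNS_TO_IP = {
  'ip-10-0-12-34.us-east-1.compute.internal': '10.0.12.34',
};

// Cheap check for a literal IPv4/IPv6 address (no DNS lookup needed).
const looksLikeIp = (s) => /^\d{1,3}(\.\d{1,3}){3}$/.test(s) || s.includes(':');

// Return a copy of the server's iceCandidates with any hostname in `address`
// (and its legacy alias `ip`) replaced by the raw IP. Throws if a name cannot
// be resolved, because sending an unresolvable name to the client just stalls
// ICE silently instead of failing loudly.
function rewriteIceCandidates(iceCandidates, lookup = PRIVATE_DNS_TO_IP) {
  return iceCandidates.map((c) => {
    const raw = looksLikeIp(c.address) ? c.address : lookup[c.address];
    if (!raw) throw new Error(`cannot resolve candidate address ${c.address}`);
    return { ...c, address: raw, ip: raw };
  });
}

// Client side: combine the transport options received from the server with
// the TURN server settings. With relayOnly=true the browser is restricted to
// relay candidates, so a working call proves the TURN path end to end.
// Usage: device.createSendTransport(buildClientTransportOptions(opts, turn))
function buildClientTransportOptions(serverOptions, turn, relayOnly = false) {
  const opts = {
    ...serverOptions,
    iceServers: [{ urls: turn.urls, username: turn.username, credential: turn.credential }],
  };
  if (relayOnly) opts.iceTransportPolicy = 'relay';
  return opts;
}

// Constructed sample in the same shape as the candidate quoted in the question.
const SAMPLE_SERVER_OPTIONS = {
  id: 'constructed-transport-id',
  iceCandidates: [
    {
      address: 'ip-10-0-12-34.us-east-1.compute.internal',
      foundation: 'udpcandidate',
      ip: 'ip-10-0-12-34.us-east-1.compute.internal',
      port: 7440,
      priority: 1076558079,
      protocol: 'udp',
      type: 'host',
    },
  ],
};
```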