Support for connections without inbound ports on the server

I believe the answer to my question is MediaSoup doesn’t work for me, but I will try anyways. I have an application (built with webrtc-rs) that I want to replace with mediasoup. This is an application where the server sits behind a customer network that has no inbound ports enabled (communication is done over an SSH tunnel). During my implementation, it looks like mediasoup uses ICE-lite (and doesn’t require STUN servers), but I do need to provide an announceIP, which is publicly available and can be connected to from the outside. Do I have it correct that there is no way around this limitation?

Are you trying to tunnel WebRTC traffic through an ssh tunnel? I suppose in theory, this could work. But probably not well.

I don’t believe ssh tunnels support UDP, so you would have to set the enableUdp option to false. And then announceIP would be set to whatever ip address is on the other end of that tunnel.

The ideal solution would be the underlying mechanism that allows Pion/libwebrtc to work via STUN where IP discovery is done through some third party server. However, I don’t know enough about the WebRTC spec right now to deduce how that works without requiring the client to forward any ports.

I guess what I’m looking for is if there’s a straightforward method to have this work in mediasoup that I may be overlooking, whereby I write my own STUN client implementation and pass that as my announceIP and port.

It sounds like you need something with a full ICE implementation. Mediasoup is ICE-lite, which just passively listens on the bound IPs. It doesn’t have any mechanism for reaching out to STUN servers.
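
For readers wondering what the STUN-based IP discovery mentioned in this thread involves on the wire, here is an added example (not from any poster and not mediasoup code) that builds a STUN Binding Request and decodes the XOR-MAPPED-ADDRESS from a response, per RFC 5389. The function names and the sample response bytes (documentation address 203.0.113.7, port 40000) are constructed for illustration; the decoded address is only the NAT mapping for the socket that sent the request, so this alone does not give an ICE-lite server a reachable address.

```javascript
// Added example: minimal STUN (RFC 5389) Binding encode/decode, IPv4 only.
const crypto = require('crypto');

const MAGIC_COOKIE = 0x2112a442;
const BINDING_REQUEST = 0x0001;
const BINDING_SUCCESS = 0x0101;
const ATTR_XOR_MAPPED_ADDRESS = 0x0020;

// 20-byte header: type, attribute length (0), magic cookie, 96-bit transaction ID.
function buildBindingRequest(txId = crypto.randomBytes(12)) {
  if (txId.length !== 12) throw new Error('transaction ID must be 12 bytes');
  const msg = Buffer.alloc(20);
  msg.writeUInt16BE(BINDING_REQUEST, 0);
  msg.writeUInt32BE(MAGIC_COOKIE, 4);
  txId.copy(msg, 8);
  return msg;
}

// Returns the reflexive { ip, port } the STUN server saw, rejecting any
// response that does not echo our transaction ID (spoofed or stale reply).
function parseBindingResponse(msg, expectedTxId) {
  if (msg.length < 20 || msg.readUInt16BE(0) !== BINDING_SUCCESS) throw new Error('not a Binding success response');
  if (msg.readUInt32BE(4) !== MAGIC_COOKIE) throw new Error('bad magic cookie');
  if (!msg.subarray(8, 20).equals(expectedTxId)) throw new Error('transaction ID mismatch');
  const end = 20 + msg.readUInt16BE(2);
  if (end > msg.length) throw new Error('truncated message');
  let off = 20;
  while (off + 4 <= end) {
    const type = msg.readUInt16BE(off);
    const len = msg.readUInt16BE(off + 2);
    const val = off + 4;
    if (val + len > end) throw new Error('truncated attribute');
    if (type === ATTR_XOR_MAPPED_ADDRESS && len >= 8 && msg[val + 1] === 0x01) {
      // Port is XORed with the top 16 bits of the cookie, address with all 32.
      const port = msg.readUInt16BE(val + 2) ^ (MAGIC_COOKIE >>> 16);
      const addr = (msg.readUInt32BE(val + 4) ^ MAGIC_COOKIE) >>> 0;
      return { ip: [24, 16, 8, 0].map((s) => (addr >>> s) & 0xff).join('.'), port };
    }
    off = val + len + ((4 - (len % 4)) % 4); // attributes are padded to 4 bytes
  }
  throw new Error('no IPv4 XOR-MAPPED-ADDRESS attribute');
}

// Constructed sample response carrying 203.0.113.7:40000 (not captured traffic).
function constructedResponse(txId) {
  const header = Buffer.from('0101000c2112a442', 'hex');
  const attr = Buffer.from('002000080001bd52ea12d545', 'hex');
  return Buffer.concat([header, txId, attr]);
}

const demoTxId = buildBindingRequest().subarray(8, 20);
console.log(parseBindingResponse(constructedResponse(demoTxId), demoTxId));
```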