Posted to user@openmeetings.apache.org by Alain DEVILLE <a....@neo-it.fr> on 2020/06/22 12:20:36 UTC

One port to rule them all ?

Hello,

I have a functional openmeetings installation, and one of the users is in a
restrictive infrastructure for accessing the internet (only ports 443 and 80 are
allowed). Is there a method/tool to proxy/reverse proxy all the ports used?

I know that I can « hide » my server behind an apache proxy or an nginx but
the problem of the ports used for coturn and kurento isn't solved, even web
socket could be tricky.

By default the ports used by openmeetings are these ones:

3478 TCP-UDP IN
5443 TCP IN
8888 TCP IN
49152:65535 UDP IN-OUT

Is it possible to encapsulate all fluxes (web/audio/video) in one port?

Best regards

 

Alain DEVILLE

One port to rule them all ?

Posted by Konstantin Kuzov <ma...@gmail.com>.
Yes, it is possible to set up a server so such clients will work. But it is
a bit tricky:
 1) You need to change the TURN URL in OM so it will use tcp-mode (like
turns:turn.example.org:443?transport=tcp).
 2) Clients behind restrictive firewalls are also most likely proxied and
so there may be traffic inspection on port 443. As such we need to also
mask TURN traffic as https using SSL/TLS by supplying certificates to
coturn and changing the TURN URL flavour from turn to turns in OM config.
 3) Lastly you need to set up some frontend proxy on the server's port 443 which
could inspect the first received packet and by some criteria (like SNI or ALPN)
redirect that and all further packets to a specific destination.

I posted sample configs to this mailing list about a month ago which utilize
nginx's proxying + ssl_preread with SNI redirection. You can check them out
in the mailing list archive.

There are quirks though:
1) ALPN: currently there are no browsers which send ALPN for turn. Also
chromium-based browsers don't send ALPN for websockets.
2) Firefox for some reason does not play nicely when proxied by nginx's
ssl_preread. But it works fine when coturn is listening directly on port 443.
I have not investigated much why that is happening. Chromium-based browsers work
just fine.
3) Also, as I mentioned in the original mail, you generally don't want to proxy
all users via tcp and preferably use this mode only for users behind
restrictive firewalls, as it will add additional latency and there will be more
quality degradation on unstable networks. You can achieve that by
specifying multiple comma-separated turn URLs in OM and putting the tcp one
last.


On Mon, 22 Jun 2020 at 15:20, Alain DEVILLE <a....@neo-it.fr> wrote:

> Hello,
>
> I have a functional openmeetings installation, and one of the users is in a
> restrictive infrastructure for accessing the internet (only ports 443 and 80 are
> allowed). Is there a method/tool to proxy/reverse proxy all the ports
> used?
>
> I know that I can « hide » my server behind an apache proxy or an nginx
> but the problem of the ports used for coturn and kurento isn’t solved,
> even web socket could be tricky…
>
> By default the ports used by openmeetings are these ones :
>
> *3478 TCP-UDP IN*
>
> *5443 TCP IN*
>
> *8888 TCP IN*
>
> *49152:65535 UDP IN-OUT*
>
>
>
> Is it possible to encapsulate all fluxes (web/audio/video) in one port?
>
> Best regards
>
>
>
> Alain DEVILLE
>
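
The front-end step described in point 3 of the reply (look at the first packet on port 443 and pick a destination by SNI) can be sketched as follows. This is an added example, not part of the thread and not the nginx configs the reply refers to; the host names, the coturn TLS port and the function names are assumptions. It routes on SNI only, since the reply notes that browsers send no ALPN for TURN.

```python
import struct

# Assumed backends: the hostnames and the coturn TLS port are illustrative.
ROUTES = {
    "turn.example.org": ("127.0.0.1", 5349),  # coturn TLS listener (assumed port)
    "om.example.org": ("127.0.0.1", 5443),    # OpenMeetings HTTPS port from the thread
}
DEFAULT = ROUTES["om.example.org"]

def u16(buf, pos):
    return struct.unpack_from("!H", buf, pos)[0]

def client_hello_sni(data):
    """Return the SNI host name in the first TLS record, or None if absent."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:   # handshake record, ClientHello
            raise ValueError("not a TLS ClientHello")
        body = data[5:5 + u16(data, 3)]
        p = 4 + 2 + 32                           # handshake header, version, random
        p += 1 + body[p]                         # session id
        p += 2 + u16(body, p)                    # cipher suites
        p += 1 + body[p]                         # compression methods
        end = p + 2 + u16(body, p)               # end of the extensions block
        p += 2
        while p + 4 <= end:
            etype, elen = u16(body, p), u16(body, p + 2)
            ext = body[p + 4:p + 4 + elen]
            if etype == 0:                       # server_name: first host_name entry
                return ext[5:5 + u16(ext, 3)].decode("ascii").lower()
            p += 4 + elen
        return None
    except (IndexError, struct.error, UnicodeDecodeError) as exc:
        raise ValueError("truncated or malformed ClientHello") from exc

def pick_backend(first_packet):
    """Choose a backend from the first packet, as an SNI-prereading proxy would."""
    try:
        return ROUTES.get(client_hello_sni(first_packet), DEFAULT)
    except ValueError:
        return DEFAULT                           # not TLS: leave it to the web backend

def sample_client_hello(host):
    """Constructed test input: a minimal ClientHello carrying only an SNI extension."""
    name = host.encode()
    exts = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    hello = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"
             + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

The proxy never terminates TLS here: it only reads the cleartext ClientHello, so coturn and the web server each keep their own certificate.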