← Back to context

Comment by numpad0

12 hours ago

STUN/TURN is basically icanhazip for WebRTC. STUN gives you your public IP:port. TURN is the same, but the returned IP:port is the one that had been dynamically allocated to you at time of querying, rather than the actual ones.

WebRTC clients take that STUN/TURN response and send to peers through out-of-band, through e.g. a lobby server chat mechanism, to set up the connection. This allows NAT table entries to be created as if they are outbound connection at both ends.

You can't make P2P connection with STUN/TURN alone. STUN/TURN is just a tool required for WebRTC.

5 comments

numpad0

Reply
foresto  2 hours ago

> TURN is the same, but the returned IP:port is the one that had been dynamically allocated to you at time of querying, rather than the actual ones.

I don't know you mean by this, but I think you're confused. I have implemented STUN, so I know how it works. AFAIK, TURN doesn't reveal an address/port any different from that revealed by STUN, and cannot, because its discovery feature is STUN. (Also, a typical home user has only one internet-facing address, not a dynamic one plus another one.)

Rather, TURN provides a STUN address/port discovery service and a data relay service. The relay is for cases where two peers wishing to connect are both behind difficult NAT, meaning there is no quick and reliable way for them to directly connect even when they have their STUN results. So instead of connecting directly, they communicate through the relay.

bob1029  10 hours ago

TURN is the last resort and isn't just signaling. It carries the traffic as well.

If you can make all the STUN servers fail from the perspective of the clients, you could hypothetically force them to use TURN servers that are more centralized and easier to spy on. STUN negotiates pipes n:n. TURN is closer to n:1.

  • michaelt  9 hours ago

    > force them to use TURN servers that are more centralized and easier to spy on

    Webrtc traffic is encrypted as it travels through the TURN servers, isn't it? Sure, you get some which-ip-contacted-which-using-what-service metadata, but any active middleman able to mess with STUN traffic already has that.

    It could just be that someone's fucked up a setting somewhere. I mean, the reason WebRTC has loads of options for 'interactive connectivity establishment' is because it's common to see users behind NAT, users whose NAT cant be traversed with STUN, IPv6 being broken, UDP getting blocked, TCP ports other than port 443 getting blocked, etc etc.

    If a country's ISPs use CGNAT to avoid giving users precious IPv4 addresses, and world events made the ISPs turn the security settings up to 11, STUN just stops working.