How to Install & Configure TURN Server (coTURN)

How to Install & Configure TURN Server (coTURN)

Comments 0 Comment

This blog page covers how to install and configure coTURN server for your SIP or WebRTC projects (like Jitsi Meet) to allow users behind restrictive firewalls or proxies to connect.

What is TURN?

TURN stands for Traversal Using Relays around NAT. Similar as STUN, it is a network protocol / packet format (IETF RFC 5766) used to assist in the discovery of paths between peers on the Internet. It differs from STUN in that it uses a public relay to transfer packets between peers. TURN is used to exchange media packets when no other option is available. So that it consumes server resources and has an increased latency due to the extra hop in peer to peer connection.

The time when you must use TURN is when one of the peers is behind a symmetric NAT and the other is behind either a symmetric NAT or port-restricted NAT. The frequency of cases where a relay is necessary is around %10 of the overall connections, since STUN is enough for most cases.

Install coTURN Server

Audio / Video based services requires a wide range of UDP ports to be available for WebRTC. In some network restricted sites, such as those behind NAT or a firewall that restricts outgoing UDP connections, users may be unable to make outgoing UDP connections to your media server.

TURN protocol is designed to allow UDP communication flows to bypass NAT or firewalls by forcing the client to connect to the TURN server, and then force TURN server to connect to the destination on their behalf.

Using a TURN server under your control improves the success of connections to your multimedia application and also improves user privacy, since it acts like a proxy so that peers will no longer be sending their IP address information to a public STUN server.

Required Hardware

TURN protocol is not really CPU or memory intensive. Additionally, since it’s only used during connection setup (for STUN) and as a fallback for users who would otherwise be unable to connect, the bandwidth requirements aren’t particularly high. For a moderate number of connections, a single small VPS configuration is usually enough. Here you can find my reccomendations to install coTURN:

  • At least two vCPUs
  • 4GB Memory.
  • 20GB HDD. SSD can be used, but not mandatory.
  • The most important thing is the networking performance.
    • Low jitter (less than 30ms)
    • Low latency (less than 150ms)
    • Enough bandwidth to handle relayed media streams in both directions.

Having the server behind NAT (like on Amazon EC2) is OK, but all incoming UDP and TCP connections on any port (TCP 80 & 443, UDP 3478, 10000-20000) must be forwarded to coTURN server and not firewalled.

Required Software

I recommend using a minimal server installation of Debian with netinst or Ubuntu. Since coTURN software uses port TCP 443, the server which coTURN will be installed cannot have any other web applications running.

coTURN is already available in the Debian and Ubuntu repositories and it can be installed with apt-get:

$ sudo apt-get update
$ sudo apt-get install coturn

Please note that coTURN will not start automatically until the configuration is finished. You can find the configuration tasks in below.

DNS Entry For coTURN

You need to setup a fully qualified domain name (FQDN) that resolves the external IP address of your coTURN server. You’ll use this domain name to generate a TLS certificate.

Generating TLS Certificates

You can use certbot to generate free TLS certificates from Let’s Encrypt. To setup certbot, enter the following commands on your coTURN server:

$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install certbot

Note: If you face with add-apt-repository command not found error, please use sudo apt-get install software-properties-common command to install the necessary packets.

You can then run a certbot command like the following to generate the certificate, replacing turn.fatiherikci.com with the domain name of your TURN server:

$ sudo certbot certonly --standalone --preferred-challenges http \
    --deploy-hook "systemctl restart coturn" \
    -d turn.fatiherikci.com

Current versions of the certbot command set up automatic renewal by default. Note that when certbot renews the certificate, it will restart coTURN service, so coTURN will start to use the updated certificate files. This will cause an interruption on any ongoing TURN connections. You may change the certbot renewal schedule or disable automatic renewal if you like.

Configure coTURN

coTURN configuration is stored in /etc/turnserver.conf file. There are a lot of options and all of them are documented in comments in that file. I include a sample configuration below with comments as the recommended settings, also with notes in places where customization is needed.

You can replace the contents /etc/turnserver.conf with the file below and make these changes:

  • Replace turn.fatiherikci.com with the hostname of your TURN server
  • Change the values in bold with your choices.

You can see an example config file below:

server-name=turn.fatiherikci.com
realm=turn.fatiherikci.com
cert=/etc/letsencrypt/live/turn.fatiherikci.com/cert.pem
pkey=/etc/letsencrypt/live/turn.fatiherikci.com/privkey.pem
fingerprint 
listening-ip=0.0.0.0 
external-ip= 1.2.3.4/192.168.0.1 #or just write the external ip 
listening-port=3478 
min-port=10000 
max-port=20000 
log-file=/var/log/turnserver.log 
verbose 
user=myusername:mypassword 
lt-cred-mech

You can now start the COTURN service with this command:

$ systemctl start coturn

Running coTURN as a Service

The Debian / Ubuntu package for coTURN requires that you edit a file to enable at startup. Edit /etc/default/coturn file and uncomment the following line:

TURNSERVER_ENABLED=1

That’s it! coTURN install is complete. Now you have an up and runnning TURN server!

Testing Your TURN Server

To test your coTURN server, you can use Trickle-Ice testing tool. Go to trickle-ice webpage and enter following:

STUN or TURN URI : turn:Your Public IP Address:3478
TURN username: Username
TURN password: Password

Then click Add Server button and then click Gather Candidates button. If everything works well, you should see Done as final result.

What is ENUM? ENUM Syntax

What is ENUM? ENUM Syntax

ENUM (Telephone Number Mapping, E.164 Number to URI Mapping) is an addressing protocol that converts telephone numbers to URI format (name@domain). This allows you to access a SIP, H.323 or other Internet phone user by dialing a phone number.

The ENUM function aims to ensure that users can be accessed anywhere in the world with the same number, best quality and the cheapest way. ENUM maps a phone number to an Internet address in the DNS system. Thus, a user with an ENUM number can broadcast the DNS record to which the call will be routed. Even different routes can be defined for different types of calls (fax, video, etc.).

It is possible to obtain an ENUM record as if it were a domain name. Nowadays, you can obtain this registration free of charge through many registration services and VoIP service providers.

ENUM Syntax

ENUM allows normal phone (E.164) numbers to be displayed as DNS names ending in e164.arpa. A number can be decoded for one or more predefined services.

For example, a telephone number + 90-312-555-1234 will be displayed as 4.3.2.1.5.5.5.2.1.3.0.9.e164.arpa after issuing rules defined in RFC 3761 and below:

  1. All characters except digits are removed. (“+90-312-555-1234” becomes “903125551234″)
  2. A period (“.”) Is placed between each number. (“9.0.3.1.2.5.5.5.1.2.3.4”)
  3. The order of the numbers is reversed. (“4.3.2.1.5.5.5.2.1.3.0.9”)
  4. .e164.arpa is added to the end of the array. (“4.3.2.1.5.5.5.2.1.3.0.9.arp a”)

To respond to this syntax, the DNS server must have a record that looks like this:

$ ORIGIN 4.3.2.1.5.5.5.2.1.3.0.9.barley.
    NAPTR 10 100 "u" "E2U + sip" "! ^. * $! Sip: fatih.erikci@fatiherikci.com!" .
    NAPTR 10 101 & quot; u & quot; & quot; E2U + h323 & quot; .
    NAPTR 10 102 "u" "E2U + msg" "! ^. * $! Mailto: fatih.erikci@fatiherikci.com!" .

In this record you see three different routing sequences for the address 4.3.2.1.5.5.5.2.1.3.0.9. The first is SIP, the second is H.323 and the third is the SMTP response. Device selects which service to communicate by using these records.

How It Works?

The operating principle of ENUM is similar to the DNS queries we use on the Internet. DNS NAPTR resource records are used in queries.

ENUM Query and Call
ENUM Query and Call
  1. The phone calls an E.164 number (+90-312-555-1234)
  2. Gateway translates it (4.3.2.1.5.5.5.2.1.3.0.9.e164.arpa) and asks the DNS server.
  3. The DNS server responds to this query with a URI (sip: fatih.erikci@fatiherikci.com).
  4. The gateway sends the call to the SIP server as a SIP URI call.
  5. The SIP server rings the IP phone registered with the URI.
Cisco Headset 730
Cisco 730 Series Headset

Cisco 730 Series Headset

Cisco has also introduced 700 series headsets as well as new Webex series collaboration products at 2019 Partner Summit.

As you may know, Cisco has introduced many products and technologies in the field of unified communications and collaboration, and has entered the phone headset market with its 500 series headsets last year. This year at Partner Summit Cisco introduced the 700 series, which targets mobile workers segment.

Cisco Headset 730 Specifications

The 700 series is a series of headsets aimed primarily traveling mobile workers and 730 is the first model of the series. Especially in crowded environments, the noise canceling mechanisms ensure clear communication for both the headset and the called party. Below you will find detailed features of the Cisco 730 headsets:

  • Connectivity via Bluetooth 5.0, USB-A and 3.5mm
  • Premium Codec Support (SBC, AAC, aptX, aptXHD)
  • Active Background Noise Cancellation with 4 Microphones
  • Clear Voice Transmission with 2 Electret Condenser Microphone
  • Intelligent Sensor Technology (Mute on Earphone)
  • Boom-less Microphone
  • On-Ear Controls
  • Voice Activated AI
  • Cisco Headset App for Customized Experience (App Store & Google Play)
  • Automatic Firmware Upgrades

Here is a table that compares the Cisco 700 series headphones to the 500 series:

700 Series500 Series
Suitable For Mobile / Office Workers Office / Call Center Workers
Primary Connection Type Bluetooth 5.0 Wired/DECT Wireless
Talking Time15+ hrs9 hrs
Concurrent Connections 2 BT + 1 USBDepends on Base Station
Wireless Coverage65+ meters90+ meters
Ear Wearing StyleBinaural OnlyMonaural & Binaural
Color OptionsCarbon Black & PlatinumBlack
Active Noise CancellingYesNo
Noise Reduction MicrophoneYesYes
RJ-9 ConnectionNoYes
Cisco 730 Headset
Cisco 730 Series Headsets Have 2 Color Options

For more information about Cisco 730 series headsets, please refer to the datasheet page.

Price

The price of the newly introduced Cisco 730 series headset has not been set yet, but considering that the list price of the 560 series wireless headphones is around $600, my guess is that the list price will be in the range of $800 – $900.

Last Words

With the 730 series headset, Cisco has provided a professional solution for both the consumer market and business purposes. Cisco 730 headset is a very useful product especially for frequent travelers.

Cisco IP DECT
Cisco IP DECT Solutions

Cisco IP DECT Solutions

Cisco has introduced IP DECT Solutions, which have been developed to meet the need for wireless telephony. Until now Cisco didn’t have a DECT phone solution in its product family and this situation being complemented by Wi-Fi or 3rd party DECT products.

Cisco IP DECT products operate in the USA and Canada in the frequency band range of 1920 – 1930 MHz and 1880 – 1900 MHz frequency band in other countries. The IP DECT series currently consists of 210 series base station and the 6825 series handheld terminal.

Let’s take a closer look at these products:

Cisco 6825 IP DECT Handset

Cisco 6825 IP DECT Handset
Cisco 6825 IP DECT Handset
  • 2 Inches 240 × 320 Pixels 65K Color Display
  • Up to 17 Hours of Talk, 200 Hours of Standby Time
  • 2 Lines Supported
  • Narrow Band (G.726) and Wide Band (G.722) Codec Support
  • Bluetooth and 3.5mm Wired Headset Support
  • Waist Clip
  • Dimensions: 117 mm x 46 mm x 20 mm
  • Weight: 86 gr.

Cisco 210 IP DECT Base Station

Cisco 210 IP DECT Base Station
Cisco 210 IP DECT Base Station
  • 30 Handheld Terminal Registration Per Single Base Station
  • 5 Simultaneous Calls With Broadband Codecs and 10 Simultaneous Calls With Narrowband Codecs in Single Base Station
  • Multicell Technology
  • Scalability Up To 254 Base Stations
  • Total 1,000 SIP Device Registrations
  • Total 1,000 Simultaneous Calls with Broadband Codec, 2,000 Simultaneous Calls with Narrow Band Codec
  • G.711 (A-law & mu-law), G.722.2, G.726, G.729 (a & ab) Codec Support
  • PoE Class 2
You Can Use Multiple Cisco 210 Base Stations In Your Network (source cisco.com)
You Can Use Multiple Cisco 210 Base Stations In Your Network (source cisco.com)

In the Multicell concept, there is no central mechanism to control base stations. When deployed, one base station becomes the master station, and the other stations connect to master with the “Chain ID” defined on the base station and start their data synchronization. Yeah, that’s all.

Supported Platforms

Since the IP DECT series is a multiplatform product, it supports almost all PBXs using the standard SIP protocol. Here are Cisco’s officially supported platforms:

  • Asterisk
  • Cisco BroadSoft BroadWorks
  • Cisco BroadCloud
  • Centile
  • Metaswitch

Even looking at this list, you can actually understand Cisco’s strategy in unified communications solutions. 🙂

Last Words

Although Cisco has always put WiFi phones in the foreground, DECT phones -which have a soft belly in the projects- have started to meet the need. As I wrote in my previous article, we will see if Cisco can surpass its competitors in this field with OpEx oriented solutions such as UCaaS and HaaS.

Cisco Webex Desk Pro Review

Cisco Webex Desk Pro Review

Cisco announced Webex Desk Pro at its 2019 Partner Summit event on November 6th, 2019.

During the event, they announced the collaboration solutions as a solution that can be installed together under a single infrastructure of systems that can be installed both in the cloud and in the organization. The name of this single infrastructure that includes call, messaging, meetings, devices and call center will be called as Webex.

Webex infrastructure, which has become quite flexible in terms of integration, will also be able to work integrated with the business tools such as Microsoft, Google, Slack and Salesforce.

Cisco Webex Desk Pro
Cisco Webex Desk Pro Introduction

After the launch of the infrastructure, two products, Webex Desk Pro and Webex Panorama, were launched in the device category. (I want to explore Webex Panorama in more detail, so I am saving it for another post)

Cisco Webex Desk Pro Features

Cisco Webex Desk Pro is a personal collaboration device with a structure similar to current DX80. Of course there are new features that distinguish it from the DX80. Let’s summarize them briefly:

  • 27 ″ 4K Touch Screen
  • 71 Degree View Angle HD Camera
  • Advanced Artificial Intelligence and Analytics
  • Microphone Array with Noise Canceling Mechanism
  • Premium Sound System
  • USB-C Connection
  • Support for Web Applications
Webex Desk Pro Has a Touchscreen

Compared to previous models, Webex Desk Pro has new features like face recognition and artificial intelligence. In this way, it knows who is in front of the device and can address the person by it’s name. It can also adjust the camera according to your posture. You can blur the background of the camera image or replace it with another image. I have to add that personal assistant Webex Assistant is also in it.

The Cisco Webex Desk Pro can also be used as a docking station and a touchscreen monitor with a USB-C connection.

Cisco – Microsoft Collaboration

In addition to these innovations and products, Cisco-Microsoft cooperation was also introduced. Microsoft Teams, which initially seemed to be Webex’s competitor, will now be able to work directly with Webex rooms. (hello to those who are trying to integrate Skype for Business with CUCM in the past🙂)

Hardware as a Service (HaaS)

Cisco has also announced the option of Hardware as a Service (HaaS) as a service for IP telephony, desktop and room collaboration devices. In this service, institutions can have the equipments with long turm subscription contracts instead of buying them.

HaaS combined with Flex Plan, turns into a model that can be owned with fully operational costs, with no investment costs for enterprises, which is good news for many businesses from SMEs to large enterprises. Who wouldn’t want to own a Cisco IP phone for $5 or a Webex video conferencing system for $60 a month?

In the HaaS method, if you proceed with a 3-year membership model, at the end of 3 years you can continue the service on an annual basis or if you extend your membership for 3 more years, the devices are replaced with new ones. If the devices have become EoS at the end of 3 years, you can also replace them with new models.

For now, HaaS is only offered in the US, but many countries are considering providing this service in a short time.

Last Words

Cisco, which has developed many pioneering technologies and concepts in the field of collaboration, has produced an exciting product. Webex Desk Pro, a personal collaboration and productivity product, will be available for purchase on February 2020.