Turn with external tls termination #168

Merged
merged 3 commits into from Dec 14, 2021


lukasIO
Contributor

@lukasIO lukasIO commented Nov 3, 2021

fixes #71

edit: Unfortunately I'm lacking a proper test setup to test if it is actually working as intended :\

@lukasIO lukasIO changed the title Turn without tls termination Turn with external tls termination Nov 3, 2021
@davidzhao
Member

Great work @lukasIO! It'd be good to validate if this is indeed working before we merge. I'll try it in a day or two.

@bekriebel
Member

@davidzhao Would it still be possible to get this into the next release? I think it may help some of my use cases as well.

In addition to this, is it feasible to change the Listen calls to listen on all endpoints (Listen("tcp", ":PORT"), Listen("udp", ":PORT") instead of tcp4/udp4)? I know TURN over IPv6 isn't implemented yet, but Fly uses all IPv6 internally and terminates IPv6 at the edges - so I need to be able to have it listen on the IPv6 interface just so I can have the edges proxy to the endpoint.

@davidzhao
Member

@bekriebel I haven't gotten a chance to test it yet. Lmk if you have. I'd like to merge it in, but would just want to ensure it actually does what we are looking for.

re: IPv6, let's discuss separately about that. We have an item on our backlog for it.

@bekriebel
Member

> @bekriebel I haven't gotten a chance to test it yet. Lmk if you have. I'd like to merge it in, but would just want to ensure it actually does what we are looking for.

I'll try to test it out tomorrow. I think I have an environment where I can test it pretty easily.

> re: IPv6, let's discuss separately about that. We have an item on our backlog for it.

Sounds good!

@bekriebel
Member

@davidzhao This does seem to work exactly as expected. With this, I can move the TLS termination to a proxy and pass the TCP connection to livekit with no certificates in place.

I tested with HAProxy and it passes the connection tester on Chrome without issue. I do get an error connecting to TURN with the checker on Firefox, however that issue also occurs if I put a proxy in front of the TLS enabled version of LiveKit TURN and don't terminate TLS with HAProxy as well. This seems to be some issue with HAProxy & Firefox when doing TCP proxying and doesn't seem to have anything to do with where TLS is terminated.

This gets a 👍 from me.
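
The setup described in the comment above, sketched as an HAProxy configuration. This is an added example, not part of the PR or the commenter's actual config; the hostname, certificate path, backend address and ports are placeholder assumptions.

```haproxy
# Constructed example: every address, port and path below is a placeholder.
global
    # The proxy is now the only TLS endpoint for TURN, so pin a TLS floor here.
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    # TURN over TLS is a raw TCP stream, not HTTP: proxy at layer 4.
    mode tcp
    timeout connect 5s
    # TURN allocations are long-lived; short idle timeouts would drop calls.
    timeout client  1h
    timeout server  1h

frontend turn_tls
    # TLS is terminated here. The certificate and key live only on the proxy,
    # so the LiveKit host needs no certificate files.
    bind :5349 ssl crt /etc/haproxy/certs/turn.example.com.pem
    default_backend livekit_turn

backend livekit_turn
    # Plain TCP to LiveKit's TURN listener (running with external TLS
    # termination). This hop is unencrypted: keep it on loopback or a
    # private network.
    server livekit 10.0.0.10:5349 check
```

With TLS removed from the LiveKit side, anything that can reach the backend port directly bypasses the proxy's TLS, so firewall that port to accept connections from the proxy only.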

@davidzhao
Member

Thanks for confirming @bekriebel ! Merging it!

@davidzhao davidzhao merged commit 0d0a275 into livekit:master Dec 14, 2021
Successfully merging this pull request may close these issues.

Support TURN server without TLS cert