Pixel Streaming does not work on certain networks such as universities, corporate networks

We are running a pixel streaming server along with an Unreal packaged game on a cloud VM, and attempting to stream it into a React component on a web frontend. We are running into issues only on certain networks (such as universities, corpnet etc.), where the stream does not show. We have tried both STUN and the TURN variants on the server side, and TURN also results in the same problem. We were using Chrome browser, and the server runs Unreal Engine inside a docker container on a Linux host.

Our service is set up in a way that while there is a VM running the game and the pixel streaming server, there is a reverse proxy that sits in front and redirects traffic through a specific port. We have noticed that if we expose the public IP address of the actual VM and try to access the stream, it works in most of the settings, whereas the reverse proxy fails to work more often. (That said, there are still some corporate networks where the raw IP address does not work as well).

On the networks where the failures happen, we tried to access the WebRTC logs (through chrome://webrtc-internals/), and the salient info looks like this:

With STUN server:

{
  "time": "3/19/2024, 12:47:08 PM",
  "type": "signalingstatechange",
  "value": "stable"
},
{
  "time": "3/19/2024, 12:47:08 PM",
  "type": "iceconnectionstatechange",
  "value": "checking"
},
{
  "time": "3/19/2024, 12:47:08 PM",
  "type": "connectionstatechange",
  "value": "connecting"
}

With TURN servers:

{
  "time": "3/19/2024, 12:39:23 PM",
  "type": "signalingstatechange",
  "value": "stable"
},
{
  "time": "3/19/2024, 12:39:23 PM",
  "type": "iceconnectionstatechange",
  "value": "failed"
},
{
  "time": "3/19/2024, 12:39:23 PM",
  "type": "connectionstatechange",
  "value": "failed"
},
{
  "time": "3/19/2024, 12:39:33 PM",
  "type": "icecandidateerror",
  "value": "url: stun:20.62.249.41:19303\naddress: 0.0.0.x\nport: 64008\nhost_candidate: 0.0.0.x:64008\nerror_text: STUN binding request timed out.\nerror_code: 701"
},
{
  "time": "3/19/2024, 12:39:33 PM",
  "type": "icecandidateerror",
  "value": "url: turn:20.62.249.41:19303?transport=udp\naddress: 0.0.0.x\nport: 64008\nhost_candidate: 0.0.0.x:64008\nerror_text: TURN allocate request timed out.\nerror_code: 701"
},
{
  "time": "3/19/2024, 12:39:33 PM",
  "type": "icegatheringstatechange",
  "value": "complete"
}

Any advice on how to resolve this, or how to debug this further would be very helpful. Thanks in advance!

Hey @saihv!

It sounds like you’re facing a common issue with Pixel Streaming over certain networks, particularly restricted ones like universities and corporate networks. Many Unreal Engine users encounter similar problems due to the strict firewall and network policies these environments often enforce.

At Vagon Streams, we offer a solution to overcome these problems. Vagon Streams provides extensive IPs and a robust infrastructure designed to handle complex network environments, including enterprise networks.

We offer the following benefits:

  • Extensive IP Support: Vagon Streams utilizes a wide range of IPs to ensure better connectivity across various network configurations.
  • Enterprise Network Guidelines: We have detailed guidelines and support to help you configure your streaming solution to work in enterprise environments. You can find more information here.
  • High Performance and Reliability: Our service is designed to ensure optimal performance, even in restrictive network conditions.

If you’re interested in using Vagon Streams, just drop a hello to streams@vagon.io. We’ll be happy to walk you through our demos and define free usage credits for your account.

Feel free to reach out if you have any questions or need more info :wave:

Best regards,
Serdar

Hi there saihv!

I’d love to try and help out with the issue you’re having. Let me recommend a configuration that generally helps with locked down/corporate networks:

Set up the TURN server within its own instance, and ensure it has a public subnet allowing connections/traffic from any IP address.

With that, you can specify the port you want the TURN server to run on (to ensure you’re not opening every port on your instance) and simply direct the signalling server to the new TURN address.

There are a few things to consider and it does vary based on how strict your network infrastructure is.

For example on a maximum locked down network (that only allows TCP and port 443) you’ll need to deploy the TURN server with an SSL certificate and set TURN to use port 443.

As an example of setting up the server address, it would be à la: turn:193.284.48.12:19302

Or, if using port 443 and TCP: turns:193.284.48.12:443?transport=tcp

Note the turns in the secure example has an “s” on the end; this is important as well.

For a simple breakdown:

  1. Set up turn separately, give it an SSL certificate, run on port 443, specify TCP:
    set up CoTURN with certificate configuration so traffic is encrypted (note: turns, not turn, when specifying server address)
  2. Run CoTURN on 443
  3. Create a security group that allows any IP address and traffic on 443 and TCP

When specifying the STUN/TURN server to the PS signalling server, note explicitly setting the transport to both TCP and UDP connections to the CoTURN server (e.g. you can list both turns:193.284.48.12:443 and turns:193.284.48.12:443?transport=tcp as valid servers in the signalling server config).

Hopefully this can get you going in the meantime, but please reach out if you get stuck.
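
Added example, not part of the reply above and not Pixel Streaming's own code: a Node.js script that reads `icecandidateerror` entries like those in the question and checks whether a configured ICE server list contains the `turns:` entry on TCP port 443 that the reply recommends for locked-down networks. The log entries are abridged from the question; `turn.example.com` is a placeholder host and the function names are made up for this example.

```javascript
// Abridged from the icecandidateerror entries in the question's log.
const sampleEvents = [
  { type: "icecandidateerror",
    value: "url: stun:20.62.249.41:19303\nerror_text: STUN binding request timed out.\nerror_code: 701" },
  { type: "icecandidateerror",
    value: "url: turn:20.62.249.41:19303?transport=udp\nerror_text: TURN allocate request timed out.\nerror_code: 701" },
];

// Parse scheme:host[:port][?transport=udp|tcp] (RFC 7064 / RFC 7065 URI form).
function parseIceUrl(url) {
  const m = /^(stuns?|turns?):(\[[^\]]+\]|[^:?]+)(?::(\d+))?(?:\?transport=(udp|tcp))?$/i.exec(url.trim());
  if (!m) return null;
  const scheme = m[1].toLowerCase();
  const tls = scheme.endsWith("s");
  // Defaults: port 3478 (5349 with TLS); transport UDP (TCP with TLS).
  const port = m[3] ? Number(m[3]) : tls ? 5349 : 3478;
  const transport = (m[4] || (tls ? "tcp" : "udp")).toLowerCase();
  return { scheme, host: m[2], port, transport, tls };
}

// Split the "key: value" lines of an icecandidateerror value into an object.
function parseCandidateError(value) {
  const out = {};
  for (const line of value.split("\n")) {
    const i = line.indexOf(": ");
    if (i > 0) out[line.slice(0, i)] = line.slice(i + 2);
  }
  return out;
}

// Compare what timed out against what the ICE server list offers.
function diagnose(events, configuredUrls) {
  const timedOut = events
    .filter((e) => e.type === "icecandidateerror")
    .map((e) => parseCandidateError(e.value))
    .filter((e) => e.error_code === "701")
    .map((e) => e.url);
  const parsed = configuredUrls.map((url) => ({ url, ice: parseIceUrl(url) }));
  return {
    timedOut,
    invalid: parsed.filter((p) => !p.ice).map((p) => p.url),
    // Entries that survive a network allowing only outbound TLS over TCP/443.
    strictFallbacks: parsed
      .filter((p) => p.ice && p.ice.scheme === "turns" && p.ice.transport === "tcp" && p.ice.port === 443)
      .map((p) => p.url),
  };
}
// turn.example.com is a placeholder host, not a server from the thread.
console.log(diagnose(sampleEvents, ["turn:20.62.249.41:19303?transport=udp", "turns:turn.example.com:443?transport=tcp"]));
```

An empty `strictFallbacks` list alongside timed-out UDP entries means the client has no relay it can reach on a network that only permits outbound TCP 443.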

Hello, is the use of wss consistent with what you said?

Hi there,
You will only need ws to connect to the signalling server; you should be able to access the stream over HTTPS.