[SOLVED] Setting up Pixelstreaming on an EC2 with TURN

Hello everybody,

I was wondering if anybody has managed to set up Pixel Streaming on an EC2 with TURN enabled?

I have got it up and running using the Start_WithTURN_SignallingServer.ps1 script and if I do not block any ports it works fine.

But if I block all UDP ports (except 53 and 443 since I cannot seem to navigate without them) on my client machine to simulate somebody behind a strict company firewall, I get a black screen with “WebRTC connection negotiated” and nothing happens.

Google Meet works in this configuration so I should be able to make the game work too.

Here is what I have put in the turnserver.conf:

listening-port=3478
tls-listening-port=5349
tcp-proxy-port=443
external-ip=MyEC2PublicIP

I have opened all ports on the EC2 instance to my IP in case that was badly configured.

Is there anything I am missing and need to do for it to work?
Or are my port restrictions too strong? (If so, what other ports should I open?)
(Additional question: does anyone know what ports are generally open in restrictive company networks?)

Thank you in advance for any help


Update: got it working, the issue was the Windows Firewall on the EC2.

For anybody in need, here is my latest config:

listening-port=3478
tls-listening-port=443
alt-listening-port=80

tcp-proxy-port=443
listening-ip=ec2InternalIP
relay-ip=ec2InternalIP
external-ip=ec2InternalIP/MyEC2PublicIP

Update 2:
It seems that the TURN server is only working over UDP; I am not managing to get a TCP relay working.

Trickle ICE output: (screenshot)

If anybody has suggestions on how to get TURN TCP relay working I would appreciate it a lot.


Hi there!

I see you’re going for a TCP connection and port 443, which is a considerably strict environment.
You’ll likely need to set up an SSL certificate and ensure your TURN server address is configured accordingly. An example would be: turns:193.284.48.12:443?transport=tcp

Note that the “s” in “turns” above is important as this declares the secure connection.
You’ll also need to ensure you’ve created a security group for your AWS instance that allows any IP address and traffic on 443 over TCP.

Let me know if you get stuck and I’ll see if I can help further!

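A way to check the TCP leg suggested above without involving the browser at all, as an added example that is not part of this thread, of the Pixel Streaming scripts or of coturn: the script below opens a TCP connection to the TURN server (or a TLS connection when --tls is given, which is what a turns: URL uses), sends a TURN Allocate, answers the 401 challenge with long-term credentials (the same -a -u user:password scheme the Start_TURNServer.ps1 command line uses) and prints the relayed address the server hands back. It requests a UDP relay over the TCP client connection, which is what a WebRTC client does with ?transport=tcp. Host, port, username and password are command-line arguments and are assumptions; the TLS path expects a certificate that is valid for the host name given.

```python
# TURN-over-TCP allocation probe. Added example, not code from the Pixel
# Streaming scripts or from coturn; assumes coturn uses long-term credentials
# (-a -u user:password) and listens for plain TCP, or TLS when --tls is given.
import hashlib, hmac, os, socket, ssl, struct, sys

MAGIC = 0x2112A442
ALLOCATE, ALLOCATE_OK, ALLOCATE_ERR = 0x0003, 0x0103, 0x0113
A_USERNAME, A_MSG_INTEGRITY, A_ERROR_CODE = 0x0006, 0x0008, 0x0009
A_LIFETIME, A_REALM, A_NONCE, A_XOR_RELAYED = 0x000D, 0x0014, 0x0015, 0x0016
A_REQUESTED_TRANSPORT, UDP_PROTO = 0x0019, 17  # relay leg is UDP even over TCP

def _attr(atype, value):
    # STUN TLV attribute, value padded to a 4-byte boundary
    return struct.pack("!HH", atype, len(value)) + value + b"\0" * ((-len(value)) % 4)

def long_term_key(username, realm, password):
    # RFC 5389 long-term credential key, the same derivation coturn uses for -a/-u users
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()

def build_allocate(tid, key=None, username=None, realm=None, nonce=None):
    # Allocate request; with a key it carries USERNAME/REALM/NONCE and MESSAGE-INTEGRITY
    body = _attr(A_REQUESTED_TRANSPORT, bytes([UDP_PROTO, 0, 0, 0]))
    body += _attr(A_LIFETIME, struct.pack("!I", 600))
    if key is None:
        return struct.pack("!HHI", ALLOCATE, len(body), MAGIC) + tid + body
    body += _attr(A_USERNAME, username.encode()) + _attr(A_REALM, realm.encode())
    body += _attr(A_NONCE, nonce)
    # the HMAC is computed with the header length already counting the 24-byte MI attribute
    hdr = struct.pack("!HHI", ALLOCATE, len(body) + 24, MAGIC) + tid
    mac = hmac.new(key, hdr + body, hashlib.sha1).digest()
    return hdr + body + _attr(A_MSG_INTEGRITY, mac)

def parse_message(data):
    # returns (message type, transaction id, {attribute type: raw value})
    mtype, length, magic = struct.unpack("!HHI", data[:8])
    if magic != MAGIC or len(data) < 20 + length:
        raise ValueError("not a complete STUN message")
    attrs, off = {}, 20
    while off < 20 + length:
        atype, alen = struct.unpack("!HH", data[off:off + 4])
        attrs[atype] = data[off + 4:off + 4 + alen]
        off += 4 + alen + ((-alen) % 4)
    return mtype, data[8:20], attrs

def verify_integrity(data, key):
    # check MESSAGE-INTEGRITY over everything before the MI attribute (coturn signs replies)
    attrs, off = parse_message(data)[2], 20
    if A_MSG_INTEGRITY not in attrs:
        return False
    while struct.unpack("!H", data[off:off + 2])[0] != A_MSG_INTEGRITY:
        alen = struct.unpack("!H", data[off + 2:off + 4])[0]
        off += 4 + alen + ((-alen) % 4)
    hdr = data[:2] + struct.pack("!H", off + 4) + data[4:20]
    mac = hmac.new(key, hdr + data[20:off], hashlib.sha1).digest()
    return hmac.compare_digest(mac, attrs[A_MSG_INTEGRITY])

def xor_address(value):
    # decode an IPv4 XOR-RELAYED-ADDRESS value: port and address are XORed with the magic cookie
    if value[1] != 0x01:
        raise ValueError("only IPv4 relayed addresses are handled here")
    port = struct.unpack("!H", value[2:4])[0] ^ (MAGIC >> 16)
    ip = bytes(a ^ b for a, b in zip(value[4:8], struct.pack("!I", MAGIC)))
    return socket.inet_ntoa(ip), port

def error_code(value):
    # ERROR-CODE value: 2 reserved bytes, then class (3 bits) and number
    return (value[2] & 0x07) * 100 + value[3]

def _recv_message(sock):
    # read exactly one STUN message from a stream socket (20-byte header, then body)
    buf = b""
    while len(buf) < 20 or len(buf) < 20 + struct.unpack("!H", buf[2:4])[0]:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("TURN server closed the TCP connection")
        buf += chunk
    return buf

def probe_tcp(host, port, username, password, tls=False):
    # TCP connect, take the 401 challenge (realm + nonce), re-send authenticated, read relay address
    sock = socket.create_connection((host, port), timeout=5)
    if tls:  # turns: needs a certificate that is valid for `host`
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_allocate(os.urandom(12)))
        mtype, _, attrs = parse_message(_recv_message(sock))
        if mtype != ALLOCATE_ERR or error_code(attrs[A_ERROR_CODE]) != 401:
            raise RuntimeError(f"expected a 401 challenge, got message type 0x{mtype:04x}")
        realm = attrs[A_REALM].decode()
        key, tid = long_term_key(username, realm, password), os.urandom(12)
        sock.sendall(build_allocate(tid, key, username, realm, attrs[A_NONCE]))
        reply = _recv_message(sock)
        mtype, rtid, attrs = parse_message(reply)
        if mtype != ALLOCATE_OK or rtid != tid or not verify_integrity(reply, key):
            raise RuntimeError(f"allocation failed: type 0x{mtype:04x}, ERROR-CODE {attrs.get(A_ERROR_CODE)}")
        return xor_address(attrs[A_XOR_RELAYED])

if __name__ == "__main__":  # usage: probe.py host port user password [--tls]
    host, port, user, pw = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
    print("relayed address:", probe_tcp(host, port, user, pw, tls="--tls" in sys.argv))
```

Run it from the restricted client machine against the TURN port. If the connection is refused or closed before any reply, the listener, the security group or the Windows Firewall is the problem, not WebRTC; a 401 followed by a success response with a relayed address shows that TCP allocation works and whatever is left is in the ICE configuration on the Pixel Streaming side.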

Hello and thank you for your reply, MWillWallT.

From what I understand, if I want to set up an SSL certificate I will need a fixed domain/URL for each Pixel Streaming instance.
Anybody with the URL of an instance will be able to connect to the session that is currently active, if there is one, and interfere with the session.

For me this is a big problem which I do not have at the moment since the URL to connect to an instance is based on the EC2 instances public IP that changes each time it is started (I know it is possible to have a fixed IP for an EC2 instance using Elastic IP).

Is this correct, or is it possible to have an SSL certificate that I can use on EC2 instances with the URL changing each time it starts?

Is there any other way to set up Pixel Streaming over only TCP?
(maybe using a different port?)

Also, one thing that makes me doubt that TURN is working properly: if I use the option “/?ForceTURN=true” in the URL, no matter the configuration I use, it does not work. Is this option actually implemented properly? Or is there something in the game code that I need to change for it to function?

Otherwise, here are my latest advancements, testing with only ports 53 and 443 open on UDP (I would like to be able to make it work over only TCP, but already getting this to work reliably would be good):

One of the difficulties I have been having is that while testing it would randomly no longer work.
I have found that with my current configuration the connection works 40% of the time.
So when I test, I connect to the instance 10 times to be sure it is still or no longer working.

These are my current conf file changes (I saw issues in the logs binding to port 80):

listening-port=443
alt-listening-port=444
tcp-proxy-port=443
tls-listening-port=443
alt-tls-listening-port=5349

Some of the port handling is hard-coded in the scripts, so I have made some changes there (I am not sure whether the command-line options or the conf file has priority, so I changed the code to be sure of the configuration).

In the Start_Common.ps1 I changed 2 parts to force the use of port 443 :

 if ($SetTurnServerVar -eq "y") {
  $global:TurnServer = $global:PublicIP + ":443" #Here
 }
 if ($SetStunServerVar -eq "y") {
  $global:StunServer = "stun.l.google.com:19302"
 }
}

function use_args($arg) {
 $CmdArgs = $arg -split (" ")
 while($CmdArgs.count -gt 0) {
  $Cmd, $CmdArgs = $CmdArgs
  if ($Cmd -eq "--stun") {
   $global:StunServer, $CmdArgs = $CmdArgs
  } elseif ($Cmd -eq "--turn") {
   $global:TurnServer, $CmdArgs = $CmdArgs
  } elseif ($Cmd -eq "--publicip") {
   $global:PublicIP, $CmdArgs = $CmdArgs
   $global:TurnServer = $global:publicip + ":443" #And here
  } elseif ($Cmd -eq "--build") {
   $global:BuildFrontend, $CmdArgs = $CmdArgs
  } elseif ($Cmd -eq "--help") {
   print_usage
  } else {
   echo "Unknown command, adding to cirrus command line: $Cmd"
   $global:CirrusCmd += " $Cmd"
  }
 }
}

I left the IP handling in the Start_TURNServer.ps1 script since it avoids me having to hard-code the IPs. Here is the line I have changed (I have removed the port option, now set in the conf file, and put the options' full names for it to be easier to read):

$Arguments = "-c ..\..\..\turnserver.conf --allowed-peer-ip=$LocalIP -r $Realm --external-ip $PublicIP/$LocalIP --relay-ip $LocalIP --listening-ip $LocalIP --no-cli --no-tls --no-dtls --pidfile `"C:\coturn.pid`" -f -a -u $TurnUsername`:$TurnPassword"