How to create and setup a STUN/TURN server on AWS?

Source:

Published:

Keywords: STUN, TURN, AWS, CoTURN, Genymotion, WebRTC

Document ID: https://support.genymotion.com/hc/en-us/articles/4419469274513-How-to-create-and-setup-a-STUN-TURN-server-on-AWS#split1

> Important: You no longer need to use your own STUN/TURN server if your instance does not have a public IP since Genymotion PaaS/Device Image ver. 13.0.0.

With Android 8.0 and above, Genymotion Device images (PaaS) AMIs require a STUN/TURN server for WebRTC connections. To palliate this, our Android 8.0+ images forward all WebRTC connections to our own STUN/TURN server.

This means Genymotion instances require a public IP and access to the Internet to reach the Genymotion STUN/TURN server. As a result, Genymotion instances without a public IP cannot display and may show a black screen.

If using a public IP does not comply with a setup or security requirements, the solution is to use an own STUN/TURN server.

This tutorial shows how to install and setup a STUN/TURN server on AWS.

Prerequisite

We recommend using an Ubuntu Server 20.04LTS (Focal) x86_64 instance for general purpose. We recommend using the instance type t3.micro.

You also need to add inbound rules to the TURN/STUN server EC2 security group. The inbound rules must allow inbound connection from your Genymotion instance(s) to TCP (HTTPS) and UDP port 443.

Install and configure CoTURN server

1.

2.

Add the Universe repository:

sudo apt-add-repository universe

3.

Update and upgrade Ubuntu:

sudo apt update && sudo apt upgrade

4.

Reboot the server from the EC2 dashboard or with:

sudo reboot

5.

Install CoTURN server:

sudo apt-get install coturn

6.

Edit the file /etc/default/coturn.

Un-comment TURNSERVER_ENABLED=1 to have CoTURN start on boot.

7.

Edit the file /etc/turnserver.conf.

Un-comment listening-port=3478 and change it to listening-port=443 to have CoTURN server listen to port 443:

# TURN listener port for UDP and TCP (Default: 3478).
# Note: actually, TLS & DTLS sessions can connect to the
# "plain" TCP & UDP port(s), too - if allowed by configuration.
# listening-port=443

We chose to use TCP prot 443 to ensure best compliance with security requirements.

8.

Un-comment listening-ip.

Replace the default IP with your Ubuntu server private IP:

# Specify listening IP, if not set then Coturn listens on all system IPs.
listening-ip=xxx.xxx.xxx.xxx

9.

Add a user and password for your Genymotion virtual device.

Un-comment user=username1:password1 and replace username1 and password1 by the username and password of your choice:

# 'Static' user accounts for long term credentials mechanism, only.
# This option cannot be used with TURN REST API.
# 'Static' user accounts are NOT dynamically checked by the turnserver process,
# so that they can NOT be changed while the turnserver is running.
#
#user=username1:key1
#user=username2:key2
# OR:
user=my_username:123456
#user=username2:password2

10.

Edit the file /lib/systemd/system/coturn.service.

Add the line AmbientCapabilities=CAP_NET_BIND_SERVICE in the [Service] section:

[Service]
User=turnserver
Group=turnserver
Type=forking
RuntimeDirectory=turnserver
PIDFile=/run/turnserver/turnserver.pid
ExecStart=/usr/bin/turnserver --daemon -c /etc/turnserver.conf --pidfile /run/turnserver/turnserver.pid
#FixMe: turnserver exit faster than it is finshing the setup and ready for handling the connection.
ExecStartPost=/bin/sleep 2
Restart=on-failure
InaccessibleDirectories=/home
PrivateTmp= yes
AmbientCapabilities=CAP_NET_BIND_SERVICE

11.

Reboot the instance.

12.

Verify that the CoTURN server started correctly and is listening to port 443:

sudo systemctl status coturn

If everything is in order, you should get the following output: 

0: IO method (general relay thread): epoll (with changelist)
0: turn server id=0 created
0: IO method (general relay thread): epoll (with changelist)
0: turn server id=1 created
0: Total General servers: 2
0: IO method (auth thread): epoll (with changelist)
0: IO method (admin thread): epoll (with changelist)
0: IO method (auth thread): epoll (with changelist)
0: SQLite DB connection success: /var/lib/turn/turndb
systemd[1]: Started coTURN STUN/TURN Server.

Configuring the Genymotion instance to use your TURN server

Next, configure the Genymotion instance to forward WebRTC to your STUN/TURN server.

1.

From the instance UI, go to the Configuration panel.

2.

Fill the TURN & STUN box with your STUN/TURN server URIs, username and password.

The TURN URI synthax should be turn:xxx.xxx.xxx.xxx:443 and STUN URI should be stun:xxx.xxx.xxx.xxx:443, where xxx.xxx.xxx.xxx is your server private IP.

3.

Click APPLY

The Genymotion instance now uses your TURN/STUN server on port 443 for webRTC connections.

For more details and alternate methods with command line tools, please refer to .