
I have built a one-to-one WebRTC communication system (peer to peer). I use coturn as a STUN and as a TURN server. The connection works in Chrome (72) and Firefox (65) without VPN. The connection also works in Chrome and Firefox when behind a symmetric NAT (for example while using a mobile phone). The connection also works when using VPN and Chrome.

The connection (ICE) fails when using VPN and Firefox! Tested with a couple of popular VPNs.

Any ideas what could be wrong / how to solve this?

My TURN server configuration looks like:

listening-port=3478
tls-listening-port=5349
realm=xyz.com
min-port=49152
max-port=65535
user=uuuuuuuuuuuuu:ppppppppppp
pkey=/usr/local/psa/var/modules/letsencrypt/etc/live/turn.xyz.net/privkey.pem
cert=/usr/local/psa/var/modules/letsencrypt/etc/live/turn.xyz.net/cert.pem
CA-file=/usr/local/psa/var/modules/letsencrypt/etc/live/turn.xyz.net/chain.pem
mysql-userdb="host=localhost dbname=turnxxxxxx user=uuuuuuuuuuuu password=ppppppppppp port=3306"
fingerprint
lt-cred-mech

  • Probably depends a lot on the VPN you use. If it comes with a browser extension it might put Firefox into a more strict mode than Chrome (e.g. proxy-only mode). You might want to look at where the network traffic is going in case of Firefox. Looking at about:webrtc in Firefox might also help. – Nils Ohlmeier Mar 04 '19 at 19:29
  • @Nils Ohlmeier: Thank you for your quick answer. I have looked at about:webrtc in Firefox; with the affected VPN I get no information at all. I have tested the browser plugin Hotspot Shield -> this works! I tested Kaspersky Secure Connection (based on Hotspot Shield) as installed VPN software -> does not work! I then tested Pulse Secure as installed VPN software -> does not work! I'm already in dialogue with the vendors, but I also wanted to check if I could change any settings in Firefox to get the behavior I wanted. Is there a way to disable/prevent "proxy-only mode"? Thanks. – ArianeCalipso Mar 04 '19 at 20:35
  • Sorry, "proxy-only mode" was a bad term. I'm referring to the web extension API https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/privacy/network and in there the webRTCIPHandlingPolicy, which a VPN browser extension might set to "disable_non_proxied_udp". That mode currently works differently between Chrome and Firefox and could explain the difference in behavior. – Nils Ohlmeier Mar 06 '19 at 04:51
  • Hello Nils. Thanks for the clarification. Our customers give absolute priority to Firefox and insist on Pulse Secure VPN. My goal is to get our medical solution running in VPN / Firefox. The VPN is the installed version and can't be exchanged. Our service enables secure communication between patients and their doctor - even in countries where data protection and privacy are trampled on. I read about privacy.network. Should I develop a web extension for Firefox that changes "webRTCIPHandlingPolicy"? Can I somehow "persuade" the Firefox browser to enable WebRTC communication in a VPN tunnel? – ArianeCalipso Mar 14 '19 at 15:11
  • @ArianeCalipso did you ever find a resolution to this? – AndrewJC Dec 05 '19 at 23:46

1 Answer

You should expect any WebRTC-related application to fail in all browsers when VPN is on. I have exactly the opposite situation - when VPN is on, no browser works except Firefox. And in my app no TURN servers are used at all. Somehow my VPN misses Firefox.

In general, WebRTC is prohibited by VPNs because of IP address leak paranoia. Your real IP address can leak through signaling messages and the STUN binding response, so once VPNs see STUN binding requests, they just kill them. VPNs cannot kill your signaling messages so your private IP can still leak, but that's a problem only with IPv6, where private and public IPs are the same. But when it's time for the STUN binding request/response, VPNs kill it. Not sure how your Chrome survives.

– user1390208

  • I know the IP-leaking discussion and I agree with your assessment. The same VPN (Pulse Secure), which does not allow Firefox to connect, has been in productive use in our company with Chrome for some years now. I have to enable Firefox. In Chrome I did not make any settings. However, from my experience, it is not enough for the connection via Chrome to just use a STUN - you absolutely need a TURN. In coturn you can switch on "no-stun" for testing purposes. I'm interested in how you managed to get Firefox up and running in the VPN. Have you made any settings in Firefox? – ArianeCalipso Mar 05 '19 at 08:19
  • In my opinion, it's just a bug in my VPN software that they allow Firefox. I did not make any adjustments in Firefox settings. I did notice while wiresharking that my VPN kills STUN binding requests, and I did notice that Firefox sends a slightly different STUN binding request from that in Chrome/Edge: Firefox does not include some optional fields. Maybe that's the reason? Anyway, the VPN's behavior towards this is not documented as far as I know. – user1390208 Mar 05 '19 at 12:56
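As an added diagnostic example (not code from the question or the answer), the following parses the ICE candidate lines that Firefox's about:webrtc page (or an onicecandidate handler) shows and reports which candidate types were gathered. A session that yields only host candidates means neither the STUN binding nor the TURN allocation completed, which is the VPN behaviour described above; the sample candidates are constructed and use documentation address ranges.

```javascript
// Added example (not from the question or the answer): parse ICE candidate
// lines as shown in Firefox's about:webrtc and summarise which candidate types
// were gathered, so a failing VPN/Firefox session can be diagnosed without a
// packet capture. Sample candidates are constructed (documentation addresses).

// RFC 5245 grammar: candidate:<foundation> <component> <transport> <priority>
// <address> <port> typ <type> [raddr <a> rport <p>] [tcptype ...] ...
function parseCandidate(line) {
  const re = /^(?:a=)?candidate:(\S+) (\d+) (udp|tcp) (\d+) (\S+) (\d+) typ (host|srflx|prflx|relay)/i;
  const m = re.exec(line.trim());
  if (!m) return null;
  return { foundation: m[1], component: Number(m[2]), transport: m[3].toLowerCase(),
           priority: Number(m[4]), address: m[5], port: Number(m[6]), type: m[7].toLowerCase() };
}

// A host candidate with a routable address exposes the client's real IP (the
// "IP leak" the answer mentions); private, link-local and mDNS addresses do not.
function isPrivateAddress(addr) {
  return /\.local$/i.test(addr) || /^10\./.test(addr) || /^192\.168\./.test(addr) ||
         /^172\.(1[6-9]|2\d|3[01])\./.test(addr) || /^fe80:/i.test(addr) ||
         addr === '127.0.0.1' || addr === '::1';
}

function summarise(lines) {
  const cands = lines.map(parseCandidate).filter(Boolean);
  const count = { host: 0, srflx: 0, prflx: 0, relay: 0 };
  for (const c of cands) count[c.type]++;
  const leakedHosts = cands.filter(c => c.type === 'host' && !isPrivateAddress(c.address)).map(c => c.address);
  let verdict;
  if (cands.length === 0) verdict = 'no candidates gathered: ICE never started or gathering was blocked';
  else if (count.srflx === 0 && count.relay === 0) verdict = 'host candidates only: STUN and TURN unreachable, UDP is probably blocked by the VPN';
  else if (count.relay === 0) verdict = 'STUN reachable but no relay candidate: TURN allocation failed (check credentials, realm and ports)';
  else verdict = 'relay candidate present: TURN usable, media can traverse the VPN';
  return { count, leakedHosts, verdict };
}

// Constructed samples: a healthy gather next to one seen behind a VPN that drops UDP.
const HEALTHY = [
  'candidate:842163049 1 udp 2122260223 192.168.1.20 53948 typ host generation 0',
  'candidate:1467250027 1 udp 1686052607 198.51.100.7 53948 typ srflx raddr 192.168.1.20 rport 53948',
  'candidate:3019233 1 udp 41885439 203.0.113.5 57000 typ relay raddr 198.51.100.7 rport 53948',
];
const VPN_BLOCKED = [
  'candidate:842163049 1 udp 2122260223 192.168.1.20 53948 typ host generation 0',
  'candidate:842163049 1 tcp 1518280447 192.168.1.20 9 typ host tcptype active',
];
if (typeof require !== 'undefined' && require.main === module) {
  console.log(summarise(HEALTHY).verdict, '|', summarise(VPN_BLOCKED).verdict);
}
```

Paste the candidate lines from about:webrtc into the array in place of the constructed samples to classify a real session.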