
Turn ERROR: could not establish pc connection

Open rajil opened this issue 1 year ago • 15 comments

Hello,

I am terminating TURN ssl at the reverse proxy and sending the traffic over to the livekit server. Unfortunately https://livekit.io/connection-test is giving an error on TURN.

The nginx proxy is set up like so, with the livekit server at 172.17.1.134:

stream {
  server {
    listen 192.168.50.16:4431 ssl;
    proxy_pass 172.17.1.134:5349;
    ssl_certificate /etc/letsencrypt/live/turn.mydomain.top/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/turn.mydomain.top/privkey.pem; # managed by Certbot
  }

  map $ssl_preread_server_name $targetBackend {
    turn.mydomain.top 192.168.50.16:4431;
    default           192.168.50.16:4430;
  }

  server {
    listen 443;
    proxy_pass $targetBackend;
    ssl_preread on;
  }
}

The livekit config is like so,

port: 7880
bind_addresses:
  - "0.0.0.0"
rtc:
  tcp_port: 7881
  port_range_start: 50100
  port_range_end: 50200
  use_external_ip: true # may need to set true or set node_ip
turn:
  enabled: true
  domain: turn.mydomain.top
  tls_port: 5349
  udp_port: 3479
  external_tls: true
keys:
  devkey: "blah"
logging:
   level: debug
   pion_level: error

When livekit starts I can see the following,

livekit-1  | 2024-11-19T05:23:41.277Z   INFO    livekit server/main.go:208      starting in development mode
livekit-1  | 2024-11-19T05:23:41.278Z   INFO    livekit routing/interfaces.go:120       using single-node routing
livekit-1  | 2024-11-19T05:23:41.493Z   INFO    livekit rtcconfig/webrtc_config.go:262  failed to get external ip       {"local": "172.17.1.134", "err": "write udp4 172.17.1.134:50141->74.125.250.129:19302: write: operation not permitted"}
livekit-1  | 2024-11-19T05:23:46.406Z   WARN    livekit rtcconfig/ip.go:272     could not validate external IP  {"ip": "123.456.789.123", "error": "context canceled"}
livekit-1  | 2024-11-19T05:23:46.406Z   DEBUG   livekit rtcconfig/ip.go:246     error reading from UDP socket   {"err": "read udp 172.17.0.1:50141: use of closed network connection"}
livekit-1  | 2024-11-19T05:23:46.407Z   INFO    livekit rtcconfig/webrtc_config.go:262  failed to get external ip       {"local": "172.17.0.1", "err": "context canceled"}
livekit-1  | 2024-11-19T05:23:46.407Z   INFO    livekit rtcconfig/webrtc_config.go:85   no external IPs found, using node IP for NAT1To1Ips     {"ip": "123.456.789.123"}
livekit-1  | 2024-11-19T05:23:46.408Z   INFO    livekit service/turn.go:145     Starting TURN server    {"turn.relay_range_start": 30000, "turn.relay_range_end": 30002, "turn.portTLS": 5349, "turn.externalTLS": true, "turn.portUDP": 3479}
livekit-1  | 2024-11-19T05:23:46.408Z   INFO    livekit service/server.go:258   starting LiveKit server {"portHttp": 7880, "nodeID": "ND_vnj2ibmRBbCo", "nodeIP": "123.456.789.123", "version": "1.8.0", "bindAddresses": ["0.0.0.0"], "rtc.portTCP": 7881, "rtc.portICERange": [50100, 50200]}
livekit-1  | 2024-11-19T05:23:46.408Z   DEBUG   livekit service/signal.go:122   starting relay signal server    {"topic": "ND_vnj2ibmRBbCo"}

The livekit log is attached. Any idea why the internal TURN doesn't work?

livekitlog.txt

rajil avatar Nov 19 '24 05:11 rajil

Both pub and sub peerconnection were connected in the log, the disconnect reason is CLIENT_REQUEST_LEAVE which indicates the client left actively.

cnderrauber avatar Nov 21 '24 01:11 cnderrauber

Does it mean that TURN is working but the livekit connection test utility is reporting incorrectly?

rajil avatar Nov 21 '24 02:11 rajil

I don't know which error is reported but the relay candidates are gathered so the turn is working

cnderrauber avatar Nov 21 '24 02:11 cnderrauber

This is the error I get: (image)

Are you looking at line 62 to confirm the relay candidate?

    62  livekit-1  | 2024-11-19T05:27:20.904Z   DEBUG   livekit.transport       rtc/transport.go:1428   added ICE candidate     {"room": "!XprDcIZOFuYhxqUTyn:mydomain.com", "roomID": "RM_RR4TKj2SzA5P", "participant": "@user:mydomain.com:FDHUXFTCTC", "pID": "PA_XTHt2Kszb26n", "remote": false, "transport": "PUBLISHER", "candidate": {"candidate":"candidate:2645882119 1 udp 41885951 123.456.789.123 30001 typ relay raddr 231.456.789.123 rport 24017 generation 0 ufrag FKrM network-id 1","sdpMid":"0","sdpMLineIndex":0,"usernameFragment":"FKrM"}}

rajil avatar Nov 21 '24 02:11 rajil
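The relay-candidate check discussed in the comment above can be run over a whole debug log instead of one line. This is an added example, not part of the original thread and not LiveKit code: the function names, the list of ranges treated as non-routable, and the sample lines are assumptions made here, and the JSON layout is the one shown in the quoted log line. It also reports whether each relay address is one a peer outside the local network could reach, and marks redacted addresses as unparseable.

```python
import ipaddress
import json
import re

# Ranges a peer on the public internet cannot reach (choice made for this example).
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

# candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type>
CAND_RE = re.compile(r"candidate:\S+ \d+ \S+ \d+ (\S+) (\d+) typ (\S+)")


def classify(addr):
    """Return 'public', 'non-routable' or 'unparseable' for a candidate address."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # redacted octets or an mDNS name
        return "unparseable"
    return "non-routable" if any(ip in net for net in NON_ROUTABLE) else "public"


def relay_candidates(log_lines):
    """List (transport, address, port, verdict) for every relay candidate logged."""
    found = []
    for line in log_lines:
        if "added ICE candidate" not in line or "{" not in line:
            continue
        try:
            fields = json.loads(line[line.index("{"):])
        except ValueError:  # wrapped or truncated line
            continue
        m = CAND_RE.search(fields.get("candidate", {}).get("candidate", ""))
        if m and m.group(3) == "relay":
            addr, port = m.group(1), int(m.group(2))
            found.append((fields.get("transport"), addr, port, classify(addr)))
    return found


def _sample(cand, transport):
    """Build a constructed log line with the same JSON layout as the thread's."""
    body = {"transport": transport, "remote": False, "candidate": {"candidate": cand}}
    return "livekit-1  | 2025-01-01T00:00:00.000Z DEBUG added ICE candidate " + json.dumps(body)


SAMPLE = [  # constructed input, not taken from the attached log
    _sample("candidate:1 1 udp 41885951 203.0.113.10 30001 typ relay raddr 198.51.100.7 rport 24017", "PUBLISHER"),
    _sample("candidate:2 1 udp 41885951 172.17.1.134 30002 typ relay raddr 198.51.100.7 rport 24018", "PUBLISHER"),
    _sample("candidate:3 1 udp 2130706431 172.17.1.134 50123 typ host", "PUBLISHER"),
    _sample("candidate:4 1 udp 41885951 123.456.789.123 30001 typ relay", "SUBSCRIBER"),
]

if __name__ == "__main__":
    for row in relay_candidates(SAMPLE):
        print(row)
```

A "public" verdict only says the advertised relay address is routable; whether the relay port range is actually forwarded to the instance still has to be checked separately.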

Right, the relay candidate was created and added successfully. Can you check the webrtc-internals of the failed test to see if there are more details?

cnderrauber avatar Nov 26 '24 05:11 cnderrauber

There are multiple sessions in webrtc-internals when a test is made and I don't know which session to test. Additionally, the session closes pretty quickly and the information is lost in webrtc-internals. I don't know how to save the log.

rajil avatar Nov 26 '24 08:11 rajil

Although with a different setup (Kubernetes deployment), I have the same issue. Did you solve it?

LiveKit tester fails with Error: could not establish pc connection. Signaling works, connection without TURN works, TURN load balancer configured correctly, I can telnet to TURN on 443, yet tester fails.

kamilzzz avatar Jan 21 '25 10:01 kamilzzz

+1

mm2293 avatar Mar 31 '25 15:03 mm2293

I have the same issue. Has anyone got a solution to this problem? Please!

lephus avatar Apr 03 '25 08:04 lephus

+1

williambao avatar Apr 25 '25 15:04 williambao

Hope this helps, I have implemented it successfully https://medium.com/@phule9225/self-hosted-livekit-server-deployment-guide-on-cloud-aws-google-cloud-digitalocean-vultr-etc-b371026b3782

lephus avatar Apr 25 '25 16:04 lephus

Same issue +1, do you know if there is another tool to check TURN? By the way, when using the VM setup without LB, the TURN check passes, but not when using a VM behind a LB. Thanks!

devniel avatar May 16 '25 09:05 devniel

Hi, I fixed it on my side! It was required to expose a public IP address for each instance of my "cluster" (Azure VMSS). This is required by TURN; if the instance behind your proxy is not publicly accessible it will fail. On my side I have a main public IP address for my LB and each instance has its own public IP address too.

devniel avatar May 16 '25 14:05 devniel

@devniel I have the same issue, my livekit instance is behind a proxy as well and only has a local IP address. Do you know why the TURN server requires a public IP address on the instance? What's the difference? Shouldn't it be the same as just passing all relevant ports to the instance via NAT or proxy? If no, why not? Or is there any alternative workaround?

jkhsjdhjs avatar May 19 '25 23:05 jkhsjdhjs

Hi, I am facing the same issue. My livekit server's host has a local IP and I have set up NAT to a public IP. I have also disabled "use_external_ip" and am manually setting node_ip to the public IP. I have enabled livekit's internal turn server (and have provided the necessary crt and key files).

Livekit calls are working but not via TURN. Livekit's https://livekit.io/connection-test says "Could not establish pc connection via TURN". So, as @devniel pointed out, is it true that it's mandatory for public IP to be hosted on the livekit turn server's host? Or is there a workaround to make it work with NAT??

Tagging @boks1971 and @davidzhao for your input.

Thanks

iithehangmanii avatar May 20 '25 10:05 iithehangmanii

@iithehangmanii Can you please share your livekit server config and logs?

What is the connectivity between SFU and TURN server? Are they on the same network?

boks1971 avatar Sep 10 '25 04:09 boks1971

I have a livekit instance. Connecting via ios/macos/android works fine. Connecting via Windows results in: "could not establish pc connection".

Edit: I tried on another Windows machine. It worked well. Hmmm

mustafa0x avatar Sep 26 '25 16:09 mustafa0x

Please join the LiveKit community Slack for help with setup issues: https://livekit.io/join-slack

biglittlebigben avatar Oct 30 '25 20:10 biglittlebigben