Preface
In fact, I had never been interested in intranet penetration (NAT traversal) technology before, mainly because my home broadband is a dual-stack environment with public IPv4 and IPv6 (IPv4 is three PPPoE dial-ups, three public IPs, three 60M upstreams, more than I can use up!). Once a dynamic domain name is configured and a port mapping is added on iKuai, I can access anything I like, and I have not even really used IPv6.
I do know about STUN, because Tailscale's DERP relay server also reserves port 3478 by default, and I know the general principle. After all, I sold CGN products when I did pre-sales, so I have a general understanding of these hole-punching technologies, but I had never practiced them, because Tailscale is just so easy to use. It works well, so why worry about the principle?
This time it was because I was preparing to study Lucky's IPv6-to-IPv4 port-forwarding feature (iKuai does not support IPv6 port forwarding; although a dynamic domain name scheme can also solve access to intranet hosts that each have a different public IPv6 address, from a security point of view a single entry point filtered by a security device is necessary), and I happened to come across STUN:
So I studied it on the side, treated it as a bit of research to remove a blind spot in my knowledge, and wrote this article casually.
How stun and turn work
How do stun and turn work?
If we wanted to explain this from a purely technical perspective, we would first have to talk about how NAT works, then the classification of NAT (Full Cone NAT, Address Restricted Cone NAT, Port Restricted Cone NAT, Symmetric NAT), then reverse connection techniques, TCP and UDP hole punching... That is too much to cover, most readers are not interested, and there are plenty of such articles online, so I am not going to do it that way. I will just summarize it in my own words. The technical details will certainly be imprecise somewhere; after all, it is only a metaphor.
Based on whether the access client and the access target have public IP addresses, our access can be divided into the following types.
1. Both the access client and the access target have public IP
This situation is equivalent to both parties having mobile phone numbers, and it is very easy to find each other. Not only can the access client directly find the access target, but conversely, the access target can also directly find the access client. This is called two-way communication.
2. The access client does not have a public IP but the access target has a public IP
In this case the target cannot find the client, because the client only has a switchboard number and no extension. The client, however, can still reach the target directly. This is one-way communication, and most access on the Internet today is of this type.
3. The access client has a public IP but the access target does not have a public IP (but hole punching is possible)
This situation is more troublesome. The access client has a mobile phone number, but the access target only has a switchboard number with no known extension. What to do? This is where STUN makes its entrance:
In this case STUN can be understood as a middleman. It knows both the client and the target and can contact them directly (assume STUN has both parties' mobile numbers, but the target's mobile number cannot be handed to the client directly; many people are unwilling to give out their mobile number and only share a work number). When the client wants to talk to the target, step one is to contact STUN and ask for the target's extension number; step two, STUN contacts the target and asks for the extension; step three, the target tells STUN its extension; step four, STUN tells the client; step five, the client calls the target directly using switchboard number + extension. Strictly speaking, the STUN Binding exchange only tells a host what public address and port (XOR-MAPPED-ADDRESS) its own packets appear to come from; how the client learns the target's mapping is left to a separate signaling channel (a rendezvous server, a chat message, a DNS record), which is what the middleman in the metaphor stands for.
Note 1: The premise of this method is that the access target has an extension number and is allowed to tell others what it is (a secrecy-bound unit will not disclose extensions). In technical terms, the NAT type must support hole punching, which at minimum means it is not Symmetric NAT.
Note 2: If instead you give the target the client's mobile number and let the target call the client from its office landline, that is called a reverse connection. It is not what STUN does.
Note 3: In this method STUN is only the matchmaker and does not care about the subsequent communication between client and target. In technical terms, the later traffic has nothing to do with STUN. Watching videos or transferring large files is point-to-point between client and target, and the speed depends on the target's uplink bandwidth.
Note 4: This is the so-called "large bandwidth, unlimited traffic" way of implementing intranet penetration that you see advertised online.
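As an added example (not code from the original article, from Lucky or from coturn), here is the Binding exchange in Python: build a Binding request, encode and decode XOR-MAPPED-ADDRESS for IPv4 and IPv6 (RFC 5389), and check the transaction ID so that a spoofed or unsolicited reply is not accepted. The server name passed to query_reflexive_address is whatever you supply; nothing here is tied to a real server, and the offline checks use a response the code constructs itself.

```python
"""Minimal STUN Binding client/response codec (RFC 5389).

Added example, not the article's or coturn's code.  The only thing STUN
returns is the sender's own server-reflexive address, carried (XORed with
the magic cookie and transaction ID) in XOR-MAPPED-ADDRESS.
"""
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_XOR_MAPPED_ADDRESS = 0x0020


def _attr(attr_type, value):
    """TLV attribute, value padded to a 4-byte boundary."""
    pad = (4 - len(value) % 4) % 4
    return struct.pack("!HH", attr_type, len(value)) + value + b"\x00" * pad


def build_binding_request(transaction_id=None):
    """20-byte header, no attributes.  Returns (message, transaction_id)."""
    tid = transaction_id or os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + tid, tid


def encode_xor_mapped_address(ip, port, tid):
    """XOR-MAPPED-ADDRESS as a server would emit it (IPv4 family 1, IPv6 family 2)."""
    family = 0x02 if ":" in ip else 0x01
    raw = socket.inet_pton(socket.AF_INET6 if family == 0x02 else socket.AF_INET, ip)
    mask = struct.pack("!I", MAGIC_COOKIE) + tid          # 16 bytes; IPv4 uses the first 4
    xaddr = bytes(a ^ b for a, b in zip(raw, mask))
    xport = port ^ (MAGIC_COOKIE >> 16)
    return _attr(ATTR_XOR_MAPPED_ADDRESS, struct.pack("!BBH", 0, family, xport) + xaddr)


def build_binding_response(ip, port, tid):
    """Constructed success response, used here in place of a live server."""
    body = encode_xor_mapped_address(ip, port, tid)
    return struct.pack("!HHI", BINDING_SUCCESS, len(body), MAGIC_COOKIE) + tid + body


def parse_binding_response(data, expected_tid):
    """Return (ip, port) from a Binding success response; raise on anything else."""
    if len(data) < 20:
        raise ValueError("short STUN header")
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    tid = data[8:20]
    if cookie != MAGIC_COOKIE or tid != expected_tid:
        # Unsolicited or spoofed packet: the transaction ID is the only binding to our request.
        raise ValueError("not a response to our request")
    if msg_type != BINDING_SUCCESS:
        raise ValueError("server returned message type 0x%04x" % msg_type)
    body, pos = data[20:20 + length], 0
    while pos + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + alen]
        pos += 4 + alen + (4 - alen % 4) % 4
        if atype in (ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS):
            family, port = struct.unpack("!xBH", value[:4])
            addr = value[4:]
            if atype == ATTR_XOR_MAPPED_ADDRESS:
                port ^= MAGIC_COOKIE >> 16
                mask = struct.pack("!I", MAGIC_COOKIE) + tid
                addr = bytes(a ^ b for a, b in zip(addr, mask))
            af = socket.AF_INET6 if family == 0x02 else socket.AF_INET
            return socket.inet_ntop(af, addr), port
    raise ValueError("no mapped address in response")


def query_reflexive_address(server, port=3478, timeout=3.0):
    """Live UDP query against a real STUN server (needs network; not run offline)."""
    family, _, _, _, sockaddr = socket.getaddrinfo(server, port, type=socket.SOCK_DGRAM)[0]
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        request, tid = build_binding_request()
        sock.sendto(request, sockaddr)
        reply, _ = sock.recvfrom(2048)
        return parse_binding_response(reply, tid)


if __name__ == "__main__":
    tid = bytes.fromhex("b7e7a701bc34d686fa87dfae")       # transaction ID from RFC 5769
    reply = build_binding_response("192.0.2.1", 32853, tid)
    print(parse_binding_response(reply, tid))               # ('192.0.2.1', 32853)
```

The transaction-ID check is the one security-relevant line: a STUN client that accepts any Binding response will happily believe a forged "public address", so always match the reply to the request you sent. The IPv4 and IPv6 vectors used in the checks are the ones published in RFC 5769.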
4. Neither the access client nor the access target has a public IP and cannot drill a hole
Think of the target as a secrecy-bound company that will not disclose its extension, while the client has no mobile phone either; with only switchboard numbers on both sides, neither can reach the other. What now? This is where TURN finally makes its entrance:
Because client and target cannot contact each other directly, TURN says: I am the mouthpiece, you both trust me, so all communication goes through me, and even a gift (a large file) is handed to me for delivery.
Compared with STUN, TURN is the last resort. Its advantage is that the connection will be established as long as both sides can reach the TURN server; its disadvantage is that speed is limited by the TURN server's upstream and downstream bandwidth, and all traffic passes through it. Therefore STUN is tried first and TURN is used only if that fails.
Tailscale's DERP relay server also speaks STUN, but on top of STUN it uses more techniques, so the actual Tailscale experience is much better. For building a DERP server, see: Debian series build tailscale DERP server (relay server) for dummies.
Note 1: Both STUN and TURN require the deployment host to have a public IP address, and both the access client and the access target must be able to reach it: over UDP for hole punching (coturn also listens on TCP and TLS, which helps TURN clients behind UDP-blocking firewalls).
Note 2: On Windows you can download a NAT type test tool to check the NAT type of your own environment: https://github.com/HMBSbige/NatTypeTester/releases.
Select RFC 5780:
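The RFC 5780 mode selected above runs that RFC's mapping and filtering tests (Binding requests to the server's primary and alternate address/port, with and without CHANGE-REQUEST) and then maps the outcome onto the older cone/symmetric names. As an added example that is not NatTypeTester's code, here is that decision logic in Python applied to constructed observations (all addresses are made up); it also reports whether the hole-punching precondition from Note 1 of the STUN section holds.

```python
"""NAT behaviour classification in the style of RFC 5780.

Added example, not NatTypeTester's code.  Inputs are what a client would
observe: the XOR-MAPPED-ADDRESS returned when sending to different server
endpoints (mapping tests) and whether replies from a changed server
address/port got through (filtering tests).
"""
from dataclasses import dataclass
from typing import Optional, Tuple

Endpoint = Tuple[str, int]

ENDPOINT_INDEPENDENT = "endpoint-independent"
ADDRESS_DEPENDENT = "address-dependent"
ADDRESS_PORT_DEPENDENT = "address-and-port-dependent"


@dataclass(frozen=True)
class MappingObservations:
    local: Endpoint                       # the socket's own (private) address
    via_primary: Optional[Endpoint]       # reflexive address when sending to primary IP:port (None = no reply)
    via_alt_ip: Optional[Endpoint]        # ... when sending to OTHER-ADDRESS IP, primary port
    via_alt_ip_port: Optional[Endpoint]   # ... when sending to OTHER-ADDRESS IP and port


@dataclass(frozen=True)
class FilteringObservations:
    reply_from_alt_ip_port: bool   # CHANGE-REQUEST (change IP and port): reply received?
    reply_from_alt_port: bool      # CHANGE-REQUEST (change port only): reply received?


def mapping_behaviour(m: MappingObservations) -> str:
    """RFC 5780 section 4.3: how the NAT assigns external ports."""
    if m.via_primary is None:
        return "udp blocked"
    if m.via_primary == m.local:
        return "no NAT"
    if m.via_alt_ip is None or m.via_alt_ip_port is None:
        return "undetermined"            # server has no OTHER-ADDRESS; cannot run tests II/III
    if m.via_primary == m.via_alt_ip:
        return ENDPOINT_INDEPENDENT      # same mapping regardless of destination
    if m.via_alt_ip == m.via_alt_ip_port:
        return ADDRESS_DEPENDENT         # new mapping per destination IP
    return ADDRESS_PORT_DEPENDENT        # new mapping per destination IP:port ("symmetric")


def filtering_behaviour(f: FilteringObservations) -> str:
    """RFC 5780 section 4.4: which inbound packets the NAT lets through."""
    if f.reply_from_alt_ip_port:
        return ENDPOINT_INDEPENDENT
    if f.reply_from_alt_port:
        return ADDRESS_DEPENDENT
    return ADDRESS_PORT_DEPENDENT


def legacy_nat_type(mapping: str, filtering: str) -> str:
    """Translate RFC 5780 behaviours into the RFC 3489 cone/symmetric names."""
    if mapping in ("udp blocked", "no NAT", "undetermined"):
        return mapping
    if mapping != ENDPOINT_INDEPENDENT:
        return "Symmetric NAT"
    return {
        ENDPOINT_INDEPENDENT: "Full Cone NAT",
        ADDRESS_DEPENDENT: "Address Restricted Cone NAT",
        ADDRESS_PORT_DEPENDENT: "Port Restricted Cone NAT",
    }[filtering]


def hole_punching_possible(mapping: str) -> bool:
    """A STUN-learned mapping is reusable toward a peer only if it is endpoint-independent."""
    return mapping == ENDPOINT_INDEPENDENT


if __name__ == "__main__":
    # Constructed observations for a home router that rewrites the port per destination.
    obs = MappingObservations(("192.168.1.10", 40000), ("203.0.113.5", 51000),
                              ("203.0.113.5", 51001), ("203.0.113.5", 51002))
    mapping = mapping_behaviour(obs)
    print(mapping, legacy_nat_type(mapping, filtering_behaviour(FilteringObservations(False, False))),
          "hole punching:", hole_punching_possible(mapping))
```

The mapping result is the one that matters for STUN-based penetration: filtering only decides which peer has to send first, whereas address-and-port-dependent mapping means the port a STUN server reported is useless to a different peer, which is exactly the Symmetric NAT case the article says needs TURN.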
Deploy coturn
Note: There are many ways to deploy coturn. I chose Docker because it is the simplest, although it may not be the best-performing. Choose the deployment method that suits your environment.
The deployed host has an IPv4 public address
My Tencent Cloud lightweight server has a fixed public IPv4 address (although some cloud hosts do not hand the public IPv4 address to the instance directly: the so-called fixed public IP is a one-to-one mapping, and the server itself still has a private address). My home broadband has a dynamic public IPv4 address, reaching the intranet host through the router's port mapping. To obtain the two coturn parameters external-ip and relay-ip correctly in these different scenarios, it is recommended to use coturn's automatic detection.
The commands to build docker are as follows:
    docker run --name coturn -d --restart=always \
      -e DETECT_EXTERNAL_IP=yes \
      -e DETECT_RELAY_IP=yes \
      -p 3478:3478/tcp -p 3478:3478/udp \
      -p 5349:5349/tcp -p 5349:5349/udp \
      -p 49160-49170:49160-49170/udp \
      coturn/coturn \
        --realm=stun.example.com \
        --lt-cred-mech \
        --user=guest:guest \
        --min-port=49160 --max-port=49170

What each part does:
- DETECT_EXTERNAL_IP=yes and DETECT_RELAY_IP=yes: let the image's entrypoint detect external-ip and relay-ip automatically.
- --realm=stun.example.com: the domain name that resolves to the public IPv4 address (a dynamic domain name is fine). TURN clients send this realm back in their credentials, so it must match what they are configured with.
- --lt-cred-mech and --user=guest:guest: the username and password TURN clients authenticate with; both are guest here. TURN has to do the heavy lifting, whereas STUN only "talks", so STUN itself needs no authentication. The original command passed user and realm as -e environment variables; the coturn image's entrypoint only acts on the DETECT_* variables, and user and realm are turnserver options, so they are given after the image name here. Without --lt-cred-mech coturn does not check credentials at all, so the user setting alone would do nothing.
- -p 3478:3478/tcp -p 3478:3478/udp: the STUN/TURN listening port, 3478 by default. You can map a different host port, since a STUN client lets you specify the port together with the server address. (I did not use the default port.)
- -p 5349:5349/tcp -p 5349:5349/udp: the TLS listening port. TLS sessions can also be served on 3478; keeping both 3478 and 5349 follows RFC 5766. It only does anything if you also give coturn a certificate (--cert and --pkey), so it does not need to be mapped otherwise.
- -p 49160-49170:49160-49170/udp together with --min-port=49160 --max-port=49170: the relay ports used for media in TURN mode. You can choose the range yourself, but the published range and the min/max options must be identical; normally there is no need to make it this small.
Note 1: The official recommendation is to use --net=host, i.e. host-mode networking, because when Docker maps a large port range with -p a lot of performance can be lost. I deliberately narrowed the range to 49160-49170. This was only an experiment and I did not plan to use it (I have Tailscale, so I do not need it). Moreover, host mode means coturn takes port 3478 on the host, and my port 3478 is already occupied by Tailscale's DERP relay server, so I used -p mode. Choose whichever suits you in real use.
Note 2: If there is a firewall or other security device in front of the host, remember to open the corresponding ports in its access rules (on a cloud host this includes the security group). If the host is behind NAT, remember to add the port mappings, including the whole relay range.
Note 3: A TURN server will relay to any peer address its clients ask for, including addresses on the relay host's own private network or a cloud metadata endpoint. If the server is reachable from the Internet, keep --lt-cred-mech on, use a password stronger than guest, and add --no-multicast-peers plus --denied-peer-ip ranges for 10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255, 192.168.0.0-192.168.255.255 and 169.254.0.0-169.254.255.255 unless you actually need to relay into those networks.
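Added example, not coturn's own code, showing what the --lt-cred-mech, --user and --realm settings above amount to on the wire: a TURN client sends an Allocate request carrying USERNAME, REALM and NONCE plus a MESSAGE-INTEGRITY HMAC-SHA1 keyed with MD5(username:realm:password) (RFC 5389 section 15.4, as used by RFC 5766), and the server recomputes the HMAC from its user table. USER_DB is a constructed stand-in for coturn's user database holding the guest:guest entry; the nonce and transaction ID are constructed as well.

```python
"""TURN long-term credentials: client-side signing and server-side check.

Added example, not coturn code.  Shows why --realm must match between server
and client and why --user is meaningless without a credential mechanism.
"""
import hashlib
import hmac
import os
import struct

MAGIC_COOKIE = 0x2112A442
ALLOCATE_REQUEST = 0x0003
ATTR_USERNAME = 0x0006
ATTR_MESSAGE_INTEGRITY = 0x0008
ATTR_REALM = 0x0014
ATTR_NONCE = 0x0015
ATTR_REQUESTED_TRANSPORT = 0x0019
PROTO_UDP = 17

# Constructed stand-in for the server's user table created by
# --user=guest:guest --realm=stun.example.com; the realm is part of the identity.
USER_DB = {("guest", "stun.example.com"): "guest"}


def lookup_password(username, realm):
    return USER_DB.get((username, realm))


def _attr(attr_type, value):
    """TLV attribute, value padded to a 4-byte boundary."""
    pad = (4 - len(value) % 4) % 4
    return struct.pack("!HH", attr_type, len(value)) + value + b"\x00" * pad


def long_term_key(username, realm, password):
    # RFC 5389: key = MD5(username ":" realm ":" SASLprep(password)); plain ASCII here.
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()


def build_allocate_request(username, realm, nonce, password, tid=None):
    """Client side: Allocate request for a UDP relay, signed with the long-term key."""
    tid = tid or os.urandom(12)
    body = (_attr(ATTR_REQUESTED_TRANSPORT, struct.pack("!B3x", PROTO_UDP))
            + _attr(ATTR_USERNAME, username.encode())
            + _attr(ATTR_REALM, realm.encode())
            + _attr(ATTR_NONCE, nonce.encode()))
    # The length covered by the HMAC already counts the 24-byte MESSAGE-INTEGRITY
    # attribute (4-byte TLV header + 20-byte digest) that is appended afterwards.
    header = struct.pack("!HHI", ALLOCATE_REQUEST, len(body) + 24, MAGIC_COOKIE) + tid
    digest = hmac.new(long_term_key(username, realm, password), header + body, hashlib.sha1).digest()
    return header + body + _attr(ATTR_MESSAGE_INTEGRITY, digest)


def verify_allocate_request(msg, lookup=lookup_password):
    """Server side: True only if USERNAME/REALM are known and the HMAC matches."""
    if len(msg) < 20:
        return False
    msg_type, length, cookie = struct.unpack("!HHI", msg[:8])
    if cookie != MAGIC_COOKIE or msg_type != ALLOCATE_REQUEST:
        return False
    attrs, pos, end = {}, 20, min(len(msg), 20 + length)
    mi_offset = digest = None
    while pos + 4 <= end:
        atype, alen = struct.unpack("!HH", msg[pos:pos + 4])
        value = msg[pos + 4:pos + 4 + alen]
        if atype == ATTR_MESSAGE_INTEGRITY:
            mi_offset, digest = pos, value      # attributes after it are not covered
            break
        attrs[atype] = value
        pos += 4 + alen + (4 - alen % 4) % 4
    if mi_offset is None or ATTR_USERNAME not in attrs or ATTR_REALM not in attrs:
        return False
    username = attrs[ATTR_USERNAME].decode(errors="replace")
    realm = attrs[ATTR_REALM].decode(errors="replace")
    password = lookup(username, realm)
    if password is None:
        return False                            # unknown user, or realm mismatch
    # Re-create the header exactly as the client hashed it: length up to and including MI.
    header = struct.pack("!HHI", msg_type, mi_offset - 20 + 24, cookie) + msg[8:20]
    expected = hmac.new(long_term_key(username, realm, password),
                        header + msg[20:mi_offset], hashlib.sha1).digest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    good = build_allocate_request("guest", "stun.example.com", "n0nce", "guest")
    bad = build_allocate_request("guest", "stun.example.com", "n0nce", "nope")
    print("valid credentials accepted:", verify_allocate_request(good))   # True
    print("wrong password accepted:", verify_allocate_request(bad))       # False
```

Two things this makes visible: the password never travels on the wire (only an HMAC over the request does), and a client configured with a different realm than the server's --realm derives a different key and is rejected even with the right password, which is the usual cause of "TURN works with the test page but not from my client".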
The deployed host has an IPv6 public address
The deployment host can also have a public IPv6 address; coturn supports IPv6, and DETECT_EXTERNAL_IP=yes detects both IPv4 and IPv6 addresses, so the command from the previous section does not need to change. The key issue is instead the AAAA record of stun.example.com, which must be dynamically updated to the deployment host's IPv6 address. At the same time, the STUN client must itself have an IPv6 address, use the stun.example.com name as the STUN server address, and actually receive the AAAA answer for that name. This matters because some DNS servers or DNS proxies can suppress AAAA resolution, for example iKuai:
Test
Scientific and comprehensive testing method
After the deployment is complete, you can use the following page to test: Test Link.
The test interface is as follows:
Use Tencent Cloud lightweight server as stun server for testing
The following figure shows the result of building and testing on the Tencent Cloud server (fixed public IPv4 address):
Use home broadband equipment as stun server
The following figure shows the result of building and testing on my home equipment:
1. Enable IPv4 and IPv6 resolution for accessed domain names at the same time:
Wow, a lot of candidates were detected. This is due to the complex environment at home: IPv4, IPv6, Tailscale virtual addresses and so on. In addition, my test STUN client and my STUN server are actually on the same intranet (using iKuai's port loopback function, which is really hairpin NAT). The key point is that the access domain name of my STUN server has both an A record and an AAAA record, which is why there are so many candidates I cannot account for one by one. But it does not matter; the result is that it passed. What matters is that there are two srflx (server-reflexive) and two relay candidates, which means that when both IPv4 and IPv6 records exist and the STUN client is also on a dual-stack IPv4/IPv6 network, both can be detected at the same time.
2. Enable IPv4 resolution only for accessed domain names:
This is much more normal.
3. Enable IPv6 resolution only for accessed domain names:
Note: Because I used a very non-standard setup, deploying the STUN server and the STUN client (which also has an IPv4 address) on the same intranet to simulate an IPv6 environment, the test results look strange. That does not matter, as long as it proves that STUN works when the access domain name resolves only to an IPv6 address.
Testing method using stun client
If you already have a STUN client at hand, you can test the effect directly. Take Lucky's built-in STUN client as an example:
After a moment, STUN succeeds in discovering the public address, and the address and port appear in the red box:
Use the obtained public address and port to access it:
Summary
At this point the STUN server is built and the STUN client is working, but as you can see, by itself this is not yet of practical use. Why?
Because the public IP and port of the "STUN penetration public address" in the red box keep changing, so how could you use it like that? To really use it in practice there is one more step: turn the changing public IP and port in the red box into an unchanging domain name, just like the dynamic domain names we normally use. However, this special "dynamic domain name" requires the API of your DNS provider plus at least two values from your account in the provider's console (domain ID, record ID, or zone ID and rule ID, and so on), and then a series of operations to implement it. I looked at it and found that every provider's configuration is different with nothing in common, so writing one up is not very meaningful (mainly I am too lazy; this was only a research question, and STUN is really suited to being a low-level building block: for example, syncthing relies on STUN for this. See my other article: Docker series: A detailed tutorial on how to synchronize multiple folders using Docker based on syncthing). So I will stop here. I hope this article is helpful to friends who need STUN.
Also: I strongly recommend Tailscale. Isn't it great to have a fixed private IP?