Last active
February 28, 2024 23:59
stun-gke-nlb testing
# https://github.com/processone/eturnal but probably better to use https://github.com/processone/eturnal/tree/master/examples/kubernetes-kustomize
# for testing use https://icetest.info/ should match results for stun:stun.l.google.com:19302
apiVersion: v1
kind: Namespace
metadata:
  name: eturnal
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: eturnal
  namespace: eturnal
  labels:
    app: eturnal
spec:
  selector:
    matchLabels:
      app: eturnal
  template:
    metadata:
      labels:
        app: eturnal
    spec:
      containers:
      - name: eturnal
        image: docker.io/eturnal/eturnal
        ports:
        - containerPort: 3478
        #env: # See https://eturnal.net/doc/#Environment_Variables
        #- name: ETURNAL_RELAY_IPV4_ADDR # I think this is only needed for TURN not STUN.
        #  value: "34.66.156.5" # Should match the NLB IP address, which is the expected relay IP instead of Cloud NAT or Node's public IP
---
apiVersion: v1
kind: Service
metadata:
  name: eturnal
  namespace: eturnal
spec:
  #ipFamilyPolicy: RequireDualStack
  ports:
  - port: 19302
    targetPort: 3478
    protocol: UDP
    name: stun
  selector:
    app: eturnal
  type: LoadBalancer
# Test using: https://icetest.info/ and add stun "stun:IPADDRESS:19302" compared to "stun:stun.l.google.com:19302"
# View packets from gke node using toolbox and apt install tshark
#root@gke-gke-iowa-default-pool-fa46c430-p74m:~# tshark -f "udp port 19302"
#Running as user "root" and group "root". This could be dangerous.
#Capturing on 'eth0'
# 1 0.000000000 174.162.248.150 → 34.66.156.5 STUN 62 Binding Request
# 2 0.001051915 34.66.156.5 → 174.162.248.150 STUN 86 Binding Success Response XOR-MAPPED-ADDRESS: 174.162.248.150:59983
# 3 10.044048979 174.162.248.150 → 34.66.156.5 STUN 62 Binding Request
# 4 10.045048666 34.66.156.5 → 174.162.248.150 STUN 86 Binding Success Response XOR-MAPPED-ADDRESS: 174.162.248.150:59983
# 5 20.091969119 174.162.248.150 → 34.66.156.5 STUN 62 Binding Request
# 6 20.093088180 34.66.156.5 → 174.162.248.150 STUN 86 Binding Success Response XOR-MAPPED-ADDRESS: 174.162.248.150:59983
# Follow STUN server logs
#kubectl logs -n eturnal deploy/eturnal -f
# Use eturnalctl to change settings like loglevel
#kubectl exec -it -n eturnal deploy/eturnal -- /bin/sh
# eturnalctl loglevel debug
# Also make sure you have a firewall rule to allow ingress to pods
#gcloud compute firewall-rules create allow-stun-ingress --project $DEVSHELL_PROJECT_ID \
# --direction=INGRESS \
# --action=allow \
# --rules=udp:19302 \
# --source-ranges=0.0.0.0/0 --network=gke-vpc
Good write-up of how NLB and UDP work at https://cloud.google.com/load-balancing/docs/network/udp-with-network-load-balancing
Results from https://icetest.info/ testing NLB and matching google stun results (sans ipv6 result since I used a single stack gke)
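
The Binding Request / XOR-MAPPED-ADDRESS exchange seen in the tshark capture can also be checked from a terminal instead of icetest.info. The probe below is an added example, not part of the original gist or of eturnal; the function names and the constructed sample reply are assumptions, and it handles IPv4 only.

```python
import os, socket, struct

MAGIC = 0x2112A442  # STUN magic cookie (RFC 5389)
BINDING_REQUEST, BINDING_SUCCESS, XOR_MAPPED_ADDRESS = 0x0001, 0x0101, 0x0020

def build_request(txid=None):
    """20-byte header-only Binding Request; returns (packet, transaction id)."""
    txid = txid or os.urandom(12)
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC, txid), txid

def parse_response(data, txid):
    """Return (ip, port) from XOR-MAPPED-ADDRESS, rejecting replies that do not
    match our request (wrong type, cookie, transaction id or length)."""
    if len(data) < 20:
        raise ValueError("short STUN header")
    mtype, mlen, cookie, rtxid = struct.unpack("!HHI12s", data[:20])
    if mtype != BINDING_SUCCESS or cookie != MAGIC or rtxid != txid:
        raise ValueError("not a Binding Success Response for this transaction")
    if mlen != len(data) - 20:
        raise ValueError("length field does not match datagram")
    pos = 20
    while pos + 4 <= len(data):
        atype, alen = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + alen]
        if atype == XOR_MAPPED_ADDRESS and alen == 8 and len(value) == 8 and value[1] == 0x01:
            port = struct.unpack("!H", value[2:4])[0] ^ (MAGIC >> 16)
            addr = struct.unpack("!I", value[4:8])[0] ^ MAGIC
            return socket.inet_ntoa(struct.pack("!I", addr)), port
        pos += 4 + alen + (-alen % 4)  # attributes are padded to 4 bytes
    raise ValueError("no IPv4 XOR-MAPPED-ADDRESS attribute")

def probe(host, port=19302, timeout=3.0):
    """Send one Binding Request over UDP and return the reflexive (ip, port)."""
    packet, txid = build_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (host, port))
        data, _ = s.recvfrom(2048)
    return parse_response(data, txid)

def sample_response(txid, ip="174.162.248.150", port=59983):
    """Constructed reply carrying the mapping shown in the tshark capture."""
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC
    attr = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, 0x01, port ^ (MAGIC >> 16), xaddr)
    return struct.pack("!HHI12s", BINDING_SUCCESS, len(attr), MAGIC, txid) + attr

if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 19302))
```

Run it with the NLB address as the first argument and compare the printed address with what `stun.l.google.com 19302` returns; a timeout usually points at the firewall rule or the Service rather than eturnal itself.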