Jami STUN server Two IP addresses

Jorge · March 2, 2025, 3:32am

Questions:

Does the Jami client make use of a STUN server ? Maybe just the mobile phone apps? I believe because Jami uses opendht bootstrap, Jami does not need to use a STUN server, but maybe it still does? If it does not, then would it be safe to specify “no-stun” for the TURN server’s configuration? ( –no-stun Run as TURN server only, all STUN requests will be ignored.)
If Jami does use STUN server then is it good to set " –secure-stun Require authentication of the STUN Binding request" ? As I would expect the TURN server settings in the Jami client is what Jami uses for a STUN server and user, password, and realm are specified, so I would expect any STUN requests would also use user and password. (Is realm relevant for STUN?)
I tested with Trickle ICE and the STUN test did not succeed when secure-stun was set, even if I specified user and password.
when I did a nslookup on turn.jami.net, I noticed two IP addresses. If I use two IP addresses on my TURN server, it removes the log message “WARNING: I cannot support STUN CHANGE_REQUEST functionality because only one IP address is provided” but is there any advantage for Jami if the STUN/TURN server uses two IP addresses? Does using two IP addresses improve the functionality of STUN for Jami?

sblin · March 5, 2025, 12:24pm

Jami doesn’t use stun for jami accounts because the DHT got this role. It may be used for sip accounts

Jorge · March 5, 2025, 12:56pm

Thank you for that information.

At present I am not using SIP, which then means I do not need to implement about STUN as yet.

Rubus_chiliadenus · March 29, 2025, 8:34am

But I saw dhtnet doesn’t add Reflexive Candidates correctly.

github.com/savoirfairelinux/dhtnet

src/ice_transport.cpp

master


      
          auto genericSrflxCand = setupGenericReflexiveCandidates();
          
          if (not genericSrflxCand.empty()) {
              // Generic srflx candidates will be added only if different
              // from UPnP candidates.
              if (upnpSrflxCand.empty()
                  or (upnpSrflxCand[0].second.toString() != genericSrflxCand[0].second.toString())) {
                  addServerReflexiveCandidates(genericSrflxCand);
                  // if (logger_)
                  //     logger_->debug("[ice:{}] Added generic srflx candidates:", fmt::ptr(this));
              }
          }

github.com/savoirfairelinux/dhtnet

src/ice_transport.cpp

master


      
          std::vector<std::pair<IpAddr, IpAddr>>
          IceTransport::Impl::setupGenericReflexiveCandidates()
          {
              if (not accountLocalAddr_) {
                  if (logger_)
                      logger_->warn("[ice:{}] Missing local address, generic srflx candidates unable to be generated!",
                            fmt::ptr(this));
                  return {};
              }
          
              if (not accountPublicAddr_) {
                  if (logger_)
                      logger_->warn("[ice:{}] Missing public address, generic srflx candidates unable to be generated!",
                            fmt::ptr(this));
                  return {};
              }
          
              std::vector<std::pair<IpAddr, IpAddr>> addrList;
              auto isTcp = isTcpEnabled();

This file has been truncated. show original

It doesn’t use DHT to get mapped ports. However, the bootstrap node, the DHT proxy, even a DHT neighbor which is behind NATs having Endpoint-Independent Filtering, could be used to get mapped ports.