Configure Parsec Relay Server

The Parsec Relay Server is part of the Parsec for Teams Enterprise license. It's a solution for when you need more control over your network infrastructure and want to ensure P2P connections will be successful. It can be used as a way to route all Parsec traffic through one public IP address and as a solution for managing strict firewall/NAT settings. If you'd prefer to avoid the Parsec Relay Server, look into Parsec's networking requirements.

The Parsec Relay Server is an on-premises high performance relay (HPR) server. It is a lightweight server program that relays many concurrent Parsec sessions through a single IP address / port configuration. It can be used to assist with NAT traversal as either an on-premises relay for large LAN deployments of Parsec, or as a general purpose WAN relay server.

The Relay Server will bind to all interfaces with both [public_port] and [private_port]. The [public_address]:[public_port] will be communicated to peers that need to route through the Relay Server and must be accessible from the WAN. Use UDP ports for the private and public port. [private_port] may be configured for additional security. Using a [private_port] ensures that relay requests can only be originated on the [private_port] specified, and any relay requests attempting to be originated on [public_port] will be dropped. If [public_port] is the same as [private_port], only a single port will be used.

Before installing and configuring the Parsec Relay Server, we highly recommend you review the technical reference section, which covers prerequisites, advanced configuration, deployment considerations, and troubleshooting.

Install

1) Copy the download URL for the relay server from the Teams Global App Settings page. The .tar.gz contains the Relay Server files and the Readme.

2) SSH into the Linux machine that you'll use for the relay server, download and extract the tarball, then copy the `parsechpr` and `parsechpr.service` files to the relevant directories:

ssh <user>@<LAN-IP>
wget <relay download URL>
tar -xf <relay.tar.gz>
cd parsechpr1.0
sudo cp parsechpr /bin
sudo cp parsechpr.service /etc/systemd/system

Configure

1) Use your text editor of choice to modify `ExecStart` under [Service] in parsechpr.service to point to the Public IP address, public (WAN interface) port and internal (LAN interface) port. 

sudo nano /etc/systemd/system/parsechpr.service

Example: `ExecStart=/bin/parsechpr 1.2.3.4 5000 4900`

Syntax: ExecStart=/bin/parsechpr [Public IP Address] [WAN/public interface port] [LAN/Internal interface port]

Save: CTRL + X to close, CTRL + Y to confirm modify, Enter to overwrite

2) Run the service:

sudo systemctl start parsechpr
sudo systemctl enable parsechpr

3) Enter the relay's private (LAN) IP and private port in the "Relay Host IP Addresses" field of the Teams Global App Settings page.

That's it! Again, we highly recommend reviewing the technical reference section for additional details regarding the Parsec Relay server.

Confirm 'parsechpr' service is running

service parsechpr status

Configure Parsec Hosts to use the Relay Server

As an alternative to configuring the relay for all hosts globally via the Teams Global App Settings page, or by group on the Groups page, the relay server address may be manually specified in the configuration file via app_stun_address:

app_stun_address = 10.1.2.20@4900 # Use a local address if possible

An '@' character must be used to delimit the IP address and port. Up to 10 address@port pairs may be configured, separated by commas:

app_stun_address = 10.1.2.20@23050,10.1.2.21@23051,....

NOTE: this is a different format than in the Application Configuration page on the admin panel. Please read this article to know the format to use on the config page.
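A pre-deployment check for the configuration-file format described above, as an added example that is not part of Parsec's documentation or tooling: it validates an app_stun_address line (the '@' delimiter, the 10-pair limit, the port range) and warns when an address is not a private one. The function name, the IP-literal-only check and the handling of a trailing `#` comment are assumptions made for this example.

```python
import ipaddress

MAX_PAIRS = 10  # the page allows up to 10 address@port pairs


def parse_app_stun_address(line):
    """Return (pairs, warnings) for one config line; raise ValueError if malformed."""
    body = line.split("#", 1)[0]  # assumption: '#' starts a trailing comment
    key, sep, value = body.partition("=")
    if not sep or key.strip() != "app_stun_address":
        raise ValueError("not an app_stun_address line")
    entries = [e.strip() for e in value.split(",")]
    if len(entries) > MAX_PAIRS:
        raise ValueError(f"{len(entries)} pairs configured, limit is {MAX_PAIRS}")
    pairs, warnings = [], []
    for entry in entries:
        host, at, port_text = entry.partition("@")
        if not at:  # catches the ':' delimiter and empty entries
            raise ValueError(f"{entry!r}: use '@' between address and port")
        try:
            ip = ipaddress.ip_address(host)  # assumption: literal IPs only
        except ValueError:
            raise ValueError(f"{entry!r}: {host!r} is not an IP address") from None
        if not (port_text.isascii() and port_text.isdigit()
                and 1 <= int(port_text) <= 65535):
            raise ValueError(f"{entry!r}: port must be 1-65535")
        pair = (str(ip), int(port_text))
        if pair in pairs:
            warnings.append(f"{entry}: duplicate entry")
        if not ip.is_private:  # the page advises a local address if possible
            warnings.append(f"{entry}: not a private (LAN) address")
        pairs.append(pair)
    return pairs, warnings


if __name__ == "__main__":
    # Constructed sample lines; the first is the form shown on this page.
    samples = [
        "app_stun_address = 10.1.2.20@4900 # Use a local address if possible",
        "app_stun_address = 10.1.2.20@23050,1.2.3.4@5000",
        "app_stun_address = 10.1.2.20:4900",
    ]
    for sample in samples:
        try:
            print(sample, "->", parse_app_stun_address(sample))
        except ValueError as err:
            print(sample, "-> REJECTED:", err)
```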

It is also possible to leverage DNS records to configure HPR candidates for Parsec hosts.

Connection behavior

If more than one relay server is available, Parsec will choose a relay server at random on each connection attempt. If an attempt fails because the relay address could not be reached, Parsec will blacklist that address for 10 minutes and only consider the remaining addresses.

The Relay Server acts as a phony STUN server that exposes itself as the peer's address rather than the true public IP. This will cause Parsec to route all WAN traffic through the Relay Server instead of using its normal NAT traversal routines.

Additional connection scenarios can be found here.