🔧 [kasmVNC] Unix relay subscription & WebRTC ICE failure – TURN server may be misconfigured

[byteshiva]

Description:
While running kasmVNC, I'm encountering recurring errors related to WebRTC connectivity and Unix relay subscriptions:

uname -a 

Linux  6.1.0-37-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.140-1 (2025-05-22) x86_64 GNU/Linux

But the same is working when executed using root, but root is not recommended for vnc session.

sudo vncserver 

Web client error

Unix relay subscription failed, No such unix channel webutil-DUkojxeL.js:4:7012
WebRTC: ICE failed, add a TURN server and see about:webrtc for more details

Expected Behavior:

• Unix relay should successfully subscribe to the relevant channel.
• WebRTC should establish peer connections using available ICE candidates or fallback to a TURN server.

Actual Behavior:

• The system logs a failure to find the expected Unix channel (webutil-DUkojxeL.js).
• ICE negotiation fails, suggesting a TURN server may be missing or not properly configured.

Steps to Reproduce:

1. Deploy or access a kasmVNC session
2. Connect to the session through the web client.
3. Monitor browser console and logs.
4. Observe the Unix relay and WebRTC ICE errors.

Environment:

• kasmVNC Version: 1.3.4
• Deployment Method: Kasmvnc debian
• Browser: Firefox
• OS: mxlinux

Additional Context:

• This may indicate a misconfiguration or a race condition where the Unix channel isn’t created before subscription is attempted.
• The WebRTC ICE failure may be due to lack of a properly defined TURN server in the ICE configuration.
• See also: about:webrtc for more insights on connection failure.

 cat ~/.vnc/kasmvnc.yaml 
desktop:
  resolution:
    width: 1024
    height: 768
  allow_resize: true
  pixel_depth: 24
  gpu:
    hw3d: false
    drinode: /dev/dri/renderD128

network:
  protocol: http
  interface: 0.0.0.0
  websocket_port: auto
  use_ipv4: true
  use_ipv6: true
  udp:
    public_ip: auto
    port: auto
    payload_size: auto
    stun_server: auto
  ssl:
    pem_certificate: /etc/ssl/certs/ssl-cert-snakeoil.pem
    pem_key: /etc/ssl/private/ssl-cert-snakeoil.key
    require_ssl: true
  # unix_relay:
  #   name:
  #   path:


user_session:
  new_session_disconnects_existing_exclusive_session: false
  concurrent_connections_prompt: false
  concurrent_connections_prompt_timeout: 10
  idle_timeout: never

keyboard:
  remap_keys:
  ignore_numlock: false
  raw_keyboard: false

pointer:
  enabled: true

runtime_configuration:
  allow_client_to_override_kasm_server_settings: true
  allow_override_standard_vnc_server_settings: true
  allow_override_list:
    - pointer.enabled
    - data_loss_prevention.clipboard.server_to_client.enabled
    - data_loss_prevention.clipboard.client_to_server.enabled
    - data_loss_prevention.clipboard.server_to_client.primary_clipboard_enabled

logging:
  log_writer_name: all
  log_dest: logfile
  level: 30

security:
  brute_force_protection:
    blacklist_threshold: 5
    blacklist_timeout: 10

data_loss_prevention:
  visible_region:
    # top: 10
    # left: 10
    # right: 40
    # bottom: 40
    concealed_region:
      allow_click_down: false
      allow_click_release: false
  clipboard:
    delay_between_operations: none
    allow_mimetypes:
      - chromium/x-web-custom-data
      - text/html
      - image/png
    server_to_client:
      enabled: true
      size: unlimited
      primary_clipboard_enabled: false
    client_to_server:
      enabled: true
      size: unlimited
  keyboard:
    enabled: true
    rate_limit: unlimited
  logging:
    level: off
  watermark:
    # image: /etc/kasmvnc/picture.png
    # location: 10,10
    # tint: 255,20,20,128
    # repeat_spacing: 10
    # text:
      # template: "${USER} %H:%M"
      # font: auto
      # font_size: 48
      # timezone_name: Australia/Adelaide
      # angle: 0

encoding:
  max_frame_rate: 60
  full_frame_updates: none
  rect_encoding_mode:
    min_quality: 7
    max_quality: 8
    consider_lossless_quality: 10
    rectangle_compress_threads: auto

  video_encoding_mode:
    jpeg_quality: -1
    webp_quality: -1
    max_resolution:
      width: 1920
      height: 1080
    enter_video_encoding_mode:
      time_threshold: 5
      area_threshold: 45%
    exit_video_encoding_mode:
      time_threshold: 3
    logging:
      level: off
    scaling_algorithm: progressive_bilinear

  compare_framebuffer: auto
  zrle_zlib_level: auto
  hextile_improved_compression: true

server:
  http:
    headers:
      - Cross-Origin-Embedder-Policy=require-corp
      - Cross-Origin-Opener-Policy=same-origin
    httpd_directory: /usr/share/kasmvnc/www
  advanced:
    x_font_path: auto
    kasm_password_file: ${HOME}/.kasmpasswd
    x_authority_file: auto
  auto_shutdown:
    no_user_session_timeout: never
    active_user_session_timeout: never
    inactive_user_session_timeout: never

command_line:
  prompt: true

[mmcclaskey]

KasmVNC does not currently support a TURN server, meaning that your server-side cannot be behind NAT, though static 1 to 1 NAT such as an AWS VM with a public IP should work. If your server does have a direct public IP and is not behind dynamic NAT, then you can try updating your yaml config network.udp.public_ip, change it from auto to the public IP address of your system. KasmVNC does support auto discovery of the systems IP address, but statically setting it can reduce one more thing that can go wrong.

Ensure that UDP is open going both directions, if your server is a VM in AWS or something like that, you will need to open up UDP.

[byteshiva]

KasmVNC does not currently support a TURN server, meaning that your server-side cannot be behind NAT, though static 1 to 1 NAT such as an AWS VM with a public IP should work. If your server does have a direct public IP and is not behind dynamic NAT, then you can try updating your yaml config network.udp.public_ip, change it from auto to the public IP address of your system. KasmVNC does support auto discovery of the systems IP address, but statically setting it can reduce one more thing that can go wrong.

Ensure that UDP is open going both directions, if your server is a VM in AWS or something like that, you will need to open up UDP.

Why does KasmVNC require sudo vncserver (root) to work locally, while failing under a normal user? Specifically:

1. Does it need root to bind to privileged ports (<1024) for UDP? (Bidirectional UDP must be open for local operation.)
2. Are there firewall rules (iptables/nftables) blocking non-root UDP socket access?
3. Does KasmVNC enforce strict UDP socket permissions that only root can satisfy?

[mmcclaskey]

KasmVNC does not require root. If you see sudo anywhere in our docs being required to run vncserver, please let me know.

1. No, we do not bind to priv ports.
2. I can't speak to your system's firewall rules. KasmVNC has not insight into iptables or any other firewall on your systems.
3. No