how to videochat with ichat when it doesn’t actually work
disclaimer: this is getting pretty complicated in the end, you should know how to use a shell (err, Terminal.app) and what ip addresses and ports are.
now that every macbook (pro) user owns the means to make video conferences, it was time for me to give it a try, too. with its h.264 video codec, ichat offers damn good video quality and i haven’t seen anything else that can compete (anything else that’s free, free for mac users at least).
(you can skip the blahblah if you want to)
following the habits of a happy mac user, i fired up ichat, added a (macbook pro) friend to the buddy list and clicked on the video chat button, expecting everything to work just fine - as usual - but it didn’t. it didn’t work. hey, it’s an apple, it’s supposed to work out of the box. well, i soon discovered that my dsl router is in fact not from apple, and my friend’s neither - gotcha. a bit of googling revealed that we were not the only ones in the world having this problem. apparently, some people managed to get video chat running by forwarding some ports through their nat routers and breaking holes into their firewalls. didn’t work for us.
now we could have gone to the next apple store and bought two airport express base stations (hey that would have given me airtunes, i’ve always wanted that … anyway) and everything would have worked just fine. we didn’t. instead, we asked the software people.
the actual problem is (probably) this: as long as you send text messages over ichat, all the data goes over a central server, which routes the messages from one user to the other. every client has a connection to the server and they can exchange data without any problems. even if the clients are behind a nat router (which pretty much any broadband household with wireless lan is), the server isn’t and that allows for fast and easy chatting. when it comes to video, the communication works differently: now the two clients try to establish a direct connection using their ip addresses and specific communication ports - and if there wasn’t nat, this post would end now - but there is. point is: nat causes all kinds of problems when clients try to establish direct links, especially when both clients are behind a nat router.
but let’s get to the point: how do you connect two clients that don’t like nat through nat routers? - you put them in the same network, without any routers. what we did in short:
- set up a virtual private network (vpn) using openvpn
- set up our own jabber server
- connect the two clients via the vpn and to the jabber server
- spend lots of time on getting it to work (so you don’t have to)
- smile for the camera
and here’s the long version:
to circumvent the problems caused by the nat routers we created a virtual private network, which allows two clients in separate lans to be in one (virtual) lan. we therefore set up openvpn clients on both macs and an openvpn server on a separate linux machine which is connected to my lan. (it could be set up anywhere, e.g. on a server on the internet). we then installed a jabber server on the vpn server and connected to it using ichat. from then on everything worked just fine.
install openvpn on the server
i use a separate debian machine as the vpn server, but you should be able to install it on one of the macs as well. (anyone done that? leave a comment)
to install openvpn on debian all you have to do is (as root):
apt-get install openvpn
now you have to create the ssl certificates for the vpn server and clients. see the openvpn howto for more detailed instructions.
go to /usr/share/doc/openvpn/examples/easy-rsa and type:
. ./vars
./build-ca
./build-key-server server
./build-key client1
./build-key client2
./build-dh
this creates a whole bunch of files in the keys subdirectory. copy ca.crt, dh1024.pem, server.crt and server.key to /etc/openvpn/. each client gets the ca.crt and his clientx.crt and clientx.key.
now you have to configure the server: just copy my server.conf file to /etc/openvpn. that’s it. start the server by typing
/etc/init.d/openvpn start
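for orientation, here is a minimal openvpn 2 server configuration that fits the values used in this post. it is an added example, not the author's server.conf. it assumes the four files copied to /etc/openvpn above, udp port 1194 and a 10.8.0.0/24 vpn subnet (so the server ends up as 10.8.0.1).

```conf
# /etc/openvpn/server.conf (added example, not the author's original file)
port 1194
proto udp
dev tun

# files created with easy-rsa and copied to /etc/openvpn
ca ca.crt
cert server.crt
key server.key   # keep this file private (root only, chmod 600)
dh dh1024.pem

# assumed vpn subnet: the server takes 10.8.0.1, clients get the addresses after it
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

# let vpn clients talk to each other directly; the video stream runs
# between the two ichat clients, not only between client and server
client-to-client

keepalive 10 120
persist-key
persist-tun
status openvpn-status.log
verb 3
```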
install openvpn on the clients
(this has to be done on both (well, all. after all, ichat supports as many as 4 video chat partners) clients of course.) the easiest way i have found to install openvpn on a mac is using darwinports - so if you don’t have it already install darwinports now. then open up a shell (the terminal) and type
sudo port install openvpn2
this should install openvpn 2 onto your mac. put all the files you have copied from the server into one directory and add this example openvpn client configuration. open it in an editor and find this line:
remote example-server 1194
and change example-server to the ip address of your openvpn server. note: if your openvpn server is directly accessible from both clients (i.e. it’s not standing in one of your lans) just enter its ip address or host name.
if that server is sitting in one of your lans (or one of your macs is the server) things get a bit more complicated: for the client that is in the same lan simply enter the server’s ip address in the lan (usually starting with 192.168). for the other client, you have to set up a port forwarding on your nat router: forward port 1194 UDP to the same port on your vpn server. on the remote client enter your public ip address. this is the address your internet service provider has assigned to you. depending on your type of connection this address can change over time. if you want to get professional you probably want to use a dynamic dns service such as dyndns.com
next, find
cert clientx.crt
key clientx.key
and change clientx to the file names of this client’s crt and key file. that was the vpn client configuration. next you need to install the vpn tun driver for mac os x. (see the README for instructions)
now it’s time to start up the vpn. in the terminal go to the directory with your client certificates and configuration file and enter:
sudo openvpn2 --config openvpn-client.conf
if you are lucky you will see lots of text ending with something like:
Thu Apr 27 10:42:35 2006 Initialization Sequence Completed
if not .. well, go and find out why it didn’t work. the comments are open.
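a minimal client configuration containing the lines edited above, as an added example rather than the author's original file. example-server and clientx are the placeholders from the text, and the file is assumed to be saved as openvpn-client.conf next to ca.crt and the client's crt and key.

```conf
# openvpn-client.conf (added example, not the author's original file)
client
dev tun
proto udp

# replace example-server with the server's address as described above
remote example-server 1194
resolv-retry infinite
nobind
persist-key
persist-tun

# replace clientx with this client's own file names
ca ca.crt
cert clientx.crt
key clientx.key   # keep this file private

# only accept a peer whose certificate is marked as a server certificate
# (build-key-server sets this), so a client certificate can't pose as the server
ns-cert-type server

verb 3
```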
install the jabber server
back on the debian machine, enter (as root again)
apt-get install jabber
this installs and runs a jabber server on the computer. next create a jabber account for every ichat client. the easiest way i have found to do this is to apt-get install gabber. when connecting it to the server with just any login information it will ask you if the account should be created on the server.
configure ichat
after you have connected both clients to the openvpn and started the jabber server, you can now finally start using ichat. create a new ichat jabber account and enter the login information you have created with gabber before. on the ’server settings’ tab, enter the IP address of the jabber server (if you have followed the instructions it should be 10.8.0.1), port 5222, no SSL.
now connect both clients to jabber, click that video icon and .. boom (as steve jobs would say)