Configuration of TURN server completed (?).

matrix/coturn/README.md

@@ -6,6 +6,13 @@ include_toc: true
 # TURN server
 
 You need an TURN server to connect participants that are behind a NAT firewall.
+Because IPv6 doesn't really need TURN, and Chrome can get confused if it has
+to use TURN over IPv6, we'll stick to a strict IPv4-only configuration.
+
+Also, because VoIP traffic is only UDP, we won't do TCP.
+
+
+# Installation
 
 Installation is short:
 
@@ -35,9 +42,121 @@ before we assign a new line to it, so this is the bit we add:
 ```
 [Service]
 ExecStart=
-ExecStart=/usr/bin/turnserver -c /etc/coturn/turnserver.conf --pidfile=
+ExecStart=/usr/bin/turnserver -c /etc/coturn/turnserver.conf --pidfile=/etc/coturn/run/turnserver.pid
 ```
 
-This takes care of the configuration file. Now, the configuration itself...
+Create the directory `/etc/coturn/run` and chgrp it to `turnserver`, so that
+coturn can write its pid there: `/run/turnserver.pid` can't be written because
+coturn doesn't run as root.
+
+This prepares us for the next step: configuring the whole thing.
 
 
+# DNS and certificate
+
+As stated before, we only use IPv4, so a CNAME to our machine that also does
+IPv6 is a bad idea. Fix a new entry in DNS for TURN only, we'll use
+`turn.matrix.example.com` here.
+
+Make sure this entry only has an A record, no AAAA.
+
+Get a certificate for this name:
+
+```
+certbot certonly --nginx -d turn.matrix.example.com
+```
+
+This assumes you've already setup and started nginx (see [nginx](../nginx)).
+
+Of course, when this certificate is renewed, coturn must be restarted!
+
+
+# Configurationfile
+
+Synapse's documentation gives a reasonable [default
+config](https://element-hq.github.io/synapse/latest/setup/turn/coturn.html).
+
+We'll need a shared secret that Synapse can use to control coturn, so let's
+create that first:
+
+```
+pwgen -s 64 1
+```
+
+Now that we have this, we can configure our configuration file under
+`/etc/coturn/turnserver.conf`.
+
+```
+# We don't need more than 10000 connections:
+min-port=50000
+max-port=60000
+
+use-auth-secret
+static-auth-secret=<previously created secret>
+
+realm=turn.matrixdev.example.com
+user-quota=12
+total-quota=1200
+
+# Of course: substitute correct IPv4 address:
+listening-ip=185.206.232.60
+
+# VoIP traffic is only UDP
+no-tcp-relay
+
+# coturn doesn't run as root, so the certificate has
+# to be copied/chowned here.
+cert=/etc/coturn/ssl/fullchain.pem
+pkey=/etc/coturn/ssl/privkey.pem
+
+denied-peer-ip=0.0.0.0-255.255.255.255
+denied-peer-ip=127.0.0.0-0.255.255.255
+denied-peer-ip=10.0.0.0-10.255.255.255
+denied-peer-ip=172.16.0.0-172.31.255.255
+denied-peer-ip=192.168.0.0-192.168.255.255
+denied-peer-ip=100.64.0.0-100.127.255.255
+denied-peer-ip=192.0.0.0-192.0.0.255
+denied-peer-ip=169.254.0.0-169.254.255.255
+denied-peer-ip=192.88.99.0-192.88.99.255
+denied-peer-ip=198.18.0.0-198.19.255.255
+denied-peer-ip=192.0.2.0-192.0.2.255
+denied-peer-ip=198.51.100.0-198.51.100.255
+denied-peer-ip=203.0.113.0-203.0.113.255
+
+# We do only IPv4
+allocation-default-address-family="ipv4"
+
+# No weak TLS
+no-tlsv1
+no-tlsv1_1
+```
+
+All other options in the configuration file are either commented out, or
+defaults.
+
+The certificate files reside under `/etc/letsencrypt/live`, but coturn doesn't
+run as root, and can't read them. Therefore we create the directory
+`/etc/coturn/ssl` where we copy the files to. This script should be run after
+each certificate renewal:
+
+```
+#!/bin/bash
+
+# This script is hooked after a renewal of the certificate, so
+# that it's copied and chowned and made readable by coturn:
+
+cd /etc/coturn/ssl
+cp /etc/letsencrypt/live/turn.matrixdev.example.com/{fullchain,privkey}.pem .
+chown turnserver:turnserver *.pem
+systemctl restart coturn
+```
+
+Run this automatically after every renewal by adding this line to
+`/etc/letsencrypt/renewal/turn.matrixdev.example.com.conf`:
+
+```
+renew_hook = /etc/coturn/fixssl
+```
+
+Yes, it's a bit primitive and could (should?) be polished. But for now: it
+works.