From 34690b8aac14a3fd4cb912f41d77b08923e9d4c6 Mon Sep 17 00:00:00 2001
From: Hans van Zijst
Date: Fri, 15 Nov 2024 21:38:05 +0100
Subject: [PATCH] Configuration of TURN server completed (?).
---
 matrix/coturn/README.md | 123 +++++++++++++++++++++++++++++++++++++++-
 1 file changed, 121 insertions(+), 2 deletions(-)
diff --git a/matrix/coturn/README.md b/matrix/coturn/README.md
index 3c5e5a6..2dbfc81 100644
--- a/matrix/coturn/README.md
+++ b/matrix/coturn/README.md
@@ -6,6 +6,13 @@ include_toc: true
 # TURN server
 You need an TURN server to connect participants that are behind a NAT firewall.
+Because IPv6 doesn't really need TURN, and Chrome can get confused if it has
+to use TURN over IPv6, we'll stick to a strict IPv4-only configuration.
+
+Also, because VoIP traffic is only UDP, we won't do TCP.
+
+
+# Installation
 Installation is short:
@@ -35,9 +42,121 @@ before we assign a new line to it, so this is the bit we add:
 ```
 [Service]
 ExecStart=
-ExecStart=/usr/bin/turnserver -c /etc/coturn/turnserver.conf --pidfile=
+ExecStart=/usr/bin/turnserver -c /etc/coturn/turnserver.conf --pidfile=/etc/coturn/run/turnserver.pid
 ```
-This takes care of the configuration file. Now, the configuration itself...
+Create the directory `/etc/coturn/run` and chgrp it to `turnserver`, so that
+coturn can write its pid there: `/run/turnserver.pid` can't be written because
+coturn doesn't run as root.
+
+This prepares us for the next step: configuring the whole thing.
+# DNS and certificate
+
+As stated before, we only use IPv4, so a CNAME to our machine that also does
+IPv6 is a bad idea. Fix a new entry in DNS for TURN only, we'll use
+`turn.matrix.example.com` here.
+
+Make sure this entry only has an A record, no AAAA.
+
+Get a certificate for this name:
+
+```
+certbot certonly --nginx -d turn.matrix.example.com
+```
+
+This assumes you've already setup and started nginx (see [nginx](../nginx)).
+
+Of course, when this certificate is renewed, coturn must be restarted!
+
+
+# Configurationfile
+
+Synapse's documentation gives a reasonable [default
+config](https://element-hq.github.io/synapse/latest/setup/turn/coturn.html).
+
+We'll need a shared secret that Synapse can use to control coturn, so let's
+create that first:
+
+```
+pwgen -s 64 1
+```
+
+Now that we have this, we can configure our configuration file under
+`/etc/coturn/turnserver.conf`.
+
+```
+# We don't need more than 10000 connections:
+min-port=50000
+max-port=60000
+
+use-auth-secret
+static-auth-secret=
+
+realm=turn.matrixdev.example.com
+user-quota=12
+total-quota=1200
+
+# Of course: substitute correct IPv4 address:
+listening-ip=185.206.232.60
+
+# VoIP traffic is only UDP
+no-tcp-relay
+
+# coturn doesn't run as root, so the certificate has
+# to be copied/chowned here.
+cert=/etc/coturn/ssl/fullchain.pem
+pkey=/etc/coturn/ssl/privkey.pem
+
+denied-peer-ip=0.0.0.0-255.255.255.255
+denied-peer-ip=127.0.0.0-0.255.255.255
+denied-peer-ip=10.0.0.0-10.255.255.255
+denied-peer-ip=172.16.0.0-172.31.255.255
+denied-peer-ip=192.168.0.0-192.168.255.255
+denied-peer-ip=100.64.0.0-100.127.255.255
+denied-peer-ip=192.0.0.0-192.0.0.255
+denied-peer-ip=169.254.0.0-169.254.255.255
+denied-peer-ip=192.88.99.0-192.88.99.255
+denied-peer-ip=198.18.0.0-198.19.255.255
+denied-peer-ip=192.0.2.0-192.0.2.255
+denied-peer-ip=198.51.100.0-198.51.100.255
+denied-peer-ip=203.0.113.0-203.0.113.255
+
+# We do only IPv4
+allocation-default-address-family="ipv4"
+
+# No weak TLS
+no-tlsv1
+no-tlsv1_1
+```
+
+All other options in the configuration file are either commented out, or
+defaults.
+
+The certificate files reside under `/etc/letsencrypt/live`, but coturn doesn't
+run as root, and can't read them. Therefore we create the directory
+`/etc/coturn/ssl` where we copy the files to. This script should be run after
+each certificate renewal:
+
+```
+#!/bin/bash
+
+# This script is hooked after a renewal of the certificate, so
+# that it's copied and chowned and made readable by coturn:
+
+cd /etc/coturn/ssl
+cp /etc/letsencrypt/live/turn.matrixdev.example.com/{fullchain,privkey}.pem .
+chown turnserver:turnserver *.pem
+systemctl restart coturn
+```
+
+Run this automatically after every renewal by adding this line to
+`/etc/letsencrypt/renewal/turn.matrixdev.example.com.conf`:
+
+```
+renew_hook = /etc/coturn/fixssl
+```
+
+Yes, it's a bit primitive and could (should?) be polished. But for now: it
+works.
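Review bot: The `denied-peer-ip` block in the embedded turnserver.conf has two malformed ranges: `denied-peer-ip=0.0.0.0-255.255.255.255` spans every IPv4 address, and `denied-peer-ip=127.0.0.0-0.255.255.255` has an end address below its start, so depending on how coturn treats those two entries a reader who copies the file verbatim gets either a relay that refuses every peer or one that does not block loopback at all. The Synapse default config the text links gives these as `denied-peer-ip=0.0.0.0-0.255.255.255` and `denied-peer-ip=127.0.0.0-127.255.255.255`, and the deny list exists precisely to stop the relay being used to reach services on the host and the internal network, so the two lines should be corrected to match. The DNS section registers `turn.matrix.example.com` while `realm`, the `cp` path in the renewal script and the renewal conf path all use `turn.matrixdev.example.com`; pick one name so the script copies the certificate that was actually issued. The script sets an owner on the copied files but no mode; adding `chmod 600 privkey.pem` after the `chown` makes the key readable by turnserver only, whatever mode the copy inherits. The renewal hook refers to the script as `/etc/coturn/fixssl`, a path the text never tells the reader to save it under.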