From ebf7a04178a8b56ae105b2a603fd39f043e27d1d Mon Sep 17 00:00:00 2001
From: Hans van Zijst
Date: Thu, 28 Nov 2024 14:16:46 +0100
Subject: [PATCH] Added configuration file for coturn.
---
 matrix/coturn/README.md | 10 +--
 matrix/coturn/turnserver.conf | 113 ++++++++++++++++++++++++++++++++++
 2 files changed, 118 insertions(+), 5 deletions(-)
 create mode 100644 matrix/coturn/turnserver.conf
diff --git a/matrix/coturn/README.md b/matrix/coturn/README.md
index 1d54163..5165a75 100644
--- a/matrix/coturn/README.md
+++ b/matrix/coturn/README.md
@@ -60,14 +60,14 @@ This prepares us for the next step: configuring the whole thing. As stated before, we only use IPv4, so a CNAME to our machine that also does IPv6 is a bad idea. Fix a new entry in DNS for TURN only, we'll use
-`turn.matrix.example.com` here.
+`turn.example.com` here. Make sure this entry only has an A record, no AAAA. Get a certificate for this name: ```
-certbot certonly --nginx -d turn.matrix.example.com
+certbot certonly --nginx -d turn.example.com ``` This assumes you've already setup and started nginx (see [nginx](../nginx)).
@@ -98,7 +98,7 @@ max-port=60000 use-auth-secret static-auth-secret=
-realm=turn.matrixdev.example.com
+realm=turn.example.com user-quota=12 total-quota=1200
@@ -150,7 +150,7 @@ each certificate renewal: # that it's copied and chowned and made readable by coturn: cd /etc/coturn/ssl
-cp /etc/letsencrypt/live/turn.matrixdev.example.com/{fullchain,privkey}.pem .
+cp /etc/letsencrypt/live/turn.example.com/{fullchain,privkey}.pem . chown turnserver:turnserver *.pem # We should restart either coturn or LiveKit, they cannot run both!
@@ -160,7 +160,7 @@ systemctl restart coturn ``` Run this automatically after every renewal by adding this line to
-`/etc/letsencrypt/renewal/turn.matrixdev.example.com.conf`:
+`/etc/letsencrypt/renewal/turn.example.com.conf`: ``` renew_hook = /etc/coturn/fixssl
diff --git a/matrix/coturn/turnserver.conf b/matrix/coturn/turnserver.conf
new file mode 100644
index 0000000..8e1c6d7
--- /dev/null
+++ b/matrix/coturn/turnserver.conf
@@ -0,0 +1,113 @@
+# Coturn TURN SERVER configuration file
+
+# Only IPv4, IPv6 can confuse some software
+listening-ip=111.222.111.222
+
+# Lower and upper bounds of the UDP relay endpoints:
+# (default values are 49152 and 65535)
+#
+min-port=50000
+max-port=60000
+
+use-auth-secret
+static-auth-secret=
+
+realm=turn.example.com
+
+
+# Per-user allocation quota.
+# default value is 0 (no quota, unlimited number of sessions per user).
+# This option can also be set through the database, for a particular realm.
+user-quota=12
+
+# Total allocation quota.
+# default value is 0 (no quota).
+# This option can also be set through the database, for a particular realm.
+total-quota=1200
+
+# Uncomment if no TCP relay endpoints are allowed.
+# By default TCP relay endpoints are enabled (like in RFC 6062).
+#
+no-tcp-relay
+
+# Certificate file.
+# Use an absolute path or path relative to the
+# configuration file.
+# Use PEM file format.
+cert=/etc/coturn/ssl/fullchain.pem
+
+# Private key file.
+# Use an absolute path or path relative to the
+# configuration file.
+# Use PEM file format.
+pkey=/etc/coturn/ssl/privkey.pem
+
+# Option to redirect all log output into system log (syslog).
+#
+syslog
+
+# Option to allow or ban specific ip addresses or ranges of ip addresses.
+# If an ip address is specified as both allowed and denied, then the ip address is
+# considered to be allowed. This is useful when you wish to ban a range of ip
+# addresses, except for a few specific ips within that range.
+#
+# This can be used when you do not want users of the turn server to be able to access
+# machines reachable by the turn server, but would otherwise be unreachable from the
+# internet (e.g. 
when the turn server is sitting behind a NAT)
+#
+denied-peer-ip=0.0.0.0-255.255.255.255
+denied-peer-ip=127.0.0.0-0.255.255.255
+denied-peer-ip=10.0.0.0-10.255.255.255
+denied-peer-ip=172.16.0.0-172.31.255.255
+denied-peer-ip=192.168.0.0-192.168.255.255
+denied-peer-ip=100.64.0.0-100.127.255.255
+denied-peer-ip=192.0.0.0-192.0.0.255
+denied-peer-ip=169.254.0.0-169.254.255.255
+denied-peer-ip=192.88.99.0-192.88.99.255
+denied-peer-ip=198.18.0.0-198.19.255.255
+denied-peer-ip=192.0.2.0-192.0.2.255
+denied-peer-ip=198.51.100.0-198.51.100.255
+denied-peer-ip=203.0.113.0-203.0.113.255
+
+
+# TURN server allocates address family according TURN client requested address family.
+# If address family not requested explicitly by the client, then it falls back to this default.
+# The standard RFC explicitly define that this default must be IPv4,
+# so use other option values with care!
+# Possible values: "ipv4" or "ipv6" or "keep"
+# "keep" sets the allocation default address family according to
+# the TURN client allocation request connection address family.
+allocation-default-address-family="ipv4"
+
+# Turn OFF the CLI support.
+# By default it is always ON.
+# See also options cli-ip and cli-port.
+#
+no-cli
+
+# Do not allow an TLS/DTLS version of protocol
+#
+no-tlsv1
+no-tlsv1_1
+
+# Disable RFC5780 (NAT behavior discovery).
+#
+# Strongly encouraged to use this option to decrease gain factor in STUN
+# binding responses.
+#
+no-rfc5780
+
+# Disable handling old STUN Binding requests and disable MAPPED-ADDRESS
+# attribute in binding response (use only the XOR-MAPPED-ADDRESS).
+#
+# Strongly encouraged to use this option to decrease gain factor in STUN
+# binding responses.
+#
+no-stun-backward-compatibility
+
+# Only send RESPONSE-ORIGIN attribute in binding response if RFC5780 is enabled.
+#
+# Strongly encouraged to use this option to decrease gain factor in STUN
+# binding responses.
+#
+response-origin-only-with-rfc5780
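Review bot: The first two `denied-peer-ip` entries in this hunk look garbled: `denied-peer-ip=0.0.0.0-255.255.255.255` denies the entire IPv4 space, so with no `allowed-peer-ip` present the relay would appear to refuse every peer, and `denied-peer-ip=127.0.0.0-0.255.255.255` is an inverted range whose end is below its start, so loopback is not actually covered once the first line is corrected. The intended pair is almost certainly `denied-peer-ip=0.0.0.0-0.255.255.255` and `denied-peer-ip=127.0.0.0-127.255.255.255`, consistent with the other per-network entries in the list. It would also be worth adding `no-multicast-peers` and `denied-peer-ip=240.0.0.0-255.255.255.255` next to them, plus `allowed-peer-ip=<this server's own listening IP>` so relay-to-relay flows between two clients on the same server keep working, as the usual Matrix/coturn hardening guidance recommends. Separately, `static-auth-secret=` is committed empty with no hint that it is a placeholder; a comment such as `# Fill in a long random value; it must match the TURN shared secret configured on the homeserver side` would make that explicit rather than leaving a silently misconfigured server.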