hans/Fediversity
1
0
Fork 0
forked from Fediversity/Fediversity
Code Pull requests Activity
Fediversity/matrix/coturn/README.md

4.9 KiB
Raw Blame History

Table of Contents

TURN server

You need a TURN server to connect participants that are behind a NAT firewall. Because IPv6 doesn't really need TURN, and Chrome can get confused if it has to use TURN over IPv6, we'll stick to a strict IPv4-only configuration.

Also, because VoIP traffic is only UDP, we won't do TCP.

TURN-functionality can be offered by coturn and LiveKit alike: coturn is used for legacy calls (only one-on-one, supported in Element Android), whereas Element Call (supported by ElementX, Desktop and Web) uses LiveKit.

In our documentation we'll enable both, which is probably not the optimal solution, but at least it results in a system that supports old and new clients.

Here we'll describe coturn, the dedicated ICE/STUN/TURN server that needs to be configured in Synapse, LiveKit has its own page.

Installation

Installation is short:

apt install coturn

For sake of maintainability we'll move the only configuration file into its own directoy:

mkdir /etc/coturn
mv /etc/turnserver.conf /etc/coturn

We need to tell systemd to start it with the configuration file on the new place. Edit the service file with:

systemctl edit coturn

Contrary to what the comment suggests, only the parts you add will override the content that's already there. We have to "clean" the ExecStart first, before we assign a new line to it, so this is the bit we add:

[Service]
ExecStart=
ExecStart=/usr/bin/turnserver -c /etc/coturn/turnserver.conf --pidfile=/etc/coturn/run/turnserver.pid

Create the directory /etc/coturn/run and chgrp it to turnserver, so that coturn can write its pid there: /run/turnserver.pid can't be written because coturn doesn't run as root.

This prepares us for the next step: configuring the whole thing.

DNS and certificate

As stated before, we only use IPv4, so a CNAME to our machine that also does IPv6 is a bad idea. Fix a new entry in DNS for TURN only, we'll use turn.example.com here.

Make sure this entry only has an A record, no AAAA.

Get a certificate for this name:

certbot certonly --nginx -d turn.example.com

This assumes you've already setup and started nginx (see nginx).

{#fixssl} The certificate files reside under /etc/letsencrypt/live, but coturn and LiveKit don't run as root, and can't read them. Therefore we create the directory /etc/coturn/ssl where we copy the files to. This script should be run after each certificate renewal:

#!/bin/bash

# This script is hooked after a renewal of the certificate, so that the
# certificate files are copied and chowned, and made readable by coturn:

cd /etc/coturn/ssl
cp /etc/letsencrypt/live/turn.example.com/{fullchain,privkey}.pem .
chown turnserver:turnserver *.pem

# Make sure you only start/restart the servers that you need!
systemctl try-reload-or-restart coturn livekit-server

Run this automatically after every renewal by adding this line to /etc/letsencrypt/renewal/turn.example.com.conf:

renew_hook = /etc/coturn/fixssl

Yes, it's a bit primitive and could (should?) be polished. But for now: it works. This will copy and chown the certificate files and restart coturn and/or LiveKit, depending on if they're running or not.

Configuration

Synapse's documentation gives a reasonable default config.

We'll need a shared secret that Synapse can use to control coturn, so let's create that first:

pwgen -s 64 1

Now that we have this, we can configure our configuration file under /etc/coturn/turnserver.conf.

# We don't use the default ports, because LiveKit uses those
listening-port=3480
tls-listening-port=5351

# We don't need more than 10000 connections:
min-port=40000
max-port=49999

use-auth-secret
static-auth-secret=<previously created secret>

realm=turn.example.com
user-quota=12
total-quota=1200

# Of course: substitute correct IPv4 address:
listening-ip=111.222.111.222

# VoIP traffic is only UDP
no-tcp-relay

# coturn doesn't run as root, so the certificate has
# to be copied/chowned here.
cert=/etc/coturn/ssl/fullchain.pem
pkey=/etc/coturn/ssl/privkey.pem

denied-peer-ip=0.0.0.0-255.255.255.255
denied-peer-ip=127.0.0.0-0.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=192.0.0.0-192.0.0.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=192.88.99.0-192.88.99.255
denied-peer-ip=198.18.0.0-198.19.255.255
denied-peer-ip=192.0.2.0-192.0.2.255
denied-peer-ip=198.51.100.0-198.51.100.255
denied-peer-ip=203.0.113.0-203.0.113.255

# We do only IPv4
allocation-default-address-family="ipv4"

# No weak TLS
no-tlsv1
no-tlsv1_1

All other options in the configuration file are either commented out, or defaults.

Make sure you've opened the correct ports in the firewall.