Added configuration file for coturn.

2024-11-28 14:16:46 +01:00 · 2024-11-28 14:16:46 +01:00 · ebf7a04178
commit ebf7a04178
parent 438682dabf
2 changed files with 118 additions and 5 deletions
--- a/matrix/coturn/README.md
+++ b/matrix/coturn/README.md
@ -60,14 +60,14 @@ This prepares us for the next step: configuring the whole thing.

 As stated before, we only use IPv4, so a CNAME to our machine that also does
 IPv6 is a bad idea. Fix a new entry in DNS for TURN only, we'll use
-`turn.matrix.example.com` here.
+`turn.example.com` here.

 Make sure this entry only has an A record, no AAAA.

 Get a certificate for this name:

 ```
-certbot certonly --nginx -d turn.matrix.example.com
+certbot certonly --nginx -d turn.example.com
 ```

 This assumes you've already setup and started nginx (see [nginx](../nginx)).
@ -98,7 +98,7 @@ max-port=60000
 use-auth-secret
 static-auth-secret=<previously created secret>

-realm=turn.matrixdev.example.com
+realm=turn.example.com
 user-quota=12
 total-quota=1200

@ -150,7 +150,7 @@ each certificate renewal:
 # that it's copied and chowned and made readable by coturn:

 cd /etc/coturn/ssl
-cp /etc/letsencrypt/live/turn.matrixdev.example.com/{fullchain,privkey}.pem .
+cp /etc/letsencrypt/live/turn.example.com/{fullchain,privkey}.pem .
 chown turnserver:turnserver *.pem

 # We should restart either coturn or LiveKit, they cannot run both!
@ -160,7 +160,7 @@ systemctl restart coturn
 ```

 Run this automatically after every renewal by adding this line to
-`/etc/letsencrypt/renewal/turn.matrixdev.example.com.conf`:
+`/etc/letsencrypt/renewal/turn.example.com.conf`:

 ```
 renew_hook = /etc/coturn/fixssl
--- a/matrix/coturn/turnserver.conf
+++ b/matrix/coturn/turnserver.conf
@ -0,0 +1,113 @@
+# Coturn TURN SERVER configuration file
+
+# Only IPv4, IPv6 can confuse some software
+listening-ip=111.222.111.222
+
+# Lower and upper bounds of the UDP relay endpoints:
+# (default values are 49152 and 65535)
+#
+min-port=50000
+max-port=60000
+
+use-auth-secret
+static-auth-secret=<very secure password>
+
+realm=turn.example.com
+
+
+# Per-user allocation quota.
+# default value is 0 (no quota, unlimited number of sessions per user).
+# This option can also be set through the database, for a particular realm.
+user-quota=12
+
+# Total allocation quota.
+# default value is 0 (no quota).
+# This option can also be set through the database, for a particular realm.
+total-quota=1200
+
+# Uncomment if no TCP relay endpoints are allowed.
+# By default TCP relay endpoints are enabled (like in RFC 6062).
+#
+no-tcp-relay
+
+# Certificate file.
+# Use an absolute path or path relative to the
+# configuration file.
+# Use PEM file format.
+cert=/etc/coturn/ssl/fullchain.pem
+
+# Private key file.
+# Use an absolute path or path relative to the
+# configuration file.
+# Use PEM file format.
+pkey=/etc/coturn/ssl/privkey.pem
+
+# Option to redirect all log output into system log (syslog).
+#
+syslog
+
+# Option to allow or ban specific ip addresses or ranges of ip addresses.
+# If an ip address is specified as both allowed and denied, then the ip address is
+# considered to be allowed. This is useful when you wish to ban a range of ip
+# addresses, except for a few specific ips within that range.
+#
+# This can be used when you do not want users of the turn server to be able to access
+# machines reachable by the turn server, but would otherwise be unreachable from the
+# internet (e.g. when the turn server is sitting behind a NAT)
+#
+denied-peer-ip=0.0.0.0-255.255.255.255
+denied-peer-ip=127.0.0.0-0.255.255.255
+denied-peer-ip=10.0.0.0-10.255.255.255
+denied-peer-ip=172.16.0.0-172.31.255.255
+denied-peer-ip=192.168.0.0-192.168.255.255
+denied-peer-ip=100.64.0.0-100.127.255.255
+denied-peer-ip=192.0.0.0-192.0.0.255
+denied-peer-ip=169.254.0.0-169.254.255.255
+denied-peer-ip=192.88.99.0-192.88.99.255
+denied-peer-ip=198.18.0.0-198.19.255.255
+denied-peer-ip=192.0.2.0-192.0.2.255
+denied-peer-ip=198.51.100.0-198.51.100.255
+denied-peer-ip=203.0.113.0-203.0.113.255
+
+
+# TURN server allocates address family according TURN client requested address family.
+# If address family not requested explicitly by the client, then it falls back to this default.
+# The standard RFC explicitly define that this default must be IPv4, 
+# so use other option values with care! 
+# Possible values: "ipv4" or "ipv6" or "keep" 
+# "keep" sets the allocation default address family according to 
+# the TURN client allocation request connection address family.
+allocation-default-address-family="ipv4"
+
+# Turn OFF the CLI support.
+# By default it is always ON.
+# See also options cli-ip and cli-port.
+#
+no-cli
+
+# Do not allow an TLS/DTLS version of protocol
+#
+no-tlsv1
+no-tlsv1_1
+
+# Disable RFC5780 (NAT behavior discovery).
+#
+# Strongly encouraged to use this option to decrease gain factor in STUN
+# binding responses.
+#
+no-rfc5780
+
+# Disable handling old STUN Binding requests and disable MAPPED-ADDRESS
+# attribute in binding response (use only the XOR-MAPPED-ADDRESS).
+#
+# Strongly encouraged to use this option to decrease gain factor in STUN
+# binding responses.
+#
+no-stun-backward-compatibility
+
+# Only send RESPONSE-ORIGIN attribute in binding response if RFC5780 is enabled.
+#
+# Strongly encouraged to use this option to decrease gain factor in STUN
+# binding responses.
+#
+response-origin-only-with-rfc5780