Setting up a TURN server
TURN is a subset of STUN that provides a mechanism for routing traffic through the server as a fallback as well as the standard hole punching that STUN provides.
Contents
Automated Setup using BBB
Big blue button has a script to automatically install configure coturn for BBB. I found that this script ran into problems when setting up so I had to manually configure it.
Manual Configuration
Install
Note: Most installs use port 443 for TLS connections, if the server is not dedicated to TURN then I'd recommend using the defaults instead 5349.
sudo apt-get install coturn
Generate the certificate with (disable any services that are using port 80 first):
sudo certbot certonly --standalone --preferred-challenges http -d turn.example.com
sudo mkdir mkdir /etc/turnserver
sudo echo '#!/bin/bash -e
for certfile in fullchain.pem privkey.pem ; do
cp -L /etc/letsencrypt/live/<turn.example.com>/"${certfile}" /etc/turnserver/"${certfile}".new
chown turnserver:turnserver /etc/turnserver/"${certfile}".new
mv /etc/turnserver/"${certfile}".new /etc/turnserver/"${certfile}"
done
systemctl kill -sUSR2 coturn.service
' > /etc/letsencrypt/renewal-hooks/deploy/coturn
sudo chmod 0755 /etc/letsencrypt/renewal-hooks/deploy/coturn
sudo /etc/letsencrypt/renewal-hooks/deploy/coturn # Initial run.
Generate a secret with:
openssl rand -hex 16
Create dph.pem file.
sudo mkdir -p /etc/turnserver
sudo openssl dhparam -dsaparam -out /etc/turnserver/dhp.pem 2048
Configure file: /etc/turnserver.conf
Recommended configuration:
listening-port=3478
tls-listening-port=5349
listening-ip=<SERVER IP>
min-port=32769
max-port=65535
fingerprint
lt-cred-mech
use-auth-secret
static-auth-secret=<GENERATED SECRET>
realm=turn.example.com
cert=/etc/turnserver/fullchain.pem
pkey=/etc/turnserver/privkey.pem
dh-file=/etc/turnserver/dhp.pem
cipher-list="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
no-loopback-peers
no-multicast-peers
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
allowed-peer-ip=10.0.0.1
no-cli
no-tlsv1
no-tlsv1_1
Firewall
Open the required ports in the firewall with:
sudo ufc allow 3478
sudo ufc allow 5349
Manually Generate Credentials
You can manually generate TURN credentials with the following script:
#!/bin/bash
HOST=turn.example.com
SECRET=YourSecretHere
time=$(date +%s)
expiry=8400
username=$(( $time + $expiry ))
echo
echo " https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/"
echo
echo URI : turn:$HOST:5349
echo username : $username
echo password : $(echo -n $username | openssl dgst -binary -sha1 -hmac $SECRET | openssl base64)
echo
Debugging
You can use Trickle ICE to test if your TURN server is working. Test STUN functionality with "all" mode and TURN with "relay" mode.
If your coturn server doesn't "just work" I would recommend disabling the firewall before testing with
sudo ufc disable