Difference between revisions of "Setting up a TURN server"
(Automatic and manual configuration, Debugging and See Also sections.) |
(→Install: Added configurations options for point of reference.) |
||
| Line 11: | Line 11: | ||
Configure file: '''/etc/turnserver.conf''' | Configure file: '''/etc/turnserver.conf''' | ||
| + | |||
| + | Recommended configuration: | ||
| + | <source> | ||
| + | listening-port=3478 | ||
| + | tls-listening-port=5349 | ||
| + | listening-ip=<SERVER IP> | ||
| + | |||
| + | min-port=32769 | ||
| + | max-port=65535 | ||
| + | |||
| + | fingerprint | ||
| + | lt-cred-mech | ||
| + | |||
| + | use-auth-secret | ||
| + | static-auth-secret=<GENERATED SECRET> | ||
| + | |||
| + | realm=turn.example.com | ||
| + | |||
| + | cert=/etc/turnserver/fullchain.pem | ||
| + | pkey=/etc/turnserver/privkey.pem | ||
| + | dh-file=/etc/turnserver/dhp.pem | ||
| + | |||
| + | cipher-list="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" | ||
| + | |||
| + | no-loopback-peers | ||
| + | no-multicast-peers | ||
| + | |||
| + | denied-peer-ip=10.0.0.0-10.255.255.255 | ||
| + | denied-peer-ip=192.168.0.0-192.168.255.255 | ||
| + | denied-peer-ip=172.16.0.0-172.31.255.255 | ||
| + | allowed-peer-ip=10.0.0.1 | ||
| + | |||
| + | |||
| + | no-cli | ||
| + | |||
| + | no-tlsv1 | ||
| + | no-tlsv1_1 | ||
| + | </source> | ||
| + | |||
=== Firewall === | === Firewall === | ||
Open the required ports in the firewall with: | Open the required ports in the firewall with: | ||
Revision as of 21:20, 1 June 2021
TURN is a subset of STUN that provides a mechanism for routing traffic through the server as a fallback as well as the standard hole punching that STUN provides.
Contents
Automated Setup using BBB
Big blue button has a script to automatically install configure coturn for BBB. I found that this script ran into problems when setting up so I had to manually configure it.
Manual Configuration
Install
sudo apt-get install coturnConfigure file: /etc/turnserver.conf
Recommended configuration:
listening-port=3478
tls-listening-port=5349
listening-ip=<SERVER IP>
min-port=32769
max-port=65535
fingerprint
lt-cred-mech
use-auth-secret
static-auth-secret=<GENERATED SECRET>
realm=turn.example.com
cert=/etc/turnserver/fullchain.pem
pkey=/etc/turnserver/privkey.pem
dh-file=/etc/turnserver/dhp.pem
cipher-list="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
no-loopback-peers
no-multicast-peers
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
allowed-peer-ip=10.0.0.1
no-cli
no-tlsv1
no-tlsv1_1Firewall
Open the required ports in the firewall with:
sudo ufc allow 3478
sudo ufc allow 5349Manually Generate Credentials
You can manually generate TURN credentials with the following script:
#!/bin/bash
HOST=turn.example.com
SECRET=YourSecretHere
time=$(date +%s)
expiry=8400
username=$(( $time + $expiry ))
echo
echo " https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/"
echo
echo URI : turn:$HOST:5349
echo username : $username
echo password : $(echo -n $username | openssl dgst -binary -sha1 -hmac $SECRET | openssl base64)
echoDebugging
You can use Trickle ICE to test if your TURN server is working. Test STUN functionality with "all" mode and TURN with "relay" mode.
If your coturn server doesn't "just work" I would recommend disabling the firewall before testing with
sudo ufc disable
