Setting up a TURN server

TURN is a subset of STUN that provides a mechanism for routing traffic through the server as a fallback as well as the standard hole punching that STUN provides.

Automated Setup using BBB

Big blue button has a script to automatically install configure coturn for BBB. I found that this script ran into problems when setting up so I had to manually configure it.

Manual Configuration

Install

Note: Most installs use port 443 for TLS connections, if the server is not dedicated to TURN then I'd recommend using the defaults instead 5349.

sudo apt-get install coturn

Generate the certificate with (disable any services that are using port 80 first):

sudo certbot certonly --standalone --preferred-challenges http  -d turn.example.com

sudo mkdir mkdir /etc/turnserver

sudo echo '#!/bin/bash -e
for certfile in fullchain.pem privkey.pem ; do
	cp -L /etc/letsencrypt/live/<turn.example.com>/"${certfile}" /etc/turnserver/"${certfile}".new
	chown turnserver:turnserver /etc/turnserver/"${certfile}".new
	mv /etc/turnserver/"${certfile}".new /etc/turnserver/"${certfile}"
done
systemctl kill -sUSR2 coturn.service
' > /etc/letsencrypt/renewal-hooks/deploy/coturn

sudo chmod 0755 /etc/letsencrypt/renewal-hooks/deploy/coturn
sudo /etc/letsencrypt/renewal-hooks/deploy/coturn # Initial run.

Generate a secret with:

openssl rand -hex 16

Create dph.pem file.

sudo mkdir -p /etc/turnserver
sudo openssl dhparam -dsaparam  -out /etc/turnserver/dhp.pem 2048

Configure file: /etc/turnserver.conf

Recommended configuration:

listening-port=3478
tls-listening-port=5349
listening-ip=<SERVER IP>

min-port=32769
max-port=65535

fingerprint
lt-cred-mech

use-auth-secret
static-auth-secret=<GENERATED SECRET>

realm=turn.example.com

cert=/etc/turnserver/fullchain.pem
pkey=/etc/turnserver/privkey.pem
dh-file=/etc/turnserver/dhp.pem

cipher-list="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"

no-loopback-peers
no-multicast-peers

denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
allowed-peer-ip=10.0.0.1


no-cli

no-tlsv1
no-tlsv1_1

Firewall

Open the required ports in the firewall with:

sudo ufc allow 3478
sudo ufc allow 5349

Manually Generate Credentials

You can manually generate TURN credentials with the following script:

#!/bin/bash

HOST=turn.example.com
SECRET=YourSecretHere

time=$(date +%s)
expiry=8400
username=$(( $time + $expiry ))

echo
echo "          https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/"
echo
echo      URI : turn:$HOST:5349
echo username : $username 
echo password : $(echo -n $username | openssl dgst -binary -sha1 -hmac $SECRET | openssl base64)
echo

Debugging

You can use Trickle ICE to test if your TURN server is working. Test STUN functionality with "all" mode and TURN with "relay" mode.

If your coturn server doesn't "just work" I would recommend disabling the firewall before testing with

sudo ufc disable

See Also

• Big Blue Button
• Jitsi
• https://docs.bigbluebutton.org/2.2/setup-turn-server.html
• https://github.com/matrix-org/synapse/blob/master/docs/turn-howto.md