vps/roles/coturn/templates/turnserver.conf

listening-port={{ ports['coturn_listening'] }}
tls-listening-port={{ ports['coturn_tls_listening'] }}

# Lower and upper bounds of the UDP relay endpoints:
# (default values are 49152 and 65535)
min-port={{ ports['coturn_relay_min'] }}
max-port={{ ports['coturn_relay_max'] }}

#verbose
fingerprint

# Credentials in secrets.conf (static-auth-secret)
use-auth-secret
static-auth-secret={{ coturn_secrets['static_auth_secret'] }}

realm=turn.{{ domain }}

# TLS certificates, including intermediate certs.
# For Let's Encrypt certificates, use `fullchain.pem` here.
cert=/etc/coturn/cert.pem

# TLS private key file
pkey=/etc/coturn/pkey.pem

# Do not allow an TLS/DTLS version of protocol
no-tlsv1
no-tlsv1_1

# Disable RFC5780 (NAT behavior discovery).
no-rfc5780
no-stun-backward-compatibility
response-origin-only-with-rfc5780
no-cli

# VoIP traffic is all UDP. There is no reason to let users connect to arbitrary TCP endpoints via the relay.
no-tcp-relay

# consider whether you want to limit the quota of relayed streams per user (or total) to avoid risk of DoS.
user-quota=12 # 4 streams per video call, so 12 streams = 3 simultaneous relayed calls per user.
total-quota=1200

# don't let the relay ever try to connect to private IP address ranges within your network (if any)
# given the turn server is likely behind your firewall, remember to include any privileged public IPs too.
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
# recommended additional local peers to block, to mitigate external access to internal services.
# https://www.rtcsec.com/article/slack-webrtc-turn-compromise-and-bug-bounty/#how-to-fix-an-open-turn-relay-to-address-this-vulnerability
no-multicast-peers
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=192.0.0.0-192.0.0.255
denied-peer-ip=192.0.2.0-192.0.2.255
denied-peer-ip=192.88.99.0-192.88.99.255
denied-peer-ip=198.18.0.0-198.19.255.255
denied-peer-ip=198.51.100.0-198.51.100.255
denied-peer-ip=203.0.113.0-203.0.113.255
denied-peer-ip=240.0.0.0-255.255.255.255
denied-peer-ip=::1
denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
The Great Ansible Update. 2024-02-17 19:01:04 +01:00			`listening-port={{ ports['coturn_listening'] }}`
			`tls-listening-port={{ ports['coturn_tls_listening'] }}`
Update for Coturn rootless (changed to slirp4netns driver). 2024-02-15 11:24:39 +01:00
			`# Lower and upper bounds of the UDP relay endpoints:`
			`# (default values are 49152 and 65535)`
The Great Ansible Update. 2024-02-17 19:01:04 +01:00			`min-port={{ ports['coturn_relay_min'] }}`
			`max-port={{ ports['coturn_relay_max'] }}`
Update for Coturn rootless (changed to slirp4netns driver). 2024-02-15 11:24:39 +01:00
coturn en network_mode: host 2023-12-08 16:45:50 +01:00			`#verbose`
add coturn 2023-12-08 12:22:33 +01:00			`fingerprint`

Update for Coturn rootless (changed to slirp4netns driver). 2024-02-15 11:24:39 +01:00			`# Credentials in secrets.conf (static-auth-secret)`
add coturn 2023-12-08 12:22:33 +01:00			`use-auth-secret`
The Great Ansible Update. 2024-02-17 19:01:04 +01:00			`static-auth-secret={{ coturn_secrets['static_auth_secret'] }}`
add coturn 2023-12-08 12:22:33 +01:00
The Great Ansible Update. 2024-02-17 19:01:04 +01:00			`realm=turn.{{ domain }}`
add coturn 2023-12-08 12:22:33 +01:00
			`# TLS certificates, including intermediate certs.`
			# For Let's Encrypt certificates, use `fullchain.pem` here.
			`cert=/etc/coturn/cert.pem`

			`# TLS private key file`
			`pkey=/etc/coturn/pkey.pem`

			`# Do not allow an TLS/DTLS version of protocol`
coturn en network_mode: host 2023-12-08 16:45:50 +01:00			`no-tlsv1`
			`no-tlsv1_1`
Update for Coturn rootless (changed to slirp4netns driver). 2024-02-15 11:24:39 +01:00
			`# Disable RFC5780 (NAT behavior discovery).`
			`no-rfc5780`
			`no-stun-backward-compatibility`
			`response-origin-only-with-rfc5780`
			`no-cli`
add coturn 2023-12-08 12:22:33 +01:00
			`# VoIP traffic is all UDP. There is no reason to let users connect to arbitrary TCP endpoints via the relay.`
			`no-tcp-relay`

Update for Coturn rootless (changed to slirp4netns driver). 2024-02-15 11:24:39 +01:00			`# consider whether you want to limit the quota of relayed streams per user (or total) to avoid risk of DoS.`
			`user-quota=12 # 4 streams per video call, so 12 streams = 3 simultaneous relayed calls per user.`
			`total-quota=1200`

add coturn 2023-12-08 12:22:33 +01:00			`# don't let the relay ever try to connect to private IP address ranges within your network (if any)`
			`# given the turn server is likely behind your firewall, remember to include any privileged public IPs too.`
			`denied-peer-ip=10.0.0.0-10.255.255.255`
			`denied-peer-ip=192.168.0.0-192.168.255.255`
			`denied-peer-ip=172.16.0.0-172.31.255.255`
			`# recommended additional local peers to block, to mitigate external access to internal services.`
			`# https://www.rtcsec.com/article/slack-webrtc-turn-compromise-and-bug-bounty/#how-to-fix-an-open-turn-relay-to-address-this-vulnerability`
			`no-multicast-peers`
			`denied-peer-ip=0.0.0.0-0.255.255.255`
			`denied-peer-ip=100.64.0.0-100.127.255.255`
			`denied-peer-ip=127.0.0.0-127.255.255.255`
			`denied-peer-ip=169.254.0.0-169.254.255.255`
			`denied-peer-ip=192.0.0.0-192.0.0.255`
			`denied-peer-ip=192.0.2.0-192.0.2.255`
			`denied-peer-ip=192.88.99.0-192.88.99.255`
			`denied-peer-ip=198.18.0.0-198.19.255.255`
			`denied-peer-ip=198.51.100.0-198.51.100.255`
			`denied-peer-ip=203.0.113.0-203.0.113.255`
			`denied-peer-ip=240.0.0.0-255.255.255.255`
coturn: add ipv6 denied-peers 2023-12-11 19:48:17 +01:00			`denied-peer-ip=::1`
			`denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff`
			`denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255`
			`denied-peer-ip=100::-100::ffff:ffff:ffff:ffff`
			`denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff`
			`denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff`
			`denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff`
			`denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff`