diff --git a/nftables.conf b/nftables.conf
index 762b590..5a6d5cf 100755
--- a/nftables.conf
+++ b/nftables.conf
@@ -18,6 +18,10 @@ table inet filter {
 # SSH
 tcp dport 995 limit rate 15/minute accept
+ # TURN
+ tcp dport { 3478, 5349 } limit rate 5/second accept
+ udp dport { 3478, 5349, 49152-49200 } limit rate 5/second accept
+
 # Allow ICMP
 meta l4proto icmp limit rate 1/second accept
 meta l4proto ipv6-icmp limit rate 1/second accept
diff --git a/ports.txt b/ports.txt
index 4ade8aa..c27e6ed 100644
--- a/ports.txt
+++ b/ports.txt
@@ -1,6 +1,8 @@
 80/443 -> NGINX reverse proxy
 995 -> SSH
+3478 -> coturn
 3735 -> Etebase
+5349 -> coturn
 5432 -> Syncthing
 8008 -> Synapse
 8080 -> Nextcloud AIO
@@ -11,3 +13,4 @@
 8443 -> stdisco
 11000 -> Nextcloud
 22000 -> Syncthing
+49152-49200/udp -> coturn
diff --git a/synapse/coturn-docker-entrypoint.sh b/synapse/coturn-docker-entrypoint.sh
new file mode 100755
index 0000000..106f607
--- /dev/null
+++ b/synapse/coturn-docker-entrypoint.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# If command starts with an option, prepend it with a `turnserver` binary.
+if [ "${1:0:1}" == '-' ]; then
+ set -- turnserver "$@"
+fi
+
+# Evaluate each argument separately to avoid mixing them up in a single `eval`.
+expanded=()
+for i in "$@"; do
+ expanded+=("$(eval "echo $i")")
+done
+
+cp /etc/coturn/server.conf /tmp/turnserver.conf
+cat /etc/coturn/secret.conf >> /tmp/turnserver.conf
+
+exec "${expanded[@]}"
diff --git a/synapse/docker-compose.yaml b/synapse/docker-compose.yaml
index 4ed4f17..6336ec4 100644
--- a/synapse/docker-compose.yaml
+++ b/synapse/docker-compose.yaml
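Review bot: The added `udp dport { 3478, 5349, 49152-49200 } limit rate 5/second accept` rule puts one shared budget of five packets per second on the whole relay port range, so unless a rule earlier in this chain (the chain header is outside the hunk) already accepts `ct state established,related` traffic, relayed RTP on 49152-49200 will be almost entirely dropped. Even when such an accept exists, the limit is global rather than per client, so one busy caller exhausts it for everyone; making the intent explicit with `ct state new` and, if per-source fairness matters, a per-source `meter` is the usual shape, e.g. `udp dport { 3478, 5349, 49152-49200 } ct state new limit rate 5/second accept`. The TCP rule above it has the same structure, though TCP handshakes tolerate it better than media does.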
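Review bot: Nothing in the script aborts on failure, so if `/etc/coturn/secret.conf` is missing or unreadable the `cat` on the second-to-last line fails and `exec` still starts `turnserver` with a config that has `use-auth-secret` but no `static-auth-secret`; add `set -eu` after the shebang so a broken secret mount fails startup loudly instead. The assembled `/tmp/turnserver.conf` now carries the shared secret, so a `umask 077` before the `cp` keeps it readable only by the process user. Replacing the image entrypoint also means the `DETECT_EXTERNAL_IP`, `DETECT_RELAY_IP`, `DETECT_EXTERNAL_IPV6` and `DETECT_RELAY_IPV6` variables set for this container in `synapse/docker-compose.yaml` are read by nothing visible here; if the upstream entrypoint was what translated them into `--external-ip`/`--relay-ip` arguments, those must now be passed explicitly or the NAT address detection is silently lost.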
@@ -1,4 +1,35 @@
 services:
+ coturn:
+ container_name: synapse_coturn
+ image: coturn/coturn:alpine
+ restart: always
+ user: '1003:1003'
+ command:
+ - "--log-file=stdout"
+ - "-c"
+ - "/tmp/turnserver.conf"
+ environment:
+ - DETECT_EXTERNAL_IP=yes
+ - DETECT_RELAY_IP=yes
+ - DETECT_EXTERNAL_IPV6=yes
+ - DETECT_RELAY_IPV6=yes
+ ports:
+ - 3478:3478
+ - 3478:3478/udp
+ - 5349:5349
+ - 5349:5349/udp
+ - 49152-49200:49152-49200/udp
+ tmpfs:
+ - /var/lib/coturn
+ volumes:
+ - ./turnserver.conf:/etc/coturn/server.conf
+ - ./coturn-docker-entrypoint.sh:/usr/local/bin/docker-entrypoint.sh
+ # Content of turn-secret.conf:
+ # static-auth-secret=someSecret
+ - ../turn-secret.conf:/etc/coturn/secret.conf
+ - ../turn-cert.pem:/etc/coturn/cert.pem
+ - ../turn-pkey.pem:/etc/coturn/pkey.pem
+
 postgres:
 container_name: synapse_postgres
 image: postgres:alpine
@@ -20,10 +51,14 @@ services:
 # command: generate
 restart: always
 user: '991:991'
+ command: >
+ run
+ --config-path=/data/homeserver.yaml
+ --config-path=/data/secret.yaml
 environment:
- # SYNAPSE_SERVER_NAME: viyurz.fr
- # SYNAPSE_REPORT_STATS: "yes"
- # SYNAPSE_HTTP_PORT: 8008
+ SYNAPSE_SERVER_NAME: viyurz.fr
+ SYNAPSE_REPORT_STATS: "yes"
+ SYNAPSE_HTTP_PORT: 8008
 TZ: "Europe/Paris"
 networks:
 - synapse
@@ -32,6 +67,9 @@ services:
 volumes:
 - /mnt/synapsedata:/data
 - ./homeserver.yaml:/data/homeserver.yaml
+ # Content of turn-secret.yaml:
+ # turn_shared_secret: "someSecret"
+ - ../turn-secret.yaml:/data/secret.yaml
 networks:
 synapse:
diff --git a/synapse/homeserver.yaml b/synapse/homeserver.yaml
index f63d37f..b72afb1 100644
--- a/synapse/homeserver.yaml
+++ b/synapse/homeserver.yaml
@@ -65,4 +65,7 @@ url_preview_ip_range_blacklist:
 - 'ff00::/8'
 - 'fec0::/10'
+turn_uris: [ "turn:turn.viyurz.fr?transport=udp", "turn:turn.viyurz.fr?transport=tcp" ]
+turn_user_lifetime: 86400000
+turn_allow_guests: true
 # vim:ft=yaml
diff --git a/synapse/turnserver.conf b/synapse/turnserver.conf
new file mode 100644
index 0000000..19cd756
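Review bot: The five bind mounts under `volumes:` of the new `coturn` service, including `../turn-secret.conf`, `../turn-cert.pem` and `../turn-pkey.pem`, are mounted read-write although the container only reads them; append `:ro` to each (e.g. `- ../turn-pkey.pem:/etc/coturn/pkey.pem:ro`) so a compromised `turnserver` process cannot alter the private key, the shared secret or the entrypoint script it is launched through. The same applies to `../turn-secret.yaml:/data/secret.yaml` added in the third hunk of this file. The port mappings such as `3478:3478` happen to parse as strings because the second field exceeds 59, but quoting them (`"3478:3478/udp"`) matches the already quoted `user:` value and avoids the YAML 1.1 sexagesimal trap should a low port ever be added.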
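Review bot: `command: >` in the synapse service uses clip chomping, so the folded value ends with a newline; `command: >-` yields the same `run --config-path=... --config-path=...` string without it, and a block sequence (`- run`, `- --config-path=/data/homeserver.yaml`, `- --config-path=/data/secret.yaml`) avoids shell-style word splitting of the string altogether. `SYNAPSE_HTTP_PORT: 8008` is the only unquoted value in this `environment:` mapping while `SYNAPSE_REPORT_STATS` and `TZ` are quoted; Compose coerces the integer, but `"8008"` keeps the mapping uniformly string-typed and protects a future value with a leading zero.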
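Review bot: `turn_uris` advertises only `turn:` on the default port over udp and tcp, so the TLS listener the same commit sets up (`tls-listening-port=5349`, `cert=`/`pkey=` in `synapse/turnserver.conf`, plus the 5349 port mappings and firewall rules) is never handed to clients; add `"turns:turn.viyurz.fr:5349?transport=tcp"` to the list (and the `?transport=udp` variant if DTLS is wanted) or drop the unused 5349 exposure. `turn_user_lifetime: 86400000` is 24 hours against Synapse's default of one hour, which lengthens the window in which a leaked TURN credential stays usable; a shorter value is preferable unless clients cannot refresh. `turn_allow_guests: true` lets unauthenticated guest sessions obtain relay credentials, the case Synapse's own config notes flag as a relay-abuse risk; keep it `false` unless guest calls are a requirement.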
--- /dev/null
+++ b/synapse/turnserver.conf
@@ -0,0 +1,59 @@
+verbose
+fingerprint
+
+listening-port=3478
+tls-listening-port=5349
+
+use-auth-secret
+realm=turn.viyurz.fr
+
+# Lower and upper bounds of the UDP relay endpoints:
+# (default values are 49152 and 65535)
+#
+min-port=49152
+max-port=49200
+
+# TLS certificates, including intermediate certs.
+# For Let's Encrypt certificates, use `fullchain.pem` here.
+cert=/etc/coturn/cert.pem
+
+# TLS private key file
+pkey=/etc/coturn/pkey.pem
+
+# Do not allow an TLS/DTLS version of protocol
+#
+#no-tlsv1
+#no-tlsv1_1
+#no-tlsv1_2
+
+# VoIP traffic is all UDP. There is no reason to let users connect to arbitrary TCP endpoints via the relay.
+no-tcp-relay
+
+# don't let the relay ever try to connect to private IP address ranges within your network (if any)
+# given the turn server is likely behind your firewall, remember to include any privileged public IPs too.
+denied-peer-ip=10.0.0.0-10.255.255.255
+denied-peer-ip=192.168.0.0-192.168.255.255
+denied-peer-ip=172.16.0.0-172.31.255.255
+
+# recommended additional local peers to block, to mitigate external access to internal services.
+# https://www.rtcsec.com/article/slack-webrtc-turn-compromise-and-bug-bounty/#how-to-fix-an-open-turn-relay-to-address-this-vulnerability
+no-multicast-peers
+denied-peer-ip=0.0.0.0-0.255.255.255
+denied-peer-ip=100.64.0.0-100.127.255.255
+denied-peer-ip=127.0.0.0-127.255.255.255
+denied-peer-ip=169.254.0.0-169.254.255.255
+denied-peer-ip=192.0.0.0-192.0.0.255
+denied-peer-ip=192.0.2.0-192.0.2.255
+denied-peer-ip=192.88.99.0-192.88.99.255
+denied-peer-ip=198.18.0.0-198.19.255.255
+denied-peer-ip=198.51.100.0-198.51.100.255
+denied-peer-ip=203.0.113.0-203.0.113.255
+denied-peer-ip=240.0.0.0-255.255.255.255
+
+# special case the turn server itself so that client->TURN->TURN->client flows work
+# this should be one of the turn server's listening IPs
+#allowed-peer-ip=10.0.0.1
+
+# consider whether you want to limit the quota of relayed streams per user (or total) to avoid risk of DoS.
+user-quota=12 # 4 streams per video call, so 12 streams = 3 simultaneous relayed calls per user.
+total-quota=1200
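Review bot: The `denied-peer-ip` list covers IPv4 only, while the compose file enables `DETECT_RELAY_IPV6` and `DETECT_EXTERNAL_IPV6`, so the host's IPv6 loopback, link-local and ULA ranges (and IPv4-mapped addresses, which bypass the IPv4 entries) stay reachable through the relay; the IPv6 equivalents belong next to the existing entries. `#no-tlsv1` and `#no-tlsv1_1` are left commented, so the TLS listener on 5349 will still negotiate TLS 1.0/1.1 wherever the linked OpenSSL allows it; uncommenting those two lines is the intended hardening. coturn also enables its local CLI by default, and a container that does not use it should say `no-cli`. `user-quota=12 # 4 streams ...` places a trailing comment on a value line, which relies on the config parser discarding text after `#`; moving that comment onto its own line above the value removes the dependency.
```conf
# … unchanged: listener, auth, port range and TLS settings …
no-tlsv1
no-tlsv1_1
# … unchanged: IPv4 denied-peer-ip entries …
denied-peer-ip=::1
denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
no-cli
# … unchanged: allowed-peer-ip placeholder and quotas …
```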