add coturn

This commit is contained in:
Viyurz 2023-12-08 12:22:33 +01:00
parent 68fabec9ee
commit 226700ea0a
6 changed files with 127 additions and 3 deletions


@ -18,6 +18,10 @@ table inet filter {
# SSH
tcp dport 995 limit rate 15/minute accept
# TURN
tcp dport { 3478, 5349 } limit rate 5/second accept
udp dport { 3478, 5349, 49152-49200 } limit rate 5/second accept
# Allow ICMP
meta l4proto icmp limit rate 1/second accept
meta l4proto ipv6-icmp limit rate 1/second accept
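Review bot: The `limit rate 5/second` on line 16 covers the relay range 49152-49200 and the client-facing UDP ports, but relayed media runs at tens of packets per second per stream, so unless an earlier rule in this chain already accepts `ct state established` traffic (the chain head and `table inet filter {` start outside the hunk) most packets of every call will fall through to whatever the chain's policy is. The limit is also a single global bucket rather than per source address, so one busy client exhausts it for everyone, and it adds little abuse protection, which in practice comes from the relay's `denied-peer-ip` list and quotas. If an established/related accept does precede these lines, scope the limit to new flows, `udp dport { 3478, 5349, 49152-49200 } ct state new limit rate 5/second accept`; if not, the UDP line should accept without a limit, and the same consideration applies to TURN-over-TCP on line 15.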


@ -1,6 +1,8 @@
80/443 -> NGINX reverse proxy
995 -> SSH
3478 -> coturn
3735 -> Etebase
5349 -> coturn
5432 -> Syncthing
8008 -> Synapse
8080 -> Nextcloud AIO
@ -11,3 +13,4 @@
8443 -> stdisco
11000 -> Nextcloud
22000 -> Syncthing
49152-49200/udp -> coturn


@ -0,0 +1,17 @@
#!/bin/bash
# If command starts with an option, prepend it with a `turnserver` binary.
if [ "${1:0:1}" == '-' ]; then
set -- turnserver "$@"
fi
# Evaluate each argument separately to avoid mixing them up in a single `eval`.
expanded=()
for i in "$@"; do
expanded+=("$(eval "echo $i")")
done
cp /etc/coturn/server.conf /tmp/turnserver.conf
cat /etc/coturn/secret.conf >> /tmp/turnserver.conf
exec "${expanded[@]}"
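Review bot: The script sets neither `set -e` nor a umask, so if the `cp` on line 51 fails (for example the server.conf bind mount is missing) the `cat` on line 52 still creates `/tmp/turnserver.conf` holding only the secret and line 53 starts turnserver on it, and in the normal case the merged file containing `static-auth-secret` is created with the default umask, typically world-readable. Add `set -e` and `umask 077` after the shebang so a missing config aborts the start and the merged file is 0600. The `eval "echo $i"` on line 49 appears to mirror the upstream image's entrypoint and expands `$VAR`, backticks and `$( )` inside every argument; it is acceptable only because the arguments come from the compose file, so a comment such as `# arguments are eval-expanded: they must only ever come from the compose file, never from users` would protect a future maintainer. Since this file is bind-mounted over the image's entrypoint it also needs the executable bit on the host copy, which the diff cannot show.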


@ -1,4 +1,35 @@
services:
coturn:
container_name: synapse_coturn
image: coturn/coturn:alpine
restart: always
user: '1003:1003'
command:
- "--log-file=stdout"
- "-c"
- "/tmp/turnserver.conf"
environment:
- DETECT_EXTERNAL_IP=yes
- DETECT_RELAY_IP=yes
- DETECT_EXTERNAL_IPV6=yes
- DETECT_RELAY_IPV6=yes
ports:
- 3478:3478
- 3478:3478/udp
- 5349:5349
- 5349:5349/udp
- 49152-49200:49152-49200/udp
tmpfs:
- /var/lib/coturn
volumes:
- ./turnserver.conf:/etc/coturn/server.conf
- ./coturn-docker-entrypoint.sh:/usr/local/bin/docker-entrypoint.sh
# Content of turn-secret.conf:
# static-auth-secret=someSecret
- ../turn-secret.conf:/etc/coturn/secret.conf
- ../turn-cert.pem:/etc/coturn/cert.pem
- ../turn-pkey.pem:/etc/coturn/pkey.pem
postgres:
container_name: synapse_postgres
image: postgres:alpine
@ -20,10 +51,14 @@ services:
# command: generate
restart: always
user: '991:991'
command: >
run
--config-path=/data/homeserver.yaml
--config-path=/data/secret.yaml
environment:
# SYNAPSE_SERVER_NAME: viyurz.fr
# SYNAPSE_REPORT_STATS: "yes"
# SYNAPSE_HTTP_PORT: 8008
SYNAPSE_SERVER_NAME: viyurz.fr
SYNAPSE_REPORT_STATS: "yes"
SYNAPSE_HTTP_PORT: 8008
TZ: "Europe/Paris"
networks:
- synapse
@ -32,6 +67,9 @@ services:
volumes:
- /mnt/synapsedata:/data
- ./homeserver.yaml:/data/homeserver.yaml
# Content of turn-secret.yaml:
# turn_shared_secret: "someSecret"
- ../turn-secret.yaml:/data/secret.yaml
networks:
synapse:
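Review bot: None of the bind mounts at lines 82-88 (nor the Synapse one at line 116 in the third hunk) is read-only, although they carry the TURN shared secret, the TLS private key and the entrypoint script that becomes the container's first process; if uid 1003 owns those host files, a compromised coturn process could rewrite its own entrypoint on the host. Append `:ro` to each, e.g. `- ../turn-secret.conf:/etc/coturn/secret.conf:ro` and `- ./coturn-docker-entrypoint.sh:/usr/local/bin/docker-entrypoint.sh:ro`; the entrypoint only reads these paths and writes its merged config to `/tmp`, so nothing here needs to be writable. The coturn service also declares no `networks:` entry while synapse at lines 108-109 is placed on `synapse`, so presumably coturn lands on the project's default network, and the relay's `denied-peer-ip` list only shields neighbouring containers if Docker picked that subnet from 172.16/12 or 192.168/16, which is worth confirming.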


@ -65,4 +65,7 @@ url_preview_ip_range_blacklist:
- 'ff00::/8'
- 'fec0::/10'
turn_uris: [ "turn:turn.viyurz.fr?transport=udp", "turn:turn.viyurz.fr?transport=tcp" ]
turn_user_lifetime: 86400000
turn_allow_guests: true
# vim:ft=yaml
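Review bot: `turn_uris` on line 125 lists only plain `turn:` URIs even though the coturn config in this commit opens a TLS listener on 5349 with a certificate, so clients are never offered the encrypted transport and the mounted certificate goes unused from Synapse's side. Add `"turns:turn.viyurz.fr?transport=tcp"` to the list, keeping the existing `turn:` entries as fallback. `turn_allow_guests: true` on line 127 lets unauthenticated guest accounts obtain TURN credentials and consume relay bandwidth, which the coturn `user-quota`/`total-quota` settings bound but do not prevent; a comment recording that this is deliberate would help.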

59
synapse/turnserver.conf Normal file

@ -0,0 +1,59 @@
verbose
fingerprint
listening-port=3478
tls-listening-port=5349
use-auth-secret
realm=turn.viyurz.fr
# Lower and upper bounds of the UDP relay endpoints:
# (default values are 49152 and 65535)
#
min-port=49152
max-port=49200
# TLS certificates, including intermediate certs.
# For Let's Encrypt certificates, use `fullchain.pem` here.
cert=/etc/coturn/cert.pem
# TLS private key file
pkey=/etc/coturn/pkey.pem
# Do not allow an TLS/DTLS version of protocol
#
#no-tlsv1
#no-tlsv1_1
#no-tlsv1_2
# VoIP traffic is all UDP. There is no reason to let users connect to arbitrary TCP endpoints via the relay.
no-tcp-relay
# don't let the relay ever try to connect to private IP address ranges within your network (if any)
# given the turn server is likely behind your firewall, remember to include any privileged public IPs too.
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
# recommended additional local peers to block, to mitigate external access to internal services.
# https://www.rtcsec.com/article/slack-webrtc-turn-compromise-and-bug-bounty/#how-to-fix-an-open-turn-relay-to-address-this-vulnerability
no-multicast-peers
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=192.0.0.0-192.0.0.255
denied-peer-ip=192.0.2.0-192.0.2.255
denied-peer-ip=192.88.99.0-192.88.99.255
denied-peer-ip=198.18.0.0-198.19.255.255
denied-peer-ip=198.51.100.0-198.51.100.255
denied-peer-ip=203.0.113.0-203.0.113.255
denied-peer-ip=240.0.0.0-255.255.255.255
# special case the turn server itself so that client->TURN->TURN->client flows work
# this should be one of the turn server's listening IPs
#allowed-peer-ip=10.0.0.1
# consider whether you want to limit the quota of relayed streams per user (or total) to avoid risk of DoS.
user-quota=12 # 4 streams per video call, so 12 streams = 3 simultaneous relayed calls per user.
total-quota=1200
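Review bot: The `denied-peer-ip` list at lines 160-176 covers only IPv4, while the compose file in this commit enables IPv6 relaying, so a client can still ask the relay to forward to loopback, link-local or ULA IPv6 addresses of the host and neighbouring containers, the same internal-access exposure the rtcsec link on line 164 describes. Add the IPv6 counterparts from coturn's sample config: `denied-peer-ip=::1`, `denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff`, `denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff`. The TLS-version guards at lines 153-155 are left commented out, so the 5349 listener negotiates whatever older TLS versions the image's OpenSSL still permits; uncommenting `no-tlsv1` and `no-tlsv1_1` costs nothing for current Matrix clients.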