add coturn

2023-12-08 12:22:33 +01:00 · 2023-12-08 12:22:33 +01:00 · 226700ea0a
commit 226700ea0a
parent 68fabec9ee
6 changed files with 127 additions and 3 deletions
--- a/nftables.conf
+++ b/nftables.conf
@ -18,6 +18,10 @@ table inet filter {
 		# SSH
 		tcp dport 995 limit rate 15/minute accept

+		# TURN
+		tcp dport { 3478, 5349 } limit rate 5/second accept
+		udp dport { 3478, 5349, 49152-49200 } limit rate 5/second accept
+
 		# Allow ICMP
 		meta l4proto icmp limit rate 1/second accept
 		meta l4proto ipv6-icmp limit rate 1/second accept
--- a/ports.txt
+++ b/ports.txt
@ -1,6 +1,8 @@
 80/443 -> NGINX reverse proxy
 995 -> SSH
+3478 -> coturn
 3735 -> Etebase
+5349 -> coturn
 5432 -> Syncthing
 8008 -> Synapse
 8080 -> Nextcloud AIO
@ -11,3 +13,4 @@
 8443 -> stdisco
 11000 -> Nextcloud
 22000 -> Syncthing
+49152-49200/udp -> coturn
--- a/synapse/coturn-docker-entrypoint.sh
+++ b/synapse/coturn-docker-entrypoint.sh
@ -0,0 +1,17 @@
+#!/bin/bash
+
+# If command starts with an option, prepend it with a `turnserver` binary.
+if [ "${1:0:1}" == '-' ]; then
+  set -- turnserver "$@"
+fi
+
+# Evaluate each argument separately to avoid mixing them up in a single `eval`.
+expanded=()
+for i in "$@"; do
+  expanded+=("$(eval "echo $i")")
+done
+
+cp /etc/coturn/server.conf /tmp/turnserver.conf
+cat /etc/coturn/secret.conf >> /tmp/turnserver.conf
+
+exec "${expanded[@]}"
--- a/synapse/docker-compose.yaml
+++ b/synapse/docker-compose.yaml
@ -1,4 +1,35 @@
 services:
+  coturn:
+    container_name: synapse_coturn
+    image: coturn/coturn:alpine
+    restart: always
+    user: '1003:1003'
+    command: 
+      - "--log-file=stdout"
+      - "-c"
+      - "/tmp/turnserver.conf"
+    environment:
+      - DETECT_EXTERNAL_IP=yes
+      - DETECT_RELAY_IP=yes
+      - DETECT_EXTERNAL_IPV6=yes
+      - DETECT_RELAY_IPV6=yes
+    ports:
+      - 3478:3478
+      - 3478:3478/udp
+      - 5349:5349
+      - 5349:5349/udp
+      - 49152-49200:49152-49200/udp
+    tmpfs:
+      - /var/lib/coturn
+    volumes:
+      - ./turnserver.conf:/etc/coturn/server.conf
+      - ./coturn-docker-entrypoint.sh:/usr/local/bin/docker-entrypoint.sh
+      # Content of turn-secret.conf:
+      # static-auth-secret=someSecret
+      - ../turn-secret.conf:/etc/coturn/secret.conf
+      - ../turn-cert.pem:/etc/coturn/cert.pem
+      - ../turn-pkey.pem:/etc/coturn/pkey.pem
+
  postgres:
    container_name: synapse_postgres
    image: postgres:alpine
@ -20,10 +51,14 @@ services:
    # command: generate
    restart: always
    user: '991:991'
+    command: >
+      run
+      --config-path=/data/homeserver.yaml
+      --config-path=/data/secret.yaml
    environment:
-      # SYNAPSE_SERVER_NAME: viyurz.fr
-      # SYNAPSE_REPORT_STATS: "yes"
-      # SYNAPSE_HTTP_PORT: 8008
+      SYNAPSE_SERVER_NAME: viyurz.fr
+      SYNAPSE_REPORT_STATS: "yes"
+      SYNAPSE_HTTP_PORT: 8008
      TZ: "Europe/Paris"
    networks:
      - synapse
@ -32,6 +67,9 @@ services:
    volumes:
      - /mnt/synapsedata:/data
      - ./homeserver.yaml:/data/homeserver.yaml
+      # Content of turn-secret.yaml:
+      # turn_shared_secret: "someSecret"
+      - ../turn-secret.yaml:/data/secret.yaml

 networks:
  synapse:
--- a/synapse/homeserver.yaml
+++ b/synapse/homeserver.yaml
@ -65,4 +65,7 @@ url_preview_ip_range_blacklist:
  - 'ff00::/8'
  - 'fec0::/10'

+turn_uris: [ "turn:turn.viyurz.fr?transport=udp", "turn:turn.viyurz.fr?transport=tcp" ]
+turn_user_lifetime: 86400000
+turn_allow_guests: true
 # vim:ft=yaml
--- a/synapse/turnserver.conf
+++ b/synapse/turnserver.conf
@ -0,0 +1,59 @@
+verbose
+fingerprint
+
+listening-port=3478
+tls-listening-port=5349
+
+use-auth-secret
+realm=turn.viyurz.fr
+
+# Lower and upper bounds of the UDP relay endpoints:
+# (default values are 49152 and 65535)
+#
+min-port=49152
+max-port=49200
+
+# TLS certificates, including intermediate certs.
+# For Let's Encrypt certificates, use `fullchain.pem` here.
+cert=/etc/coturn/cert.pem
+
+# TLS private key file
+pkey=/etc/coturn/pkey.pem
+
+# Do not allow an TLS/DTLS version of protocol
+#
+#no-tlsv1
+#no-tlsv1_1
+#no-tlsv1_2
+
+# VoIP traffic is all UDP. There is no reason to let users connect to arbitrary TCP endpoints via the relay.
+no-tcp-relay
+
+# don't let the relay ever try to connect to private IP address ranges within your network (if any)
+# given the turn server is likely behind your firewall, remember to include any privileged public IPs too.
+denied-peer-ip=10.0.0.0-10.255.255.255
+denied-peer-ip=192.168.0.0-192.168.255.255
+denied-peer-ip=172.16.0.0-172.31.255.255
+
+# recommended additional local peers to block, to mitigate external access to internal services.
+# https://www.rtcsec.com/article/slack-webrtc-turn-compromise-and-bug-bounty/#how-to-fix-an-open-turn-relay-to-address-this-vulnerability
+no-multicast-peers
+denied-peer-ip=0.0.0.0-0.255.255.255
+denied-peer-ip=100.64.0.0-100.127.255.255
+denied-peer-ip=127.0.0.0-127.255.255.255
+denied-peer-ip=169.254.0.0-169.254.255.255
+denied-peer-ip=192.0.0.0-192.0.0.255
+denied-peer-ip=192.0.2.0-192.0.2.255
+denied-peer-ip=192.88.99.0-192.88.99.255
+denied-peer-ip=198.18.0.0-198.19.255.255
+denied-peer-ip=198.51.100.0-198.51.100.255
+denied-peer-ip=203.0.113.0-203.0.113.255
+denied-peer-ip=240.0.0.0-255.255.255.255
+
+# special case the turn server itself so that client->TURN->TURN->client flows work
+# this should be one of the turn server's listening IPs
+#allowed-peer-ip=10.0.0.1
+
+# consider whether you want to limit the quota of relayed streams per user (or total) to avoid risk of DoS.
+user-quota=12 # 4 streams per video call, so 12 streams = 3 simultaneous relayed calls per user.
+total-quota=1200