Coturn working

servers/ansible/playbook.yaml

@@ -58,6 +58,10 @@
       ansible.posix.synchronize:
         src: ../stalwart/
         dest: /etc/stalwart
+    - name: Copy coturn config
+      ansible.posix.synchronize:
+        src: ../coturn/
+        dest: /etc/coturn
     # Pull mautrix config:
     # rsync --rsync-path="sudo rsync" -r -t -z -P --include "*/" --include="*.yaml" --exclude="*" ansible@213.32.25.24:/var/opt/mautrix/ ./mautrix
     - name: Copy mautrix config

servers/containers/conduwuit-testing.container

@@ -55,6 +55,10 @@ Environment="CONDUWUIT_WELL_KNOWN={ \
 client=https://matrix.pissing.dev, \
 server=matrix.pissing.dev:443 \
 }"
+
+Environment="CONDUWUIT_TURN_URIS=[\"turns:coturn.ellis.link?transport=udp\",\"turns:coturn.ellis.link?transport=tcp\",\"turn:coturn.ellis.link?transport=udp\",\"turn:coturn.ellis.link?transport=tcp\"]"
+Environment="CONDUWUIT_TURN_SECRET=qjRh55G51K7V0ZqB7Z8ZEkxZjBLJMgkwEs8acFjx"
+
 # Environment="CONDUWUIT_SENTRY=true"
 # Environment="CONDUWUIT_SENTRY_ENDPOINT=https://c885d1475cef5c54bbd32b1512e0ae20@o4507835405369344.ingest.de.sentry.io/4508059491696720"
 

servers/containers/conduwuit.container

@@ -54,8 +54,8 @@ client=https://matrix.ellis.link, \
 server=matrix.ellis.link:443 \
 }"
 
-# Environment="CONDUWUIT_TURN_URIS=[\"turns:coturn.ellis.link?transport=udp\",\"turns:coturn.ellis.link?transport=tcp\"]"
-# Environment="CONDUWUIT_TURN_SECRET=qjRh55G51K7V0ZqB7Z8ZEkxZjBLJMgkwEs8acFjx"
+Environment="CONDUWUIT_TURN_URIS=[\"turns:coturn.ellis.link?transport=udp\",\"turns:coturn.ellis.link?transport=tcp\",\"turn:coturn.ellis.link?transport=udp\",\"turn:coturn.ellis.link?transport=tcp\"]"
+Environment="CONDUWUIT_TURN_SECRET=qjRh55G51K7V0ZqB7Z8ZEkxZjBLJMgkwEs8acFjx"
 
 Environment="CONDUWUIT_SENTRY=true"
 Environment="CONDUWUIT_SENTRY_ENDPOINT=https://c885d1475cef5c54bbd32b1512e0ae20@o4507835405369344.ingest.de.sentry.io/4508059491696720"

servers/containers/coturn.container

@@ -10,38 +10,35 @@ After=network-online.target
 ContainerName=coturn
 NoNewPrivileges=true
 Image=docker.io/coturn/coturn:latest
-ReadOnly=true
+# ReadOnly=true
 AutoUpdate=registry
-Network=web.network
+# Network=web.network
 
+Volume=/etc/coturn/turnserver.conf:/etc/coturn/turnserver.conf:ro,z
+Volume=traefik-certs.volume:/data/certs:ro,U
+# TODO: TURN TLS
 PublishPort=0.0.0.0:60006-65535:60006-65535/udp
 PublishPort=[::]:60006-65535:60006-65535/udp
-# PublishPort=0.0.0.0:3478:3478
-# PublishPort=[::]:3478:3478
-# PublishPort=0.0.0.0:3478:3478/udp
-# PublishPort=[::]:3478:3478/udp
-# PublishPort=0.0.0.0:5349:5349
-# PublishPort=[::]:5349:5349
-# PublishPort=0.0.0.0:5349:5349/udp
-# PublishPort=[::]:5349:5349/udp
+PublishPort=0.0.0.0:3478:3478
+PublishPort=[::]:3478:3478
+PublishPort=0.0.0.0:3478:3478/udp
+PublishPort=[::]:3478:3478/udp
+PublishPort=0.0.0.0:5349:5349
+PublishPort=[::]:5349:5349
+PublishPort=0.0.0.0:5349:5349/udp
+PublishPort=[::]:5349:5349/udp
 
-Exec= --realm coturn.ellis.link \
---tls-listening-port=443 \
---listening-ip=0.0.0.0 \
---min-port=60006 \
---max-port=65535 \
---use-auth-secret \
---static-auth-secret=qjRh55G51K7V0ZqB7Z8ZEkxZjBLJMgkwEs8acFjx
-Label="traefik.enable=true"
+
+Label="traefik.enable=false"
 Label="traefik.http.routers.coturn.rule=Host(`coturn.ellis.link`)"
 
-Label="traefik.http.routers.coturn.entrypoints=https"
+# Label="traefik.http.routers.coturn.entrypoints=https"
 
-Label="traefik.http.routers.coturn.middlewares=default@file"
+# Label="traefik.http.routers.coturn.middlewares=default@file"
 
 Label="homepage.group=Services"
 Label="homepage.name=coturn"
-Label="homepage.href=https://coturn.ellis.link"
+# Label="homepage.href=https://coturn.ellis.link"
 
 # Label="kuma.coturn.http.name=Uptime Kuma"
 # Label=kuma.__web='"coturn.ellis.link"'
@@ -60,4 +57,4 @@ TimeoutStartSec=2m
 StartLimitBurst=5
 
 [Install]
-# WantedBy=default.target
+WantedBy=default.target

servers/coturn/turnserver.conf

@@ -0,0 +1,45 @@
+realm=coturn.ellis.link 
+min-port=60006 
+max-port=65535 
+use-auth-secret 
+static-auth-secret=qjRh55G51K7V0ZqB7Z8ZEkxZjBLJMgkwEs8acFjx
+listening-ip=0.0.0.0
+
+#public ipv4 and ipv6 addresses
+external-ip=213.32.25.24
+external-ip=2001:41d0:1004:3918::1
+# VoIP traffic is all UDP. There is no reason to let users connect to arbitrary TCP endpoints via the relay.
+no-tcp-relay
+
+cert=/data/certs/coturn.ellis.link/cert.pem
+# TLS private key file
+pkey=/data/certs/coturn.ellis.link/key.pem
+
+# don't let the relay ever try to connect to private IP address ranges within your network (if any)
+# given the turn server is likely behind your firewall, remember to include any privileged public IPs too.
+denied-peer-ip=10.0.0.0-10.255.255.255
+denied-peer-ip=192.168.0.0-192.168.255.255
+denied-peer-ip=172.16.0.0-172.31.255.255
+
+# recommended additional local peers to block, to mitigate external access to internal services.
+# https://www.rtcsec.com/article/slack-webrtc-turn-compromise-and-bug-bounty/#how-to-fix-an-open-turn-relay-to-address-this-vulnerability
+no-multicast-peers
+denied-peer-ip=0.0.0.0-0.255.255.255
+denied-peer-ip=100.64.0.0-100.127.255.255
+denied-peer-ip=127.0.0.0-127.255.255.255
+denied-peer-ip=169.254.0.0-169.254.255.255
+denied-peer-ip=192.0.0.0-192.0.0.255
+denied-peer-ip=192.0.2.0-192.0.2.255
+denied-peer-ip=192.88.99.0-192.88.99.255
+denied-peer-ip=198.18.0.0-198.19.255.255
+denied-peer-ip=198.51.100.0-198.51.100.255
+denied-peer-ip=203.0.113.0-203.0.113.255
+denied-peer-ip=240.0.0.0-255.255.255.255
+
+# special case the turn server itself so that client->TURN->TURN->client flows work
+# this should be one of the turn server's listening IPs
+allowed-peer-ip=0.0.0.0
+
+# consider whether you want to limit the quota of relayed streams per user (or total) to avoid risk of DoS.
+user-quota=12 # 4 streams per video call, so 12 streams = 3 simultaneous relayed calls per user.
+total-quota=1200