From 4143350ca234cb9d0f65a968a8a9c0210e2a8cb1 Mon Sep 17 00:00:00 2001 From: richvdh Date: Thu, 23 Dec 2021 10:43:18 +0000 Subject: [PATCH] deploy: c500bf37d660b08efb48501b7690dc4448b39eca --- develop/print.html | 69 ++++++++++++++++++++++++++++++---------- develop/searchindex.js | 2 +- develop/searchindex.json | 2 +- develop/turn-howto.html | 69 ++++++++++++++++++++++++++++++---------- 4 files changed, 108 insertions(+), 34 deletions(-) diff --git a/develop/print.html b/develop/print.html index b722ffd325..ba20ac7409 100644 --- a/develop/print.html +++ b/develop/print.html @@ -1180,8 +1180,8 @@ TURN server.

The following sections describe how to install coturn (which implements the TURN REST API) and integrate it with synapse.

Requirements

For TURN relaying with coturn to work, it must be hosted on a server/endpoint with a public IP.

-

Hosting TURN behind a NAT (even with appropriate port forwarding) is known to cause issues -and to often not work.

+

Hosting TURN behind NAT requires port forwaring and for the NAT gateway to have a public IP. +However, even with appropriate configuration, NAT is known to cause issues and to often not work.

coturn setup

Initial installation

The TURN daemon coturn is available from a variety of sources such as native package managers, or installation from source.
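Review bot: typo in the added line of the "@@ -1180" hunk: "port forwaring" should read "port forwarding". The file list shows the same 69-line change in develop/turn-howto.html, so the same typo is very likely present there and both copies should be fixed together.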

@@ -1250,7 +1250,23 @@ denied-peer-ip=10.0.0.0-10.255.255.255 denied-peer-ip=192.168.0.0-192.168.255.255 denied-peer-ip=172.16.0.0-172.31.255.255 +# recommended additional local peers to block, to mitigate external access to internal services. +# https://www.rtcsec.com/article/slack-webrtc-turn-compromise-and-bug-bounty/#how-to-fix-an-open-turn-relay-to-address-this-vulnerability +no-multicast-peers +denied-peer-ip=0.0.0.0-0.255.255.255 +denied-peer-ip=100.64.0.0-100.127.255.255 +denied-peer-ip=127.0.0.0-127.255.255.255 +denied-peer-ip=169.254.0.0-169.254.255.255 +denied-peer-ip=192.0.0.0-192.0.0.255 +denied-peer-ip=192.0.2.0-192.0.2.255 +denied-peer-ip=192.88.99.0-192.88.99.255 +denied-peer-ip=198.18.0.0-198.19.255.255 +denied-peer-ip=198.51.100.0-198.51.100.255 +denied-peer-ip=203.0.113.0-203.0.113.255 +denied-peer-ip=240.0.0.0-255.255.255.255 + # special case the turn server itself so that client->TURN->TURN->client flows work +# this should be one of the turn server's listening IPs allowed-peer-ip=10.0.0.1 # consider whether you want to limit the quota of relayed streams per user (or total) to avoid risk of DoS. @@ -1268,7 +1284,7 @@ cert=/path/to/fullchain.pem # TLS private key file pkey=/path/to/privkey.pem -

In this case, replace the turn: schemes in the turn_uri settings below +

In this case, replace the turn: schemes in the turn_uris settings below with turns:.

We recommend that you only try to set up TLS/DTLS once you have set up a basic installation and got it working.
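Review bot: the additional denied-peer-ip ranges in the "@@ -1250" hunk are IPv4 only, but a later hunk in this same patch documents advertising an external IPv6 address and listening on a local IPv6 address; on such a dual-stack relay the IPv6 equivalents of the blocked local ranges (loopback ::1, link-local fe80::/10 and unique-local fc00::/7) would still be reachable as relay peers. Suggest adding matching denied-peer-ip lines for those IPv6 ranges next to the IPv4 list, with a comment that they only matter when coturn listens on IPv6. The new comment on "allowed-peer-ip=10.0.0.1" ("this should be one of the turn server's listening IPs") is a helpful addition, since that exception is what keeps the deny list from breaking the client->TURN->TURN->client case.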

@@ -1280,16 +1296,24 @@ traffic (remember to allow both TCP and UDP traffic), and ports 49152-65535 for the UDP relay.)

  • -

    We do not recommend running a TURN server behind NAT, and are not aware of -anyone doing so successfully.

    -

    If you want to try it anyway, you will at least need to tell coturn its -external IP address:

    -
    external-ip=192.88.99.1
    +

    If your TURN server is behind NAT, the NAT gateway must have an external, +publicly-reachable IP address. You must configure coturn to advertise that +address to connecting clients:

    +
    external-ip=EXTERNAL_NAT_IPv4_ADDRESS
     
    -

    ... and your NAT gateway must forward all of the relayed ports directly -(eg, port 56789 on the external IP must be always be forwarded to port -56789 on the internal IP).

    -

    If you get this working, let us know!

    +

    You may optionally limit the TURN server to listen only on the local +address that is mapped by NAT to the external address:

    +
    listening-ip=INTERNAL_TURNSERVER_IPv4_ADDRESS
    +
    +

    If your NAT gateway is reachable over both IPv4 and IPv6, you may +configure coturn to advertise each available address:

    +
    external-ip=EXTERNAL_NAT_IPv4_ADDRESS
    +external-ip=EXTERNAL_NAT_IPv6_ADDRESS
    +
    +

    When advertising an external IPv6 address, ensure that the firewall and +network settings of the system running your TURN server are configured to +accept IPv6 traffic, and that the TURN server is listening on the local +IPv6 address that is mapped by NAT to the external IPv6 address.

  • (Re)start the turn server:
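Review bot: in the "@@ -1280" hunk, the optional "listening-ip=INTERNAL_TURNSERVER_IPv4_ADDRESS" restriction is at odds with the dual-stack paragraph that follows it: a reader who adds that single line will have no IPv6 listener, yet the final paragraph requires the server to be listening on the local IPv6 address that NAT maps to the external IPv6 address. Suggest either adding "listening-ip=INTERNAL_TURNSERVER_IPv6_ADDRESS" beside the two external-ip lines, or stating explicitly that each advertised external-ip needs a corresponding listening-ip. Replacing the old literal "external-ip=192.88.99.1" with a placeholder is the right call here, since the earlier hunk in this patch now lists 192.88.99.0-192.88.99.255 as a denied peer range and the literal would have been confusing next to it.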

    @@ -1357,10 +1381,6 @@ connecting". Unfortunately, troubleshooting this can be tricky.

    Here are a few things to try: