synapse_ynh/conf/turnserver.conf

use-auth-secret
static-auth-secret={{ turnserver_pwd }}
cli-password={{ turnserver_cli_pwd }}
realm={{ domain }}

tls-listening-port={{ port_turnserver_tls }}
alt-tls-listening-port={{ port_turnserver_alt_tls }}
min-port=49153
max-port=49193
cli-port={{ port_cli }}

cert=/etc/yunohost/certs/{{ domain }}/crt.pem
pkey=/etc/yunohost/certs/{{ domain }}/key.pem
dh-file=/etc/ssl/private/dh2048.pem

{% if enable_dtls_for_audio_video_turn_call == 'true' %}
# Block clear communication
no-udp
no-tcp
{% endif %}

# Block old protocols
no-sslv2
no-sslv3
no-tlsv1
no-tlsv1_1

log-file=/var/log/matrix-{{ app }}/turnserver.log
pidfile=/run/coturn-{{ app }}/turnserver.pid
simple-log

# consider whether you want to limit the quota of relayed streams per user (or total) to avoid risk of DoS.
user-quota=12 # 4 streams per video call, so 12 streams = 3 simultaneous relayed calls per user.
total-quota=1200

# recommended additional local peers to block, to mitigate external access to internal services.
# https://www.rtcsec.com/article/slack-webrtc-turn-compromise-and-bug-bounty/#how-to-fix-an-open-turn-relay-to-address-this-vulnerability
no-multicast-peers
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=127.0.0.0-127.255.255.255

# Max time 12h
max-allocate-lifetime=43200

{%- for ip in turn_external_ip.strip(',').split(',') %}
external-ip={{ ip }}
{%- endfor %}
First commit 2017-02-13 20:43:41 +01:00			`use-auth-secret`
Use jinja template for complexe config file 2024-04-04 23:47:08 +02:00			`static-auth-secret={{ turnserver_pwd }}`
Fix turnserver config 2024-06-22 17:39:59 +02:00			`cli-password={{ turnserver_cli_pwd }}`
Use jinja template for complexe config file 2024-04-04 23:47:08 +02:00			`realm={{ domain }}`
First commit 2017-02-13 20:43:41 +01:00
Use jinja template for complexe config file 2024-04-04 23:47:08 +02:00			`tls-listening-port={{ port_turnserver_tls }}`
			`alt-tls-listening-port={{ port_turnserver_alt_tls }}`
Use a port range wich don't contain the upnp service 2018-06-20 19:22:25 +02:00			`min-port=49153`
			`max-port=49193`
Use jinja template for complexe config file 2024-04-04 23:47:08 +02:00			`cli-port={{ port_cli }}`
First commit 2017-02-13 20:43:41 +01:00
Use jinja template for complexe config file 2024-04-04 23:47:08 +02:00			`cert=/etc/yunohost/certs/{{ domain }}/crt.pem`
			`pkey=/etc/yunohost/certs/{{ domain }}/key.pem`
Fix dh_file path on turnserver config 2020-05-20 22:08:14 +02:00			`dh-file=/etc/ssl/private/dh2048.pem`
First commit 2017-02-13 20:43:41 +01:00
Use jinja template for complexe config file 2024-04-04 23:47:08 +02:00			`{% if enable_dtls_for_audio_video_turn_call == 'true' %}`
			`# Block clear communication`
			`no-udp`
			`no-tcp`
			`{% endif %}`
Improve coturn config 2024-03-09 01:51:57 +01:00
			`# Block old protocols`
First commit 2017-02-13 20:43:41 +01:00			`no-sslv2`
Full upgrade - Add multi instance support - Remove offical helper in common.sh - Improve turnserver config - Update checkprocess - Check synapse is fully started before the end script - Use helper nginx ynh_add_nginx_config 2018-01-19 22:05:39 +01:00			`no-sslv3`
Update Turnserver config - Add full relay support (turn) : - Open ports range (49152 - 49192) - Set external-ip (for nat) - Enable stun mode - Improve log management - Improve security 2018-05-06 00:35:58 +02:00			`no-tlsv1`
Fix and improve coturn config 2020-05-20 23:41:04 +02:00			`no-tlsv1_1`
Update Turnserver config - Add full relay support (turn) : - Open ports range (49152 - 49192) - Set external-ip (for nat) - Enable stun mode - Improve log management - Improve security 2018-05-06 00:35:58 +02:00
Use jinja template for complexe config file 2024-04-04 23:47:08 +02:00			`log-file=/var/log/matrix-{{ app }}/turnserver.log`
			`pidfile=/run/coturn-{{ app }}/turnserver.pid`
Update Turnserver config - Add full relay support (turn) : - Open ports range (49152 - 49192) - Set external-ip (for nat) - Enable stun mode - Improve log management - Improve security 2018-05-06 00:35:58 +02:00			`simple-log`
Implement group permission support and use new helper for config file 2020-12-15 22:25:29 +01:00
Remplement TLS/DTLS for calls 2024-02-26 22:35:05 +01:00			`# consider whether you want to limit the quota of relayed streams per user (or total) to avoid risk of DoS.`
			`user-quota=12 # 4 streams per video call, so 12 streams = 3 simultaneous relayed calls per user.`
			`total-quota=1200`

Improve coturn config 2024-03-09 01:51:57 +01:00			`# recommended additional local peers to block, to mitigate external access to internal services.`
			`# https://www.rtcsec.com/article/slack-webrtc-turn-compromise-and-bug-bounty/#how-to-fix-an-open-turn-relay-to-address-this-vulnerability`
			`no-multicast-peers`
			`denied-peer-ip=0.0.0.0-0.255.255.255`
			`denied-peer-ip=127.0.0.0-127.255.255.255`

Remplement TLS/DTLS for calls 2024-02-26 22:35:05 +01:00			`# Max time 12h`
			`max-allocate-lifetime=43200`

Use jinja template for complexe config file 2024-04-04 23:47:08 +02:00			`{%- for ip in turn_external_ip.strip(',').split(',') %}`
			`external-ip={{ ip }}`
			`{%- endfor %}`