Update Turnserver config

- Add full relay support (turn) : - Open ports range (49152 - 49192) - Set external-ip (for nat) - Enable stun mode - Improve log management - Improve security
2024-09-03 20:26:38 +02:00 · 2018-05-06 00:35:58 +02:00 · 2018-05-06 00:35:58 +02:00 · 1af31cfdf0
commit 1af31cfdf0
parent 2ccf1b0108
5 changed files with 56 additions and 5 deletions
--- a/conf/turnserver.conf
+++ b/conf/turnserver.conf
@ -2,10 +2,11 @@ lt-cred-mech
 use-auth-secret
 static-auth-secret=__TURNPWD__
 realm=__DOMAIN__
-no-stun

 tls-listening-port=__TLS_PORT__
 alt-tls-listening-port=__TLS_ALT_PORT__
+min-port=49152
+max-port=49192
 cli-port=__CLI_PORT__

 cert=/etc/yunohost/certs/__DOMAIN__/crt.pem
@ -14,8 +15,14 @@ dh-file=/etc/matrix-__APP__/dh.pem

 no-sslv2
 no-sslv3
-no-udp
-no-tcp
+no-tlsv1
+
+no-loopback-peers
+no-multicast-peers

 log-file=/var/log/matrix-__APP__/turnserver.log
 pidfile=/var/run/coturn-__APP__/turnserver.pid
+simple-log
+
+external-ip=__IPV4__,__IPV6__
+
--- a/scripts/install
+++ b/scripts/install
@ -76,6 +76,7 @@ cli_port=$(ynh_find_port 5766)
 yunohost firewall allow TCP $synapse_tls_port > /dev/null 2>&1
 yunohost firewall allow Both $turnserver_tls_port > /dev/null 2>&1
 yunohost firewall allow Both $turnserver_alt_tls_port > /dev/null 2>&1
+yunohost firewall allow Both '49152:49192' > /dev/null 2>&1

 # Store opened ports
 ynh_app_setting_set $app synapse_port $port
@ -250,6 +251,23 @@ ynh_replace_string __TLS_PORT__ $turnserver_tls_port "$coturn_config_path"
 ynh_replace_string __TLS_ALT_PORT__ $turnserver_alt_tls_port "$coturn_config_path"
 ynh_replace_string __CLI_PORT__ $cli_port "$coturn_config_path"

+# Get public IP and set as external IP for coturn
+public_ip4="$(curl ip.yunohost.org)"
+public_ip6="$(curl ipv6.yunohost.org)"
+if ynh_validate_ip4 "$public_ip4"
+then
+    ynh_replace_string '__IPV4__' "$public_ip4" "$coturn_config_path"
+else
+    ynh_replace_string '__IPV4__,' "" "$coturn_config_path"
+fi
+
+if ynh_valide_ip6 "$public_ip6"
+then
+    ynh_replace_string '__IPV6__' "$public_ip6" "$coturn_config_path"
+else
+    ynh_replace_string ',__IPV6__' "" "$coturn_config_path"
+fi
+
 ynh_store_file_checksum "$coturn_config_path"

 #=================================================
--- a/scripts/remove
+++ b/scripts/remove
@ -58,6 +58,7 @@ closeport() {
 closeport $synapse_tls_port
 closeport $turnserver_tls_port
 closeport $turnserver_alt_tls_port
+closeport '49152:49192'

 #=================================================
 # SETUP SSOWAT
--- a/scripts/restore
+++ b/scripts/restore
@ -80,6 +80,7 @@ adduser turnserver ssl-cert
 yunohost firewall allow TCP $synapse_tls_port > /dev/null 2>&1
 yunohost firewall allow Both $turnserver_tls_port > /dev/null 2>&1
 yunohost firewall allow Both $turnserver_alt_tls_port > /dev/null 2>&1
+yunohost firewall allow Both '49152:49192' > /dev/null 2>&1

 #=================================================
 # SETUP SSOWAT
--- a/scripts/upgrade
+++ b/scripts/upgrade
@ -204,6 +204,15 @@ test -e /etc/matrix-$app/dh.pem || \
    cp /etc/yunohost/certs/$domain/dh.pem /etc/matrix-$app/dh.pem || \
        openssl dhparam -out /etc/matrix-$app/dh.pem 2048 > /dev/null

+#=================================================
+# MIGRATION 4 : FIX TURNSERVER CONFIG
+#=================================================
+
+if ! yunohost firewall list | grep -q "\- 49152:49192$"
+then
+    yunohost firewall allow Both 49152:49192 > /dev/null 2>&1
+fi
+
 #=================================================
 # STANDARD UPGRADE STEPS
 #=================================================
@ -221,8 +230,6 @@ ynh_add_nginx_config

 coturn_config_path="/etc/matrix-$app/coturn.conf"

-ynh_backup_if_checksum_is_different "$coturn_config_path"
-
 cp ../conf/turnserver.conf "$coturn_config_path"

 ynh_replace_string __APP__ $app "$coturn_config_path"
@ -232,6 +239,23 @@ ynh_replace_string __TLS_PORT__ $turnserver_tls_port "$coturn_config_path"
 ynh_replace_string __TLS_ALT_PORT__ $turnserver_alt_tls_port "$coturn_config_path"
 ynh_replace_string __CLI_PORT__ $cli_port "$coturn_config_path"

+# Get public IP and set as external IP for coturn
+public_ip4="$(curl ip.yunohost.org)"
+public_ip6="$(curl ipv6.yunohost.org)"
+if ynh_validate_ip4 "$public_ip4"
+then
+    ynh_replace_string '__IPV4__' "$public_ip4" "$coturn_config_path"
+else
+    ynh_replace_string '__IPV4__,' "" "$coturn_config_path"
+fi
+
+if ynh_valide_ip6 "$public_ip6"
+then
+    ynh_replace_string '__IPV6__' "$public_ip6" "$coturn_config_path"
+else
+    ynh_replace_string ',__IPV6__' "" "$coturn_config_path"
+fi
+
 ynh_store_file_checksum "$coturn_config_path"

 #=================================================