Update Turnserver config

- Add full relay support (turn) :
 - Open ports range (49152 - 49192)
 - Set external-ip (for nat)
- Enable stun mode
- Improve log management
- Improve security

conf/turnserver.conf

@@ -2,10 +2,11 @@ lt-cred-mech
 use-auth-secret
 static-auth-secret=__TURNPWD__
 realm=__DOMAIN__
-no-stun
 
 tls-listening-port=__TLS_PORT__
 alt-tls-listening-port=__TLS_ALT_PORT__
+min-port=49152
+max-port=49192
 cli-port=__CLI_PORT__
 
 cert=/etc/yunohost/certs/__DOMAIN__/crt.pem
@@ -14,8 +15,14 @@ dh-file=/etc/matrix-__APP__/dh.pem
 
 no-sslv2
 no-sslv3
-no-udp
+no-tlsv1
-no-tcp
+
+no-loopback-peers
+no-multicast-peers
 
 log-file=/var/log/matrix-__APP__/turnserver.log
 pidfile=/var/run/coturn-__APP__/turnserver.pid
+simple-log
+
+external-ip=__IPV4__,__IPV6__
+

scripts/install

@@ -76,6 +76,7 @@ cli_port=$(ynh_find_port 5766)
 yunohost firewall allow TCP $synapse_tls_port > /dev/null 2>&1
 yunohost firewall allow Both $turnserver_tls_port > /dev/null 2>&1
 yunohost firewall allow Both $turnserver_alt_tls_port > /dev/null 2>&1
+yunohost firewall allow Both '49152:49192' > /dev/null 2>&1
 
 # Store opened ports
 ynh_app_setting_set $app synapse_port $port
@@ -250,6 +251,23 @@ ynh_replace_string __TLS_PORT__ $turnserver_tls_port "$coturn_config_path"
 ynh_replace_string __TLS_ALT_PORT__ $turnserver_alt_tls_port "$coturn_config_path"
 ynh_replace_string __CLI_PORT__ $cli_port "$coturn_config_path"
 
+# Get public IP and set as external IP for coturn
+public_ip4="$(curl ip.yunohost.org)"
+public_ip6="$(curl ipv6.yunohost.org)"
+if ynh_validate_ip4 "$public_ip4"
+then
+    ynh_replace_string '__IPV4__' "$public_ip4" "$coturn_config_path"
+else
+    ynh_replace_string '__IPV4__,' "" "$coturn_config_path"
+fi
+
+if ynh_valide_ip6 "$public_ip6"
+then
+    ynh_replace_string '__IPV6__' "$public_ip6" "$coturn_config_path"
+else
+    ynh_replace_string ',__IPV6__' "" "$coturn_config_path"
+fi
+
 ynh_store_file_checksum "$coturn_config_path"
 
 #=================================================

scripts/remove

@@ -58,6 +58,7 @@ closeport() {
 closeport $synapse_tls_port
 closeport $turnserver_tls_port
 closeport $turnserver_alt_tls_port
+closeport '49152:49192'
 
 #=================================================
 # SETUP SSOWAT

scripts/restore

@@ -80,6 +80,7 @@ adduser turnserver ssl-cert
 yunohost firewall allow TCP $synapse_tls_port > /dev/null 2>&1
 yunohost firewall allow Both $turnserver_tls_port > /dev/null 2>&1
 yunohost firewall allow Both $turnserver_alt_tls_port > /dev/null 2>&1
+yunohost firewall allow Both '49152:49192' > /dev/null 2>&1
 
 #=================================================
 # SETUP SSOWAT

scripts/upgrade

@@ -204,6 +204,15 @@ test -e /etc/matrix-$app/dh.pem || \
     cp /etc/yunohost/certs/$domain/dh.pem /etc/matrix-$app/dh.pem || \
         openssl dhparam -out /etc/matrix-$app/dh.pem 2048 > /dev/null
 
+#=================================================
+# MIGRATION 4 : FIX TURNSERVER CONFIG
+#=================================================
+
+if ! yunohost firewall list | grep -q "\- 49152:49192$"
+then
+    yunohost firewall allow Both 49152:49192 > /dev/null 2>&1
+fi
+
 #=================================================
 # STANDARD UPGRADE STEPS
 #=================================================
@@ -221,8 +230,6 @@ ynh_add_nginx_config
 
 coturn_config_path="/etc/matrix-$app/coturn.conf"
 
-ynh_backup_if_checksum_is_different "$coturn_config_path"
-
 cp ../conf/turnserver.conf "$coturn_config_path"
 
 ynh_replace_string __APP__ $app "$coturn_config_path"
@@ -232,6 +239,23 @@ ynh_replace_string __TLS_PORT__ $turnserver_tls_port "$coturn_config_path"
 ynh_replace_string __TLS_ALT_PORT__ $turnserver_alt_tls_port "$coturn_config_path"
 ynh_replace_string __CLI_PORT__ $cli_port "$coturn_config_path"
 
+# Get public IP and set as external IP for coturn
+public_ip4="$(curl ip.yunohost.org)"
+public_ip6="$(curl ipv6.yunohost.org)"
+if ynh_validate_ip4 "$public_ip4"
+then
+    ynh_replace_string '__IPV4__' "$public_ip4" "$coturn_config_path"
+else
+    ynh_replace_string '__IPV4__,' "" "$coturn_config_path"
+fi
+
+if ynh_valide_ip6 "$public_ip6"
+then
+    ynh_replace_string '__IPV6__' "$public_ip6" "$coturn_config_path"
+else
+    ynh_replace_string ',__IPV6__' "" "$coturn_config_path"
+fi
+
 ynh_store_file_checksum "$coturn_config_path"
 
 #=================================================