From c1c4a0def1ea70debb4cac707f0efc58b9e6d135 Mon Sep 17 00:00:00 2001 From: steveseguin Date: Sun, 12 Jan 2025 18:41:28 -0500 Subject: [PATCH] verifying new turn instucts --- turnserver.md | 30 +++++++++++++++++--------- turnserver_basic.conf | 1 - turnserver_install.sh.sample | 42 ++++++++++++++++++++++++++++-------- 3 files changed, 53 insertions(+), 20 deletions(-) diff --git a/turnserver.md b/turnserver.md index 9bd77a820..47a3b7a59 100644 --- a/turnserver.md +++ b/turnserver.md @@ -53,16 +53,17 @@ stale-nonce=600 # Nonce timeout in seconds realm=turn.example.com # Your server's domain server-name=turn.example.com no-multicast-peers # Security measure -dh2066 # Strong DH params no-stdout-log # Disable stdout logging ``` ## SSL/TLS Support (Optional) -The installer can configure SSL/TLS support which: +The installer configures SSL/TLS support which: - Enables TURNS (TURN over TLS) on port 443 - Automatically obtains and renews SSL certificates via certbot +- Generates secure DH parameters for improved TLS security - Configures automatic certificate reload without server restart +- Sets up proper file permissions for security ## Testing Your Server 
@@ -130,9 +131,16 @@ sudo systemctl status coturn - Manual fix: `sudo setcap cap_net_bind_service=+ep /usr/bin/turnserver` 2. **SSL certificate errors (701)** - - Verify certificate permissions - - Check certificate paths in configuration - - Ensure certificates are readable by turnserver user + - Verify certificate permissions: `sudo chown -R turnserver:turnserver /etc/letsencrypt/live/your-domain/` + - Check DH parameters: `sudo ls -l /etc/turnserver/dhparam.pem` + - Ensure all SSL files are readable by turnserver user + - Verify cipher suite compatibility in config + +3. **TLS connection failures** + - Check firewall rules for both TCP and UDP on port 443 + - Verify TLS certificate paths in configuration + - Ensure DH parameters are properly generated + - Check logs: `sudo journalctl -u coturn -n 50` ## Production Considerations @@ -146,11 +154,13 @@ sudo systemctl status coturn - Watch for high CPU/memory usage - Track active connections -3. **Security** - - Regularly update credentials - - Monitor for abuse - - Keep coturn and SSL certificates up to date - +2. **Security** + - Regularly rotate TURN credentials + - Monitor for unusual traffic patterns + - Keep coturn, OpenSSL, and certificates up to date + - Use strong cipher suites for TLS connections + - Maintain proper file permissions + ## Support For issues or questions: diff --git a/turnserver_basic.conf b/turnserver_basic.conf index b5042b870..416768ec1 100644 --- a/turnserver_basic.conf +++ b/turnserver_basic.conf @@ -11,6 +11,5 @@ realm=turn.vdo.ninja server-name=turn.vdo.ninja no-multicast-peers stale-nonce=600 -dh2066 no-stdout-log #verbose diff --git a/turnserver_install.sh.sample b/turnserver_install.sh.sample index c0fb21439..fb9fdd05d 100644 --- a/turnserver_install.sh.sample +++ b/turnserver_install.sh.sample 
@@ -8,6 +8,12 @@ fi configure_ssl() { local DOMAIN=$1 + # Generate DH params first + if [ ! -f /etc/turnserver/dhparam.pem ]; then + mkdir -p /etc/turnserver + openssl dhparam -out /etc/turnserver/dhparam.pem 2066 + fi + # Check if port 80 is in use if netstat -tuln | grep ':80 '; then echo "Warning: Port 80 is in use. Stopping potentially conflicting services..." @@ -46,11 +52,24 @@ configure_ssl() { # Update turnserver.conf with SSL settings cat >> /etc/turnserver.conf << EOL +# SSL Configuration cert=/etc/letsencrypt/live/${DOMAIN}/fullchain.pem pkey=/etc/letsencrypt/live/${DOMAIN}/privkey.pem -tls-listening-port=443 +dh-file=/etc/turnserver/dhparam.pem + +# Cipher Suite +cipher-list="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" EOL + # Set proper permissions + chown -R turnserver:turnserver /etc/turnserver + chmod 700 /etc/turnserver + chmod 600 /etc/turnserver/dhparam.pem + + # Also ensure proper permissions for SSL certs + chown -R turnserver:turnserver /etc/letsencrypt/live/${DOMAIN}/ + chmod -R 700 /etc/letsencrypt/live/${DOMAIN}/ + # Create renewal hook mkdir -p /etc/letsencrypt/renewal-hooks/deploy cat > /etc/letsencrypt/renewal-hooks/deploy/coturn-reload << EOL @@ -70,7 +89,7 @@ install_coturn() { # Install required packages apt-get update - apt-get install coturn curl dnsutils -y + apt-get install coturn curl dnsutils openssl -y # Configure system limits echo "fs.file-max = 65535" >> /etc/sysctl.conf 
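Review bot: The new `openssl dhparam -out /etc/turnserver/dhparam.pem 2066` is never checked for success while the `[ ! -f /etc/turnserver/dhparam.pem ]` guard keys only on the file's existence, so an interrupted or failed run leaves a truncated dhparam.pem that is never regenerated and that coturn will later refuse through `dh-file=`. Generate into a temporary file and move it into place only on success: `tmp=$(mktemp /etc/turnserver/dhparam.XXXXXX) || return 1` followed by `openssl dhparam -out "$tmp" 2066 && mv -f "$tmp" /etc/turnserver/dhparam.pem || { rm -f "$tmp"; echo "dhparam generation failed" >&2; return 1; }`. Whether the script runs under `set -e`, and whether openssl is already installed when configure_ssl runs (the `apt-get install ... openssl` added later in this patch lives in install_coturn), is not visible from this hunk. configure_ssl continues past the end of the hunk.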
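Review bot: The `chown -R turnserver:turnserver` and `chmod -R 700` on `/etc/letsencrypt/live/${DOMAIN}/` act on a directory of symlinks; the key material lives in `/etc/letsencrypt/archive/`, whose files and parent directories these lines do not touch, and GNU chown/chmod -R do not follow symlinks met while recursing, so turnserver is likely still unable to open privkey.pem, and a certbot renewal that writes a fresh archive key as root (not verifiable here) would undo whatever did work. `chmod -R 700` also locks every other non-root service that shares this certificate out of the directory, and handing ownership of Let's Encrypt state to a network-facing daemon inverts the intended trust direction. Keep `/etc/letsencrypt` root-owned and copy the two files into `/etc/turnserver` with the right owner and mode, pointing `cert=`/`pkey=` at the copies; the renewal hook created just below this hunk should repeat the copy before reloading coturn. `${DOMAIN}` should also be quoted wherever it forms a path.
```shell
  cat >> /etc/turnserver.conf << EOL
# SSL Configuration
cert=/etc/turnserver/fullchain.pem
pkey=/etc/turnserver/privkey.pem
dh-file=/etc/turnserver/dhparam.pem
# … unchanged: cipher-list …
EOL

  # Keep /etc/letsencrypt root-owned; give coturn private copies instead.
  # install(1) copies the symlink target, so this works for live/ paths.
  install -o turnserver -g turnserver -m 0644 "/etc/letsencrypt/live/${DOMAIN}/fullchain.pem" /etc/turnserver/fullchain.pem
  install -o turnserver -g turnserver -m 0600 "/etc/letsencrypt/live/${DOMAIN}/privkey.pem" /etc/turnserver/privkey.pem
  chown turnserver:turnserver /etc/turnserver
  chmod 700 /etc/turnserver
  chmod 600 /etc/turnserver/dhparam.pem

  # … unchanged: renewal hook creation (repeat the two install lines there before the reload) …
```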
@@ -82,20 +101,25 @@ install_coturn() { # Generate base turnserver configuration cat > /etc/turnserver.conf << EOL +# Listening Ports listening-port=3478 -alt-listening-port=0 +alt-listening-port=3479 +tls-listening-port=443 + +# Authentication fingerprint lt-cred-mech -# STUN/TURN configuration -stun-port=3478 -min-port=49152 -max-port=65535 user=${USERNAME}:${PASSWORD} stale-nonce=600 + +# Server Configuration realm=${DOMAIN} server-name=${DOMAIN} +min-port=49152 +max-port=65535 + +# Security no-multicast-peers -dh2066 no-stdout-log EOL @@ -152,7 +176,7 @@ echo "Installation complete!" echo "----------------------------------------" echo "Domain: $DOMAIN" echo "Username: $USERNAME" -echo "STUN/TURN ports: 3478 (default)" +echo "STUN/TURN ports: 3478 (default), 3479 (alt)" if [ "${ENABLE_SSL,,}" = "y" ]; then echo "TLS enabled on port 443" echo "SSL certificates will automatically renew via certbot"
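Review bot: `tls-listening-port=443` is now written into the base config unconditionally, but `cert=`/`pkey=`/`dh-file=` are only appended by configure_ssl, so when `ENABLE_SSL` is not `y` coturn is told to serve TLS on 443 with no certificate configured and will either fail that listener or fall back to whatever default it finds; gate the line on the same `ENABLE_SSL` check used further down, or move it back into configure_ssl. The same heredoc writes `user=${USERNAME}:${PASSWORD}` into `/etc/turnserver.conf`, yet the permission hardening elsewhere in this patch covers only `/etc/turnserver/` and the dhparam file (a public value), leaving the one file that holds a secret at the default umask; add `chown root:turnserver /etc/turnserver.conf` and `chmod 640 /etc/turnserver.conf` right after the `EOL`. Changing `alt-listening-port` from 0 to 3479 opens a second STUN/TURN port, so the firewall guidance in turnserver.md should list it alongside 3478 and 443. install_coturn continues beyond this hunk.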