From 6f06a8a8e8006bd66048a041f64d2fcf8dd4d098 Mon Sep 17 00:00:00 2001 From: steveseguin Date: Sun, 12 Jan 2025 19:20:02 -0500 Subject: [PATCH] fine turning turnserver install script --- turnserver.md | 33 ++++++--------- turnserver_basic.conf | 3 -- turnserver_install.sh.sample | 80 +++++++++++++++++++----------------- 3 files changed, 55 insertions(+), 61 deletions(-) diff --git a/turnserver.md b/turnserver.md index 47a3b7a..0695a09 100644 --- a/turnserver.md +++ b/turnserver.md @@ -49,7 +49,6 @@ listening-port=3478 # Standard STUN/TURN port fingerprint # Required for WebRTC lt-cred-mech # Long-term credential mechanism user=username:password # Authentication credentials -stale-nonce=600 # Nonce timeout in seconds realm=turn.example.com # Your server's domain server-name=turn.example.com no-multicast-peers # Security measure @@ -58,12 +57,10 @@ no-stdout-log # Disable stdout logging ## SSL/TLS Support (Optional) -The installer configures SSL/TLS support which: +The installer can configure SSL/TLS support which: - Enables TURNS (TURN over TLS) on port 443 - Automatically obtains and renews SSL certificates via certbot -- Generates secure DH parameters for improved TLS security - Configures automatic certificate reload without server restart -- Sets up proper file permissions for security ## Testing Your Server @@ -96,6 +93,9 @@ sudo ufw allow 3478/udp # Default TURN/STUN UDP sudo ufw allow 443/tcp # TURN TLS sudo ufw allow 443/udp # TURN TLS/DTLS +# If using Certbot for SSL renewals +sudo ufw allow 80/tcp # HTTP + # Media relay ports sudo ufw allow 49152:65535/tcp # TCP relay ports sudo ufw allow 49152:65535/udp # UDP relay ports 
@@ -131,16 +131,9 @@ sudo systemctl status coturn - Manual fix: `sudo setcap cap_net_bind_service=+ep /usr/bin/turnserver` 2. **SSL certificate errors (701)** - - Verify certificate permissions: `sudo chown -R turnserver:turnserver /etc/letsencrypt/live/your-domain/` - - Check DH parameters: `sudo ls -l /etc/turnserver/dhparam.pem` - - Ensure all SSL files are readable by turnserver user - - Verify cipher suite compatibility in config - -3. **TLS connection failures** - - Check firewall rules for both TCP and UDP on port 443 - - Verify TLS certificate paths in configuration - - Ensure DH parameters are properly generated - - Check logs: `sudo journalctl -u coturn -n 50` + - Verify certificate permissions + - Check certificate paths in configuration + - Ensure certificates are readable by turnserver user ## Production Considerations @@ -154,13 +147,11 @@ sudo systemctl status coturn - Watch for high CPU/memory usage - Track active connections -2. **Security** - - Regularly rotate TURN credentials - - Monitor for unusual traffic patterns - - Keep coturn, OpenSSL, and certificates up to date - - Use strong cipher suites for TLS connections - - Maintain proper file permissions - +3. **Security** + - Regularly update credentials + - Monitor for abuse + - Keep coturn and SSL certificates up to date + ## Support For issues or questions: diff --git a/turnserver_basic.conf b/turnserver_basic.conf index 416768e..ab6785e 100644 --- a/turnserver_basic.conf +++ b/turnserver_basic.conf @@ -3,13 +3,10 @@ listening-port=3478 alt-listening-port=0 fingerprint -no-stun lt-cred-mech user=vdoninja:somepasswordwhere -stale-nonce=600 realm=turn.vdo.ninja server-name=turn.vdo.ninja no-multicast-peers -stale-nonce=600 no-stdout-log #verbose diff --git a/turnserver_install.sh.sample b/turnserver_install.sh.sample index fb9fdd0..201c610 100644 --- a/turnserver_install.sh.sample +++ b/turnserver_install.sh.sample 
@@ -5,14 +5,23 @@ if [ "$EUID" -ne 0 ]; then exit 1 fi -configure_ssl() { +setup_permissions() { local DOMAIN=$1 - # Generate DH params first - if [ ! -f /etc/turnserver/dhparam.pem ]; then - mkdir -p /etc/turnserver - openssl dhparam -out /etc/turnserver/dhparam.pem 2066 - fi + # Create secure directory for coturn certs + mkdir -p /etc/coturn/certs + + # Copy certificates with proper permissions + cp /etc/letsencrypt/live/${DOMAIN}/fullchain.pem /etc/coturn/certs/ + cp /etc/letsencrypt/live/${DOMAIN}/privkey.pem /etc/coturn/certs/ + + # Set proper ownership and permissions + chown -R turnserver:turnserver /etc/coturn/certs + chmod 600 /etc/coturn/certs/*.pem +} + +configure_ssl() { + local DOMAIN=$1 # Check if port 80 is in use if netstat -tuln | grep ':80 '; then 
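Review bot: The two `cp` lines in setup_permissions run unchecked and with `${DOMAIN}` unquoted, so if certbot never produced the files the function still runs `chown -R` on an empty directory, `chmod 600 /etc/coturn/certs/*.pem` operates on a literal glob (unless nullglob is set) and the caller continues as though TLS were configured. I would write `cp -- "/etc/letsencrypt/live/${DOMAIN}/fullchain.pem" /etc/coturn/certs/ || return 1` and the same for privkey.pem, and add `chmod 700 /etc/coturn/certs` so the directory itself matches the "secure directory" comment instead of inheriting the umask default. The hunk ends inside configure_ssl, whose body continues outside it.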
@@ -52,28 +61,22 @@ configure_ssl() { # Update turnserver.conf with SSL settings cat >> /etc/turnserver.conf << EOL -# SSL Configuration -cert=/etc/letsencrypt/live/${DOMAIN}/fullchain.pem -pkey=/etc/letsencrypt/live/${DOMAIN}/privkey.pem -dh-file=/etc/turnserver/dhparam.pem - -# Cipher Suite -cipher-list="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" +cert=/etc/coturn/certs/fullchain.pem +pkey=/etc/coturn/certs/privkey.pem +tls-listening-port=443 EOL - # Set proper permissions - chown -R turnserver:turnserver /etc/turnserver - chmod 700 /etc/turnserver - chmod 600 /etc/turnserver/dhparam.pem + # Setup permissions after getting certificates + setup_permissions "$DOMAIN" - # Also ensure proper permissions for SSL certs - chown -R turnserver:turnserver /etc/letsencrypt/live/${DOMAIN}/ - chmod -R 700 /etc/letsencrypt/live/${DOMAIN}/ - - # Create renewal hook + # Update the renewal hook to copy new certs mkdir -p /etc/letsencrypt/renewal-hooks/deploy cat > /etc/letsencrypt/renewal-hooks/deploy/coturn-reload << EOL #!/bin/bash +cp /etc/letsencrypt/live/${DOMAIN}/fullchain.pem /etc/coturn/certs/ +cp /etc/letsencrypt/live/${DOMAIN}/privkey.pem /etc/coturn/certs/ +chown turnserver:turnserver /etc/coturn/certs/*.pem +chmod 600 /etc/coturn/certs/*.pem systemctl --signal=SIGUSR2 kill coturn EOL chmod +x /etc/letsencrypt/renewal-hooks/deploy/coturn-reload @@ -89,7 +92,7 @@ install_coturn() { # Install required packages apt-get update - apt-get install coturn curl dnsutils openssl -y + apt-get install coturn curl dnsutils -y # Configure system limits echo "fs.file-max = 65535" >> /etc/sysctl.conf 
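Review bot: The renewal hook written in this hunk has no `set -e`, so when either `cp` from `/etc/letsencrypt/live/${DOMAIN}/` fails the script still runs `chmod 600` on the old files and sends SIGUSR2 to coturn, reloading certificates that were never refreshed; adding `set -euo pipefail` directly after `#!/bin/bash` inside the heredoc stops the hook before the reload signal and lets certbot surface the non-zero exit. The `cat >> /etc/turnserver.conf` block above it appends `cert=`, `pkey=` and `tls-listening-port=443` unconditionally, so re-running the installer would presumably duplicate those keys; a guard such as `grep -q '^tls-listening-port=' /etc/turnserver.conf ||` before the append would keep the config idempotent. configure_ssl starts before this hunk, and the hunk ends at the `chmod +x` line before the function's closing brace.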
@@ -101,30 +104,33 @@ install_coturn() { # Generate base turnserver configuration cat > /etc/turnserver.conf << EOL -# Listening Ports listening-port=3478 -alt-listening-port=3479 -tls-listening-port=443 - -# Authentication +alt-listening-port=0 fingerprint lt-cred-mech -user=${USERNAME}:${PASSWORD} -stale-nonce=600 - -# Server Configuration -realm=${DOMAIN} -server-name=${DOMAIN} min-port=49152 max-port=65535 - -# Security +user=${USERNAME}:${PASSWORD} +stale-nonce=600 +realm=${DOMAIN} +server-name=${DOMAIN} no-multicast-peers no-stdout-log EOL # Set proper permissions for binding to privileged ports setcap cap_net_bind_service=+ep /usr/bin/turnserver + + # Configure journald log limits + mkdir -p /etc/systemd/journald.conf.d/ + cat > /etc/systemd/journald.conf.d/coturn.conf << EOL +[Journal] +SystemMaxUse=50M +RuntimeMaxUse=50M +EOL + + # Restart journald to apply changes + systemctl restart systemd-journald # Start services systemctl daemon-reload @@ -176,7 +182,7 @@ echo "Installation complete!" echo "----------------------------------------" echo "Domain: $DOMAIN" echo "Username: $USERNAME" -echo "STUN/TURN ports: 3478 (default), 3479 (alt)" +echo "STUN/TURN ports: 3478 (default)" if [ "${ENABLE_SSL,,}" = "y" ]; then echo "TLS enabled on port 443" echo "SSL certificates will automatically renew via certbot"
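Review bot: The `<< EOL` heredoc is unquoted, so the re-added `user=${USERNAME}:${PASSWORD}` line undergoes `$`, backtick and backslash expansion: a password containing those characters is written to /etc/turnserver.conf in altered form, or even triggers command substitution, rather than as entered. Writing that one line outside the heredoc, `printf 'user=%s:%s\n' "$USERNAME" "$PASSWORD" >> /etc/turnserver.conf`, keeps the credential literal while the `${DOMAIN}` lines keep their expansion. `stale-nonce=600` is kept here although the same commit deletes it from turnserver_basic.conf and turnserver.md; either drop it here too or add a comment explaining why the generated config differs. The journald drop-in named coturn.conf sets `SystemMaxUse=50M` under `[Journal]`, which caps the entire host journal (every unit's logs, not only coturn's) and shortens the retention available for later investigation, so that deserves a comment and a mention in the completion output. install_coturn begins before this hunk and continues past it.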