fine turning turnserver install script

turnserver.md

@@ -49,7 +49,6 @@ listening-port=3478        # Standard STUN/TURN port
 fingerprint               # Required for WebRTC
 lt-cred-mech             # Long-term credential mechanism
 user=username:password    # Authentication credentials
-stale-nonce=600          # Nonce timeout in seconds
 realm=turn.example.com   # Your server's domain
 server-name=turn.example.com
 no-multicast-peers       # Security measure
@@ -58,12 +57,10 @@ no-stdout-log           # Disable stdout logging
 
 ## SSL/TLS Support (Optional)
 
-The installer configures SSL/TLS support which:
+The installer can configure SSL/TLS support which:
 - Enables TURNS (TURN over TLS) on port 443
 - Automatically obtains and renews SSL certificates via certbot
-- Generates secure DH parameters for improved TLS security
 - Configures automatic certificate reload without server restart
-- Sets up proper file permissions for security
 
 ## Testing Your Server
 
@@ -96,6 +93,9 @@ sudo ufw allow 3478/udp  # Default TURN/STUN UDP
 sudo ufw allow 443/tcp   # TURN TLS
 sudo ufw allow 443/udp   # TURN TLS/DTLS
 
+# If using Certbot for SSL renewals
+sudo ufw allow 80/tcp   # HTTP
+
 # Media relay ports
 sudo ufw allow 49152:65535/tcp  # TCP relay ports
 sudo ufw allow 49152:65535/udp  # UDP relay ports
@@ -131,16 +131,9 @@ sudo systemctl status coturn
    - Manual fix: `sudo setcap cap_net_bind_service=+ep /usr/bin/turnserver`
 
 2. **SSL certificate errors (701)**
-   - Verify certificate permissions: `sudo chown -R turnserver:turnserver /etc/letsencrypt/live/your-domain/`
+   - Verify certificate permissions
-   - Check DH parameters: `sudo ls -l /etc/turnserver/dhparam.pem`
+   - Check certificate paths in configuration
-   - Ensure all SSL files are readable by turnserver user
+   - Ensure certificates are readable by turnserver user
-   - Verify cipher suite compatibility in config
-
-3. **TLS connection failures**
-   - Check firewall rules for both TCP and UDP on port 443
-   - Verify TLS certificate paths in configuration
-   - Ensure DH parameters are properly generated
-   - Check logs: `sudo journalctl -u coturn -n 50`
 
 ## Production Considerations
 
@@ -154,13 +147,11 @@ sudo systemctl status coturn
    - Watch for high CPU/memory usage
    - Track active connections
 
-2. **Security**
+3. **Security**
-   - Regularly rotate TURN credentials
+   - Regularly update credentials
-   - Monitor for unusual traffic patterns
+   - Monitor for abuse
-   - Keep coturn, OpenSSL, and certificates up to date
+   - Keep coturn and SSL certificates up to date
-   - Use strong cipher suites for TLS connections
+
-   - Maintain proper file permissions
-   
 ## Support
 
 For issues or questions:

turnserver_basic.conf

@@ -3,13 +3,10 @@
 listening-port=3478
 alt-listening-port=0
 fingerprint
-no-stun
 lt-cred-mech
 user=vdoninja:somepasswordwhere
-stale-nonce=600
 realm=turn.vdo.ninja
 server-name=turn.vdo.ninja
 no-multicast-peers
-stale-nonce=600
 no-stdout-log
 #verbose

turnserver_install.sh.sample

@@ -5,14 +5,23 @@ if [ "$EUID" -ne 0 ]; then
     exit 1
 fi
 
-configure_ssl() {
+setup_permissions() {
     local DOMAIN=$1
     
-    # Generate DH params first
+    # Create secure directory for coturn certs
-    if [ ! -f /etc/turnserver/dhparam.pem ]; then
+    mkdir -p /etc/coturn/certs
-        mkdir -p /etc/turnserver
+    
-        openssl dhparam -out /etc/turnserver/dhparam.pem 2066
+    # Copy certificates with proper permissions
-    fi
+    cp /etc/letsencrypt/live/${DOMAIN}/fullchain.pem /etc/coturn/certs/
+    cp /etc/letsencrypt/live/${DOMAIN}/privkey.pem /etc/coturn/certs/
+    
+    # Set proper ownership and permissions
+    chown -R turnserver:turnserver /etc/coturn/certs
+    chmod 600 /etc/coturn/certs/*.pem
+}
+
+configure_ssl() {
+    local DOMAIN=$1
     
     # Check if port 80 is in use
     if netstat -tuln | grep ':80 '; then
@@ -52,28 +61,22 @@ configure_ssl() {
     
     # Update turnserver.conf with SSL settings
     cat >> /etc/turnserver.conf << EOL
-# SSL Configuration
+cert=/etc/coturn/certs/fullchain.pem
-cert=/etc/letsencrypt/live/${DOMAIN}/fullchain.pem
+pkey=/etc/coturn/certs/privkey.pem
-pkey=/etc/letsencrypt/live/${DOMAIN}/privkey.pem
+tls-listening-port=443
-dh-file=/etc/turnserver/dhparam.pem
-
-# Cipher Suite
-cipher-list="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
 EOL
     
-    # Set proper permissions
+    # Setup permissions after getting certificates
-    chown -R turnserver:turnserver /etc/turnserver
+    setup_permissions "$DOMAIN"
-    chmod 700 /etc/turnserver
-    chmod 600 /etc/turnserver/dhparam.pem
     
-    # Also ensure proper permissions for SSL certs
+    # Update the renewal hook to copy new certs
-    chown -R turnserver:turnserver /etc/letsencrypt/live/${DOMAIN}/
-    chmod -R 700 /etc/letsencrypt/live/${DOMAIN}/
-    
-    # Create renewal hook
     mkdir -p /etc/letsencrypt/renewal-hooks/deploy
     cat > /etc/letsencrypt/renewal-hooks/deploy/coturn-reload << EOL
 #!/bin/bash
+cp /etc/letsencrypt/live/${DOMAIN}/fullchain.pem /etc/coturn/certs/
+cp /etc/letsencrypt/live/${DOMAIN}/privkey.pem /etc/coturn/certs/
+chown turnserver:turnserver /etc/coturn/certs/*.pem
+chmod 600 /etc/coturn/certs/*.pem
 systemctl --signal=SIGUSR2 kill coturn
 EOL
     chmod +x /etc/letsencrypt/renewal-hooks/deploy/coturn-reload
@@ -89,7 +92,7 @@ install_coturn() {
     
     # Install required packages
     apt-get update
-    apt-get install coturn curl dnsutils openssl -y
+    apt-get install coturn curl dnsutils -y
     
     # Configure system limits
     echo "fs.file-max = 65535" >> /etc/sysctl.conf
@@ -101,30 +104,33 @@ install_coturn() {
     
     # Generate base turnserver configuration
     cat > /etc/turnserver.conf << EOL
-# Listening Ports
 listening-port=3478
-alt-listening-port=3479
+alt-listening-port=0
-tls-listening-port=443
-
-# Authentication
 fingerprint
 lt-cred-mech
-user=${USERNAME}:${PASSWORD}
-stale-nonce=600
-
-# Server Configuration
-realm=${DOMAIN}
-server-name=${DOMAIN}
 min-port=49152
 max-port=65535
-
+user=${USERNAME}:${PASSWORD}
-# Security
+stale-nonce=600
+realm=${DOMAIN}
+server-name=${DOMAIN}
 no-multicast-peers
 no-stdout-log
 EOL
     
     # Set proper permissions for binding to privileged ports
     setcap cap_net_bind_service=+ep /usr/bin/turnserver
+    
+    # Configure journald log limits
+    mkdir -p /etc/systemd/journald.conf.d/
+    cat > /etc/systemd/journald.conf.d/coturn.conf << EOL
+[Journal]
+SystemMaxUse=50M
+RuntimeMaxUse=50M
+EOL
+
+    # Restart journald to apply changes
+    systemctl restart systemd-journald
 
     # Start services
     systemctl daemon-reload
@@ -176,7 +182,7 @@ echo "Installation complete!"
 echo "----------------------------------------"
 echo "Domain: $DOMAIN"
 echo "Username: $USERNAME"
-echo "STUN/TURN ports: 3478 (default), 3479 (alt)"
+echo "STUN/TURN ports: 3478 (default)"
 if [ "${ENABLE_SSL,,}" = "y" ]; then
     echo "TLS enabled on port 443"
     echo "SSL certificates will automatically renew via certbot"