fine turning turnserver install script

2026-05-01 11:05:24 +00:00 · 2025-01-12 19:20:02 -05:00
parent c1c4a0def1
commit 6f06a8a8e8
3 changed files with 55 additions and 61 deletions
--- a/turnserver.md
+++ b/turnserver.md
@@ -49,7 +49,6 @@ listening-port=3478        # Standard STUN/TURN port
 fingerprint               # Required for WebRTC
 lt-cred-mech             # Long-term credential mechanism
 user=username:password    # Authentication credentials
-stale-nonce=600          # Nonce timeout in seconds
 realm=turn.example.com   # Your server's domain
 server-name=turn.example.com
 no-multicast-peers       # Security measure
@@ -58,12 +57,10 @@ no-stdout-log           # Disable stdout logging

 ## SSL/TLS Support (Optional)

-The installer configures SSL/TLS support which:
+The installer can configure SSL/TLS support which:
 - Enables TURNS (TURN over TLS) on port 443
 - Automatically obtains and renews SSL certificates via certbot
- Generates secure DH parameters for improved TLS security
 - Configures automatic certificate reload without server restart
- Sets up proper file permissions for security

 ## Testing Your Server

@@ -96,6 +93,9 @@ sudo ufw allow 3478/udp  # Default TURN/STUN UDP
 sudo ufw allow 443/tcp   # TURN TLS
 sudo ufw allow 443/udp   # TURN TLS/DTLS

+# If using Certbot for SSL renewals
+sudo ufw allow 80/tcp   # HTTP
+
 # Media relay ports
 sudo ufw allow 49152:65535/tcp  # TCP relay ports
 sudo ufw allow 49152:65535/udp  # UDP relay ports
@@ -131,16 +131,9 @@ sudo systemctl status coturn
   - Manual fix: `sudo setcap cap_net_bind_service=+ep /usr/bin/turnserver`

 2. **SSL certificate errors (701)**
-   - Verify certificate permissions: `sudo chown -R turnserver:turnserver /etc/letsencrypt/live/your-domain/`
-   - Check DH parameters: `sudo ls -l /etc/turnserver/dhparam.pem`
-   - Ensure all SSL files are readable by turnserver user
-   - Verify cipher suite compatibility in config
-
-3. **TLS connection failures**
-   - Check firewall rules for both TCP and UDP on port 443
-   - Verify TLS certificate paths in configuration
-   - Ensure DH parameters are properly generated
-   - Check logs: `sudo journalctl -u coturn -n 50`
+   - Verify certificate permissions
+   - Check certificate paths in configuration
+   - Ensure certificates are readable by turnserver user

 ## Production Considerations

@@ -154,12 +147,10 @@ sudo systemctl status coturn
   - Watch for high CPU/memory usage
   - Track active connections

-2. **Security**
-   - Regularly rotate TURN credentials
-   - Monitor for unusual traffic patterns
-   - Keep coturn, OpenSSL, and certificates up to date
-   - Use strong cipher suites for TLS connections
-   - Maintain proper file permissions
+3. **Security**
+   - Regularly update credentials
+   - Monitor for abuse
+   - Keep coturn and SSL certificates up to date

 ## Support

--- a/turnserver_basic.conf
+++ b/turnserver_basic.conf
@@ -3,13 +3,10 @@
 listening-port=3478
 alt-listening-port=0
 fingerprint
-no-stun
 lt-cred-mech
 user=vdoninja:somepasswordwhere
-stale-nonce=600
 realm=turn.vdo.ninja
 server-name=turn.vdo.ninja
 no-multicast-peers
-stale-nonce=600
 no-stdout-log
 #verbose
--- a/turnserver_install.sh.sample
+++ b/turnserver_install.sh.sample
@@ -5,14 +5,23 @@ if [ "$EUID" -ne 0 ]; then
    exit 1
 fi

-configure_ssl() {
+setup_permissions() {
    local DOMAIN=$1
    
-    # Generate DH params first
-    if [ ! -f /etc/turnserver/dhparam.pem ]; then
-        mkdir -p /etc/turnserver
-        openssl dhparam -out /etc/turnserver/dhparam.pem 2066
-    fi
+    # Create secure directory for coturn certs
+    mkdir -p /etc/coturn/certs
+    
+    # Copy certificates with proper permissions
+    cp /etc/letsencrypt/live/${DOMAIN}/fullchain.pem /etc/coturn/certs/
+    cp /etc/letsencrypt/live/${DOMAIN}/privkey.pem /etc/coturn/certs/
+    
+    # Set proper ownership and permissions
+    chown -R turnserver:turnserver /etc/coturn/certs
+    chmod 600 /etc/coturn/certs/*.pem
+}
+
+configure_ssl() {
+    local DOMAIN=$1
    
    # Check if port 80 is in use
    if netstat -tuln | grep ':80 '; then
@@ -52,28 +61,22 @@ configure_ssl() {
    
    # Update turnserver.conf with SSL settings
    cat >> /etc/turnserver.conf << EOL
-# SSL Configuration
-cert=/etc/letsencrypt/live/${DOMAIN}/fullchain.pem
-pkey=/etc/letsencrypt/live/${DOMAIN}/privkey.pem
-dh-file=/etc/turnserver/dhparam.pem
-
-# Cipher Suite
-cipher-list="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
+cert=/etc/coturn/certs/fullchain.pem
+pkey=/etc/coturn/certs/privkey.pem
+tls-listening-port=443
 EOL
    
-    # Set proper permissions
-    chown -R turnserver:turnserver /etc/turnserver
-    chmod 700 /etc/turnserver
-    chmod 600 /etc/turnserver/dhparam.pem
+    # Setup permissions after getting certificates
+    setup_permissions "$DOMAIN"
    
-    # Also ensure proper permissions for SSL certs
-    chown -R turnserver:turnserver /etc/letsencrypt/live/${DOMAIN}/
-    chmod -R 700 /etc/letsencrypt/live/${DOMAIN}/
-    
-    # Create renewal hook
+    # Update the renewal hook to copy new certs
    mkdir -p /etc/letsencrypt/renewal-hooks/deploy
    cat > /etc/letsencrypt/renewal-hooks/deploy/coturn-reload << EOL
 #!/bin/bash
+cp /etc/letsencrypt/live/${DOMAIN}/fullchain.pem /etc/coturn/certs/
+cp /etc/letsencrypt/live/${DOMAIN}/privkey.pem /etc/coturn/certs/
+chown turnserver:turnserver /etc/coturn/certs/*.pem
+chmod 600 /etc/coturn/certs/*.pem
 systemctl --signal=SIGUSR2 kill coturn
 EOL
    chmod +x /etc/letsencrypt/renewal-hooks/deploy/coturn-reload
@@ -89,7 +92,7 @@ install_coturn() {
    
    # Install required packages
    apt-get update
-    apt-get install coturn curl dnsutils openssl -y
+    apt-get install coturn curl dnsutils -y
    
    # Configure system limits
    echo "fs.file-max = 65535" >> /etc/sysctl.conf
@@ -101,24 +104,16 @@ install_coturn() {
    
    # Generate base turnserver configuration
    cat > /etc/turnserver.conf << EOL
-# Listening Ports
 listening-port=3478
-alt-listening-port=3479
-tls-listening-port=443
-
-# Authentication
+alt-listening-port=0
 fingerprint
 lt-cred-mech
-user=${USERNAME}:${PASSWORD}
-stale-nonce=600
-
-# Server Configuration
-realm=${DOMAIN}
-server-name=${DOMAIN}
 min-port=49152
 max-port=65535
-
-# Security
+user=${USERNAME}:${PASSWORD}
+stale-nonce=600
+realm=${DOMAIN}
+server-name=${DOMAIN}
 no-multicast-peers
 no-stdout-log
 EOL
@@ -126,6 +121,17 @@ EOL
    # Set proper permissions for binding to privileged ports
    setcap cap_net_bind_service=+ep /usr/bin/turnserver
    
+    # Configure journald log limits
+    mkdir -p /etc/systemd/journald.conf.d/
+    cat > /etc/systemd/journald.conf.d/coturn.conf << EOL
+[Journal]
+SystemMaxUse=50M
+RuntimeMaxUse=50M
+EOL
+
+    # Restart journald to apply changes
+    systemctl restart systemd-journald
+
    # Start services
    systemctl daemon-reload
    systemctl enable coturn
@@ -176,7 +182,7 @@ echo "Installation complete!"
 echo "----------------------------------------"
 echo "Domain: $DOMAIN"
 echo "Username: $USERNAME"
-echo "STUN/TURN ports: 3478 (default), 3479 (alt)"
+echo "STUN/TURN ports: 3478 (default)"
 if [ "${ENABLE_SSL,,}" = "y" ]; then
    echo "TLS enabled on port 443"
    echo "SSL certificates will automatically renew via certbot"