turn server install guide improved

2026-05-01 11:05:24 +00:00 · 2025-01-12 18:07:19 -05:00
parent b17ab24bdc
commit 80c170dd69
5 changed files with 270 additions and 238 deletions
--- a/turnserver_install.sh.sample
+++ b/turnserver_install.sh.sample
@@ -0,0 +1,159 @@
+#!/bin/bash
+
+if [ "$EUID" -ne 0 ]; then
+    echo "Please run as root or with sudo"
+    exit 1
+fi
+
+configure_ssl() {
+    local DOMAIN=$1
+    
+    # Check if port 80 is in use
+    if netstat -tuln | grep ':80 '; then
+        echo "Warning: Port 80 is in use. Stopping potentially conflicting services..."
+        systemctl stop nginx 2>/dev/null || true
+        systemctl stop apache2 2>/dev/null || true
+    fi
+    
+    # Install certbot if needed
+    if ! command -v certbot >/dev/null; then
+        apt-get install certbot -y
+    fi
+    
+    # Verify domain points to this server
+    LOCAL_IP=$(curl -s https://api.ipify.org)
+    DOMAIN_IP=$(dig +short "$DOMAIN")
+    
+    echo "Verifying domain configuration..."
+    echo "Server IP: $LOCAL_IP"
+    echo "Domain IP: $DOMAIN_IP"
+    
+    if [ "$LOCAL_IP" != "$DOMAIN_IP" ]; then
+        echo "Warning: Domain $DOMAIN does not point to this server's IP ($LOCAL_IP)"
+        read -p "Continue anyway? (y/N): " CONTINUE
+        if [ "${CONTINUE,,}" != "y" ]; then
+            return 1
+        fi
+    fi
+    
+    # Try to get the cert
+    if ! certbot certonly --standalone --preferred-challenges http -d "$DOMAIN"; then
+        echo "Failed to obtain SSL certificate. Trying alternative method..."
+        if ! certbot certonly --standalone --preferred-challenges tls-alpn-01 -d "$DOMAIN"; then
+            return 1
+        fi
+    fi
+    
+    # Update turnserver.conf with SSL settings
+    cat >> /etc/turnserver.conf << EOL
+cert=/etc/letsencrypt/live/${DOMAIN}/fullchain.pem
+pkey=/etc/letsencrypt/live/${DOMAIN}/privkey.pem
+tls-listening-port=443
+EOL
+    
+    # Create renewal hook
+    mkdir -p /etc/letsencrypt/renewal-hooks/deploy
+    cat > /etc/letsencrypt/renewal-hooks/deploy/coturn-reload << EOL
+#!/bin/bash
+systemctl --signal=SIGUSR2 kill coturn
+EOL
+    chmod +x /etc/letsencrypt/renewal-hooks/deploy/coturn-reload
+    
+    return 0
+}
+
+# Main installation function
+install_coturn() {
+    local DOMAIN=$1
+    local USERNAME=$2
+    local PASSWORD=$3
+    
+    # Install required packages
+    apt-get update
+    apt-get install coturn curl dnsutils -y
+    
+    # Configure system limits
+    echo "fs.file-max = 65535" >> /etc/sysctl.conf
+    sysctl -p
+    ulimit -n 65535
+    
+    # Enable TURN server
+    echo "TURNSERVER_ENABLED=1" > /etc/default/coturn
+    
+    # Generate base turnserver configuration
+    cat > /etc/turnserver.conf << EOL
+listening-port=3478
+alt-listening-port=0
+fingerprint
+lt-cred-mech
+# STUN/TURN configuration
+stun-port=3478
+min-port=49152
+max-port=65535
+user=${USERNAME}:${PASSWORD}
+stale-nonce=600
+realm=${DOMAIN}
+server-name=${DOMAIN}
+no-multicast-peers
+dh2066
+no-stdout-log
+EOL
+    
+    # Set proper permissions for binding to privileged ports
+    setcap cap_net_bind_service=+ep /usr/bin/turnserver
+
+    # Start services
+    systemctl daemon-reload
+    systemctl enable coturn
+    systemctl start coturn
+}
+
+# Main script execution
+echo "TURN Server Installation and Configuration"
+echo "----------------------------------------"
+
+# Get or verify domain
+while true; do
+    read -p "Enter your domain (e.g., turn.example.com): " DOMAIN
+    echo "Verifying domain..."
+    if dig +short "$DOMAIN" >/dev/null; then
+        break
+    else
+        echo "Warning: Domain $DOMAIN does not appear to be configured. Please verify DNS settings."
+        read -p "Try a different domain? (Y/n): " RETRY
+        if [ "${RETRY,,}" = "n" ]; then
+            break
+        fi
+    fi
+done
+
+read -p "Enter username for TURN: " USERNAME
+read -s -p "Enter password for TURN: " PASSWORD
+echo
+
+# Install base TURN server
+install_coturn "$DOMAIN" "$USERNAME" "$PASSWORD"
+
+# Configure SSL if desired
+read -p "Do you want to enable SSL/TLS support? (y/N): " ENABLE_SSL
+if [ "${ENABLE_SSL,,}" = "y" ]; then
+    if ! configure_ssl "$DOMAIN"; then
+        echo "SSL configuration failed. You can retry SSL setup later by running:"
+        echo "certbot delete"
+        echo "certbot certonly --standalone -d $DOMAIN"
+        echo "Then restart coturn: systemctl restart coturn"
+    fi
+fi
+
+# Display status
+systemctl status coturn
+
+echo "Installation complete!"
+echo "----------------------------------------"
+echo "Domain: $DOMAIN"
+echo "Username: $USERNAME"
+echo "STUN/TURN ports: 3478 (default)"
+if [ "${ENABLE_SSL,,}" = "y" ]; then
+    echo "TLS enabled on port 443"
+    echo "SSL certificates will automatically renew via certbot"
+fi