TURN server
From Wikipedia: Traversal Using Relays around NAT (TURN) is a protocol that assists in traversal of network address translators (NAT) or firewalls for multimedia applications. It may be used with the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). It is most useful for clients on networks masqueraded by symmetric NAT devices. TURN does not aid in running servers on well known ports in the private network through a NAT; it supports the connection of a user behind a NAT to only a single peer, as in telephony, for example.
So a TURN server is needed to allow end-to-end communication where the peers' public endpoints are not directly reachable, such as when hosts with private IP addresses sit behind NAT. The primary purpose of NAT is to stretch the limited public IPv4 address space by using designated ranges of private IPv4 addresses that have no direct public addressability. Private addresses can only be reached from the public network through a local router that performs NAT, subject to its firewall rules. It is often claimed that hiding the private addresses provides additional security. That was not the primary purpose of NAT and is at best a secondary benefit; I believe that NAT provides minimal security benefits. The key security control is the firewall setup, which does not allow unsolicited inbound access to the local area network address space. Interestingly, IPv6 is not limited by available address space and hence does not require NAT for this reason. If NAT is not used on an IPv6 LAN, the local hosts are directly addressable from the public network, subject to the router and firewall setup, and in that case a TURN relay would not be required (provided the firewall admits the peer's traffic; a stateful firewall that drops unsolicited inbound packets still needs hole-punching or a relay). NAT can still be used with IPv6 if wanted, in which case a TURN server would again be required.
Coturn
---
services:
  coturn_server:
    image: coturn/coturn:4.5.2
    container_name: coturn
    restart: always # always | unless-stopped | no | on-failure [:max-retries]
    volumes:
      - ./config/turnserver.conf:/etc/coturn/turnserver.conf
      - ../mail/.config/certificates:/etc/certs
      - ./config/log:/var/log
    networks:
      macnet1:
        ipv4_address: 192.168.1.97
      proxy:
#    cap_add:
#      - NET_ADMIN

networks:
  macnet1:
    external: true
  proxy:
    external: true
# TURN server name and realm
realm=kptree.net
server-name=turnserver

# Use fingerprint in TURN message
fingerprint

# IPs the TURN server listens to
listening-ip=0.0.0.0

# External IP-Address of the TURN server
external-ip=202.7.254.38

# Main listening port
listening-port=3478

# Further ports that are open for communication (relay port range,
# must also be allowed through the firewall)
min-port=32769
max-port=65535

# Log file path
log-file=/var/log/turnserver.log

# Enable verbose logging
verbose

# Authentication. The TURN REST API mechanism (use-auth-secret) derives
# short-lived credentials from a shared secret instead of storing users.
# The secret must be long, random (e.g. generated with `openssl rand -hex 32`)
# and kept private: anyone who has it can mint valid relay credentials, so
# a value that has been published must be treated as compromised and rotated.
#user=<user>:<password>
use-auth-secret
static-auth-secret=<your-long-random-secret>

# Enable long-term credential mechanism (alternative to the shared secret)
#lt-cred-mech

# SSL certificates
#cert=/etc/letsencrypt/live/<DOMAIN>/cert.pem
#pkey=/etc/letsencrypt/live/<DOMAIN>/privkey.pem
cert=/etc/certs/kptree.net.cer
pkey=/etc/certs/kptree.net.key

# 443 for TURN over TLS, which can bypass firewalls.
# When not set, coturn still serves TLS on its default port 5349.
#tls-listening-port=443

# If running coturn version older than 4.5.2, uncomment these rules and ensure
# that you have listening-ip set to ipv4 addresses only.
# Prevent Loopback bypass https://github.com/coturn/coturn/security/advisories/GHSA-6g6j-r9rf-cm7p
#denied-peer-ip=0.0.0.0-0.255.255.255
#denied-peer-ip=127.0.0.0-127.255.255.255
#denied-peer-ip=::1

# Because this container has a foot on the 192.168.1.0/24 LAN (macvlan), an
# authenticated client could otherwise ask the relay to reach LAN hosts.
# Denying the private ranges as peers keeps the relay public-to-public only.
#denied-peer-ip=10.0.0.0-10.255.255.255
#denied-peer-ip=172.16.0.0-172.31.255.255
#denied-peer-ip=192.168.0.0-192.168.255.255
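The shared-secret (TURN REST API) scheme configured above does not store users: the client is handed a username of the form expiry-timestamp:user-id and a password that is base64(HMAC-SHA1(static-auth-secret, username)), and coturn recomputes the HMAC and checks the expiry. The following is an added example, not coturn's code or this page's original content, showing both the issuing side (what a signalling server such as Nextcloud Talk does) and the check the TURN server performs. The secret, user id and host name are constructed for the example.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed demo secret for this example only. In a real deployment use the
# value of static-auth-secret from turnserver.conf and never publish it.
STATIC_AUTH_SECRET = "example-only-change-me"


def make_turn_credentials(secret: str, user_id: str, ttl_seconds: int = 3600,
                          now: Optional[int] = None) -> Tuple[str, str]:
    """Issue ephemeral TURN credentials from the shared secret.

    username = "<expiry unix time>:<user id>"
    password = base64(HMAC-SHA1(secret, username))
    The expiry is embedded in the username, so it is covered by the MAC and
    cannot be extended by the client.
    """
    if now is None:
        now = int(time.time())
    username = f"{now + ttl_seconds}:{user_id}"
    digest = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return username, base64.b64encode(digest).decode()


def verify_turn_credentials(secret: str, username: str, password: str,
                            now: Optional[int] = None) -> bool:
    """Server-side check: well-formed username, not expired, MAC matches."""
    if now is None:
        now = int(time.time())
    expiry_str, sep, _user_id = username.partition(":")
    if not sep or not expiry_str.isdigit():
        return False                      # malformed username
    if int(expiry_str) <= now:
        return False                      # credential has expired
    expected = base64.b64encode(
        hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    ).decode()
    # Constant-time comparison so a wrong password does not leak how many
    # leading characters were right.
    return hmac.compare_digest(expected, password)


def ice_server_entry(host: str, username: str, credential: str,
                     port: int = 3478, tls_port: int = 5349) -> dict:
    """Shape the issued credentials as a WebRTC RTCIceServer entry.

    Offers plain TURN on the listening-port and TURN over TLS on the TLS port.
    """
    return {
        "urls": [f"turn:{host}:{port}?transport=udp",
                 f"turn:{host}:{port}?transport=tcp",
                 f"turns:{host}:{tls_port}"],
        "username": username,
        "credential": credential,
    }


if __name__ == "__main__":
    user, pw = make_turn_credentials(STATIC_AUTH_SECRET, "alice", ttl_seconds=600)
    print(ice_server_entry("turn.example.net", user, pw))   # hypothetical host
    print("valid now:", verify_turn_credentials(STATIC_AUTH_SECRET, user, pw))
```

The issuing side runs wherever the application authenticates its own users; only that component and the TURN server need the secret, and the credentials it hands out expire on their own, which is why this mechanism is preferred over a static user= entry.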
Resources
- Nextcloud HowTo: Setup Nextcloud Talk with TURN server
- CoturnConfig Wiki - Claims it will be superseded and points to the GitHub page, which is circular....