===== Setting up a Coturn TURN server =====
\\
==== Firewall ====
The following ports have to be opened in your firewall:
<code>
3478/tcp+udp        (TURN)
3479/tcp+udp        (TURN)
5349/tcp+udp        (TURNS)
5350/tcp+udp        (TURNS)
49152:65535/tcp+udp (relay ports)
</code>
If you use ''ufw'', the ''turnserver'' application profile covers all of these:
<code bash>
sudo ufw allow turnserver
sudo ufw reload
</code>
----
\\
==== SSL certificate ====
First, generate an SSL certificate for your subdomain, and create a post-renewal hook for ''certbot''.\\
Coturn does not run as ''root'', so it cannot read from ''/etc/letsencrypt/live/''.
\\
=== Certificate generation ===
<code bash>
sudo certbot certonly -d turn.quietlife.nl
</code>
\\
=== Post-renewal hook ===
First create a directory readable by Coturn:
<code bash>
sudo mkdir -p /etc/coturn/certs
sudo chown -R turnserver:turnserver /etc/coturn
</code>
Then create the script ''certbot'' should run after renewing the certificate, as ''/etc/letsencrypt/renewal-hooks/post/coturn.sh'':
<code bash>
#!/bin/sh
# Copy the renewed certificate and key to a location the turnserver user can read
cp /etc/letsencrypt/live/turn.quietlife.nl/fullchain.pem /etc/coturn/certs/
cp /etc/letsencrypt/live/turn.quietlife.nl/privkey.pem /etc/coturn/certs/
# Only the turnserver user may read the private key
chown turnserver:turnserver /etc/coturn/certs/*
chmod 600 /etc/coturn/certs/*
# Restart so Coturn picks up the new certificate
systemctl restart coturn.service
</code>
Then make the script executable:
<code bash>
sudo chmod +x /etc/letsencrypt/renewal-hooks/post/coturn.sh
</code>
Finally run it manually once, so the current certificate is in place before Coturn starts:
<code bash>
sudo sh /etc/letsencrypt/renewal-hooks/post/coturn.sh
</code>
----
\\
==== Installation ====
<code bash>
sudo apt install coturn
</code>
\\
==== Configuration ====
You will have to set a number of options in ''/etc/turnserver.conf''. There are a lot of commented examples in the default file, so these are only the lines you have to add or change:
<code>
listening-ip=93.119.10.240
listening-ip=2a01:7c8:bb09:3dc::1
use-auth-secret
static-auth-secret=dddddddddddddddddddddddddddddddddddddddddddddddddd
realm=turn.quietlife.nl
user-quota=12
total-quota=1200
no-tcp-relay
cert=/etc/coturn/certs/fullchain.pem
pkey=/etc/coturn/certs/privkey.pem
syslog
no-multicast-peers
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=192.0.0.0-192.0.0.255
denied-peer-ip=192.0.2.0-192.0.2.255
denied-peer-ip=192.88.99.0-192.88.99.255
denied-peer-ip=198.18.0.0-198.19.255.255
denied-peer-ip=198.51.100.0-198.51.100.255
denied-peer-ip=203.0.113.0-203.0.113.255
denied-peer-ip=240.0.0.0-255.255.255.255
denied-peer-ip=::1
denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
allowed-peer-ip=93.119.10.240
allowed-peer-ip=2a01:7c8:bb09:3dc::1
no-cli
no-rfc5780
no-stun-backward-compatibility
response-origin-only-with-rfc5780
</code>
Make sure that you change ''listening-ip'' and ''allowed-peer-ip'' to the external IP address(es) of your server, and that you set ''realm'' to the subdomain you want to use. For ''static-auth-secret'', generate a long random string; with ''use-auth-secret'' clients never receive this secret itself, only short-lived credentials derived from it. The ''denied-peer-ip'' ranges stop clients from using the relay to reach private, loopback and other reserved networks, and ''allowed-peer-ip'' then re-admits the server's own addresses.
Then restart Coturn:
<code bash>
sudo systemctl restart coturn.service
</code>
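With ''use-auth-secret'', your application hands clients temporary credentials instead of the shared secret: the username is ''<expiry timestamp>:<user id>'' and the password is the base64-encoded HMAC-SHA1 of that username keyed with ''static-auth-secret''. The following is an added example (not from Coturn or this page) that generates such credentials and checks them the way an auditor would; ''STATIC_AUTH_SECRET'' and the user id ''alice'' are placeholders.

```python
import base64
import hashlib
import hmac
import time

# Placeholder: paste the random string you put in static-auth-secret here.
STATIC_AUTH_SECRET = "replace-with-the-value-from-turnserver.conf"
TURN_HOST = "turn.quietlife.nl"


def make_turn_credentials(user_id, secret=STATIC_AUTH_SECRET, ttl=86400, now=None):
    """Build time-limited credentials for coturn's use-auth-secret mode.

    username is "<unix expiry>:<user id>"; the password is the base64-encoded
    HMAC-SHA1 of that username keyed with the shared secret. Coturn derives the
    same password itself, so the secret never leaves the server side.
    """
    now = int(time.time()) if now is None else now
    username = f"{now + ttl}:{user_id}"
    mac = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return {
        "username": username,
        "credential": base64.b64encode(mac).decode(),
        "ttl": ttl,
        "urls": [f"turn:{TURN_HOST}:3478?transport=udp",
                 f"turns:{TURN_HOST}:5349?transport=tcp"],
    }


def credentials_valid(username, credential, secret=STATIC_AUTH_SECRET, now=None):
    """Check a credential: unexpired, well-formed, and the HMAC matches.

    Uses a constant-time comparison so the check itself does not leak the MAC.
    """
    now = int(time.time()) if now is None else now
    expiry, sep, _ = username.partition(":")
    if not sep or not expiry.isdigit() or int(expiry) <= now:
        return False
    expected = base64.b64encode(
        hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    ).decode()
    return hmac.compare_digest(expected, credential)


if __name__ == "__main__":
    creds = make_turn_credentials("alice")
    print(creds)
    print("valid:", credentials_valid(creds["username"], creds["credential"]))
```

Keep the TTL short (hours, not days): once a credential has been handed out it cannot be revoked before its expiry other than by rotating ''static-auth-secret''.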
\\
----