Coturn TURN Server for Debian ------------------------------ 1) The turnserver has reasonable default option values and can work in many simple environments without extra configuration. But more complex meaningful usage requires setting options specific to your particular environment. For example, WebRTC requires long-term credentials and some extra stuff. To set the turnserver parameters: a) Edit /etc/turnserver.conf file. b) For user accounts settings, the default SQLite TURN database location is /var/db/turndb. If you do not set any database and if you do not set any TURN server database options, then the TURN server will try to create an empty SQLite database in that default location. Or you can set up PostgreSQL or MySQL or Redis database for user accounts. Use /usr/share/coturn/schema.sql as SQL database schema, or use /usr/share/coturn/schema.userdb.redis as Redis database schema explanation for the user authentication data, and (optionally) use /usr/share/coturn/schema.stats.redis as Redis database schema explanation for status and statistics data. 2) You can start/stop the turnserver "manually", using the "/usr/bin/turnserver" executable with appropriate options (see the documentation). If you want the turnserver to be an automatically started system service, then you have to un-comment the line "TURNSERVER_ENABLED=1" in the /etc/default/coturn file. 3) If you are using UFW, then run the command after the installation: $ ufw add turnserver You can inspect and adjust the UFW turnserver settings in the file /etc/ufw/applications.d/turnserver. 4) For additional information, run: $ man turnserver $ man turnadmin $ man turnutils 5) During installation, no TURN user accounts are created. Coturn does not recognize UNIX accounts and requires accounts to be defined in it's own config file. By default, the TURN server uses anonymous access. 6) Systemd: In some configurations you may need to add the After=network-online.target line to the/etc/systemd/system/coturn.service.d/network.conf or simillar systemd config file. 7) Non privileged ports If you plan to use any privileged ports(ports<1024 e.g. 80 or 443) add the following for non root privileged port binding to /etc/systemd/system/coturn.service.d/capability.conf. (After it reload config "systemctl daemon-reload") [Service] AmbientCapabilities=CAP_NET_BIND_SERVICE Or alternatively create nftables/iptables port forwarding nat rules. iptables -t nat -A PREROUTING -p udp -m udp --dport 80 -j REDIRECT --to-ports 3478 iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3478 iptables -t nat -A PREROUTING -p udp -m udp --dport 443 -j REDIRECT --to-ports 5349 iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 5349 Traditional STUN doesn't require an account. For TURN relay purposes, several accounting options are possible: - anonymous access (the default option); - traditional long-term credentials mechanism (see RFC5766); - TURN REST API shared-secret-based long-term credentials mechanism (see TURN REST API docs); - Third-party authorization extension for the long-term credentials mechanism; If you are installing the TURN server for WebRTC usage, then you must set the long term credentials mechanism option and add user accounts - either with the default SQLite database, or with PostgreSQL database, or with MySQL database, or with Redis database. Optionally, you can add TURN REST API on top of long-term credentials mechanism. Please see the README.* files for details. -- Mészáros Mihály Tue, 27 Nov 2018 12:32:02 +0000 -- Oleg Moskalenko Wed, 29 Oct 2014 11:47:00 -0700