Skip to content
This repository has been archived by the owner on Mar 1, 2024. It is now read-only.

Commit

Permalink
Security updates for default turn server configuration. (#196)
Browse files Browse the repository at this point in the history 
* Adding more secure configuration to turn server
* Updated so CoTurn config will work inside docker
* Whitelist TURN local ip so we can still connect when signalling and CoTURN are colocated on the same machine
  • Loading branch information
@gingernaz
gingernaz authored Apr 13, 2023
1 parent c280c06 commit aa1b0fa
Show file tree
Hide file tree
Showing 4 changed files with 24 additions and 5 deletions.
2 changes: 1 addition & 1 deletion SignallingWebServer/platform_scripts/bash/Start_TURNServer.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ echo ""
# Hmm, plain text
realm="PixelStreaming"
process="turnserver"
arguments="-p ${turnport} -r $realm -X $publicip -E $localip -L $localip --no-cli --no-tls --no-dtls --pidfile /var/run/turnserver.pid -f -a -v -n -u ${turnusername}:${turnpassword}"
arguments="-c turnserver.conf --allowed-peer-ip=$localip -p ${turnport} -r $realm -X $publicip -E $localip -L $localip --no-cli --no-tls --no-dtls --pidfile /var/run/turnserver.pid -f -a -v -u ${turnusername}:${turnpassword}"

# Add arguments passed to script to arguments for executable
arguments+=" ${cirruscmd}"
Expand Down
8 changes: 6 additions & 2 deletions SignallingWebServer/platform_scripts/bash/docker-start-turn.sh
View file
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ turnusername="PixelStreamingUser"
turnpassword="AnotherTURNintheroad"
realm="PixelStreaming"
process="turnserver"
arguments="-p ${turnport} -r $realm -X $publicip -E $localip -L $localip --no-cli --no-tls --no-dtls --pidfile /var/run/turnserver.pid -f -a -v -n -u ${turnusername}:${turnpassword}"
arguments="-c /turnconfig/turnserver.conf --allowed-peer-ip=$localip -p ${turnport} -r $realm -X $publicip -E $localip -L $localip --no-cli --no-tls --no-dtls --pidfile /var/run/turnserver.pid -f -a -v -u ${turnusername}:${turnpassword}"

# Add arguments passed to script to arguments for executable
arguments+=" ${cirruscmd}"
Expand All @@ -31,12 +31,16 @@ echo "Running: ${process} ${arguments}"
# Get the docker image
docker pull coturn/coturn

# Copy the turn setup config to a path we can use as a volume
mkdir -p turnconfig
cp ../../turnserver.conf turnconfig/

# Start the TURN server
#docker run --name coturn_latest --network host -it --entrypoint /bin/bash coturn/coturn
#docker run --name coturn_latest --network host --rm -a stdin -a stdout -a stderr --entrypoint "sudo mkdir -p /var/run" coturn/coturn ""
#docker run --name coturn_latest --network host --rm -a stdin -a stdout -a stderr --entrypoint "/bin/ls" coturn/coturn "/var/"

docker run --name coturn_latest --network host --rm -a stdin -a stdout -a stderr --entrypoint "${process}" coturn/coturn "${arguments}"
docker run --name coturn_latest --network host --rm -a stdin -a stdout -a stderr -v $PWD/turnconfig:/turnconfig --entrypoint "${process}" coturn/coturn "${arguments}"

#docker run --name coturn_latest --network host --rm -a stdin -a stdout -a stderr --entrypoint "/bin/bash" coturn/coturn "ls -latr /var/run/"
#docker run --name coturn_latest --network host --rm -a stdin -a stdout -a stderr --entrypoint "sudo chown ubuntu:ubuntu /var/run/turnserver.pid | sudo chmod +x /var/run/turnserver.pid | ${process}" coturn/coturn "${arguments}"
4 changes: 2 additions & 2 deletions SignallingWebServer/platform_scripts/cmd/Start_TURNServer.ps1
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ print_parameters
#$LocalIp = Invoke-WebRequest -Uri "http://169.254.169.254/latest/meta-data/local-ipv4"
$LocalIP = (Test-Connection -ComputerName (hostname) -Count 1 | Select IPV4Address).IPV4Address.IPAddressToString

Write-Output "Private IP: $LocalIp"
Write-Output "Private IP: $LocalIP"

$TurnPort="19303"
$Pos = $global:TurnServer.LastIndexOf(":")
Expand All @@ -24,7 +24,7 @@ $TurnUsername = "PixelStreamingUser"
$TurnPassword = "AnotherTURNintheroad"
$Realm = "PixelStreaming"
$ProcessExe = ".\turnserver.exe"
$Arguments = "-p $TurnPort -r $Realm -X $PublicIP -E $LocalIP -L $LocalIP --no-cli --no-tls --no-dtls --pidfile `"C:\coturn.pid`" -f -a -v -n -u $TurnUsername`:$TurnPassword"
$Arguments = "-c ..\..\..\turnserver.conf --allowed-peer-ip=$LocalIP -p $TurnPort -r $Realm -X $PublicIP -E $LocalIP -L $LocalIP --no-cli --no-tls --no-dtls --pidfile `"C:\coturn.pid`" -f -a -v -u $TurnUsername`:$TurnPassword"

# Add arguments passed to script to Arguments for executable
$Arguments += $args
Expand Down
15 changes: 15 additions & 0 deletions SignallingWebServer/turnserver.conf
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
no-multicast-peers
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.0.0.0-192.0.0.255
denied-peer-ip=192.0.2.0-192.0.2.255
denied-peer-ip=192.88.99.0-192.88.99.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=198.18.0.0-198.19.255.255
denied-peer-ip=198.51.100.0-198.51.100.255
denied-peer-ip=203.0.113.0-203.0.113.255
denied-peer-ip=240.0.0.0-255.255.255.255

0 comments on commit aa1b0fa

Please sign in to comment.