Repository: github.com/nextcloud/spreed.git
author: Joas Schilling <coding@schilljs.com> 2019-09-02 13:17:35 +0300
committer: Joas Schilling <coding@schilljs.com> 2019-09-02 13:17:35 +0300
commit: 1914daa535068366e8d7d9cd44bcacdb9cf9dcb2 (patch)
tree: fc7cf89add76b9dd09d56de5608000dc7af755e0 /docs/TURN.md
parent: 46cf3ba168a26a8fdafd470bc650208e81d515dd (diff)
More formatting
Signed-off-by: Joas Schilling <coding@schilljs.com>
Diffstat (limited to 'docs/TURN.md')
-rw-r--r-- docs/TURN.md 50
1 files changed, 26 insertions, 24 deletions
diff --git a/docs/TURN.md b/docs/TURN.md
index 6deacd560..bde60a1b5 100644
--- a/docs/TURN.md
+++ b/docs/TURN.md
@@ -1,7 +1,7 @@
### Background
The configuration of Nextcloud Talk mainly depends on your desired usage:
-- As long as it shall be used only **within one local network**, besides the app, nothing else should be required. Just verify that all browsers support the underlying [WebRTC](https://en.wikipedia.org/wiki/WebRTC) protocol - all famous ones do on current versions - and you should be good to go. Browser support can be tested e.g. here: https://test.webrtc.org/
+- As long as it shall be used only **within one local network**, besides the app, nothing else should be required. Just verify that all browsers support the underlying [WebRTC](https://en.wikipedia.org/wiki/WebRTC) protocol - all famous ones do on current versions - and you should be good to go. Browser support can be tested e.g. here: [https://test.webrtc.org/](https://test.webrtc.org/)
- Talk tries to establish a direct [peer-to-peer (P2P)](https://en.wikipedia.org/wiki/Peer-to-peer) connection, thus on connections **beyond the local network** (behind a [NAT](https://en.wikipedia.org/wiki/Network_address_translation) or router), clients do not only need to know each others public IP, but the participants local IPs as well. Processing this, is the job of a [STUN](https://en.wikipedia.org/wiki/STUN) server. As there is one preconfigured for Nextcloud Talk, still nothing else needs to be done.
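Review bot: the link text duplicates the target on the changed line, so the CommonMark autolink form `<https://test.webrtc.org/>` renders the same clickable URL without repeating it; either form works. While this paragraph is being touched, the unchanged line below still reads "each others public IP", which should be "each other's public IP", and "all famous ones" would read better as "all major ones".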
@@ -75,29 +75,31 @@ See the following discussions why **(D)TLS** for TURN has no real security benef
When using (D)TLS, you need to provide the path to your certificate and key files, and it is highly recommended to adjust the cipher list:
```
- tls-listening-port=<yourChosenPortNumber>
- fingerprint
- lt-cred-mech # Only on coTURN below v4.5.0.8!
- use-auth-secret
- static-auth-secret=<yourChosen/GeneratedSecret>
- realm=your.domain.org
- total-quota=100
- bps-capacity=0
- stale-nonce
- cert=/path/to/your/cert.pem
- pkey=/path/to/your/privkey.pem
- cipher-list="ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5"
- no-loopback-peers
- no-multicast-peers # Only on coTURN below v4.5.1.0!
+tls-listening-port=<yourChosenPortNumber>
+fingerprint
+lt-cred-mech # Only on coTURN below v4.5.0.8!
+use-auth-secret
+static-auth-secret=<yourChosen/GeneratedSecret>
+realm=your.domain.org
+total-quota=100
+bps-capacity=0
+stale-nonce
+cert=/path/to/your/cert.pem
+pkey=/path/to/your/privkey.pem
+cipher-list="ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5"
+no-loopback-peers
+no-multicast-peers # Only on coTURN below v4.5.1.0!
```
- Note that `listening-port`, `alt-listening-port`, `tls-listening-port` and `alt-tls-listening-port` can all be used for (D)TLS and plain text connections. It depends on the client request protocol only, TURN vs _TURNS_ (TURN over TLS). Hence there is usually no point to setup more then one port. Also Nextcloud Talk can only be configured to use a single port.
- A working cipher example is provided above, that is also used within most other guides. But it makes totally sense to **use the cipher-list from your Nextcloud webserver** to have the same compatibility versus security versus performance for both.
- If you want it damn secure, you can also configure a custom [Diffie-Hellman](https://en.wikipedia.org/wiki/Diffie–Hellman_key_exchange) file and/or disable TLSv1.0 + TLSv1.1. But again, it does not make much sense to handle it different here than for the webserver. Just decide how much compatibility you need and security/performance you want and configure webserver + coTURN the same:
- dh-file=/path/to/your/dh.pem
- no-tlsv1
- no-tlsv1_1
+```
+dh-file=/path/to/your/dh.pem
+no-tlsv1
+no-tlsv1_1
+```
#### 3. Continue with general coTURN configuration
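Review bot: the `cipher-list=` line carried into the dedented block still enables the 3DES suites (`ECDH+3DES`, `DH+3DES`, `RSA+3DES`) and the non-forward-secret `RSA+AES` key exchange, which sits awkwardly under a sentence that calls adjusting the cipher list "highly recommended"; since this commit is formatting-only, suggest a follow-up that drops the 3DES entries (64-bit block cipher, the Sweet32 weakness) and plain RSA key exchange, or at least states in the prose that the sample list favours compatibility over strength. The dedent itself is the right fix here: with the option lines at column 0 the fence is no longer nested inside the list item, and putting `dh-file`, `no-tlsv1` and `no-tlsv1_1` in their own fenced block rather than as bullets makes them copyable as written. One nit: the placeholder `<yourChosen/GeneratedSecret>` contains a slash and reads like a path; `<yourChosenOrGeneratedSecret>` avoids that.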
@@ -105,12 +107,12 @@ When using (D)TLS, you need to provide the path to your certificate and key file
- The following settings can be used to adjust the **logging behaviour**. On SBCs with SDcards you may want to adjust this, as by default coTURN logs very verbose. The config file explains everything very well:
- ```
- no-stdout-log
- log-file=...
- syslog
- simple-log
- ```
+```
+no-stdout-log
+log-file=...
+syslog
+simple-log
+```
- `sudo systemctl restart coturn` or corresponding restart method
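Review bot: `log-file=...` uses `...` as its placeholder while the TLS block above uses angle-bracket placeholders such as `<yourChosenPortNumber>`, so `log-file=<path/to/your/logfile>` would be consistent and safe to copy. The four lines also read as one block to paste together, but the turnserver man page describes `syslog` as sending all log output to the system log instead of the file, so a sentence saying these are alternatives to choose between (not a set) would help readers on SD-card devices who are trying to reduce writes.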