author: Daniel Calviño Sánchez <danxuliu@gmail.com> 2021-06-17 00:45:08 +0300
committer: Daniel Calviño Sánchez <danxuliu@gmail.com> 2021-06-17 20:06:24 +0300
commit: 71a82ec05feb8d838869a72d657e5d1435155ae9 (patch)
tree: 3890220899621450e2f65033edac81dd3d990747 /docs
parent: c614a75345b010ce2c5488fbc5786282ec09e7fc (diff)
Add section about configuring the TURN server on internal networks
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
Diffstat (limited to 'docs')
-rw-r--r-- | docs/TURN.md | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/docs/TURN.md b/docs/TURN.md index d02b03b5e..cbce349d9 100644 --- a/docs/TURN.md +++ b/docs/TURN.md @@ -120,6 +120,31 @@ simple-log - `sudo systemctl restart coturn` or corresponding restart method +##### TURN server and internal networks + +If your TURN server has access to an internal network you should prevent access to the local/internal IPs from the TURN server, except those that are actually needed (like the High Performance Backend if you are using it) by setting the [`denied-peer-ip` and `allowed-peer-ip` parameters](https://github.com/coturn/coturn/blob/upstream/4.5.1.3/README.turnserver#L523-L537). For example: +``` +allowed-peer-ip={IP_ADDRESS_OF_THE_HIGH_PERFORMANCE_BACKEND} +denied-peer-ip=0.0.0.0-0.255.255.255 +denied-peer-ip=10.0.0.0-10.255.255.255 +denied-peer-ip=100.64.0.0-100.127.255.255 +denied-peer-ip=127.0.0.0-127.255.255.255 +denied-peer-ip=169.254.0.0-169.254.255.255 +denied-peer-ip=172.16.0.0-172.31.255.255 +denied-peer-ip=192.0.0.0-192.0.0.255 +denied-peer-ip=192.0.2.0-192.0.2.255 +denied-peer-ip=192.88.99.0-192.88.99.255 +denied-peer-ip=192.168.0.0-192.168.255.255 +denied-peer-ip=198.18.0.0-198.19.255.255 +denied-peer-ip=198.51.100.0-198.51.100.255 +denied-peer-ip=203.0.113.0-203.0.113.255 +denied-peer-ip=240.0.0.0-255.255.255.255 +``` + +Otherwise [a malicious user could access services in that internal network through your TURN server](https://www.rtcsec.com/2020/04/01-slack-webrtc-turn-compromise/). + +Alternatively you could of course prevent access to that internal network from the TURN server by means of a firewall. + #### 4. Configure Nextcloud Talk to use your TURN server - Go to Nextcloud admin panel > Talk settings. Btw. if you already have your own TURN server, you can and may want to use it as STUN server as well: |
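Review bot: the `denied-peer-ip` list in this hunk covers IPv4 only, so on a host with IPv6 connectivity relayed peers can still reach link-local, unique-local or loopback addresses (fe80::/10, fc00::/7, ::1) and the new section never says the example assumes an IPv4-only deployment. Suggest either adding the matching IPv6 ranges as further `denied-peer-ip=` lines or stating explicitly that IPv6 ranges must be added when the server has IPv6 addresses. Two smaller gaps in the same list: the IPv4 multicast block (224.0.0.0-239.255.255.255) is not denied although everything from 240.0.0.0 upward is, and coturn's `no-multicast-peers` option, which exists for exactly that, is not mentioned; and the closing sentence "prevent access ... by means of a firewall" would read better as "restrict the TURN server's outbound traffic to the internal network with a host or network firewall", since a firewall that only blocks inbound traffic does not help here.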