====== TURN service ======

^ Parameter ^ Value ^
| **FQDN** | turn.chapril.org |
| **Port** | 3478 (tcp/udp) |
| **Secret** | See the [[admin:procedures:configuration_password_store|pass]] |

A TURN server is a relay that works around the impossibility of establishing peer-to-peer connections, in particular for SIP or WebRTC traffic. See:

  * https://www.bortzmeyer.org/8656.html
  * https://en.wikipedia.org/wiki/Traversal_Using_Relays_around_NAT

It is a service that carries the traffic itself; in other words, it consumes resources. It is not open to all comers. The secret is in the [[admin:procedures:configuration_password_store|pass]].

===== Installation report =====

==== DNS ====

We add a record in the chapril and chapril-int zones. Don't forget the serial.

==== Installing coturn ====

The installation essentially consists of following this tutorial: https://help.nextcloud.com/t/howto-setup-nextcloud-talk-with-turn-server/30794

So:

  * ''apt install coturn''
  * configure the service:

<code>
listening-port=3478
fingerprint
use-auth-secret
static-auth-secret=XXXXXXXXXXXXXXXXXXXXX
realm=turn.chapril.org
total-quota=100
bps-capacity=0
no-stdout-log
log-file=/var/log/turn.log
syslog
simple-log
no-multicast-peers
no-cli
</code>

  * ''systemctl restart coturn''

==== Firewall ====

=== On the VM ===

We declare a turn service:

<code>
#FHVER: 1:213
# The first line above is required!!
server_turn_ports="tcp/3478 udp/3478"
client_turn_ports="default"
</code>

And we add the opening of the service in firehol-ext2me.conf and firehol-lan2me.conf:

<code>
server turn accept
</code>

=== On the hypervisors ===

We declare a turn service:

<code>
#FHVER: 1:213
# The first line above is required!!
server_turn_ports="tcp/3478 udp/3478"
client_turn_ports="default"
</code>

And we add the turn service to the list of services to open and (for IPv4) to redirect to the [[admin:machines_virtuelles:allo|VM allo]]:

<code>
["turn"]='( "3478" "tcp udp" "192.168.1.64" "2a01:4f8:10b:c41::64" "2a01:4f8:10b:c42::64")'
</code>

==== Test ====

Coturn provides a test utility, but unfortunately it is not packaged separately. So we install a minimal coturn on the workstation and disable it:

<code>
sudo apt install coturn --no-install-recommends
sudo systemctl disable coturn
sudo systemctl stop coturn
</code>

Once installed, we test the service:

<code>
$ turnutils_uclient -v turn.chapril.org -W XXXXXXXXXXXXXXXXX -t
0: IPv4. Connected from: 192.168.8.101:59510
0: IPv4. Connected to: 88.99.233.240:3478
0: allocate sent
0: allocate response received:
0: allocate sent
0: allocate response received:
0: success
0: IPv4. Received relay addr: 192.168.1.64:52198
0: clnet_allocate: rtv=2985305615676396384
0: refresh sent
0: refresh response received:
0: success
0: IPv4. Connected from: 192.168.8.101:59512
0: IPv4. Connected to: 88.99.233.240:3478
0: IPv4. Connected from: 192.168.8.101:59514
0: IPv4. Connected to: 88.99.233.240:3478
0: allocate sent
0: allocate response received:
0: allocate sent
0: allocate response received:
0: success
0: IPv4. Received relay addr: 192.168.1.64:52199
0: clnet_allocate: rtv=0
0: refresh sent
0: refresh response received:
0: success
0: allocate sent
0: allocate response received:
0: allocate sent
0: allocate response received:
0: success
0: IPv4. Received relay addr: 192.168.1.64:54112
0: clnet_allocate: rtv=14986022966068701615
0: refresh sent
0: refresh response received:
0: success
0: channel bind sent
1: cb response received:
1: success: 0x69e2
1: channel bind sent
1: cb response received:
1: success: 0x69e2
1: channel bind sent
1: cb response received:
1: success: 0x40dd
1: channel bind sent
1: cb response received:
1: success: 0x40dd
1: channel bind sent
1: cb response received:
1: success: 0x6c59
1: Total connect time is 2
1: start_mclient: msz=2, tot_send_msgs=0, tot_recv_msgs=0, tot_send_bytes ~ 0, tot_recv_bytes ~ 0
2: start_mclient: msz=2, tot_send_msgs=0, tot_recv_msgs=0, tot_send_bytes ~ 0, tot_recv_bytes ~ 0
3: start_mclient: msz=2, tot_send_msgs=0, tot_recv_msgs=0, tot_send_bytes ~ 0, tot_recv_bytes ~ 0
4: start_mclient: msz=2, tot_send_msgs=0, tot_recv_msgs=0, tot_send_bytes ~ 0, tot_recv_bytes ~ 0
5: start_mclient: msz=2, tot_send_msgs=5, tot_recv_msgs=0, tot_send_bytes ~ 500, tot_recv_bytes ~ 0
...
</code>

==== Monitoring ====

It is a bit of an oddball to monitor. We monitor the presence of the process and the ability to open a TCP connection from the outside.
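The ''use-auth-secret'' / ''static-auth-secret'' settings in the coturn configuration above mean that clients never receive the shared secret itself: an application (Nextcloud Talk here) hands them short-lived credentials derived from it, in coturn's time-limited format (username ''expiry:user'', password = base64 of HMAC-SHA1 over that username with the static secret as key). The following Python is an added illustration, not code from this page or from coturn: it issues such credentials and shows the check a server performs on them; the secret and user name are constructed placeholders.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed placeholder: the real value lives in the password store,
# never in an application config or a wiki page.
STATIC_AUTH_SECRET = "XXXXXXXXXXXXXXXXXXXXX"


def _signature(secret: str, username: str) -> str:
    """base64(HMAC-SHA1(secret, username)), the password coturn expects."""
    mac = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def make_turn_credentials(secret: str, user: str, ttl: int,
                          now: Optional[int] = None) -> Tuple[str, str]:
    """Issue a (username, password) pair valid for `ttl` seconds.

    The username carries the expiry as a Unix timestamp, so the
    credential is useless once that time has passed even if leaked.
    """
    if now is None:
        now = int(time.time())
    username = f"{now + ttl}:{user}"
    return username, _signature(secret, username)


def verify_turn_credentials(secret: str, username: str, password: str,
                            now: Optional[int] = None) -> bool:
    """Server-side check: well-formed, not expired, signature matches."""
    if now is None:
        now = int(time.time())
    expiry, sep, _user = username.partition(":")
    if not sep or not expiry.isdigit():
        return False                      # not in expiry:user form
    if int(expiry) < now:
        return False                      # credential has expired
    # Constant-time comparison so the check does not leak the MAC.
    return hmac.compare_digest(_signature(secret, username), password)


if __name__ == "__main__":
    u, p = make_turn_credentials(STATIC_AUTH_SECRET, "talk-user", 3600)
    print(u, p, verify_turn_credentials(STATIC_AUTH_SECRET, u, p))
```

The ''-W'' argument of ''turnutils_uclient'' in the test above takes the static secret and performs the same derivation internally; an ordinary client should only ever be given the derived pair.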