====== TURN service ======
^ Parameter ^ Value ^
| **FQDN** | turn.chapril.org |
| **Port** | 3478 (tcp/udp) |
| **Secret** | See the [[admin:procedures:configuration_password_store|pass]] |
A TURN server is a relay that works around the impossibility of establishing peer-to-peer connections, notably for SIP or WebRTC traffic.
See:
* https://www.bortzmeyer.org/8656.html
* https://en.wikipedia.org/wiki/Traversal_Using_Relays_around_NAT
It is a service that carries the media stream itself; in other words, it consumes resources. It is not open to all comers. The secret is in the [[admin:procedures:configuration_password_store|pass]].
===== Installation report =====
==== DNS ====
Add a record in the chapril and chapril-int zones. Don't forget to bump the serial.
==== Installing coturn ====
The installation essentially consists of following this tutorial: https://help.nextcloud.com/t/howto-setup-nextcloud-talk-with-turn-server/30794
So:
* apt install coturn
* configure the service:
<code>
listening-port=3478
fingerprint
use-auth-secret
static-auth-secret=XXXXXXXXXXXXXXXXXXXXX
realm=turn.chapril.org
total-quota=100
bps-capacity=0
no-stdout-log
log-file=/var/log/turn.log
syslog
simple-log
no-multicast-peers
no-cli
</code>
* systemctl restart coturn
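With `use-auth-secret` and `static-auth-secret`, coturn stores no per-user passwords: a client presents a username carrying an expiry timestamp and a password that is an HMAC-SHA1 of that username under the shared secret (the same scheme `turnutils_uclient -W` computes on the fly). The following is an added example, not code from this page or from coturn; the secret value is a constructed placeholder and the function names are assumptions:

```python
import base64
import hashlib
import hmac

# Constructed placeholder: in production this is the static-auth-secret from the coturn config
STATIC_AUTH_SECRET = b"XXXXXXXXXXXXXXXXXXXXX"
DEFAULT_TTL = 24 * 3600  # lifetime of an issued credential, in seconds


def make_turn_credential(secret: bytes, user: str, now: int, ttl: int = DEFAULT_TTL):
    """Issue a time-limited TURN credential (coturn "REST API" / use-auth-secret scheme).

    username = "<expiry-unix-timestamp>:<user>"
    password = base64(HMAC-SHA1(secret, username))
    """
    username = f"{now + ttl}:{user}"
    digest = hmac.new(secret, username.encode(), hashlib.sha1).digest()
    return username, base64.b64encode(digest).decode()


def verify_turn_credential(secret: bytes, username: str, password: str, now: int) -> bool:
    """Mirror of the server-side check: reject expired usernames, then compare the HMAC.

    Useful for auditing credentials handed out by an application (e.g. a Nextcloud Talk
    instance) before blaming the relay for a failed allocation.
    """
    try:
        expiry_str, _user = username.split(":", 1)
        expiry = int(expiry_str)
    except ValueError:
        return False  # malformed username: no timestamp prefix
    if expiry <= now:
        return False  # credential has expired; coturn answers 401 in that case
    digest = hmac.new(secret, username.encode(), hashlib.sha1).digest()
    expected = base64.b64encode(digest).decode()
    # constant-time comparison, as for any MAC check
    return hmac.compare_digest(expected, password)


if __name__ == "__main__":
    import time
    user, pw = make_turn_credential(STATIC_AUTH_SECRET, "alice", int(time.time()), 3600)
    print("username:", user)
    print("password:", pw)
    print("valid now:", verify_turn_credential(STATIC_AUTH_SECRET, user, pw, int(time.time())))
```

Short TTLs keep a leaked credential useful only briefly, which is how the relay stays closed to all comers even though the secret itself never leaves the server and the application that issues credentials.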
==== Firewall ====
=== On the VM ===
Declare a turn service:
<code>
#FHVER: 1:213
# The first line above is required!!
server_turn_ports="tcp/3478 udp/3478"
client_turn_ports="default"
</code>
And add the service opening in firehol-ext2me.conf and firehol-lan2me.conf:
<code>
server turn accept
</code>
=== On the hypervisors ===
Declare a turn service:
<code>
#FHVER: 1:213
# The first line above is required!!
server_turn_ports="tcp/3478 udp/3478"
client_turn_ports="default"
</code>
And add the turn service to the list of services to open and (for IPv4) to redirect to the [[admin:machines_virtuelles:allo|VM allo]]:
<code>
["turn"]='( "3478" "tcp udp" "192.168.1.64" "2a01:4f8:10b:c41::64" "2a01:4f8:10b:c42::64")'
</code>
==== Test ====
Coturn provides a test utility; unfortunately it is not packaged separately. So install a minimal coturn on your workstation and disable it:
<code>
sudo apt install coturn --no-install-recommends
sudo systemctl disable coturn
sudo systemctl stop coturn
</code>
Once installed, test the service:
<code>
$ turnutils_uclient -v turn.chapril.org -W XXXXXXXXXXXXXXXXX -t
0: IPv4. Connected from: 192.168.8.101:59510
0: IPv4. Connected to: 88.99.233.240:3478
0: allocate sent
0: allocate response received:
0: allocate sent
0: allocate response received:
0: success
0: IPv4. Received relay addr: 192.168.1.64:52198
0: clnet_allocate: rtv=2985305615676396384
0: refresh sent
0: refresh response received:
0: success
0: IPv4. Connected from: 192.168.8.101:59512
0: IPv4. Connected to: 88.99.233.240:3478
0: IPv4. Connected from: 192.168.8.101:59514
0: IPv4. Connected to: 88.99.233.240:3478
0: allocate sent
0: allocate response received:
0: allocate sent
0: allocate response received:
0: success
0: IPv4. Received relay addr: 192.168.1.64:52199
0: clnet_allocate: rtv=0
0: refresh sent
0: refresh response received:
0: success
0: allocate sent
0: allocate response received:
0: allocate sent
0: allocate response received:
0: success
0: IPv4. Received relay addr: 192.168.1.64:54112
0: clnet_allocate: rtv=14986022966068701615
0: refresh sent
0: refresh response received:
0: success
0: channel bind sent
1: cb response received:
1: success: 0x69e2
1: channel bind sent
1: cb response received:
1: success: 0x69e2
1: channel bind sent
1: cb response received:
1: success: 0x40dd
1: channel bind sent
1: cb response received:
1: success: 0x40dd
1: channel bind sent
1: cb response received:
1: success: 0x6c59
1: Total connect time is 2
1: start_mclient: msz=2, tot_send_msgs=0, tot_recv_msgs=0, tot_send_bytes ~ 0, tot_recv_bytes ~ 0
2: start_mclient: msz=2, tot_send_msgs=0, tot_recv_msgs=0, tot_send_bytes ~ 0, tot_recv_bytes ~ 0
3: start_mclient: msz=2, tot_send_msgs=0, tot_recv_msgs=0, tot_send_bytes ~ 0, tot_recv_bytes ~ 0
4: start_mclient: msz=2, tot_send_msgs=0, tot_recv_msgs=0, tot_send_bytes ~ 0, tot_recv_bytes ~ 0
5: start_mclient: msz=2, tot_send_msgs=5, tot_recv_msgs=0, tot_send_bytes ~ 500, tot_recv_bytes ~ 0
...
</code>
==== Monitoring ====
It is a bit of an oddball to monitor. We monitor the presence of the process and the ability to open a TCP connection from outside.