====== TURN service ======
^ Parameter ^ Value ^
| **FQDN** | turn.chapril.org |
| **Port** | 3478 (tcp/udp) |
| **Secret** | See the [[admin:procedures:configuration_password_store|pass]] |
A TURN server is a relay that works around the impossibility of establishing peer-to-peer connections, notably for SIP or WebRTC traffic.
See:
* https://www.bortzmeyer.org/8656.html ;
* https://en.wikipedia.org/wiki/Traversal_Using_Relays_around_NAT.
It is a service that carries the media stream itself; in other words, one that consumes resources.
It is not //open bar//: access requires credentials.
The secret is in the [[admin:procedures:configuration_password_store|pass]].
===== Installation report =====
==== DNS ====
Add a record in the ''chapril'' and ''chapril-int'' DNS zones.
Don't forget to bump the //serial//.
==== Installing Coturn ====
The installation essentially consists of following this tutorial: https://help.nextcloud.com/t/howto-setup-nextcloud-talk-with-turn-server/30794.
So we install Coturn:
<code bash>
apt install coturn
</code>
We configure the service:
<code>
listening-port=3478
fingerprint
use-auth-secret
static-auth-secret=XXXXXXXXXXXXXXXXXXXXX
realm=turn.chapril.org
total-quota=100
bps-capacity=0
no-stdout-log
log-file=/var/log/turn.log
syslog
simple-log
no-multicast-peers
no-cli
</code>
We restart the //daemon//:
<code bash>
systemctl restart coturn
</code>
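With ''use-auth-secret'' and ''static-auth-secret'', the relay does not hold user accounts: clients present short-lived credentials derived from the shared secret (the TURN REST API scheme, which ''turnutils_uclient -W'' also uses). The following Python script is an added illustration, not Chapril's code; the secret, user id and TTL in it are made up.

```python
import base64
import hashlib
import hmac
import time

# Constructed secret for illustration only; the real one lives in the password store.
STATIC_AUTH_SECRET = "example-static-auth-secret"


def turn_rest_credentials(secret, user_id, ttl=86400, now=None):
    """Derive time-limited TURN credentials from the static-auth-secret.

    The username carries the expiry timestamp; the password is the
    base64-encoded HMAC-SHA1 of that username keyed with the shared secret.
    """
    now = int(time.time()) if now is None else now
    username = f"{now + ttl}:{user_id}"
    digest = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    password = base64.b64encode(digest).decode()
    return username, password


def verify_turn_credentials(secret, username, password, now=None):
    """Check credentials the way a use-auth-secret relay does: valid HMAC and not expired."""
    now = int(time.time()) if now is None else now
    try:
        expiry = int(username.split(":", 1)[0])
    except ValueError:
        return False
    expected = base64.b64encode(
        hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    ).decode()
    # Constant-time comparison so a wrong password does not leak the expected value by timing.
    return hmac.compare_digest(expected, password) and now < expiry


if __name__ == "__main__":
    user, pwd = turn_rest_credentials(STATIC_AUTH_SECRET, "alice", ttl=3600)
    print("username:", user)
    print("password:", pwd)
    print("valid now:", verify_turn_credentials(STATIC_AUTH_SECRET, user, pwd))
```

Because the password is only valid until the timestamp in the username, a leaked credential is useless after the TTL, which is what keeps the relay from being //open bar// while still needing no per-user accounts.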
==== Firewall ====
=== On the VM ===
We declare a TURN service:
<code>
#FHVER: 1:213
# The first line above is required!!
server_turn_ports="tcp/3478 udp/3478"
client_turn_ports="default"
</code>
And we add the opening of the service in ''firehol-ext2me.conf'' and ''firehol-lan2me.conf'':
<code>
server turn accept
</code>
=== On the hypervisors ===
We declare a TURN service:
<code>
#FHVER: 1:213
# The first line above is required!!
server_turn_ports="tcp/3478 udp/3478"
client_turn_ports="default"
</code>
And we add the TURN service to the list of services to open and (for IPv4) to forward to the [[admin:machines_virtuelles:allo|VM Allo]]:
<code bash>
["turn"]='( "3478" "tcp udp" "192.168.1.64" "2a01:4f8:10b:c41::64" "2a01:4f8:10b:c42::64")'
</code>
==== Test ====
Coturn provides a test utility.
Unfortunately it is not //packaged// separately.
So we install a minimal Coturn on our workstation and disable it:
<code bash>
sudo apt install coturn --no-install-recommends
sudo systemctl disable coturn
sudo systemctl stop coturn
</code>
Once installed, we test the service:
<code>
turnutils_uclient -v turn.chapril.org -W XXXXXXXXXXXXXXXXX -t
0: IPv4. Connected from: 192.168.8.101:59510
0: IPv4. Connected to: 88.99.233.240:3478
0: allocate sent
0: allocate response received:
0: allocate sent
0: allocate response received:
0: success
0: IPv4. Received relay addr: 192.168.1.64:52198
0: clnet_allocate: rtv=2985305615676396384
0: refresh sent
0: refresh response received:
0: success
0: IPv4. Connected from: 192.168.8.101:59512
0: IPv4. Connected to: 88.99.233.240:3478
0: IPv4. Connected from: 192.168.8.101:59514
0: IPv4. Connected to: 88.99.233.240:3478
0: allocate sent
0: allocate response received:
0: allocate sent
0: allocate response received:
0: success
0: IPv4. Received relay addr: 192.168.1.64:52199
0: clnet_allocate: rtv=0
0: refresh sent
0: refresh response received:
0: success
0: allocate sent
0: allocate response received:
0: allocate sent
0: allocate response received:
0: success
0: IPv4. Received relay addr: 192.168.1.64:54112
0: clnet_allocate: rtv=14986022966068701615
0: refresh sent
0: refresh response received:
0: success
0: channel bind sent
1: cb response received:
1: success: 0x69e2
1: channel bind sent
1: cb response received:
1: success: 0x69e2
1: channel bind sent
1: cb response received:
1: success: 0x40dd
1: channel bind sent
1: cb response received:
1: success: 0x40dd
1: channel bind sent
1: cb response received:
1: success: 0x6c59
1: Total connect time is 2
1: start_mclient: msz=2, tot_send_msgs=0, tot_recv_msgs=0, tot_send_bytes ~ 0, tot_recv_bytes ~ 0
2: start_mclient: msz=2, tot_send_msgs=0, tot_recv_msgs=0, tot_send_bytes ~ 0, tot_recv_bytes ~ 0
3: start_mclient: msz=2, tot_send_msgs=0, tot_recv_msgs=0, tot_send_bytes ~ 0, tot_recv_bytes ~ 0
4: start_mclient: msz=2, tot_send_msgs=0, tot_recv_msgs=0, tot_send_bytes ~ 0, tot_recv_bytes ~ 0
5: start_mclient: msz=2, tot_send_msgs=5, tot_recv_msgs=0, tot_send_bytes ~ 500, tot_recv_bytes ~ 0
...
</code>
==== Monitoring ====
It is a bit of an oddball to monitor.
We monitor the presence of the process and the ability to open a TCP connection to it from the outside.