Commit e0ff6625, authored 8 years ago by Matthew Hodgson
add setting (on by default) to support TURN for guests
Parent: 3b2dd1b3
Showing 3 changed files with 46 additions and 5 deletions:
docs/turn-howto.rst: 34 additions, 4 deletions
synapse/config/voip.py: 8 additions, 0 deletions
synapse/rest/client/v1/voip.py: 4 additions, 1 deletion
docs/turn-howto.rst (+34, −4)
@@ -50,14 +50,37 @@ You may be able to setup coturn via your package manager, or set it up manually
pwgen -s 64 1
5. Ensure youe firewall allows traffic into the TURN server on
5. Consider your security settings. TURN lets users request a relay
which will connect to arbitrary IP addresses and ports. At the least
we recommend:
# VoIP traffic is all UDP. There is no reason to let users connect to arbitrary TCP endpoints via the relay.
no-tcp-relay
# don't let the relay ever try to connect to private IP address ranges within your network (if any)
# given the turn server is likely behind your firewall, remember to include any privileged public IPs too.
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
# special case the turn server itself so that client->TURN->TURN->client flows work
allowed-peer-ip=10.0.0.1
# consider whether you want to limit the quota of relayed streams per user (or total) to avoid risk of DoS.
user-quota=12 # 4 streams per video call, so 12 streams = 3 simultaneous relayed calls per user.
total-quota=1200
Ideally coturn should refuse to relay traffic which isn't SRTP;
see https://github.com/matrix-org/synapse/issues/2009
6. Ensure your firewall allows traffic into the TURN server on
the ports you've configured it to listen on (remember to allow
both TCP and UDP
if you've enabled both).
both TCP and UDP
TURN traffic)
6
. If you've configured coturn to support TLS/DTLS, generate or
7
. If you've configured coturn to support TLS/DTLS, generate or
import your private key and certificate.
7
. Start the turn server::
8
. Start the turn server::
bin/turnserver -o
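Review bot: the `allowed-peer-ip=10.0.0.1` line in the new step 5 reads like a value to copy verbatim, but the comment above it says it special-cases the TURN server itself, so it must be the server's own relay address; mark it as a placeholder, e.g. `allowed-peer-ip=<address of this turn server>`, so nobody whitelists an unrelated host. The `denied-peer-ip` list also covers only the three RFC 1918 ranges: loopback (127.0.0.0-127.255.255.255) and link-local (169.254.0.0-169.254.255.255) are reachable from the relay as well, as are the IPv6 equivalents where the server has IPv6, so either add them or state that the list is a starting point the operator must extend.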
@@ -83,12 +106,19 @@ Your home server configuration file needs the following extra keys:
to refresh credentials. The TURN REST API specification recommends
one day (86400000).
4. "turn_allow_guests": Whether to allow guest users to use the TURN
server. This is enabled by default, as otherwise VoIP will not
work reliably for guests. However, it does introduce a security risk
as it lets guests connect to arbitrary endpoints without having gone
through a CAPTCHA or similar to register a real account.
As an example, here is the relevant section of the config file for
matrix.org::
turn_uris: [ "turn:turn.matrix.org:3478?transport=udp", "turn:turn.matrix.org:3478?transport=tcp" ]
turn_shared_secret: n0t4ctuAllymatr1Xd0TorgSshar3d5ecret4obvIousreAsons
turn_user_lifetime: 86400000
turn_allow_guests: True
Now, restart synapse::
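Review bot: the new "turn_allow_guests" paragraph names the risk (guests reaching arbitrary endpoints without a CAPTCHA) but not what bounds it; since the option is on by default, point the reader back to the coturn restrictions in step 5 of this document (no-tcp-relay, denied-peer-ip, user-quota/total-quota), because with guests allowed those are the only limits on what an unregistered user can do with the relay. The matrix.org example also sets `turn_allow_guests: True`, which is just the default, so say so, or show `turn_allow_guests: False` so an operator can see how to turn it off.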
synapse/config/voip.py (+8, −0)
@@ -23,6 +23,7 @@ class VoipConfig(Config):
self
.
turn_username
=
config
.
get
(
"
turn_username
"
)
self
.
turn_password
=
config
.
get
(
"
turn_password
"
)
self
.
turn_user_lifetime
=
self
.
parse_duration
(
config
[
"
turn_user_lifetime
"
])
self
.
turn_allow_guests
=
config
.
get
(
"
turn_allow_guests
"
)
or
True
def
default_config
(
self
,
**
kwargs
):
return
"""
\
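Review bot: `config.get("turn_allow_guests") or True` can never evaluate to False: when an operator sets `turn_allow_guests: False`, the expression `False or True` yields True, so the setting this commit documents is silently ignored and guests are always allowed. Use the default argument instead, `self.turn_allow_guests = config.get("turn_allow_guests", True)`, which returns the configured value whenever the key is present and falls back to True only when it is absent.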
@@ -41,4 +42,11 @@ class VoipConfig(Config):
# How long generated TURN credentials last
turn_user_lifetime:
"
1h
"
# Whether guests should be allowed to use the TURN server.
# This is defaults to True, otherwise VoIP will be unreliable for guests.
# However, it does introduce a slight security risk as it allows users to
# connect to arbitrary endpoints without having first signed up for a
# valid account (e.g. by passing a CAPTCHA).
turn_allow_guests: True
"""
synapse/rest/client/v1/voip.py (+4, −1)
@@ -28,7 +28,10 @@ class VoipRestServlet(ClientV1RestServlet):
@defer.inlineCallbacks
def
on_GET
(
self
,
request
):
requester
=
yield
self
.
auth
.
get_user_by_req
(
request
)
requester
=
yield
self
.
auth
.
get_user_by_req
(
request
,
self
.
hs
.
config
.
turn_allow_guests
)
turnUris
=
self
.
hs
.
config
.
turn_uris
turnSecret
=
self
.
hs
.
config
.
turn_shared_secret
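Review bot: the second argument in `get_user_by_req(request, self.hs.config.turn_allow_guests)` is passed positionally, so nothing at the call site says it is the allow-guest flag; passing it as a keyword, under whatever name `get_user_by_req` gives that parameter, makes the intent readable and protects against the parameter order changing. This call is also the only gate on guest access to TURN credentials, so it deserves a test that sets `turn_allow_guests: False` and asserts a guest request is rejected; that test would exercise the `or True` default in synapse/config/voip.py at the same time.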