This repository has been archived by the owner on Mar 22, 2023. It is now read-only.

Add allowed and denied peer to turnserver.conf
Following [1] and [2], the TURN server can be used to access the network behind the TURN server, or the server can be abused to relay attacks on the internet. To work around those problems, the `denied-peer-ip` and `allowed-peer-ip` settings should be used.

[1] https://www.rtcsec.com/post/2020/04/how-we-abused-slacks-turn-servers-to-gain-access-to-internal-services/
[2] https://www.rtcsec.com/post/2021/01/details-about-cve-2020-26262-bypass-of-coturns-default-access-control-protection/
symptog committed Feb 11, 2021
1 parent 062678d commit 2a95fde
Showing 1 changed file with 26 additions and 6 deletions.
32 changes: 26 additions & 6 deletions _posts/2019-02-14-setup-turn-server.md
@@ -104,19 +104,21 @@ $ sudo chmod 0755 /etc/letsencrypt/renewal-hooks/deploy/coturn

Use the file below for `/etc/turnserver.conf` and make the following changes:

* Replace `<turn.example.com>` with the hostname of your TURN server, and
* Replace `<example.com>` with the realm of your TURN server, and
* Replace `<secret_value>` to a random value for a shared secret (you can generate one by running `openssl rand -hex 16`)
* Replace `<IP>` with the external IP of your TURN server
* Replace `<turn.example.com>` with the hostname of your TURN server.
* Replace `<example.com>` with the realm of your TURN server.
* Replace `<secret_value>` to a random value for a shared secret (you can generate one by running `openssl rand -hex 16`).
* Replace `<IP>` with the external IP of your TURN server.
* Replace `<bbb_server_ip>` with the IP Address of your BigBlueButton-Server.
* Repeat `allowed-peer-ip=<ip_address>` for each IPv4 and IPv6 for every BigBlueButton-Server and any other TURN-Server.

This configuration file assumes your TURN server is not behind NAT and has a public IP address.

```ini
listening-port=3478
tls-listening-port=443

listening-ip=$IP
relay-ip=$IP
listening-ip=<IP>
relay-ip=<IP>

# If the server is behind NAT, you need to specify the external IP address.
# If there is only one external address, specify it like this:
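Review bot: the `<secret_value>` bullet carries over the old preposition error: "Replace `<secret_value>` to a random value" should read "Replace `<secret_value>` with a random value for a shared secret (you can generate one by running `openssl rand -hex 16`)." so it matches the other bullets. The last bullet also needs a sentence on why "any other TURN-Server" belongs in the allow list, since a reader applying the deny-all rules added below would otherwise not know which addresses to include; and it should say that `<IP>` here is the same external address used for `listening-ip=<IP>` and `relay-ip=<IP>`, which the `$IP` to `<IP>` rename in this hunk makes consistent with the placeholder list.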
@@ -127,6 +129,24 @@ relay-ip=$IP
#external-ip=172.17.19.131/10.0.0.11
#external-ip=172.17.18.132/10.0.0.12

# Flag that can be used to disallow peers on well-known broadcast addresses
# (224.0.0.0 and above, and FFXX:*). This is an extra security measure.
#
no-multicast-peers

# Option to allow or ban specific ip addresses or ranges of ip addresses.
# If an ip address is specified as both allowed and denied, then the ip address is
# considered to be allowed. This is useful when you wish to ban a range of ip
# addresses, except for a few specific ips within that range.
#
# This can be used when you do not want users of the turn server to be able to access
# machines reachable by the turn server, but would otherwise be unreachable from the
# internet (e.g. when the turn server is sitting behind a NAT)
denied-peer-ip=0.0.0.0-255.255.255.255
denied-peer-ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
allowed-peer-ip=<IP>
allowed-peer-ip=<bbb_server_ip>

min-port=32769
max-port=65535
verbose
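Review bot: `allowed-peer-ip=<IP>` needs its own comment: it re-allows the TURN server's own external address so relayed candidates on this server stay reachable, and because the comment above states that an address listed as both allowed and denied is treated as allowed, any other service bound to `<IP>` also becomes reachable through the relay. Suggest adding `# Allow this server's own relay address; keep other services off <IP> or firewall them` above that line. The stock comment block ending in "(e.g. when the turn server is sitting behind a NAT)" also reads oddly next to the page's statement that this config assumes a public IP; a one-line note that the two `denied-peer-ip` ranges deny every peer regardless of NAT, so the relay cannot be turned against other internet hosts (the second case in the commit message), would avoid confusion.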

0 comments on commit 2a95fde