49 lines
2 KiB
Text
49 lines
2 KiB
Text
# VoIP traffic is all UDP. There is no reason to let users connect to arbitrary TCP endpoints via the relay.
|
|
no-tcp-relay
|
|
|
|
# don't let the relay ever try to connect to private IP address ranges within your network (if any)
|
|
# given the turn server is likely behind your firewall, remember to include any privileged public IPs too.
|
|
denied-peer-ip=10.0.0.0-10.255.255.255
|
|
denied-peer-ip=192.168.0.0-192.168.255.255
|
|
denied-peer-ip=172.16.0.0-172.31.255.255
|
|
|
|
# recommended additional local peers to block, to mitigate external access to internal services.
|
|
# https://www.rtcsec.com/article/slack-webrtc-turn-compromise-and-bug-bounty/#how-to-fix-an-open-turn-relay-to-address-this-vulnerability
|
|
no-multicast-peers
|
|
denied-peer-ip=0.0.0.0-0.255.255.255
|
|
denied-peer-ip=100.64.0.0-100.127.255.255
|
|
denied-peer-ip=127.0.0.0-127.255.255.255
|
|
denied-peer-ip=169.254.0.0-169.254.255.255
|
|
denied-peer-ip=192.0.0.0-192.0.0.255
|
|
denied-peer-ip=192.0.2.0-192.0.2.255
|
|
denied-peer-ip=192.88.99.0-192.88.99.255
|
|
denied-peer-ip=198.18.0.0-198.19.255.255
|
|
denied-peer-ip=198.51.100.0-198.51.100.255
|
|
denied-peer-ip=203.0.113.0-203.0.113.255
|
|
denied-peer-ip=240.0.0.0-255.255.255.255
|
|
|
|
# special case the turn server itself so that client->TURN->TURN->client flows work
|
|
# this should be one of the turn server's listening IPs
|
|
#allowed-peer-ip=10.0.0.1
|
|
|
|
# consider whether you want to limit the quota of relayed streams per user (or total) to avoid risk of DoS.
|
|
user-quota=12 # 4 streams per video call, so 12 streams = 3 simultaneous relayed calls per user.
|
|
total-quota=1200
|
|
|
|
|
|
use-auth-secret
|
|
static-auth-secret=
|
|
realm=turn.m00.se
|
|
|
|
syslog
|
|
|
|
# TLS certificates, including intermediate certs.
|
|
# For Let's Encrypt certificates, use `fullchain.pem` here.
|
|
cert=/etc/ssl/caddy/acme/acme-v02.api.letsencrypt.org-directory/turn.m00.se/turn.m00.se.crt
|
|
|
|
# TLS private key file
|
|
pkey=/etc/ssl/caddy/acme/acme-v02.api.letsencrypt.org-directory/turn.m00.se/turn.m00.se.key
|
|
|
|
# Ensure the configuration lines that disable TLS/DTLS are commented-out or removed
|
|
#no-tls
|
|
#no-dtls
|