verifying new turn instucts

Author: steveseguin

turnserver.md

@@ -53,16 +53,17 @@ stale-nonce=600          # Nonce timeout in seconds
 realm=turn.example.com   # Your server's domain
 server-name=turn.example.com
 no-multicast-peers       # Security measure
-dh2066                   # Strong DH params
 no-stdout-log           # Disable stdout logging
 ```
 
 ## SSL/TLS Support (Optional)
 
-The installer can configure SSL/TLS support which:
+The installer configures SSL/TLS support which:
 - Enables TURNS (TURN over TLS) on port 443
 - Automatically obtains and renews SSL certificates via certbot
+- Generates secure DH parameters for improved TLS security
 - Configures automatic certificate reload without server restart
+- Sets up proper file permissions for security
 
 ## Testing Your Server
 
@@ -130,9 +131,16 @@ sudo systemctl status coturn
    - Manual fix: `sudo setcap cap_net_bind_service=+ep /usr/bin/turnserver`
 
 2. **SSL certificate errors (701)**
-   - Verify certificate permissions
-   - Check certificate paths in configuration
-   - Ensure certificates are readable by turnserver user
+   - Verify certificate permissions: `sudo chown -R turnserver:turnserver /etc/letsencrypt/live/your-domain/`
+   - Check DH parameters: `sudo ls -l /etc/turnserver/dhparam.pem`
+   - Ensure all SSL files are readable by turnserver user
+   - Verify cipher suite compatibility in config
+
+3. **TLS connection failures**
+   - Check firewall rules for both TCP and UDP on port 443
+   - Verify TLS certificate paths in configuration
+   - Ensure DH parameters are properly generated
+   - Check logs: `sudo journalctl -u coturn -n 50`
 
 ## Production Considerations
 
@@ -146,11 +154,13 @@ sudo systemctl status coturn
    - Watch for high CPU/memory usage
    - Track active connections
 
-3. **Security**
-   - Regularly update credentials
-   - Monitor for abuse
-   - Keep coturn and SSL certificates up to date
-
+2. **Security**
+   - Regularly rotate TURN credentials
+   - Monitor for unusual traffic patterns
+   - Keep coturn, OpenSSL, and certificates up to date
+   - Use strong cipher suites for TLS connections
+   - Maintain proper file permissions
+   
 ## Support
 
 For issues or questions:

turnserver_basic.conf

@@ -11,6 +11,5 @@ realm=turn.vdo.ninja
 server-name=turn.vdo.ninja
 no-multicast-peers
 stale-nonce=600
-dh2066
 no-stdout-log
 #verbose

turnserver_install.sh.sample

@@ -8,6 +8,12 @@ fi
 configure_ssl() {
     local DOMAIN=$1
 
+    # Generate DH params first
+    if [ ! -f /etc/turnserver/dhparam.pem ]; then
+        mkdir -p /etc/turnserver
+        openssl dhparam -out /etc/turnserver/dhparam.pem 2066
+    fi
+    
     # Check if port 80 is in use
     if netstat -tuln | grep ':80 '; then
         echo "Warning: Port 80 is in use. Stopping potentially conflicting services..."
@@ -46,11 +52,24 @@ configure_ssl() {
 
     # Update turnserver.conf with SSL settings
     cat >> /etc/turnserver.conf << EOL
+# SSL Configuration
 cert=/etc/letsencrypt/live/${DOMAIN}/fullchain.pem
 pkey=/etc/letsencrypt/live/${DOMAIN}/privkey.pem
-tls-listening-port=443
+dh-file=/etc/turnserver/dhparam.pem
+
+# Cipher Suite
+cipher-list="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
 EOL
 
+    # Set proper permissions
+    chown -R turnserver:turnserver /etc/turnserver
+    chmod 700 /etc/turnserver
+    chmod 600 /etc/turnserver/dhparam.pem
+    
+    # Also ensure proper permissions for SSL certs
+    chown -R turnserver:turnserver /etc/letsencrypt/live/${DOMAIN}/
+    chmod -R 700 /etc/letsencrypt/live/${DOMAIN}/
+    
     # Create renewal hook
     mkdir -p /etc/letsencrypt/renewal-hooks/deploy
     cat > /etc/letsencrypt/renewal-hooks/deploy/coturn-reload << EOL
@@ -70,7 +89,7 @@ install_coturn() {
 
     # Install required packages
     apt-get update
-    apt-get install coturn curl dnsutils -y
+    apt-get install coturn curl dnsutils openssl -y
 
     # Configure system limits
     echo "fs.file-max = 65535" >> /etc/sysctl.conf
@@ -82,20 +101,25 @@ install_coturn() {
 
     # Generate base turnserver configuration
     cat > /etc/turnserver.conf << EOL
+# Listening Ports
 listening-port=3478
-alt-listening-port=0
+alt-listening-port=3479
+tls-listening-port=443
+
+# Authentication
 fingerprint
 lt-cred-mech
-# STUN/TURN configuration
-stun-port=3478
-min-port=49152
-max-port=65535
 user=${USERNAME}:${PASSWORD}
 stale-nonce=600
+
+# Server Configuration
 realm=${DOMAIN}
 server-name=${DOMAIN}
+min-port=49152
+max-port=65535
+
+# Security
 no-multicast-peers
-dh2066
 no-stdout-log
 EOL
 
@@ -152,7 +176,7 @@ echo "Installation complete!"
 echo "----------------------------------------"
 echo "Domain: $DOMAIN"
 echo "Username: $USERNAME"
-echo "STUN/TURN ports: 3478 (default)"
+echo "STUN/TURN ports: 3478 (default), 3479 (alt)"
 if [ "${ENABLE_SSL,,}" = "y" ]; then
     echo "TLS enabled on port 443"
     echo "SSL certificates will automatically renew via certbot"