| 12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322 | .\" Text automatically generated by txt2man.TH TURN 1 "05 June 2021" "" "".SH GENERAL INFORMATIONThe \fBTURN Server\fP project contains the source code of a TURN server and TURN clientmessaging library. Also, some extra programs provided, for testing\-onlypurposes..PPSee the INSTALL file for the building instructions..PPAfter the build, you will have the following binary images:.TP.B1.\fIturnserver\fP: \fBTURN Server\fP relay.The compiled binary image of the \fBTURN Server\fP program is located in bin/ sub\-directory..TP.B2.\fIturnadmin\fP: TURN administration tool. See README.turnadmin and \fIturnadmin\fP man page..TP.B3.turnutils_uclient. See README.turnutils and \fIturnutils\fP man page..TP.B4.turnutils_peer. See README.turnutils and \fIturnutils\fP man page..TP.B5.turnutils_stunclient. See README.turnutils and \fIturnutils\fP man page..TP.B6.turnutils_rfc5769check. See README.turnutils and \fIturnutils\fP man page..PPIn the "examples/scripts" sub\-directory, you will find the examples of command lines to be usedto run the programs. The scripts are meant to be run from examples/ sub\-directory, for example:.PP$ cd examples$ ./scripts/secure_relay.sh.SH SYSTEMDIf the systemd development library is available, then it will notify systemd about the server status..SH RUNNING THE TURN SERVERTo run the coturn server as a daemon use:.PP.nf.fam C  $ turnserver \-o.fam T.fiNote that if you make any changes to the config file the server has to be restarted..PPOptions note: \fIturnserver\fP has long and short option names, for most options.Some options have only long form, some options have only short form. Their syntaxsomewhat different, if an argument is required:.PPThe short form must be used as this (for example):.PP.nf.fam C  $ turnserver \-L 12.34.56.78.fam T.fiThe long form equivalent must use the "=" character:.PP.nf.fam C  $ turnserver \-\-listening\-ip=12.34.56.78.fam T.fiIf this is a flag option (no argument required) then their usage are the same, for example:.PP.nf.fam C $ turnserver \-a.fam T.fiis equivalent to:.PP.nf.fam C $ turnserver \-\-lt\-cred\-mech.fam T.fi.SH =====================================.SS  NAME\fB\fBturnserver \fP\- a TURN relay server implementation.\fB.SS  SYNOPSIS.nf.fam C$ \fIturnserver\fP [\fB\-n\fP | \fB\-c\fP <config\-file> ] [\fIflags\fP] [ \fB\-\-userdb\fP=<userdb\-file> | \fB\-\-psql\-userdb\fP=<db\-conn\-string> | \fB\-\-mysql\-userdb\fP=<db\-conn\-string>  | \fB\-\-mongo\-userdb\fP=<db\-conn\-string>  | \fB\-\-redis\-userdb\fP=<db\-conn\-string> ] [\fB\-z\fP | \fB\-\-no\-auth\fP | \fB\-a\fP | \fB\-\-lt\-cred\-mech\fP ] [\fIoptions\fP]$ \fIturnserver\fP \fB\-h\fP.fam T.fi.fam T.fi.SS  DESCRIPTIONConfig file settings:.TP.B\fB\-n\fPDo not use configuration file, use only command line parameters..TP.B\fB\-c\fPConfiguration file name (default \- turnserver.conf).The format of config file can be seen inthe supplied examples/etc/turnserver.conf example file. Longnames of the \fIoptions\fP are used as the configurationitems names in the file. If not an absolute path is supplied,then the file is searched in the following directories:.RS.IP \(bu 3current directory.IP \(bu 3current directory etc/ sub\-directory.IP \(bu 3upper directory level etc/.IP \(bu 3/etc/.IP \(bu 3/usr/local/etc/.IP \(bu 3installation directory /etc.RE.PPUser database settings:.TP.B\fB\-b\fP, \fB\-\-db\fP, \fB\-\-userdb\fPSQLite user database file name (default \- /var/db/turndb or/usr/local/var/db/turndb or /var/lib/turn/turndb)..TP.B\fB\-e\fP, \fB\-\-psql\-userdb\fPUser database connection string for PostgreSQL.This database can be used for long\-term credentials mechanism,and it can store the secret valuefor secret\-based timed authentication in TURN REST API.The connection string format is like that:.RS.PP"host=<host> dbname=<dbname> user=<db\-user> password=<db\-user\-password> connect_timeout=<seconds>"(for 8.x or newer Postgres)..PPOr:.PP"postgresql://username:password@hostname:port/databasename"(for 9.x or newer Postgres)..PPSee the INSTALL file for more explanations and examples..PPAlso, see http://www.PostgreSQL.org for full PostgreSQL documentation..RE.TP.B\fB\-M\fP, \fB\-\-mysql\-userdb\fPUser database connection string for MySQL or MariaDB.This database can be used for long\-term credentials mechanism,and it can store the secret value forsecret\-based timed authentication in TURN REST API.The connection string format is like that:.RS.PP"host=<host> dbname=<dbname> user=<db\-user> password=<db\-user\-password> connect_timeout=<seconds> read_timeout=<seconds>".PPSee the INSTALL file for more explanations and examples..PPAlso, see http://www.mysql.org or http://mariadb.orgfor full MySQL documentation..PPOptional connection string parameters for the secure communications (SSL):ca, capath, cert, key, cipher(see http://dev.mysql.com/doc/refman/5.1/en/ssl\-options.html for thecommand \fIoptions\fP description)..RE.TP.B\fB\-\-secret\-key\-file\fPThis is the file path which contain secret key of aes encryption while using MySQL password encryption.If you want to use in the MySQL connection string the password in encrypted format,then set in this option the file path of the secret key. The key which is used to encrypt MySQL password.Warning: If this option is set, then MySQL password must be set in "mysql\-userdb" option in encrypted format!If you want to use cleartext password then do not set this option!.TP.B\fB\-J\fP, \fB\-\-mongo\-userdb\fPUser database connection string for MongoDB.This database can be used for long\-term credentials mechanism,and it can store the secret valuefor secret\-based timed authentication in TURN REST API.The connection string format is like that:.RS.PP"mongodb://username:password@host:port/database?\fIoptions\fP".PPSee the INSTALL file for more explanations and examples..PPAlso, see http://docs.mongodb.org/manual/for full MongoDB documentation..RE.TP.B\fB\-N\fP, \fB\-\-redis\-userdb\fPUser database connection string for Redis.This database can be used for long\-term credentials mechanism,and it can store the secretvalue for secret\-based timed authentication in TURN REST API.The connection string format is like that:.RS.PP"ip=<ip\-addr> dbname=<db\-number> password=<db\-password> connect_timeout=<seconds>".PPSee the INSTALL file for more explanations and examples..PPAlso, see http://redis.io for full Redis documentation..RE.PPFlags:.TP.B\fB\-v\fP, \fB\-\-verbose\fPModerate verbose mode..TP.B\fB\-V\fP, \fB\-\-Verbose\fPExtra verbose mode, very annoying and not recommended..TP.B\fB\-o\fP, \fB\-\-daemon\fPRun server as daemon..PP\fB\-\-no\-software\-attribute\fP Production mode: hide the software version..TP.B\fB\-f\fP, \fB\-\-fingerprint\fPUse fingerprints in the TURN messages. If an incoming requestcontains a fingerprint, then TURN server will always addfingerprints to the messages in this session, regardless of theper\-server setting..TP.B\fB\-a\fP, \fB\-\-lt\-cred\-mech\fPUse long\-term credentials mechanism (this one you need for WebRTC usage)..TP.B\fB\-z\fP, \fB\-\-no\-auth\fPDo not use any credentials mechanism, allow anonymous access.Opposite to \fB\-a\fP and \fB\-A\fP \fIoptions\fP. This is default option when noauthentication\-related \fIoptions\fP are set.By default, no credential mechanism is used \-any user is allowed..TP.B\fB\-\-use\-auth\-secret\fPTURN REST API flag.Flag that sets a special WebRTC authorization optionthat is based upon authentication secret. The feature purposeis to support "\fBTURN Server\fP REST API" as described inthe TURN REST API section below.This option uses timestamp as part of combined username:usercombo \-> "timestamp:username",turn user \-> usercombo,turn password \-> \fBbase64\fP(hmac(input_buffer = usercombo, key = shared\-secret)).This allows TURN credentials to be accounted for a specific user id.If you don't have a suitable id, the timestamp alone can be used.This option is just turns on secret\-based authentication.The actual value of the secret is defined either by option static\-auth\-secret,or can be found in the turn_secret table in the database..TP.B\fB\-\-oauth\fPSupport oAuth authentication, as in the third\-party STUN/TURN RFC 7635..TP.B\fB\-\-dh566\fPUse 566 bits predefined DH TLS key. Default size of the key is 2066..TP.B\fB\-\-dh1066\fPUse 1066 bits predefined DH TLS key. Default size of the key is 2066..TP.B\fB\-\-no\-tlsv1\fPSet TLSv1_1/DTLSv1.2 as a minimum supported protocol version.With openssl\-1.0.2 and below, do not allow TLSv1.2/DTLSv1.2 protocols..TP.B\fB\-\-no\-tlsv1_1\fPSet TLSv1_2/DTLSv1.2 as a minimum supported protocol version.With openssl\-1.0.2 and below, do not allow TLSv1.1 protocol..TP.B\fB\-\-no\-tlsv1_2\fPSet TLSv1_3/DTLSv1.2 as a minimum supported protocol version.With openssl\-1.0.2 and below, do not allow TLSv1.2/DTLSv1.2 protocols..TP.B\fB\-\-no\-udp\fPDo not start UDP client listeners..TP.B\fB\-\-no\-tcp\fPDo not start TCP client listeners..TP.B\fB\-\-no\-tls\fPDo not start TLS client listeners..TP.B\fB\-\-no\-dtls\fPDo not start DTLS client listeners..TP.B\fB\-\-no\-udp\-relay\fPDo not allow UDP relay endpoints defined in RFC 5766,use only TCP relay endpoints as defined in RFC 6062..TP.B\fB\-\-no\-tcp\-relay\fPDo not allow TCP relay endpoints defined in RFC 6062,use only UDP relay endpoints as defined in RFC 5766..TP.B\fB\-\-no\-stdout\-log\fPFlag to prevent stdout log messages.By default, all log messages are going to both stdout and tothe configured log file. With this option everything will be going tothe log file only (unless the log file itself is stdout)..TP.B\fB\-\-syslog\fPWith this flag, all log will be redirected to the system log (syslog)..TP.B\fB\-\-simple\-log\fPThis flag means that no log file rollover will be used, and the log filename will be constructed as\-is, without PID and date appendage.This option can be used, for example, together with the logrotate tool..TP.B\fB\-\-new\-log\-timestamp\fPEnable full ISO\-8601 timestamp in all logs..TP.B\fB\-\-new\-log\-timestamp\-format\fP<format>        Set timestamp format (in \fBstrftime\fP(1) format).TP.B\fB\-\-log\-binding\fPLog STUN binding request. It is now disabled by default to avoid DoS attacks..TP.B\fB\-\-secure\-stun\fPRequire authentication of the STUN Binding request.By default, the clients are allowed anonymous access to the STUN Binding functionality..TP.B\fB\-S\fP, \fB\-\-stun\-only\fPRun as STUN server only, all TURN requests will be ignored.Option to suppress TURN functionality, only STUN requests will be processed..TP.B\fB\-\-no\-stun\fPRun as TURN server only, all STUN requests will be ignored.Option to suppress STUN functionality, only TURN requests will be processed..TP.B\fB\-\-allow\-loopback\-peers\fPAllow peers on the loopback addresses (127.x.x.x and ::1).Allow it only for testing in a development environment!In production it adds a possible security vulnerability,and so due to security reasons, it is not allowedusing it together with empty cli\-password..TP.B\fB\-\-no\-multicast\-peers\fPDisallow peers on well\-known broadcast addresses(224.0.0.0 and above, and FFXX:*)..TP.B\fB\-\-mobility\fPMobility with ICE (MICE) specs support..TP.B\fB\-\-no\-cli\fPTurn OFF the CLI support. By default it is always ON.See also \fIoptions\fP \fB\-\-cli\-ip\fP and \fB\-\-cli\-port\fP..TP.B\fB\-\-server\-relay\fPServer relay. NON\-STANDARD AND DANGEROUS OPTION.Only for those applications when we want to runserver applications on the relay endpoints.This option eliminates the IP permissions checkon the packets incoming to the relay endpoints.See http://tools.ietf.org/search/rfc5766#section\-17.2.3 ..TP.B\fB\-\-udp\-self\-balance\fP(recommended for older Linuxes only)Automatically balance UDP traffic over auxiliary servers(if configured). The load balancing is using theALTERNATE\-SERVER mechanism. The TURN client must support300 ALTERNATE\-SERVER response for this functionality..TP.B\fB\-\-check\-origin\-consistency\fPThe flag that sets the origin consistencycheck: across the session, all requests must have the samemain ORIGIN attribute value (if the ORIGIN wasinitially used by the session)..TP.B\fB\-\-prometheus\fPEnable prometheus metrics. By default it isdisabled. Would listen on port 9641 under the path /metricsalso the path / on this port can be used as a health check.RS.TP.B\fB\-\-prometheus\-username\-labels\fPEnable labeling prometheus trafficmetrics with client usernames. Labeling with client usernames isdisabled by default, because this may cause memory leaks when usingauthentication with ephemeral usernames (e.g. TURN REST API)..RE.TP.B\fB\-\-prometheus\-port\fPPrometheus listener port (Default: 9641)..TP.B\fB\-h\fPHelp..PPOptions with values:.TP.B\fB\-\-stale\-nonce\fP[=<value>]Use extra security with nonce value havinglimited lifetime, in seconds (default 600 secs).Set it to 0 for unlimited nonce lifetime..TP.B\fB\-\-max\-allocate\-lifetime\fPSet the maximum value for the allocation lifetime.Default to 3600 secs..TP.B\fB\-\-channel\-lifetime\fPSet the lifetime for channel binding, default to 600 secs.This value MUST not be changed for production purposes..TP.B\fB\-\-permission\-lifetime\fPSet the value for the lifetime of the permission.Default to 300 secs.This MUST not be changed for production purposes..TP.B\fB\-d\fP, \fB\-\-listening\-device\fPListener interface device.(NOT RECOMMENDED. Optional functionality, Linux only).The \fIturnserver\fP process must have root privileges to bind thelistening endpoint to a device. If \fIturnserver\fP must run as aprocess without root privileges, then just do not use this setting..TP.B\fB\-L\fP, \fB\-\-listening\-ip\fPListener IP address of relay server.Multiple listeners can be specified, for example:\fB\-L\fP ip1 \fB\-L\fP ip2 \fB\-L\fP ip3If no \fBIP\fP(s) specified, then all IPv4 andIPv6 system IPs will be used for listening.The same \fBip\fP(s) can be used as both listening and relay \fBip\fP(s)..TP.B\fB\-p\fP, \fB\-\-listening\-port\fPTURN listener port for UDP and TCP listeners (Default: 3478).Note: actually, TLS & DTLS sessions can connect to the "plain" TCP & UDP\fBport\fP(s), too \- if allowed by configuration..TP.B\fB\-\-tls\-listening\-port\fPTURN listener port for TLS and DTLS listeners (Default: 5349).Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS\fBport\fP(s), too \- if allowed by configuration. The TURN server"automatically" recognizes the type of traffic. Actually, two listeningendpoints (the "plain" one and the "tls" one) are equivalent in terms offunctionality; but we keep both endpoints to satisfy the RFC 5766 specs.For secure TCP connections, we currently support SSL version 3 andTLS versions 1.0, 1.1, 1.2.For secure UDP connections, we support DTLS version 1..TP.B\fB\-\-alt\-listening\-port\fPAlternative listening port for UDP and TCP listeners;default (or zero) value means "listening port plus one".This is needed for STUN CHANGE_REQUEST \- in RFC 5780 senseor in old RFC 3489 sense \- for NAT behavior discovery). The \fBTURN Server\fPsupports CHANGE_REQUEST only if it is started with more than onelistening IP address of the same family (IPv4 or IPv6). The CHANGE_REQUESTis only supported by UDP protocol, other protocols are listeningon that endpoint only for "symmetry"..TP.B\fB\-\-alt\-tls\-listening\-port\fPAlternative listening port for TLS and DTLS protocols.Default (or zero) value means "TLS listening port plus one"..TP.B\fB\-\-tcp\-proxy\-port\fPSupport connections from TCP loadbalancer on this port. The loadbalancershould use the binary proxy protocol.(https://www.haproxy.org/download/1.8/doc/proxy\-protocol.txt).TP.B\fB\-\-aux\-server\fPAuxiliary STUN/TURN server listening endpoint.Aux servers have almost full TURN and STUN functionality.The (minor) limitations are:.RS.IP 1) 4Auxiliary servers do not have alternative ports andthey do not support STUN RFC 5780 functionality (CHANGE REQUEST)..IP 2) 4Auxiliary servers also are never returning ALTERNATIVE\-SERVER reply..RE.PPValid formats are 1.2.3.4:5555 for IPv4 and [1:2::3:4]:5555 for IPv6.There may be multiple aux\-server \fIoptions\fP, each will be used for listeningto client requests..TP.B\fB\-i\fP, \fB\-\-relay\-device\fPRelay interface device for relay sockets(NOT RECOMMENDED. Optional, Linux only)..TP.B\fB\-E\fP, \fB\-\-relay\-ip\fPRelay address (the local IP address thatwill be used to relay the packets to thepeer). Multiple relay addresses may be used:\fB\-E\fP ip1 \fB\-E\fP ip2 \fB\-E\fP ip3The same \fBIP\fP(s) can be used as both listening \fBIP\fP(s) and relay \fBIP\fP(s).If no relay \fBIP\fP(s) specified, then the \fIturnserver\fP will apply thedefault policy: it will decide itself which relay addresses to beused, and it will always be using the client socket IP address asthe relay IP address of the TURN session (if the requested relayaddress family is the same as the family of the client socket)..TP.B\fB\-X\fP, \fB\-\-external\-ip\fP\fBTURN Server\fP public/private address mapping, if the server is behind NAT.In that situation, if a \fB\-X\fP is used in form "\fB\-X\fP <ip>" then that ip will be reportedas relay IP address of all allocations. This scenario works only in a simple casewhen one single relay address is be used, and no CHANGE_REQUEST functionality isrequired. That single relay address must be mapped by NAT to the 'external' IP.The "external\-ip" value, if not empty, is returned in XOR\-RELAYED\-ADDRESS field.For that 'external' IP, NAT must forward ports directly (relayed port 12345must be always mapped to the same 'external' port 12345).In more complex case when more than one IP address is involved,that option must be used several times, each entry musthave form "\fB\-X\fP <public\-ip/private\-ip>", to map all involved addresses.CHANGE_REQUEST (RFC5780 or RFC3489) NAT discovery STUN functionality will workcorrectly, if the addresses are mapped properly, even when the TURN server itselfis behind A NAT.By default, this value is empty, and no address mapping is used..TP.B\fB\-m\fP, \fB\-\-relay\-threads\fPNumber of the relay threads to handle the established connections(in addition to authentication thread and the listener thread).If explicitly set to 0 then application runs relay process in a single thread,in the same thread with the listener process (the authentication thread willstill be a separate thread). If not set, then a default optimal algorithmwill be employed (OS\-dependent). In the older Linux systems(before Linux kernel 3.9), the number of UDP threads is always one threadsper network listening endpoint \- unless "\fB\-m\fP 0" or "\fB\-m\fP 1" is set..TP.B\fB\-\-min\-port\fPLower bound of the UDP port range for relayendpoints allocation.Default value is 49152, according to RFC 5766..TP.B\fB\-\-max\-port\fPUpper bound of the UDP port range for relayendpoints allocation.Default value is 65535, according to RFC 5766..TP.B\fB\-u\fP, \fB\-\-user\fPLong\-term security mechanism credentials user account,in the column\-separated form username:key.Multiple user accounts may be used in the command line.The key is either the user password, orthe key is generatedby \fIturnadmin\fP command. In the second case,the key must be prepended with 0x symbols.The key is calculated over the user name,the user realm, and the user password.This setting may not be used with TURN REST API..TP.B\fB\-r\fP, \fB\-\-realm\fPThe default realm to be used for the users when no explicitorigin/realm relationship was found in the database, or if the TURNserver is not using any database (just the commands\-line settingsand the userdb file). Must be used with long\-term credentialsmechanism or with TURN REST API..TP.B\fB\-C\fP, \fB\-\-rest\-api\-separator\fPThis is the timestamp/username separator symbol(character) in TURN REST API. The default value is :..TP.B\fB\-q\fP, \fB\-\-user\-quota\fPPer\-user allocations quota: how many concurrentallocations a user can create. This option can also be setthrough the database, for a particular realm..TP.B\fB\-Q\fP, \fB\-\-total\-quota\fPTotal allocations quota: global limit on concurrent allocations.This option can also be set through the database, for a particular realm..TP.B\fB\-s\fP, \fB\-\-max\-bps\fPMax bytes\-per\-second bandwidth a TURN session is allowed to handle(input and output network streams are treated separately). Anything abovethat limit will be dropped or temporary suppressed (within theavailable buffer limits). This option can also be set through thedatabase, for a particular realm..TP.B\fB\-B\fP, \fB\-\-bps\-capacity\fPMaximum server capacity.Total bytes\-per\-second bandwidth the TURN server is allowed to allocatefor the sessions, combined (input and output network streams are treatedseparately)..TP.B\fB\-\-static\-auth\-secret\fPStatic authentication secret value (a string) for TURN REST API only.If not set, then the turn server will try to use the dynamic valuein turn_secret table in user database (if present). The database\-storedvalue can be changed on\-the\-fly by a separate program, so this is whythat other mode is dynamic. Multiple shared secrets can be used(both in the database and in the "static" fashion)..RS.TP.B\fB\-\-no\-auth\-pings\fPDisable periodic health checks to 'dynamic' auth secret tables..TP.B\fB\-\-no\-dynamic\-ip\-list\fPDo not use dynamic allowed/denied peer ip list..TP.B\fB\-\-no\-dynamic\-realms\fPDo not use dynamic realm assignment and \fIoptions\fP..RE.TP.B\fB\-\-server\-name\fPServer name used forthe oAuth authentication purposes.The default value is the realm name..TP.B\fB\-\-cert\fPCertificate file, PEM format. Same filesearch rules applied as for the configurationfile. If both \fB\-\-no\-tls\fP and \fB\-\-no\-dtls\fP \fIoptions\fPare specified, then this parameter is not needed.Default value is turn_server_cert.pem..TP.B\fB\-\-pkey\fPPrivate key file, PEM format. Same filesearch rules applied as for the configurationfile. If both \fB\-\-no\-tls\fP and \fB\-\-no\-dtls\fP \fIoptions\fPare specified, then this parameter is not needed.Default value is turn_server_pkey.pem..TP.B\fB\-\-pkey\-pwd\fPIf the private key file is encrypted, then this password to be used..TP.B\fB\-\-cipher\-list\fPAllowed OpenSSL cipher list for TLS/DTLS connections.Default value is "DEFAULT" for TLS/DTLS versions up to TLSv1.2/DTLSv1.2,and the library default ciphersuites for TLSv1.3..TP.B\fB\-\-CA\-file\fPCA file in OpenSSL format.Forces TURN server to verify the client SSL certificates.By default, no CA is set and no client certificate check is performed..TP.B\fB\-\-ec\-curve\-name\fPCurve name for EC ciphers, if supported by OpenSSLlibrary (TLS and DTLS). The default value is prime256v1,if pre\-OpenSSL 1.0.2 is used. With OpenSSL 1.0.2+,an optimal curve will be automatically calculated, if not definedby this option..TP.B\fB\-\-dh\-file\fPUse custom DH TLS key, stored in PEM format in the file.Flags \fB\-\-dh566\fP and \fB\-\-dh1066\fP are ignored when the DH key is taken from a file..TP.B\fB\-l\fP, \fB\-\-log\-file\fPOption to set the full path name of the log file.By default, the \fIturnserver\fP tries to open a log file in/var/log/\fIturnserver\fP, /var/log, /var/tmp, /tmp and . (current)directories (which file open operation succeedsfirst that file will be used). With this option you can set thedefinite log file name.The special names are "stdout" and "\-" \- they will force everythingto the stdout. Also, "syslog" name will redirect everything intothe system log (syslog), as if the option "\fB\-\-syslog\fP" was set.In the runtime, the logfile can be reset with the SIGHUP signalto the \fIturnserver\fP process..TP.B\fB\-\-alternate\-server\fPOption to set the "redirection" mode. The value of this optionwill be the address of the alternate server for UDP & TCP service in form of<ip>[:<port>]. The server will send this value in the attributeALTERNATE\-SERVER, with error 300, on ALLOCATE request, to the client.Client will receive only values with the same address familyas the client network endpoint address family.See RFC 5389 and RFC 5766 for ALTERNATE\-SERVER functionality description.The client must use the obtained value for subsequent TURN communications.If more than one \fB\-\-alternate\-server\fP \fIoptions\fP are provided, then the functionalitycan be more accurately described as "load\-balancing" than a mere "redirection".If the port number is omitted, then the default portnumber 3478 for the UDP/TCP protocols will be used.Colon (:) characters in IPv6 addresses may conflict with the syntax ofthe option. To alleviate this conflict, literal IPv6 addresses are enclosedin square brackets in such resource identifiers, for example:[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 .Multiple alternate servers can be set. They will be used in theround\-robin manner. All servers in the pool are considered of equal weight andthe load will be distributed equally. For example, if we have 4 alternate servers,then each server will receive 25% of ALLOCATE requests. An alternate TURN serveraddress can be used more than one time with the alternate\-server option, so thiscan emulate "weighting" of the servers..TP.B\fB\-\-tls\-alternate\-server\fPOption to set alternative server for TLS & DTLS services in form of<ip>:<port>. If the port number is omitted, then the default portnumber 5349 for the TLS/DTLS protocols will be used. See theprevious option for the functionality description..TP.B\fB\-O\fP, \fB\-\-redis\-statsdb\fPRedis status and statistics database connection string, if used (default \- empty,no Redis stats DB used). This database keeps allocations status information, and it canbe also used for publishing and delivering traffic and allocation event notifications.This database option can be used independently of \fB\-\-redis\-userdb\fP option,and actually Redis can be used for status/statistics and SQLite or MySQL or MongoDB orPostgreSQL can be used for the user database.The connection string has the same parameters as redis\-userdb connection string..TP.B\fB\-\-max\-allocate\-timeout\fPMax time, in seconds, allowed for full allocation establishment.Default is 60 seconds..PP\fB\-\-denied\-peer\-ip\fP=<IPaddr[\fB\-IPaddr\fP]>.PP\fB\-\-allowed\-peer\-ip\fP=<IPaddr[\fB\-IPaddr\fP]> Options to ban or allow specific ip addresses or rangesof ip addresses. If an ip address is specified as both allowed and denied, thenthe ip address is considered to be allowed. This is useful when you wish to bana range of ip addresses, except for a few specific ips within that range.This can be used when you do not want users of the turn server to be able to accessmachines reachable by the turn server, but would otherwise be unreachable from theinternet (e.g. when the turn server is sitting behind a NAT). The 'white" and "black" peerIP ranges can also be dynamically changed in the database.The allowed/denied addresses (white/black lists) rules are very simple:.RS.IP 1) 4If there is no rule for an address, then it is allowed;.IP 2) 4If there is an "allowed" rule that fits the address then it is allowed \- no matter what;.IP 3) 4If there is no "allowed" rule that fits the address, and if there is a "denied" rule thatfits the address, then it is denied..RE.TP.B\fB\-\-pidfile\fPFile name to store the pid of the process.Default is /var/run/turnserver.pid (if superuser account is used) or/var/tmp/turnserver.pid ..TP.B\fB\-\-acme\-redirect\fP<URL>  Redirect ACME/RFC8555 (like Let's Encrypt challenge) requests, i.e.HTTP GET requests matching '^/.well\-known/acme\-challenge/(.*)'to <URL>$1 with $1 == (.*). No validation of <URL> will be done,so make sure you do not forget the trailing slash. If <URL> is an emptystring (the default value), no special handling of such requests will be done..TP.B\fB\-\-proc\-user\fPUser name to run the process. After the initialization, the \fIturnserver\fP processwill make an attempt to change the current user ID to that user..TP.B\fB\-\-proc\-group\fPGroup name to run the process. After the initialization, the \fIturnserver\fP processwill make an attempt to change the current group ID to that group..TP.B\fB\-K\fP, \fB\-\-keep\-address\-family\fPDeprecated and will be removed in favor of \fB\-\-allocation\-default\-address\-family\fP!!TURN server allocates address family according TURNClient <=> Server communication address family.!! It breaks RFC6156 section\-4.2 (violates default IPv4) !!.TP.B\fB\-A\fP \fB\-\-allocation\-default\-address\-family\fP=<ipv4|ipv6|keep>Default is IPv4TURN server allocates address family according TURN client requested address family.If address family not requested explicitly by the client, then it falls back to this default.The standard RFC explicitly define that this default must be IPv4, so use other option values with care!.TP.B\fB\-\-cli\-ip\fPLocal system IP address to be used for CLI management interface.The \fIturnserver\fP process can be accessed for management with telnet,at this IP address and on the CLI port (see the next parameter).Default value is 127.0.0.1. You can use telnet or putty (in telnet mode)to access the CLI management interface..TP.B\fB\-\-cli\-port\fPCLI management interface listening port. Default is 5766..TP.B\fB\-\-cli\-password\fPCLI access password. Default is empty (no password).For the security reasons, it is recommended to use the encryptedform of the password (see the \fB\-P\fP command in the \fIturnadmin\fPutility). The dollar signs in the encrypted form must be escaped..TP.B\fB\-\-cli\-max\-output\-sessions\fPMaximum number of output sessions in ps CLI command.This value can be changed on\-the\-fly in CLI. The default value is 256..TP.B\fB\-\-web\-admin\fPEnable Turn Web\-admin support. By default it is disabled..TP.B\fB\-\-web\-admin\-ip\fP=<IP>Local system IP address to be used for Web\-admin server endpoint. Default value is 127.0.0.1..TP.B\fB\-\-web\-admin\-port\fP=<port>Web\-admin server port. Default is 8080..TP.B\fB\-\-web\-admin\-listen\-on\-workers\fPEnable for web\-admin server to listens on STUN/TURN workers STUN/TURN ports.By default it is disabled for security reasons!(This behavior used to be the default behavior, and was enabled by default.).TP.B\fB\-\-ne\fP=[1|2|3]Set network engine type for the process (for internal purposes)..TP.B\fB\-\-no\-rfc5780\fPDisable RFC5780 (NAT behavior discovery).Originally, if there are more than one listener address from the sameaddress family, then by default the NAT behavior discovery feature enabled.This option disables this original behavior, because the NAT behavior discoveryadds attributes to response, and this increase the possibility of an amplification attack.Strongly encouraged to use this option to decrease gain factor in STUN binding responses..TP.B\fB\-\-no\-stun\-backward\-compatibility\fPDisable handling old STUN Binding requests and disable MAPPED\-ADDRESS attribute in binding response (use only the XOR\-MAPPED\-ADDRESS)..TP.B\fB\-\-response\-origin\-only\-with\-rfc5780\fPOnly send RESPONSE\-ORIGIN attribute in binding response if RFC5780 is enabled..RE.PP.SH ==================================.SH LOAD BALANCE AND PERFORMANCE TUNINGThis topic is covered in the wiki page:.PPhttps://github.com/coturn/coturn/wiki/turn_performance_and_load_balance.SH ===================================.SH WEBRTC USAGEThis is a set of notes for the WebRTC users:.IP 1) 4WebRTC uses long\-term authentication mechanism, so you have to use \fB\-a\fPoption (or \fB\-\-lt\-cred\-mech\fP). WebRTC relaying will not work with anonymousaccess. With \fB\-a\fP option, do not forget to set thedefault realm (\fB\-r\fP option). You will also have to set up the user accounts,for that you have a number of \fIoptions\fP:.PP.nf.fam C        a) command\-line options (\-u).        b) a database table (SQLite or PostgreSQL or MySQL or MongoDB). You will have to        set keys with turnadmin utility (see docs and wiki for turnadmin).        You cannot use open passwords in the database.        c) Redis key/value pair(s), if Redis is used. You key use either keys or        open passwords with Redis; see turndb/testredisdbsetup.sh file.        d) You also can use the TURN REST API. You will need shared secret(s) set        either  through the command line option, or through the config file, or through        the database table or Redis key/value pairs..fam T.fi.IP 2) 4Usually WebRTC uses fingerprinting (\fB\-f\fP)..IP 3) 4\fB\-v\fP option may be nice to see the connected clients..IP 4) 4\fB\-X\fP is needed if you are running your TURN server behind a NAT..IP 5) 4\fB\-\-min\-port\fP and \fB\-\-max\-port\fP may be needed if you want to limit the relay endpoints portsnumber range..SH ===================================.SH TURN REST APIIn WebRTC, the browser obtains the TURN connection information from the webserver. This information is a secure information \- because it contains thenecessary TURN credentials. As these credentials are transmitted over thepublic networks, we have a potential security breach..PPIf we have to transmit a valuable information over the public network,then this information has to have a limited lifetime. Then the guy whoobtains this information without permission will be able to performonly limited damage..PPThis is how the idea of TURN REST API \- time\-limited TURN credentials \-appeared. This security mechanism is based upon the long\-term credentialsmechanism. The main idea of the REST API is that the web server providesthe credentials to the client, but those credentials can be used onlylimited time by an application that has to create a TURN server connection..PPThe "classic" long\-term credentials mechanism (LTCM) is described here:.PPhttp://tools.ietf.org/html/rfc5389#section\-10.2.PPhttp://tools.ietf.org/html/rfc5389#section\-15.4.PPFor authentication, each user must know two things: the username and thepassword. Optionally, the user must supply the ORIGIN value, so that theserver can figure out the realm to be used for the user. The nonce andthe realm values are supplied by the TURN server. But LTCM is not sayinganything about the nature and about the persistence of the username andof the password; and this is used by the REST API..PPIn the TURN REST API, there is no persistent passwords for users. A user hasjust the username. The password is always temporary, and it is generated bythe web server on\-demand, when the user accesses the WebRTC page. And,actually, a temporary one\-time session only, username is provided to the user,too..PPThe temporary user is generated as:.PPtemporary\-username="timestamp" + ":" + "username".PPwhere username is the persistent user name, and the timestamp format is justseconds since 1970 \- the same value as \fBtime\fP(NULL) function returns..PPThe temporary password is obtained as HMAC\-SHA1 function over the temporaryusername, with shared secret as the HMAC key, and then the result is encoded:.PPtemporary\-password = \fBbase64_encode\fP(hmac\-sha1(shared\-secret, temporary\-username)).PPBoth the TURN server and the web server know the same shared secret. How theshared secret is distributed among the involved entities is left to the WebRTCdeployment details \- this is beyond the scope of the TURN REST API..PPSo, a timestamp is used for the temporary password calculation, and thistimestamp can be retrieved from the temporary username. This informationis valuable, but only temporary, while the timestamp is not expired. Withoutknowledge of the shared secret, a new temporary password cannot be generated..PPThis is all formally described in Justin's Uberti TURN REST API documentthat can be obtained following the link "TURN REST API" in the \fBTURN Server\fPproject's page https://github.com/coturn/coturn/..PPOnce the temporary username and password are obtained by the client (browser)application, then the rest is just 'classic" long\-term credentials mechanism.For developers, we are going to describe it step\-by\-step below:.RS.IP \(bu 3a new TURN client sends a request command to the TURN server. Optionally,it adds the ORIGIN field to it..IP \(bu 3TURN server sees that this is a new client and the message is notauthenticated..IP \(bu 3the TURN server generates a random nonce string, and return theerror 401 to the client, with nonce and realm included. If the ORIGINfield was present in the client request, it may affect the realm valuethat the server chooses for the client..IP \(bu 3the client sees the 401 error and it extracts two values fromthe error response: the nonce and the realm..IP \(bu 3the client uses username, realm and password to produce a key:.PP.nf.fam C         key = MD5(username ":" realm ":" SASLprep(password)).fam T.fi(SASLprep is described here: http://tools.ietf.org/html/rfc4013).IP \(bu 3the client forms a new request, adds username, realm and nonce to therequest. Then, the client calculates and adds the integrity field tothe request. This is the trickiest part of the process, and it isdescribed in the end of section 15.4:http://tools.ietf.org/html/rfc5389#section\-15.4.IP \(bu 3the client, optionally, adds the fingerprint field. This may be alsoa tricky procedure, described in section 15.5 of the same document.WebRTC usually uses fingerprinted TURN messages..IP \(bu 3the TURN server receives the request, reads the username..IP \(bu 3then the TURN server checks that the nonce and the realm in the requestare the valid ones..IP \(bu 3then the TURN server calculates the key..IP \(bu 3then the TURN server calculates the integrity field..IP \(bu 3then the TURN server compares the calculated integrity field with thereceived one \- they must be the same. If the integrity fields differ,then the request is rejected..RE.PPIn subsequent communications, the client may go with exactly the samesequence, but for optimization usually the client, having alreadyinformation about realm and nonce, pre\-calculates the integrity stringfor each request, so that the 401 error response becomes unnecessary.The TURN server may use "\fB\-\-stale\-nonce\fP" option for extra security: insome time, the nonce expires and the client will obtain 438 error responsewith the new nonce, and the client will have to start using the new nonce..PPIn subsequent communications, the server and the client will always assumethe same password \- the original password becomes the session parameter andis never expiring. So the password is not changing while the session is validand unexpired. So, if the session is properly maintained, it may go forever,even if the user password has been already changed (in the database). Thesession simply is using the old password. Once the session got disconnected,the client will have to use the new password to re\-connect (if the passwordhas been changed)..PPAn example when a new shared secret is generated every hour by the TURN serverbox and then supplied to the web server, remotely, is provided in the scriptexamples/scripts/restapi/shared_secret_maintainer.pl ..PPA very important thing is that the nonce must be totally random and it must bedifferent for different clients and different sessions..SH ===================================.SH DATABASESFor the user database, the \fIturnserver\fP has the following \fIoptions\fP:.IP 1) 4Users can be set in the command line, with multiple \fB\-u\fP or \fB\-\-user\fP \fIoptions\fP.Obviously, only a few users can be set that way, and their credentials are fixedfor the \fIturnserver\fP process lifetime..IP 2) 4Users can be stored in SQLite DB. The default SQLite database file is /var/db/turndbor /usr/local/var/db/turndb or /var/lib/turn/turndb..IP 3) 4Users can be stored in PostgreSQL database, if the \fIturnserver\fP was compiled with PostgreSQLsupport. Each time \fIturnserver\fP checks user credentials, it reads the database (asynchronously,of course, so that the current flow of packets is not delayed in any way), so any change in thedatabase content is immediately visible by the \fIturnserver\fP. This is the way if you need thebest scalability. The schema for the database can be found in schema.sql file.For long\-term credentials, you have to set the "keys" for the users; the "keys" are generatedby the \fIturnadmin\fP utility. For the key generation, you need username, password and the realm.All users in the database must use the same realm value; if down the road you will decideto change the realm name, then you will have to re\-generate all user keys (that can be donein a batch script). See the file turndb/testsqldbsetup.sql as an example..IP 4) 4The same is true for MySQL database. The same schema file is applicable.The same considerations are applicable..IP 5) 4The same is true for the Redis database, but the Redis database has a different schema \-it can be found (in the form of explanation) in schema.userdb.redis.Also, in Redis you can store both "keys" and open passwords (for long term credentials) \-the "open password" option is less secure but more convenient for low\-security environments.See the file turndb/testredisdbsetup.sh as an example..IP 6) 4If a database is used, then users can be divided into multiple independent realms. Each realmcan be administered separately, and each realm can have its own set of users and its ownperformance \fIoptions\fP (max\-bps, user\-quota, total\-quota)..IP 7) 4If you use MongoDB, the database will be setup for you automatically..IP 8) 4Of course, the \fIturnserver\fP can be used in non\-secure mode, when users are allowed to establishsessions anonymously. But in most cases (like WebRTC) that will not work..PPFor the status and statistics database, there are two choices:.IP 1) 4The simplest choice is not to use it. Do not set \fB\-\-redis\-statsdb\fP option, and this functionalitywill be simply ignored..IP 2) 4If you choose to use it, then set the \fB\-\-redis\-statsdb\fP option. This may be the same databaseas in \fB\-\-redis\-userdb\fP option, or it may be a different database. You may want to use differentdatabase for security or convenience reasons. Also, you can use different database managementsystems for the user database and for the ststus and statistics database. For example, you can useMySQL as the user database, and you can use redis for the statistics. Or you can use Redis for both..PPSo, we have 6 choices for the user management, and 2 choices for the statistics management. Thesetwo are totally independent. So, you have overall 6*2=12 ways to handle persistent information,choose any for your convenience..PPYou do not have to handle the database information "manually" \- the \fIturnadmin\fP program can handleeverything for you. For PostgreSQL and MySQL you will just have to create an empty databasewith schema.sql SQL script. With Redis, you do not have to do even that \- just run \fIturnadmin\fP andit will set the users for you (see the \fIturnadmin\fP manuals). If you are using SQLite, then the\fIturnserver\fP or \fIturnadmin\fP will initialize the empty database, for you, when started. TheTURN server installation process creates an empty initialized SQLite database in the defaultlocation (/var/db/turndb or /usr/local/var/db/turndb or /var/lib/turn/turndb, depending on the system)..SH =================================.SH ALPNThe server supports ALPNs "stun.turn" and "stun.nat\-discovery", whencompiled with OpenSSL 1.0.2 or newer. If the server receives a TLS/DTLSClientHello message that contains one or both of those ALPNs, then theserver chooses the first stun.* label and sends it back (in the ServerHello)in the ALPN extension field. If no stun.* label is found, then the serverdoes not include the ALPN information into the ServerHello..SH =================================.SH LIBRARIESIn the lib/ sub\-directory the build process will create TURN client messaging library.In the include/ sub\-directory, the necessary include files will be placed.The C++ wrapper for the messaging functionality is located in TurnMsgLib.h header.An example of C++ code can be found in stunclient.c file..SH =================================.SH DOCSAfter installation, run the command:.PP$ man \fIturnserver\fP.PPor in the project root directory:.PP$ man \fB\-M\fP man \fIturnserver\fP.PPto see the man page..PPIn the docs/html subdirectory of the original archive tree, you will find the client libraryreference. After the installation, it will be placed in PREFIX/share/doc/\fIturnserver\fP/html..SH =================================.SH LOGSWhen the \fBTURN Server\fP starts, it makes efforts to create a log file turn_<pid>.login the following directories:.RS.IP \(bu 3/var/log.IP \(bu 3/log/.IP \(bu 3/var/tmp.IP \(bu 3/tmp.IP \(bu 3current directory.RE.PPIf all efforts failed (due to the system permission settings) then alllog messages are sent only to the standard output of the process..PPThis behavior can be controlled by \fB\-\-log\-file\fP, \fB\-\-syslog\fP and \fB\-\-no\-stdout\-log\fP\fIoptions\fP..SH =================================.SH HTTPS MANAGEMENT INTERFACEThe \fIturnserver\fP process provides an HTTPS Web access as statistics and basicmanagement interface. The \fIturnserver\fP listens to incoming HTTPS adminconnections on the same ports as the main TURN/STUN listener. The Web adminpages are basic and self\-explanatory..PPTo make the HTTPS interface active, the database table admin_user must bepopulated with the admin user \fBaccount\fP(s). An admin user can be a superuser(if not assigned to a particular realm) or a restricted user (if assigned toa realm). The restricted admin users can perform only limited actions, withintheir corresponding realms..SH =================================.SH TELNET CLIThe \fIturnserver\fP process provides a telnet CLI access as statistics and basic managementinterface. By default, the \fIturnserver\fP starts a telnet CLI listener on IP 127.0.0.1 andport 5766. That can be changed by the command\-cline \fIoptions\fP of the \fIturnserver\fP process(see \fB\-\-cli\-ip\fP and \fB\-\-cli\-port\fP \fIoptions\fP). The full list of telnet CLI commands is providedin "help" command output in the telnet CLI..SH =================================.SH CLUSTERS\fBTURN Server\fP can be a part of the cluster installation. But, to support the "even port" functionality(RTP/RTCP streams pairs) the client requests from a particular IP must be delivered to the same\fBTURN Server\fP instance, so it requires some networking setup massaging for the cluster. The reason is thatthe RTP and RTCP relaying endpoints must be allocated on the same relay IP. It would be possibleto design a scheme with the application\-level requests forwarding (and we may do that later) butit would affect the performance..SH =================================.SH FILES/etc/turnserver.conf.PP/var/db/turndb.PP/usr/local/var/db/turndb.PP/var/lib/turn/turndb.PP/usr/local/etc/turnserver.conf.SH =================================.SH DIRECTORIES/usr/local/share/\fIturnserver\fP.PP/usr/local/share/doc/\fIturnserver\fP.PP/usr/local/share/examples/\fIturnserver\fP.SH =================================.SH STANDARDSobsolete STUN RFC 3489.PPnew STUN RFC 5389.SH TURN RFC 5766TURN\-TCP extension RFC 6062.PPTURN IPv6 extension RFC 6156.PPSTUN/TURN test vectors RFC 5769.PPSTUN NAT behavior discovery RFC 5780.SH =================================.SH SEE ALSO\fIturnadmin\fP, \fIturnutils\fP.SH ======================================.SS  WEB RESOURCESproject page:.PPhttps://github.com/coturn/coturn/.PPWiki page:.PPhttps://github.com/coturn/coturn/wiki.PPforum:.PPhttps://groups.google.com/forum/?fromgroups=#!forum/turn\-server\-project\-rfc5766\-turn\-server.SH ======================================.SS  AUTHORSSee the AUTHORS.md file in the coturn source distribution.
 |