mirror of
https://github.com/freedombox/FreedomBox.git
synced 2026-01-28 08:03:36 +00:00
2 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
78d78d84a7
|
coturn: Use wildcard listening address to fix startup issues
Fixes: #2069.

Without a listening port, coturn will try to enumerate the non-local IP addresses and try to listen on them. If coturn is started before network is fully set up, it finds no usable IP addresses and fails. Furthermore, if IPs are added to the system, it does not automatically listen on them.

A better approach as advised by systemd NetworkTarget documentation is to listen on a wildcard address. This does not require network to be online and works well for IP addresses being added/removed from the system.

coturn is itself unable to make changes to its default listening behavior for backward compatibility.

Tests:

- Freshly install coturn. Observe that listening-ip is properly set in the configuration file. coturn is listening on 3478, 3479, 5349, 5350. coturn is listening on ::1 and * addresses instead of individual IP addresses.
- Install coturn without the patch. Apply the patch and restart FreedomBox. coturn setup will run. listening-ips get added to the configuration file. The static-auth-secret is not changed from earlier. coturn will be restarted. coturn is listening on 3478, 3479, 5349, 5350. coturn is listening on ::1 and * addresses instead of individual IP addresses.
- Install coturn without the patch. Disable coturn. Apply the patch and restart FreedomBox. coturn setup will run. coturn will not be enabled. coturn will be running after setup.
- Functional tests pass.
- All ports able to connect using netcat (nc command) with IPv4 (-4 option) and IPv6 (-6 option).

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
|
||
|
|
b4e6c03bd7
|
coturn: New app to manage Coturn TURN/STUN server
- Shows URLs and shared secret that communication servers like matrix-synapse should be configured to. Later we will implement auto-configuring those servers.
- Allow selecting domain for the sake of TLS/DTLS certificate installation.
- Simplify systemd service file options. Drop log file and pid file support as they are not needed with systemd. Add security options.
- Set custom configuration file by overriding systemd service file options so that we don't have a problem with conffile prompts.
- Implement functional tests (and automatic diagnostics).
- Custom icon selected from the Noun project as Coturn project does not have one.
- Backup/restore configuration file and certificates.
- Document some questions regarding configuration options.

Tests performed:

- App is not listed in the app page if 'advanced' flag is disabled.
- App name, icon and short description shows up correctly in apps page.
- App name, icon, short description, description, manual link, enable/disable button and diagnostics link show up currently in app page.
- Verify that configuration used by coturn server is the FreedomBox configuration by checking the cert path in the log output.
- PID file is not created in /var/run/turnserver/. It goes into /dev/null according to the log output.
- No log file is created other than what is collected by systemd from command line.
- systemctl show coturn.service shows all the intended restrictions such as NoNewPrivileges, Protect* options.
- Run functional tests.
- Ensure that backup of configuration file works by taking backup, changing the secret and restoring. During backup and restore coturn should be stopped and started as per logs.
- Build Debian package. No warnings about the copyright file.
- Enabling the app enables the service and runs it.
- Disabling the app disables the service and stops it.
- All diagnostics tests pass.
- Diagnostic tests show firewall port coturn-freedombox for internal and external networks, service coturn, and each listening port for udp4, udp6, tcp4 and tcp6.
- Information in the firewall page shows up properly. Enabling the app opens firewall ports, and disabling it closes them.
- When the app is installed, if a cert domain is available, it will be used. When multiple domains are available, one of them is picked.
- Status shows 4 URLs with the currently selected domain and secret key.
- Changing domain to another domain succeeds and reflects in the status information.
- When no domain is configured. Installing the app succeeds. No domain is shown in the list of domains.
- When domain is changed, the certificates files in /etc/coturn/certs are overwritten.
- Certificates have the ownership turnserver:turnserver. Public key is cert.pem has 644 permissions. Private is pkey.pem has 600 permissions. /etc/coturn/certs is owned by root:root.
- Let's Encrypt certificates are set up immediately after install.
- Port forwarding information shows all ports except for relay ports.
- Trying to create a user with username 'turnserver' throws an error. This happens even when coturn is not installed yet.
- After installing coturn, the configuration file /etc/coturn/freedombox.conf is created with ownership root:turnserver and permissions 640. The directory /etc/coturn is created with ownership root:root and permissions 755.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
[jvalleroy: Fix copied form_valid comment]
Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
|