Package: coturn
Version: 4.5.2-3
Severity: important

hi there -

i am using coturn to allow nat traversal for matrix users. the configuration follows the recommendations given here:

https://github.com/matrix-org/synapse/blob/develop/docs/turn-howto.md

and boils down to:

listening-ip=<server-ip>
use-auth-secret
static-auth-secret=<some-secret>
realm=<some-realm>
syslog
verbose
no-tcp-relay
# don't let the relay ever try to connect to private IP address ranges within your network (if any)
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
# recommended additional local peers to block, to mitigate external access to internal services.
no-multicast-peers
denied-peer-ip=0.0.0.0-0.255.255.255
[…]
denied-peer-ip=240.0.0.0-255.255.255.255
# special case the turn server itself so that client->TURN->TURN->client flows work
# this should be one of the turn server's listening IPs
allowed-peer-ip=<server-ip>
# consider whether you want to limit the quota of relayed streams per user (or total) to avoid risk of DoS.
user-quota=12 # 4 streams per video call, so 12 streams = 3 simultaneous relayed calls per user.
total-quota=1200
…

so nothing fancy, and none of these options should require root permissions. However, with this config coturn only does its thing if it runs as root - either by starting it explicitly as "/usr/bin/turnserver -c /etc/turnserver.conf" or by creating a systemd override:

[Service]
User=
User=root
Group=
Group=root

As an added benefit, logging actually starts to work :)

thank you very much for your work & with kind regards,
thoralf.

-- System Information:
Debian Release: 11.4
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-17-amd64 (SMP w/8 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages coturn depends on:
ii  adduser                  3.118
ii  init-system-helpers      1.60
ii  libc6                    2.31-13+deb11u3
ii  libevent-core-2.1-7      2.1.12-stable-1
ii  libevent-extra-2.1-7     2.1.12-stable-1
ii  libevent-openssl-2.1-7   2.1.12-stable-1
ii  libevent-pthreads-2.1-7  2.1.12-stable-1
ii  libhiredis0.14           0.14.1-1
ii  libmariadb3              1:10.5.15-0+deb11u1
ii  libpq5                   13.7-0+deb11u1
ii  libsqlite3-0             3.34.1-3
ii  libssl1.1                1.1.1n-0+deb11u3
ii  libsystemd0              247.3-7
ii  lsb-base                 11.1.0
ii  sqlite3                  3.34.1-3
ii  telnet [telnet-client]   0.17-42

coturn recommends no packages.

Versions of packages coturn suggests:
pn  sip-router   <none>
pn  xmpp-server  <none>

-- Configuration Files:
/etc/turnserver.conf [Errno 13] Permission denied: '/etc/turnserver.conf'

-- no debconf information

