HowTo: Setup Nextcloud Talk with TURN server


#41

@MichaIng: ty! :smiley:

OK, I resolved it by creating another directory, copying the private key, and chowning it only for the _turnserver user…
With another group such as “ssl” and chmod 0440, that doesn’t run. :wink:

It’s weird because there is no need to change the server certificate!


Another question: how can I block SSL23 usage… I want only TLS1.2!
I uncommented:

no-tlsv1
no-tlsv1_1

But I have this message on start:

Dec 19 17:30:21 srvr turnserver: 0: SSL23: Certificate file found: /etc/ssl/acme/mydomain.net.cert.pem
Dec 19 17:30:21 srvr turnserver: 0: SSL23: Private key file found: /etc/ssl/acme/turnserver/mydomain.net.privkey.pem
Dec 19 17:30:21 srvr turnserver: 0: TLS1.2: Certificate file found: /etc/ssl/acme/mydomain.net.cert.pem
Dec 19 17:30:21 srvr turnserver: 0: TLS1.2: Private key file found: /etc/ssl/acme/turnserver/mydomain.net.privkey.pem
Dec 19 17:30:21 srvr turnserver: 0: TLS cipher suite: ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5
Dec 19 17:30:21 srvr turnserver: 0: DTLS: Certificate file found: /etc/ssl/acme/mydomain.net.cert.pem
Dec 19 17:30:21 srvr turnserver: 0: DTLS: Private key file found: /etc/ssl/acme/turnserver/mydomain.net.privkey.pem
Dec 19 17:30:21 srvr turnserver: 0: DTLS cipher suite: ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5


#42

:+1: Actually the way to copy cert+key and chown for only the particular user is the most recommended way for security reasons. Only if you have several different services that require access, the shared group solution is handier.

Indeed, down to SSLv3 everything is supported according to the comments in turnserver.conf: https://github.com/coturn/coturn/blob/master/examples/etc/turnserver.conf#L26
But no option to disable SSLv3.

Reading: https://github.com/coturn/coturn/issues/220

  • So it seems that SSLv3 is disabled by default on the current version, but somehow it still shows up in the log.
  • Perhaps you can look further into the logs to verify that only TLSv1.2 is used?
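As an added example (not code from the thread or from coturn), a small audit over coturn start-up log lines like the ones quoted in #41: it lists which TLS/DTLS contexts were initialised and whether the cipher string still offers legacy ciphers. The log text is constructed from those lines with placeholder host and paths, and the regexes assume that log layout.

```python
import re

# Constructed sample of coturn start-up log lines, modelled on the ones quoted
# in the thread (host, paths and timestamps are placeholders).
SAMPLE_LOG = """\
Dec 19 17:30:21 srvr turnserver: 0: SSL23: Certificate file found: /etc/ssl/acme/mydomain.net.cert.pem
Dec 19 17:30:21 srvr turnserver: 0: SSL23: Private key file found: /etc/ssl/acme/turnserver/mydomain.net.privkey.pem
Dec 19 17:30:21 srvr turnserver: 0: TLS1.2: Certificate file found: /etc/ssl/acme/mydomain.net.cert.pem
Dec 19 17:30:21 srvr turnserver: 0: TLS1.2: Private key file found: /etc/ssl/acme/turnserver/mydomain.net.privkey.pem
Dec 19 17:30:21 srvr turnserver: 0: TLS cipher suite: ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5
Dec 19 17:30:21 srvr turnserver: 0: DTLS: Certificate file found: /etc/ssl/acme/mydomain.net.cert.pem
Dec 19 17:30:21 srvr turnserver: 0: DTLS: Private key file found: /etc/ssl/acme/turnserver/mydomain.net.privkey.pem
Dec 19 17:30:21 srvr turnserver: 0: DTLS cipher suite: ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5
"""

# "<label>: Certificate file found" marks one TLS/DTLS context coturn brought up.
CONTEXT_RE = re.compile(r"turnserver: \d+: ([A-Z0-9.]+): Certificate file found")
CIPHER_RE = re.compile(r"turnserver: \d+: (TLS|DTLS) cipher suite: (\S+)")
# OpenSSL cipher-string tokens that should not be offered any more.
LEGACY_TOKENS = ("3DES", "RC4", "MD5")

def parse_startup(log_text):
    """Return (contexts, suites): protocol labels initialised, and per-transport
    cipher tokens offered (tokens negated with '!' are dropped)."""
    contexts, suites = set(), {}
    for line in log_text.splitlines():
        m = CONTEXT_RE.search(line)
        if m:
            contexts.add(m.group(1))
        m = CIPHER_RE.search(line)
        if m:
            suites[m.group(1)] = [t for t in m.group(2).split(":") if not t.startswith("!")]
    return contexts, suites

def audit(contexts, suites):
    """Return findings an operator should follow up on; empty list means clean."""
    findings = []
    # SSL23 is OpenSSL's version-flexible context: older TLS versions may still negotiate there unless no-tlsv1/no-tlsv1_1 took effect.
    if "SSL23" in contexts:
        findings.append("SSL23 context initialised; confirm TLS1.0/1.1 are refused")
    for transport, tokens in sorted(suites.items()):
        weak = [t for t in tokens if any(w in t for w in LEGACY_TOKENS)]
        if weak:
            findings.append(f"{transport} offers legacy ciphers: {','.join(weak)}")
    return findings

if __name__ == "__main__":
    for f in audit(*parse_startup(SAMPLE_LOG)):
        print(f)
```

Feed it the real journal output (`journalctl -u coturn`) to get the same findings for your own instance; an empty list means no SSL23 context and no 3DES/RC4/MD5 tokens were offered.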

#43

I understand…
But as I wrote in the previous message, I only had to deal with the private key file, without any changes to the other.

Thanks for all! :stuck_out_tongue:


#44

Ah jep, strict permissions are most important for your private key of course, while the certificates are public anyway and by default have weaker permissions :wink:.


#45

Can I generate a new certificate for my turnserver, or do I need to use the certificate for my nextcloud’s apache config?


#46

Of course you can use a different one.


#47

:~# sudo systemctl enable --now turnserver
Failed to enable unit: File turnserver.service: No such file or directory

:disappointed_relieved:


#48

The service name is coturn, at least on Debian/Raspbian, if you installed via APT, so: systemctl enable coturn
And don’t forget: sed -i '/TURNSERVER_ENABLED/c\TURNSERVER_ENABLED=1' /etc/default/coturn
Otherwise the service will immediately stop.


#49

An even easier approach is to run the script from the Nextcloud VM.

Two steps:

  1. Open port 5349 (or whichever you want)
  2. wget the RAW script and run it.

#50

IF you run the Nextcloud VM :wink:!

Otherwise it might partly work on other Debian-based distros/systems, but leaves the config with some wrongly estimated variables => coturn settings, based on environment expectations, SSL via LetsEncrypt and others.


#51

Can the TURN server be on the same server as Nextcloud itself? If so, I imagine we cannot refer to the TURN server by the IP address (within Nextcloud configs) as 127.0.0.1.


#52

Both can be on the same machine, but within Nextcloud settings, you still need to set the public/external IP. This is used by the end user WebRTC clients (browser, Android app), not by Nextcloud.


#53

What if we installed our Nextcloud from a snap? That would introduce some complications, I think, to get coturn working on the same server as the snap. I made a post asking deeper questions about this here.