Add allowed and denied peer to turnserver.conf

symptog · symptog · commit 2a95fde1707f · 2021-02-11T11:04:00.000+01:00
Following [1] and [2] the TURN-Server can be used to access the network behind the TURN-Server or the server can be abused to relay attacks in the internet. To workaround those problems `denied-peer-ip` and `allowed-peer-ip` setting should be used. [1] https://www.rtcsec.com/post/2020/04/how-we-abused-slacks-turn-servers-to-gain-access-to-internal-services/ [2] https://www.rtcsec.com/post/2021/01/details-about-cve-2020-26262-bypass-of-coturns-default-access-control-protection/
diff --git a/_posts/2019-02-14-setup-turn-server.md b/_posts/2019-02-14-setup-turn-server.md
@@ -104,19 +104,21 @@ $ sudo chmod 0755 /etc/letsencrypt/renewal-hooks/deploy/coturn
 
 Use the file below for `/etc/turnserver.conf` and make the following changes:
 
-* Replace `<turn.example.com>` with the hostname of your TURN server, and  
-* Replace `<example.com>` with the realm of your TURN server, and  
-* Replace `<secret_value>` to a random value for a shared secret (you can generate one by running `openssl rand -hex 16`)
-* Replace `<IP>` with the external IP of your TURN server
+* Replace `<turn.example.com>` with the hostname of your TURN server.  
+* Replace `<example.com>` with the realm of your TURN server.  
+* Replace `<secret_value>` to a random value for a shared secret (you can generate one by running `openssl rand -hex 16`).
+* Replace `<IP>` with the external IP of your TURN server.
+* Replace `<bbb_server_ip>` with the IP Address of your BigBlueButton-Server.
+  * Repeat `allowed-peer-ip=<ip_address>` for each IPv4 and IPv6 for every BigBlueButton-Server and any other TURN-Server.
 
 This configuration file assumes your TURN server is not behind NAT and has a public IP address.
 
 ```ini
 listening-port=3478
 tls-listening-port=443
 
-listening-ip=$IP
-relay-ip=$IP
+listening-ip=<IP>
+relay-ip=<IP>
 
 # If the server is behind NAT, you need to specify the external IP address.
 # If there is only one external address, specify it like this:
@@ -127,6 +129,24 @@ relay-ip=$IP
 #external-ip=172.17.19.131/10.0.0.11
 #external-ip=172.17.18.132/10.0.0.12
 
+# Flag that can be used to disallow peers on well-known broadcast addresses
+# (224.0.0.0 and above, and FFXX:*). This is an extra security measure.
+#
+no-multicast-peers
+
+# Option to allow or ban specific ip addresses or ranges of ip addresses. 
+# If an ip address is specified as both allowed and denied, then the ip address is 
+# considered to be allowed. This is useful when you wish to ban a range of ip 
+# addresses, except for a few specific ips within that range.
+#
+# This can be used when you do not want users of the turn server to be able to access
+# machines reachable by the turn server, but would otherwise be unreachable from the 
+# internet (e.g. when the turn server is sitting behind a NAT)
+denied-peer-ip=0.0.0.0-255.255.255.255
+denied-peer-ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+allowed-peer-ip=<IP>
+allowed-peer-ip=<bbb_server_ip>
+
 min-port=32769
 max-port=65535
 verbose
