Add allowed and denied peer to turnserver.conf

symptog · web-flow · commit 49cef3ecc584 · 2021-02-10T18:10:42.000+01:00
Following [1] and [2] the TURN-Server can be used to access the network behind the TURN-Server or the server can be abused to relay attacks in the internet. To workaround those problems `denied-peer-ip` and `allowed-peer-ip` setting should be used. [1] https://www.rtcsec.com/post/2020/04/how-we-abused-slacks-turn-servers-to-gain-access-to-internal-services/ [2] https://www.rtcsec.com/post/2021/01/details-about-cve-2020-26262-bypass-of-coturns-default-access-control-protection/
diff --git a/_posts/2019-02-14-setup-turn-server.md b/_posts/2019-02-14-setup-turn-server.md
@@ -80,10 +80,12 @@ Current versions of the certbot command set up automatic renewal by default.  No
 
 `coturn` configuration is stored in the file `/etc/turnserver.conf`. There are a lot of options available, all documented in comments in that file.  We include a sample configuration below with comments indicating the recommended settings, with some notes in locations where customization is required.
 
-You can repace the contents `/etc/turnserver.conf` with this file and make two changes:
+You can repace the contents `/etc/turnserver.conf` with this file and make three changes:
 
 * Replace `turn.example.com` with the hostname of your TURN server, and  
 * Replace `<random value>` to a random value for a shared secret (instructions for generating a new secret are in a comment in the file).
+* Replace `<bbb server ip>` with the IP Address of your BigBlueButton-Server
+  * Repeat `allowed-peer-ip=<bbb server ip>` for each IPv4 and IPv6 for every BigBlueButton-Server
 
 Attention: The `turnserver` process will run as the `turnserver` user, which usually doesn't have access to the certificates/keys in `/etc/letsencrypt/live`. It is recommended that you either create a `ssl-cert` user group, add the `turnserver` user to it and adjust the permissions for `/etc/letsencrypt/live` such that the group can read it or, alternatively, copy the certificates/keys to a safe location (that `turnserver` has access to) after each certificate renewal.
 
@@ -111,6 +113,23 @@ tls-listening-port=443
 #external-ip=172.17.19.131/10.0.0.11
 #external-ip=172.17.18.132/10.0.0.12
 
+# Flag that can be used to disallow peers on well-known broadcast addresses
+# (224.0.0.0 and above, and FFXX:*). This is an extra security measure.
+#
+no-multicast-peers
+
+# Option to allow or ban specific ip addresses or ranges of ip addresses. 
+# If an ip address is specified as both allowed and denied, then the ip address is 
+# considered to be allowed. This is useful when you wish to ban a range of ip 
+# addresses, except for a few specific ips within that range.
+#
+# This can be used when you do not want users of the turn server to be able to access
+# machines reachable by the turn server, but would otherwise be unreachable from the 
+# internet (e.g. when the turn server is sitting behind a NAT)
+denied-peer-ip=0.0.0.0-255.255.255.255
+denied-peer-ip=::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+allowed-peer-ip=<bbb server ip>
+
 # Fingerprints in TURN messages are required for WebRTC
 fingerprint
 
