eturnal's Introduction

eturnal TURN Server

eturnal is a modern, straightforward STUN and TURN server. For authentication, the mechanism described in the REST API for Access to TURN Services specification is implemented. The server can easily be tested in a Linux shell or using Docker. For a persistent installation, see the following section.

Installation

Note: Running eturnal in container environments such as Docker or Kubernetes is described on a separate documentation page.

On APT-based Linux distributions, run:

sudo apt install extrepo
sudo extrepo enable eturnal
sudo apt update
sudo apt install eturnal

On DNF-based Linux distributions, run:

sudo dnf config-manager --add-repo https://eturnal.net/eturnal.repo
sudo dnf install eturnal
sudo systemctl --now enable eturnal

On YUM-based Linux distributions, run:

sudo yum-config-manager --add-repo https://eturnal.net/eturnal.repo
sudo yum install eturnal
sudo systemctl --now enable eturnal

On SUSE Linux Enterprise and openSUSE systems, distribution repositories can be used instead. There's also an official Alpine package. On other Linux systems, the binary release can be installed as described in the reference documentation. For Windows, an installer is available.

On macOS, Homebrew can be used like this:

brew tap processone/eturnal https://github.com/processone/eturnal
brew install processone/eturnal/eturnal

On other platforms, eturnal is built from source.

Configuration

The eturnal server is configured by editing the /etc/eturnal.yml file. This file uses the (indentation-sensitive!) YAML format. For TURN relaying to work, you'll have to specify the shared authentication secret and (if autodetection fails) also the relay_ipv4_addr option, which should be set to the server's external IPv4 address. As an example, a configuration for offering STUN and TURN services on port 3478 (UDP and TCP) might look like this:

eturnal:
  secret: "long-and-cryptic"     # Shared secret, CHANGE THIS.
  relay_ipv4_addr: "203.0.113.4" # The server's public IPv4 address.
  relay_ipv6_addr: "2001:db8::4" # The server's public IPv6 address (optional).

A more detailed, commented example configuration is shipped with the eturnal server.
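
How the shared `secret` turns into the temporary username/password a TURN client presents, following the REST API for Access to TURN Services scheme named above. This is an added example, not eturnal's own code: the function names are hypothetical, the secret is the placeholder from the sample configuration, and the timestamps and user ID are constructed.

```python
import base64
import hashlib
import hmac
import time


def make_turn_credentials(secret, ttl=3600, user_id=None, now=None):
    """Derive ephemeral TURN credentials from the shared secret.

    username = "<expiry-unix-time>" or "<expiry-unix-time>:<user_id>"
    password = base64(HMAC-SHA1(secret, username))
    """
    now = int(time.time()) if now is None else int(now)
    username = str(now + ttl)
    if user_id:
        username = f"{username}:{user_id}"
    digest = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return username, base64.b64encode(digest).decode()


def check_turn_credentials(secret, username, password, now=None):
    """Recompute the password as a verifier holding the same secret would.

    Returns "ok", "malformed", "bad-password" or "expired".
    """
    now = int(time.time()) if now is None else int(now)
    # Only the first colon separates the expiry from the optional user ID;
    # the user ID itself may contain colons (e.g. a Matrix ID).
    expiry = username.split(":", 1)[0]
    if not (expiry.isascii() and expiry.isdigit()):
        return "malformed"
    digest = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    expected = base64.b64encode(digest).decode()
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), password.encode()):
        return "bad-password"
    if int(expiry) <= now:
        return "expired"
    return "ok"


if __name__ == "__main__":
    SECRET = "long-and-cryptic"  # placeholder from the sample config, CHANGE THIS
    T0 = 1_700_000_000           # constructed "current time" for a repeatable run

    user, pw = make_turn_credentials(SECRET, ttl=3600,
                                     user_id="@user:mydomain.com", now=T0)
    print("username:", user)
    print("password:", pw)
    print("at issue time:  ", check_turn_credentials(SECRET, user, pw, now=T0))
    print("after expiry:   ", check_turn_credentials(SECRET, user, pw, now=T0 + 3600))
    print("wrong secret:   ", check_turn_credentials("other", user, pw, now=T0))
```

Because anyone holding the secret can mint valid credentials for any user and lifetime, the configuration file that stores it needs the same protection as a private key.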

Running eturnal

On Linux systems, the eturnal server is usually invoked by systemd. For non-systemd platforms, example init and OpenRC scripts are shipped below the etc directory.

For controlling eturnal, the eturnalctl command can be used; see:

eturnalctl help

Logging

If eturnal was started by systemd, log files are written into the /var/log/eturnal directory by default. In order to log to the journal instead, the log_dir option can be set to stdout in the configuration file.

Documentation

For a detailed description of eturnal's configuration options and the eturnalctl tool, see the reference documentation. For notable changes between eturnal releases, see the change log.

Feedback/Support

Please use our issue tracker for bug reports and feature requests. Feel free to (ab)use it for usage questions as well. If you happen to be using XMPP, you could also join our public room [email protected]. Otherwise, just use the web client. As an alternative, there's an #eturnal channel on Slack.

eturnal's Issues

Prometheus exporter: provide metrics for live I/O data

Currently the I/O data is updated by the end of TURN session. This works generally well.
However, a live view would improve for example views on peaks in I/O, whereas the current data can at best provide an average based upon the current active sessions.

This issue is linked to the grafana dashboard PR (#41).

Erlang port mapper daemon (epmd) port is open by default

When using the .deb package on Debian, the epmd port is open to the public.

    0.0.0.0:4369    0.0.0.0:*    users:(("epmd",pid=13803,fd=3))

If the Erlang port mapper daemon (epmd) is needed, it should listen on localhost by default to prevent public access to this service.

If it's not possible to limit access to this port, I strongly recommend adding advice to the documentation to block this port in the server's local firewall.

`etc/eturnal.yml` installed world readable

I believe eturnal's configuration file etc/eturnal.yml is installed world-readable.

$ ls -l eturnal-20201030/etc/eturnal.yml
-rw-r--r-- 1 eturnprj eturngrp 2102 Sep  9 16:34 eturnal-20201030/etc/eturnal.yml

As it might contain the secret, should it be installed with the mode 640?

Cannot start eturnal service

Hi,
I am trying to start the eturnal service on a Linux CentOS 7 (x86_64, AMD EPYC processor), but not succeeding ...
Seems the error is related to permissions on /dev/log (see attached screenshot).
Any idea how to solve this?
BTW:

ls -l /dev/log

lrwxrwxrwx 1 root root 28 Sep 6 17:23 /dev/log -> /run/systemd/journal/dev-log

I hope you can help.
Thanks.
Rui Rosado

Fails to start with `ERL_EPMD_ADDRESS=127.0.0.1`

Setting the environment variable for the epmd address to localhost ERL_EPMD_ADDRESS=127.0.0.1 in the systemd service unit

Environment=ETURNAL_ETC_PREFIX=/project/eturnal ERL_EPMD_ADDRESS=127.0.0.1

eturnal fails to start with the error below.

eturnalctl[91982]: Protocol 'inet_tcp': register/listen error: econnrefused

update docker image to alpine 3.18

Hi,

I just discovered your project today and it looks great!

However for security reasons I need an eturnal image based on alpine 3.18. Would you mind updating that?

Thanks a lot! :)

eturnal helm chart

Provide a helm chart with respective dependencies to provide functional, scalable TURN services in kubernetes clusters.

TLS example

Hi @weiss! Thanks for this awesome TURN server with a wonderful YAML setup file. 🤗

I've some doubts about how to set up TLS correctly. I'm using certbot to generate certificates and expose ports 80 and 443 (TLS), both UDP/TCP.

To avoid the read permission I used a script that copies the .pem files and changes the ownership to the eturnal user, using the --deploy-hook (certbot). This script (after copying and changing the ownership) reloads the configuration with eturnalctl reload.

Also, I ensure to open ports 80 and 443.

Considering the above scenario, do you know why I can't get rflx ICE candidates (tested on the trickle ICE test page)?

This only happens when I set it up to work over TLS.

I'm very happy to share an example config with TLS once I discover why I can't get rflx candidates 😩

Crash on armv6

Debian Buster, armv6, HEAD, Erlang 21.2.6

$sudo -u eturnal ./eturnalctl foreground or via systemd...

Exec: /opt/eturnal/erts-10.2.4/bin/erlexec -noshell -noinput +Bd -boot /opt/eturnal/releases/0.2.0/start -mode embedded -boot_var SYSTEM_LIB_DIR /opt/eturnal/lib -config /opt/eturnal/releases/0.2.0/sys.config -args_file /opt/eturnal/releases/0.2.0/vm.args -- foreground
Root: /opt/eturnal
/opt/eturnal
[error]   crasher:
    initial call: application_master:init/4
    pid: <0.401.0>
    registered_name: []
    exception exit: {bad_return,
                     {{conf,start,[normal,[]]},
                      {'EXIT',
                       {undef,
                        [{application,set_env,
                          [[{eturnal,
                             [{listen,
                               [{{0,0,0,0,0,0,0,0},3478,udp,true},
                                {{0,0,0,0,0,0,0,0},3478,tcp,true}]},
                              {secret,
                               <<"sekret">>},
                              {relay_ipv4_addr,{XXX,XXX,XXX,XXX}},
                              {relay_min_port,60000},
                              {relay_max_port,65000},
                              {max_allocations,10},
                              {max_permissions,10},
                              {max_bps,none},
                              {blacklist,
                               [{{127,0,0,0},8},
                                {{0,0,0,0,0,0,0,1},128},
                                {{8193,0,0,0,0,0,0,0},32},
                                {{8194,0,0,0,0,0,0,0},16}]},
                              {log_level,info},
                              {log_rotate_size,10485760},
                              {log_rotate_count,10},
                              {log_dir,<<"log">>},
                              {realm,<<"eturnal.net">>},
                              {relay_ipv6_addr,{0,0,0,0,0,0,0,1}},
                              {run_dir,<<"run">>},
                              {software_name,<<"eturnal">>},
                              {tls_crt_file,none},
                              {tls_key_file,none}]}],
                           [{persistent,true}]],
                          []},
                         {conf,start,2,
                          [{file,
                            "/home/pi/eturnal/_build/default/lib/conf/src/conf.erl"},
                           {line,111}]},
                         {application_master,start_it_old,4,
                          [{file,"application_master.erl"},{line,277}]}]}}}}
      in function  application_master:init/4 (application_master.erl, line 138)
    ancestors: [<0.400.0>]
    message_queue_len: 1
    messages: [{'EXIT',<0.402.0>,normal}]
    links: [<0.400.0>,<0.341.0>]
    dictionary: []
    trap_exit: true
    status: running
    heap_size: 987
    stack_size: 27
    reductions: 253
  neighbours:

{"Kernel pid terminated",application_controller,"{application_start_failure,conf,{bad_return,{{conf,start,[normal,[]]},{'EXIT',{undef,[{application,set_env,[[{eturnal,[{listen,[{{0,0,0,0,0,0,0,0},3478,udp,true},{{0,0,0,0,0,0,0,0},3478,tcp,true}]},{secret,<<\"sekret\">>},{relay_ipv4_addr,{XXX,XXX,XXX,XXX}},{relay_min_port,60000},{relay_max_port,65000},{max_allocations,10},{max_permissions,10},{max_bps,none},{blacklist,[{{127,0,0,0},8},{{0,0,0,0,0,0,0,1},128},{{8193,0,0,0,0,0,0,0},32},{{8194,0,0,0,0,0,0,0},16}]},{log_level,info},{log_rotate_size,10485760},{log_rotate_count,10},{log_dir,<<\"log\">>},{realm,<<\"eturnal.net\">>},{relay_ipv6_addr,{0,0,0,0,0,0,0,1}},{run_dir,<<\"run\">>},{software_name,<<\"eturnal\">>},{tls_crt_file,none},{tls_key_file,none}]}],[{persistent,true}]],[]},{conf,start,2,[{file,\"/home/pi/eturnal/_build/default/lib/conf/src/conf.erl\"},{line,111}]},{application_master,start_it_old,4,[{file,\"application_master.erl\"},{line,277}]}]}}}}}"}
Kernel pid terminated (application_controller) ({application_start_failure,conf,{bad_return,{{conf,start,[normal,[]]},{'EXIT',{undef,[{application,set_env,[[{eturnal,[{listen,[{{0,0,0,0,0,0,0,0},3478,

Crash dump is being written to: erl_crash.dump...done

This config

eturnal:
  listen:
    -
      ip: "::"
      port: 3478
      transport: udp
    -
      ip: "::"
      port: 3478
      transport: tcp
  secret: "sekret"
  relay_ipv4_addr: "XXX.XXX.XXX.XXX"
  relay_min_port: 60000
  relay_max_port: 65000
  max_allocations: 10
  max_permissions: 10
  max_bps: unlimited
  blacklist:
    - "127.0.0.0/8"
    - "::1"
    - "2001::/32"
    - "2002::/16"
  log_level: info
  log_rotate_size: 10485760
  log_rotate_count: 10

please don't set bg wo fg

Only bg color is defined in stylesheet.css:

body {
    background-color: white;
}

so it looks bad on my end:

Run Eturnal as root in docker

Currently there doesn't seem to be a clear way to run eturnal as root; the Docker user directive has no effect on which user runs eturnal.

This is needed, as it isn't always possible to control who owns files needed by eturnal such as SSL certs.

There is a workaround here:
#55 (comment)

listening on 443(tcp) permission denied on AKS

Hello there,

I'm currently working with an eturnal server on AKS. However, I've encountered an error and I'm seeking assistance to figure out what might be the issue.

I've provided my deployment, configmap, and service files below.

Could you kindly help me understand what might be causing this problem?

apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ $.Values.eturnalconfig.name }}
  namespace: {{ $.Values.namespace }}
data:
  eturnal.yml: |
    eturnal:
      # Shared secret for deriving temporary TURN credentials (default: $RANDOM):
      secret: "long-and-cryptic"

      # The server's public IPv4 address (default: autodetected):
      relay_ipv4_addr: "x.x.x.x"
      # The server's public IPv6 address (optional):
      #relay_ipv6_addr: "2001:db8::4"

      listen:
        # -
        #   ip: "::"
        #   port: 443
        #   transport: udp
        -
          ip: "::"
          port: 443
          transport: tcp
        #-
        #  ip: "::"
        #  port: 5349
        #  transport: tls

      # TLS certificate/key files (must be readable by 'eturnal' user!):
      #tls_crt_file: /etc/eturnal/tls/crt.pem
      #tls_key_file: /etc/eturnal/tls/key.pem

      # UDP relay port range (usually, several ports per A/V call are required):
      relay_min_port: 36000     # This is the default.
      relay_max_port: 46000    # This is the default.

      # Reject TURN relaying from/to the following addresses/networks:
      blacklist:                # This is the default blacklist.
        - "127.0.0.0/8"         # IPv4 loopback.
        - "::1"                 # IPv6 loopback.
        #- recommended          # Expands to a number of networks recommended to be
                                # blocked, but includes private networks. Those
                                # would have to be 'whitelist'ed if eturnal serves
                                # local clients/peers within such networks.

      # If 'true', close established calls on expiry of temporary TURN credentials:
      strict_expiry: false      # This is the default.

      # Logging configuration:
      log_level: info           # critical | error | warning | notice | info | debug
      log_rotate_size: 10485760 # 10 MiB (default: unlimited, i.e., no rotation).
      log_rotate_count: 10      # Keep 10 rotated log files.
      #log_dir: stdout          # Enable for logging to the terminal/journal.

      # See: https://eturnal.net/documentation/#Module_Configuration
      modules:
        mod_log_stun: {}        # Log STUN queries (in addition to TURN sessions).
        #mod_stats_influx: {}   # Log STUN/TURN events into InfluxDB.
        #mod_stats_prometheus:  # Expose STUN/TURN and VM metrics to Prometheus.
        #  ip: any              # This is the default: Listen on all interfaces.
        #  port: 8081           # This is the default.
        #  tls: false           # This is the default.
        #  vm_metrics: true     # This is the default.
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: {{ $.Values.namespace }}
  name: {{ $.Values.eturnal.name }}
  labels:
    app: eturnal
spec:
  replicas: 1
  selector:
    matchLabels:
      app: {{ $.Values.eturnal.name }}
  template:
    metadata:
      labels:
        app: {{ $.Values.eturnal.name }}
    spec:
      nodeSelector:
        node_pool: {{ $.Values.node_pool }}
      subdomain: eturnal
      hostNetwork: true
      securityContext:
        runAsUser: 9000
        runAsGroup: 9000
        fsGroup: 9000
      containers:
        - name: {{ $.Values.eturnal.name }}
          image: {{ $.Values.eturnal.image }}
          imagePullPolicy: {{ $.Values.eturnal.imagePullPolicy }}
          securityContext:
            allowPrivilegeEscalation: true
            readOnlyRootFilesystem: true
            runAsUser: 9000
            runAsGroup: 9000
            runAsNonRoot: true
            privileged: false
            capabilities:
              add: [CAP_NET_BIND_SERVICE]
          ports:
            - name: stunturn-udp
              containerPort: 443
              hostPort: 443
              protocol: UDP
            - name: stunturn-tcp
              containerPort: 443
              hostPort: 443
              protocol: TCP
          volumeMounts:
            - name: eturnal-config
              mountPath: /etc/eturnal.yml
              subPath: eturnal.yml
              readOnly: true
      volumes:
        - name: eturnal-config
          configMap:
            name: eturnal-config
            defaultMode: 0440

I have the following error and my pod doesn't start:

$ kubectl logs pod/eturnal-56ffcc7bf-58btw -n eturnal
Cannot query stun.conversations.im:3478: network is unreachable
Exec: /opt/eturnal/erts-14.0.2/bin/erlexec -noinput +Bd -boot /opt/eturnal/releases/1.11.1/start -mode embedded -boot_var SYSTEM_LIB_DIR /opt/eturnal/lib -config /opt/eturnal/releases/1.11.1/sys.config -args_file /opt/eturnal/releases/1.11.1/vm.args -erl_epmd_port 3470 -start_epmd false -- foreground
Root: /opt/eturnal
/opt/eturnal
[error]   crasher:
    initial call: stun_acceptor:init/4
    pid: <0.601.0>
    registered_name: []
    exception exit: eacces
      in function  stun_acceptor:init/4 (stun_acceptor.erl, line 92)
    ancestors: [stun_acceptor_sup,stun_listener_sup,stun_sup,<0.580.0>]
    message_queue_len: 0
    messages: []
    links: [<0.583.0>]
    dictionary: []
    trap_exit: false
    status: running
    heap_size: 376
    stack_size: 28
    reductions: 1065
  neighbours:

[critical] Aborting: Cannot start listening on [::]:443 (tcp): permission denied

SSL key outdated?

Err:2 https://deb.eturnal.net stable Release
Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification. [IP: 194.59.205.169 443]

Minimal / recommended hosting requirements

Hey!

It would be nice to have a minimal / recommended hosting requirement, like the minimum RAM/CPU for the server to work correctly. I know it will usually vary depending on the number of connections, but at least a ballpark estimate would be helpful.

Thanks

Oracle/docker-compose

I have an Oracle Cloud instance running Ubuntu and Docker. I get the following error when I start the container. I have the correct ports open/ingress rules through Oracle. Does anyone have any ideas what might be causing this?


Proxy Protocol - eturnal behind reverse proxy

Dear Holger,

I would like to load balance eturnal(s) with an nginx load balancer for example. turn obviously needs the real IP-address of a client asking for relaying. ejabberd has implemented proxy-protocol, at least for its xmpp listeners. So I wonder if this is planned also for eturnal.
A possible nginx config could look like this:

stream {
    upstream traefik {
        server traefik-lb:443;
    }

    upstream turnserver {
        server eturnal1:5349;
        server eturnal2:5349;
        server eturnal3:5349;
    }

    map $ssl_preread_alpn_protocols $upstream {
        default traefik;
        "stun.turn" turnserver;
        "stun.nat-discovery" turnserver;
    }

    server {
        listen 443;

        ssl_preread on;
        proxy_pass $upstream;
        proxy_protocol on;
    }
}

Thanks in advance! Have a good evening,
Sando

Eturnal not starting on Rocky Linux 8.5

Dear Holger,

discovered an issue with Rocky Linux 8.5 (CentOS 8). It is basically a fresh install.

I installed eturnal both ways with dnf package manager or binary packages without any errors or unforeseeable things with the following result:

[root@eturnal-001 ~]# /opt/eturnal/bin/eturnalctl sessions
Node is not running!
[root@eturnal-001 ~]# /opt/eturnal/bin/eturnalctl version
1.7.0 (not running)
[root@eturnal-001 ~]# /opt/eturnal/bin/eturnalctl daemon
^C
Sitzung beendet, Shell wird abgewürgt … … abgewürgt.

The command above gets stuck forever, so I killed it...

I previously had CentOS 7 and it runs smoothly without any distortions (I only used binary install, however).

Here are the outputs from log-files (erlang.log.1) which shows a similar issue as if I would use "eturnalctl foreground":

=====
===== LOGGING STARTED Tue Dec 28 17:18:15 CET 2021
=====
Exec: /opt/eturnal/erts-12.2/bin/erlexec -boot /opt/eturnal/releases/1.7.0/start -mode embedded -boot_var SYSTEM_LIB_DIR /opt/eturnal/lib -config /opt/eturnal/releases/1.7.0/sys.config -args_file /opt/eturnal/releases/1.7.0/vm.args -- console  --relx-disable-hooks
Root: /opt/eturnal
/opt/eturnal
Protocol 'inet_tcp': the name [email protected] seems to be in use by another Erlang node

I am unable to investigate further at least "this year" xD ... What makes me wonder is that eturnal is being used already by another Erlang node.. I could not discover any process belonging to eturnal which could block.

Thanks and wishing a great evening!

TURN windows version login account information?

I installed eturnal on Windows.
But I don't know where to put the TURN server login account information (username, password).
Is it correct to set it in the eturnal.yml file?
The turn server does not work normally because the credential error keeps occurring.
Below is the eturnal.yml I wrote.
Please help.

# eturnal STUN/TURN server configuration file.
#
# This file is written in YAML. The YAML format is indentation-sensitive, please
# MAKE SURE YOU INDENT CORRECTLY.
#
# See: https://eturnal.net/documentation/#Global_Configuration

eturnal:

  ## Shared secret for deriving temporary TURN credentials (default: $RANDOM):
  secret: "inventis"

  ## The server's public IPv4 address (default: autodetected):
  #relay_ipv4_addr: "13.124.71.4"
  ## The server's public IPv6 address (optional):
  #relay_ipv6_addr: "2001:db8::4"

  listen:
    -
      ip: "0.0.0.0"
      port: 3478
      transport: udp
    -
      ip: "0.0.0.0"
      port: 3478
      transport: tcp
    -
      ip:  "0.0.0.0"
      port: 5349
      transport: tls

  ## UDP relay port range (usually, several ports per A/V call are required):
  relay_min_port: 49152     # This is the default.
  relay_max_port: 65535     # This is the default.

  ## Reject TURN relaying from/to the following addresses/networks:
  blacklist:                # This is the default blacklist.
    - "127.0.0.0/8"         # IPv4 loopback.
    - "::1"                 # IPv6 loopback.
    #- recommended          # Expands to a number of networks recommended to be
                            # blocked, but includes private networks. Those
                            # would have to be 'whitelist'ed if eturnal serves
                            # local clients/peers within such networks.

  ## If 'true', close established calls on expiry of temporary TURN credentials:
  strict_expiry: false      # This is the default.

  ## Logging configuration:
  log_level: info           # critical | error | warning | notice | info | debug
  log_rotate_size: 10485760 # 10 MiB (default: unlimited, i.e., no rotation).
  log_rotate_count: 10      # Keep 10 rotated log files.
  log_dir: "C:/Program Files/eturnal/log"
  run_dir: "C:/Program Files/eturnal/run"

  ## See: https://eturnal.net/documentation/#Module_Configuration
  modules:
    mod_log_stun: {}        # Log STUN queries (in addition to TURN sessions).
    #mod_stats_influx: {}   # Log STUN/TURN events into InfluxDB.
    #mod_stats_prometheus:  # Expose STUN/TURN and VM metrics to Prometheus.
    #  ip: any              # This is the default: Listen on all interfaces.
    #  port: 8081           # This is the default.
    #  tls: false           # This is the default.
    #  vm_metrics: true     # This is the default.

Crash report on log

Hi @weiss! I see a crash report on the log file after executing the turnutils with the command:

turnutils -t -v -u 1663742530 -w XXXXXXXXXXXXXXXXXXXXX -p 80 -x myturn.example.com

eturnal.log

2022-09-21 03:55:58.497067+00:00 [info] Accepting long-term STUN/TURN authentication [TCP, session kt62aprd74lw, user 1663742530, client XXX.XX.XXX.XX:10328>
2022-09-21 03:55:58.671491+00:00 [info] Connection reset by peer [TCP, session 4bnpkrxknf23, user 1663742530, client XXX.XX.XXX.XX:10328]
2022-09-21 03:55:58.671622+00:00 [info] Cannot determine transport protocol: closed
2022-09-21 03:55:58.671834+00:00 [notice] Cannot start connection: closed [TCP|TLS, session g6yxbtgvyzvd]
2022-09-21 03:55:58.671770+00:00 [error] CRASH REPORT:
  crasher:
    initial call: stun:init/1
    pid: <0.507.0>
    registered_name: []
    exception exit: closed
      in function  p1_fsm:init_it/6 (p1_fsm.erl, line 386)
    ancestors: [stun_tmp_sup,stun_sup,<0.473.0>]
    message_queue_len: 0
    messages: []
    links: [<0.478.0>]
    dictionary: []
    trap_exit: true
    status: running
    heap_size: 610
    stack_size: 28
    reductions: 1041
  neighbours:
2022-09-21 03:55:58.672469+00:00 [info] Connection reset by peer [TCP, session kt62aprd74lw, user 1663742530, client XXX.XX.XXX.XX:10330]

eturnal.yml

listen:
    -
      ip: "::"
      port: 80
      transport: udp
    -
     ip: "::"
     port: 80
     transport: auto
    -
      ip: "::"
      port: 443
      transport: tls

What am I doing wrong?

Black-/Whitelisting: Separate client and peer

Currently the blacklist and whitelist do not differentiate between clients and peers.

In certain use cases, it is desirable to differentiate between them, for example to allow clients from a certain private network to connect to a TURN server (authenticated/authorized through the specified authentication mechanism, ephemeral/static), but to restrict access to peers in the same network environment, e.g. a Kubernetes cluster.

How to prevent abuse by using amplification/reflection DoS attack?

The DFN-CERT sent the warning below for our STUN server:

Event type:   Configuration/Amplifier
Timestamp:    2023-12-03 02:27:47+00:00
Count:        4
Description:  A service appears to be running on the system that can
             potentially be used for reflected DoS attacks. That is,
             this service responds to requests with a spoofed sender
             address and sends responses that are a multiple of the
             size of the request.

Last seen                  IP protocol   Port  Service
---------------------------------------------------------
2023-12-01 02:27:33+00:00  UDP            3478  STUN
2023-12-01 02:27:33+00:00  UDP            3478  STUN
2023-12-02 07:55:22+00:00  UDP            3478  STUN
2023-12-03 02:27:47+00:00  UDP            3478  STUN

As I am ignorant about these things, could a security section be added to the README, what risks are to be weighed?

Calls Do Not Connect

Hello,

I am having an issue with my calls not connecting. TrickleIce shows everything is working correctly:

Time	Type	Foundation	Protocol	Address	Port	Priority	URL (if present)	relayProtocol (if present)
0.004	host	3431801334	udp	818f189b-183b-4e1f-9992-957a75063bc0.local	60418	126 | 30 | 255		
0.017	srflx	970610555	udp	<public ip of peer>	31585	100 | 30 | 255	stun:matrix.mydomain.com:3478	
0.091	relay	1914238475	udp	<public ip of server>	2 | 31 | 255	turn:matrix.mydomain.com:3478?transport=udp	udp
0.134	Done

As does Matrix VoIP Tester

turn:<public server IP>:3478?transport=udp
STUN & TURN
Excellent
Succeeded the relaying test.

Candidates:
<public peer IP> port 30596/udp (server-reflexive (STUN))
<public server IP> port 57140/udp (relay (TURN))

However, when I place a call (both clients using Element), the call does not connect. If I put both devices on the same LAN, the calls connect without issue.

This comes in the log every few seconds, as the client does not send any data:

Relayed 0 KiB (in 0 B / 0 packets, out 0 B / 0 packets), duration: 1 seconds [UDP, session 7eugpszr72x4, user 1621923899:@user:mydomain.com, client <public peer IP>:51650, relay <public server IP>:57326]

TURN section from homeserver.yaml from synapse:

turn_uris: [ "turn:matrix.mydomain.com:3478?transport=udp", "stun:matrix.mydomain.com:3478?transport=udp" ]
turn_shared_secret: "<secret from eternal.yml>"
turn_allow_guests: true

I can see in my firewall logs that it is trying to make a direct connection (from peer2 to peer), and not using the relay server (public server IP), which I believe should not be the case?

I feel like I am 98% of the way there to success and I am missing something minor. Any assistance on getting this and calls to work is greatly appreciated :-).

Support `log/` being a symbolic link to another directory

Making the prefix/log a symbolic link to another directory seems to crash eturnal.

May 17 18:07:51 pitti.molgen.mpg.de eturnalctl[97948]: Exec: /project/eturnal/eturnal-20210323/erts-11.1.8/bin/erlexec -noinput +Bd -boot /project/eturnal/eturnal-20210323/releases/1.4.5/start -mode embedded -boot_var SYSTEM_LIB_DIR /project/eturnal/eturnal-20210323/lib -config /project/eturnal/eturnal-20210323/releases/1.4.5/sys.config -args_file /project/eturnal/eturnal-20210323/releases/1.4.5/vm.args -- foreground
May 17 18:07:51 pitti.molgen.mpg.de eturnalctl[97948]: Root: /project/eturnal/eturnal-20210323
May 17 18:07:51 pitti.molgen.mpg.de eturnalctl[97948]: /project/eturnal/eturnal-20210323
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]: [error]   crasher:
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:     initial call: application_master:init/4
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:     pid: <0.465.0>
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:     registered_name: []
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:     exception exit: {bad_return,
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:                      {{eturnal_app,start,[normal,[]]},
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:                       {'EXIT',
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:                        {{case_clause,
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:                          {error,
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:                           {handler_not_added,
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:                            {open_failed,
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:                             "/project/eturnal/eturnal-20210323/log/eturnal.log",
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:                             eexist}}}},
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:                         [{eturnal_logger,init,1,
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:                           [{file,
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:                             "/scratch/local/bee-eturnprj/eturnal/eturnal-1.4.5_20210323-0/source/src/eturnal_logger.erl"},
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:                            {line,131}]},
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:                          {eturnal_logger,start,0,
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:                           [{file,
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:                             "/scratch/local/bee-eturnprj/eturnal/eturnal-1.4.5_20210323-0/source/src/eturnal_logger.erl"},
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:                            {line,48}]},
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:                          {eturnal_app,start,2,
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:                           [{file,
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:                             "/scratch/local/bee-eturnprj/eturnal/eturnal-1.4.5_20210323-0/source/src/eturnal_app.erl"},
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:                            {line,33}]},
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:                          {application_master,start_it_old,4,
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:                           [{file,"application_master.erl"},{line,277}]}]}}}}
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:       in function  application_master:init/4 (application_master.erl, line 138)
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:     ancestors: [<0.464.0>]
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:     message_queue_len: 1
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:     messages: [{'EXIT',<0.466.0>,normal}]
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:     links: [<0.464.0>,<0.385.0>]
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:     dictionary: []
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:     trap_exit: true
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:     status: running
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:     heap_size: 987
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:     stack_size: 28
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:     reductions: 271
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:   neighbours:
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]: [notice]     application: eturnal
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:     exited: {bad_return,
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:                 {{eturnal_app,start,[normal,[]]},
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:                  {'EXIT',
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:                      {{case_clause,
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:                           {error,
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:                               {handler_not_added,
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:                                   {open_failed,
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:                                       "/project/eturnal/eturnal-20210323/log/eturnal.log",
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:                                       eexist}}}},
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:                       [{eturnal_logger,init,1,
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:                            [{file,
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:                                 "/scratch/local/bee-eturnprj/eturnal/eturnal-1.4.5_20210323-0/source/src/eturnal_logger.erl"},
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:                             {line,131}]},
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:                        {eturnal_logger,start,0,
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:                            [{file,
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:                                 "/scratch/local/bee-eturnprj/eturnal/eturnal-1.4.5_20210323-0/source/src/eturnal_logger.erl"},
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:                             {line,48}]},
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:                        {eturnal_app,start,2,
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:                            [{file,
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:                                 "/scratch/local/bee-eturnprj/eturnal/eturnal-1.4.5_20210323-0/source/src/eturnal_app.erl"},
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:                             {line,33}]},
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:                        {application_master,start_it_old,4,
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:                            [{file,"application_master.erl"},{line,277}]}]}}}}
May 17 18:07:52 pitti.molgen.mpg.de eturnalctl[97948]:     type: permanent
May 17 18:07:53 pitti.molgen.mpg.de eturnalctl[97948]: {"Kernel pid terminated",application_controller,"{application_start_failure,eturnal,{bad_return,{{eturnal_app,start,[normal,[]]},{'EXIT',{{case_clause,{error,{handler_not_added,{open_failed,\"/project/eturnal/eturnal-20210323/log/eturnal.log\",eexist}}}},[{eturnal_logger,init,1,[{file,\"/scratch/local/bee-eturnprj/eturnal/eturnal-1.4.5_20210323-0/source/src/eturnal_logger.erl\"},{line,131}]},{eturnal_logger,start,0,[{file,\"/scratch/local/bee-eturnprj/eturnal/eturnal-1.4.5_20210323-0/source/src/eturnal_logger.erl\"},{line,48}]},{eturnal_app,start,2,[{file,\"/scratch/local/bee-eturnprj/eturnal/eturnal-1.4.5_20210323-0/source/src/eturnal_app.erl\"},{line,33}]},{application_master,start_it_old,4,[{file,\"application_master.erl\"},{line,277}]}]}}}}}"}
May 17 18:07:53 pitti.molgen.mpg.de eturnalctl[97948]: Kernel pid terminated (application_controller) ({application_start_failure,eturnal,{bad_return,{{eturnal_app,start,[normal,[]]},{'EXIT',{{case_clause,{error,{handler_not_added,{open_failed,"/project/e
May 17 18:07:53 pitti.molgen.mpg.de eturnalctl[97948]: [1B blob data]
May 17 18:07:53 pitti.molgen.mpg.de eturnalctl[97948]: Crash dump is being written to: erl_crash.dump...done
May 17 18:07:53 pitti.molgen.mpg.de systemd[1]: eturnal.service: Main process exited, code=exited, status=1/FAILURE
May 17 18:07:53 pitti.molgen.mpg.de systemd[1]: eturnal.service: Failed with result 'exit-code'.
May 17 18:07:53 pitti.molgen.mpg.de systemd[1]: Failed to start eturnal STUN/TURN server.
-- Subject: Unit eturnal.service has failed

No logs created

Debian Buster, armv6, HEAD

E.g., when crashing on #2 it says {log_dir,<<"/var/log/eturnal">>}, while started by systemd, but there's no file there.

Docker ARM64 image doesn't work

It seems that the image wasn't compiled correctly; the same config works on an x86 machine.

/opt/eturnal/erts-14.0.2/bin/erlexec: line 4: syntax error: unexpected "("

Can relay_ipv4_addr and relay_ipv6_addr be set as an FQDN?

I often switch between multiple VPS providers because some of them offer better deals. This leads to frequent changes in my IP address, and I don't want to modify configuration files or environment variables each time.
Of course, I could also try writing a shell script to make a DNS request each time before starting Eturnal and then output the response to an environment variable.

Root cause of Rejecting permission creation request: Forbidden

Hi there! I switched to Eturnal from Coturn and its logging looks much more useful. However, when using both TURNS (udp,tcp) + TURN (udp,tcp), for some calls made via Matrix I'm getting the errors below. Users are LTE/various Wi-Fi mobile devices. All Eturnal tls/udp/tcp ports are defaults. I'm using ZeroSSL certs. What theoretically may be causing such errors?

They occur only for around 5% of calls and I spent weeks on trying to make it work properly.
All errors below are about the same Matrix user and the same session (unsuccessful).

Rejecting permission creation request: Forbidden [UDP, session bv95wke8p61e
Rejecting permission creation request: Forbidden [UDP, session bv95wke8p61e
Accepting long-term STUN/TURN authentication [TCP, session k15qtohtxcnt
Rejecting permission creation request: Forbidden [TCP, session k15qtohtxcnt
Accepting long-term STUN/TURN authentication [TLS, session 4minwbljwqj8
Rejecting permission creation request: Forbidden [TLS, session 4minwbljwqj8
Accepting long-term STUN/TURN authentication [TLS, session grbshvs74cwb
Rejecting permission creation request: Forbidden [TLS, session grbshvs74cwb

But just after that on the same session with the same user with the same IP it's ok:
Accepting long-term STUN/TURN authentication [UDP - no errors
Accepting long-term STUN/TURN authentication [UDP - no errors

Make all configuration items configurable with environment variables

Currently, only some configuration items like secret can be configured using environment variables.

Goal:
Implementing a general procedure e.g. with a prefix ETURNAL__ to let eturnal evaluate these variables for its configuration items.

For complex configuration items like listeners, something like this could be used: ETURNAL__LISTEN_0_PORT=443

ETURNAL_SECRET variable set, command eturnalctl credentials fails

Hello Holger,

I tested using the ETURNAL_SECRET variable to specify the secret, without having a secret specified in the eturnal.yml file. It fails to produce eturnalctl credentials, with the following log:

2022-05-25 07:37:40.157116+00:00 [notice] Starting eturnal 1.8.3 on Erlang/OTP 24 (ERTS 12.1.4) (eturnal_app:start/2:35)
2022-05-25 07:37:40.157248+00:00 [info] Got no NOTIFY_SOCKET, notifications disabled (eturnal_systemd:init/1:95)
2022-05-25 07:37:40.157323+00:00 [info] Relay IPv4 address: xxx.xxx.xxx.xxx (port range: 49152-65535) (eturnal:log_relay_addresses/0:287)
2022-05-25 07:37:40.157361+00:00 [info] Relay IPv6 address not configured (eturnal:log_relay_addresses/0:297)
2022-05-25 07:37:40.157862+00:00 [info] Listening on 127.0.0.1:41937 (tcp) (Erlang protocol version 6) (eturnal:log_control_listener/0:307)
2022-05-25 07:37:40.158012+00:00 [info] Started mod_log_stun (eturnal:start_modules/0:323)
2022-05-25 07:37:40.158200+00:00 [info] Listening on [::]:3478 (udp) (STUN/TURN) (eturnal:start_listeners/0:372)
2022-05-25 07:37:40.158367+00:00 [info] Listening on [::]:3478 (tcp) (STUN/TURN) (eturnal:start_listeners/0:372)
2022-05-25 07:38:03.586447+00:00 [info] Stopped listening on [::]:3478 (udp) (eturnal:stop_listeners/1:395)
2022-05-25 07:38:03.586583+00:00 [info] Stopped listening on [::]:3478 (tcp) (eturnal:stop_listeners/1:395)
2022-05-25 07:38:03.587049+00:00 [info] Stopped mod_log_stun (eturnal:stop_modules/1:343)
2022-05-25 07:38:03.587912+00:00 [error] ** Generic server eturnal terminating 
** Last message in was {get_password,<<"1653550683">>}
** When Server state == {eturnal_state,
                            [{{0,0,0,0,0,0,0,0},3478,udp},
                             {{0,0,0,0,0,0,0,0},3478,tcp}],
                            [mod_log_stun]}
** Reason for termination ==
** {{case_clause,<<"12345678">>},
    [{eturnal,handle_call,3,[{file,"/eturnal/src/eturnal.erl"},{line,170}]},
     {gen_server,try_handle_call,4,[{file,"gen_server.erl"},{line,721}]},
     {gen_server,handle_msg,6,[{file,"gen_server.erl"},{line,750}]},
     {proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,226}]}]}
** Client <0.576.0> stacktrace
** [{gen,do_call,4,[{file,"gen.erl"},{line,233}]},
    {gen_server,call,2,[{file,"gen_server.erl"},{line,235}]},
    {eturnal_ctl,call,1,[{file,"/eturnal/src/eturnal_ctl.erl"},{line,451}]},
    {eturnal_ctl,get_credentials,2,
                 [{file,"/eturnal/src/eturnal_ctl.erl"},{line,63}]},
    {erpc,execute_call,3,[{file,"erpc.erl"},{line,410}]},
    {rpc,execute_call,3,[{file,"rpc.erl"},{line,255}]},
    {rpc,'-handle_call/3-fun-0-',5,[{file,"rpc.erl"},{line,136}]}]
 (gen_server:error_info/7:949)
2022-05-25 07:38:03.589398+00:00 [error] CRASH REPORT:
  crasher:
    initial call: eturnal:init/1
    pid: <0.547.0>
    registered_name: eturnal
    exception error: no case clause matching <<"12345678">>
      in function  eturnal:handle_call/3 (/eturnal/src/eturnal.erl, line 170)
      in call from gen_server:try_handle_call/4 (gen_server.erl, line 721)
      in call from gen_server:handle_msg/6 (gen_server.erl, line 750)
    ancestors: [eturnal_sup,<0.540.0>]
    message_queue_len: 0
    messages: []
    links: [<0.545.0>]
    dictionary: []
    trap_exit: true
    status: running
    heap_size: 6772
    stack_size: 28
    reductions: 24077
  neighbours:
 (proc_lib:crash_report/4:525)
2022-05-25 07:38:03.589669+00:00 [error] SUPERVISOR REPORT:
    supervisor: {local,eturnal_sup}
    errorContext: child_terminated
    reason: {{case_clause,<<"12345678">>},
             [{eturnal,handle_call,3,
                       [{file,"/eturnal/src/eturnal.erl"},{line,170}]},
              {gen_server,try_handle_call,4,
                          [{file,"gen_server.erl"},{line,721}]},
              {gen_server,handle_msg,6,[{file,"gen_server.erl"},{line,750}]},
              {proc_lib,init_p_do_apply,3,
                        [{file,"proc_lib.erl"},{line,226}]}]}
    offender: [{pid,<0.547.0>},
               {id,eturnal},
               {mfargs,{eturnal,start_link,[]}},
               {restart_type,permanent},
               {significant,false},
               {shutdown,5000},
               {child_type,worker}]
 (supervisor:do_restart/3:736)
2022-05-25 07:38:03.589921+00:00 [info] Relay IPv4 address: xxx.xxx.xxx.xxx (port range: 49152-65535) (eturnal:log_relay_addresses/0:287)
2022-05-25 07:38:03.589979+00:00 [info] Relay IPv6 address not configured (eturnal:log_relay_addresses/0:297)
2022-05-25 07:38:03.590939+00:00 [info] Listening on 127.0.0.1:41937 (tcp) (Erlang protocol version 6) (eturnal:log_control_listener/0:307)
2022-05-25 07:38:03.591605+00:00 [info] Started mod_log_stun (eturnal:start_modules/0:323)
2022-05-25 07:38:03.592206+00:00 [info] Listening on [::]:3478 (udp) (STUN/TURN) (eturnal:start_listeners/0:372)
2022-05-25 07:38:03.592569+00:00 [info] Listening on [::]:3478 (tcp) (STUN/TURN) (eturnal:start_listeners/0:372)

I tested with a plain install from the apt repository with ARM64 (Raspberry Pi):

sudo apt install extrepo
sudo extrepo enable eturnal
sudo apt update
sudo apt install eturnal

And with the discussed Docker image from pull request #20. Both have the same failure.

IPv4 address is discovered correctly (although unrelated for this issue)

Thanks and best regards,
sando

Support hot release upgrades

Supporting hot release upgrades would be nice, as restarting the TURN service kills running calls.

Caveats:

  • To avoid an emulator restart during the upgrade, the new eturnal version would have to stick to the same OTP version. At least the core applications cannot be soft-upgraded: ERTS, Kernel, STDLIB, and SASL.
  • Supporting hot upgrades with distribution packages would probably be (too) cumbersome, as both the old and new version would have to be installed in parallel during the upgrade. Just using versioned package names won't do the trick, as both the old and the new package would install identical file paths. (Ab)using mechanisms such as Debian's diversions or alternatives is probably too much of a hassle given the number of affected files. However, hot upgrades should be possible with the binary release.

eturnal with TLS

Hello,

I have coturn running on port 3478 and 5349 TLS.
Works well, but sometimes I get "WebRTC: ICE failed, see about:webrtc for more details" errors.

Running eturnal works well on port 3478 but not on port 5349 TLS.

Coturn and eturnal are both running on my server now, with eturnal using ports 3479 and 5350.
I can

telnet foxy.tel 3479
and
telnet foxy.tel 5350

but when I test with [https://icetest.info/]

URL: stun:foxy.tel:3479
URL: stun:foxy.tel:5350

I cannot get a "srflx" response on port 5350, only on 3479.

So how can I get TLS to work?

Thank you.
eturnal.txt

Support UDP proxy protocol

If we deploy eturnal in managed Kubernetes environments, we require a load balancer service, which forwards the traffic to eturnal. This traffic will not have the real IP address of the connecting clients but that of the load balancer. Load balancers usually support the proxy protocol, though; therefore, having proxy protocol for UDP transports would solve the problem.

NodePort is not a suitable solution, because we will always lose the IP addresses here as well, because the connecting IP address will be the Kubernetes local gateway.

Reload certificates on eturnalctl reload

Currently, new certificates can only be deployed with a restart. However, a reload should suffice. It seems that reloading the PEM file is already in the code base, but my Erlang fu is still not very strong.
