add guide to documentation and example files to repository to run coturn alongside PairDrop via Docker Compose

- enable TURN over TLS
- modified the .gitignore to ignore files with user-data
- should fix #105
- partly cherry-picked from #106

Co-authored-by: xundeenergie <xundeenergie@users.noreply.github.com>
schlagmichdoch and xundeenergie committed Oct 28, 2023
1 parent 750f543 commit 2467a5f
Showing 5 changed files with 95 additions and 18 deletions.
3 changes: 3 additions & 0 deletions .gitignore
@@ -3,3 +3,6 @@ node_modules
fqdn.env
/docker/certs
qrcode-svg/
turnserver.conf
rtc_config.json
ssl/
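Review bot: the three new patterns are unanchored, so `turnserver.conf` and `rtc_config.json` are ignored in every directory of the tree rather than only at the repository root where the compose file mounts them; if root-only is intended, anchor them with a leading slash, as the existing `/docker/certs` entry on the line above does. Ignoring them is the right call in itself, since `turnserver.conf` carries `user=username:password` in plaintext and `ssl/` holds the private key.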
16 changes: 12 additions & 4 deletions docker-compose-coturn.yml
@@ -4,20 +4,28 @@ services:
image: "lscr.io/linuxserver/pairdrop:latest"
container_name: pairdrop
restart: unless-stopped
volumes:
- ./rtc_config.json:/home/node/app/rtc_config.json
environment:
- PUID=1000 # UID to run the application as
- PGID=1000 # GID to run the application as
- WS_FALLBACK=false # Set to true to enable websocket fallback if the peer to peer WebRTC connection is not available to the client.
- RATE_LIMIT=false # Set to true to limit clients to 1000 requests per 5 min.
- RTC_CONFIG=false # Set to the path of a file that specifies the STUN/TURN servers.
- RTC_CONFIG=/home/node/app/rtc_config.json # Set to the path of a file that specifies the STUN/TURN servers.
- DEBUG_MODE=false # Set to true to debug container and peer connections.
- TZ=Etc/UTC # Time Zone
ports:
- "127.0.0.1:3000:3000" # Web UI. Change the port number before the last colon e.g. `127.0.0.1:9000:3000`
coturn_server:
image: "coturn/coturn"
restart: always
network_mode: "host"
restart: unless-stopped
volumes:
- ./turnserver.conf:/etc/coturn/turnserver.conf
#you need to copy turnserver_example.conf to turnserver.conf and specify domain, IP address, user and password
- ./ssl/:/etc/coturn/ssl/
ports:
- "3478:3478"
- "3478:3478/udp"
- "5349:5349"
- "5349:5349/udp"
- "10000-20000:10000-20000/udp"
# see guide at docs/host-your-own.md#coturn-and-pairdrop-via-docker-compose
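Review bot: replacing `network_mode: "host"` with published ports moves coturn onto Docker's bridge network, where the container itself sits behind NAT; the relayed addresses coturn hands out will then be the container's internal IP unless `external-ip` is set, yet `turnserver_example.conf` in this same commit comments that option out as "only needed, if coturn is behind a NAT". Either keep host networking or have the guide require `external-ip=<IP_ADDRESS>` for the Docker Compose setup. Publishing `10000-20000:10000-20000/udp` as a port mapping is also costly: Docker sets up each of the roughly 10,000 ports individually, which makes container start slow and memory-heavy and is the usual reason coturn deployments use host networking. Minor: the `./ssl/` and `./rtc_config.json` mounts can be `:ro`, since coturn and PairDrop only read them.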
48 changes: 48 additions & 0 deletions docs/host-your-own.md
@@ -6,6 +6,8 @@ Beware that you have to host your own TURN server to enable transfers between di

Follow [this guide](https://gabrieltanner.org/blog/turn-server/) to either install coturn directly on your system (Step 1)
or deploy it via Docker (Step 5).

You can use the `docker-compose-coturn.yml` in this repository. See [Coturn and PairDrop via Docker Compose](#coturn-and-pairdrop-via-docker-compose).

Alternatively, use a free, pre-configured TURN server like [OpenRelay](https://www.metered.ca/tools/openrelay/)

@@ -546,6 +548,52 @@ service apache2 reload

<br>

## Coturn and PairDrop via Docker Compose

### Setup container
To run coturn and PairDrop at once by using the `docker-compose-coturn.yml` with TURN over TLS enabled
you need to follow these steps:

1. generate or retrieve certificates for your <DOMAIN> (e.g. letsencrypt / certbot)
2. copy your ssl-certificates and the privkey to `./ssl` and `chown -R nobody:nogroup ./ssl`
3. create a dh-params file with `openssl dhparam -out ./ssl/dhparams.pem 4096`
4. copy `rtc_config_example-coturn.json` to `rtc_config.json`
5. copy `turnserver_example.conf` to `turnserver.conf`
6. change `<DOMAIN>` in both files to the domain where your PairDrop instance is running
7. change `username` and `password` in `turnserver.conf` and `rtc-config.json`
8. To start the container including coturn run: \
`docker compose -f docker-compose-coturn.yml up -d`

<br>

#### Setup container
To restart the container including coturn run: \
`docker compose -f docker-compose-coturn.yml restart`

<br>

#### Setup container
To stop the container including coturn run: \
`docker compose -f docker-compose-coturn.yml stop`

<br>

### Firewall
To run PairDrop including its own coturn-server you need to punch holes in the firewall. These ports must be opened additionally:
- 3478 tcp/udp
- 5349 tcp/udp
- 10000:20000 tcp/udp

<br>

### Firewall
To run PairDrop including its own coturn-server you need to punch holes in the firewall. These ports must be opened additionally:
- 3478 tcp/udp
- 5349 tcp/udp
- 10000:20000 tcp/udp

<br>

## Local Development

### Install
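Review bot: step 3 writes `./ssl/dhparams.pem`, but `turnserver_example.conf` in this commit reads `dh-file=/etc/coturn/ssl/dhparam.pem`, so coturn will not find the DH parameters; make the two names agree. Further mismatches in the same steps: step 4 copies `rtc_config_example-coturn.json`, a file this commit does not add (the file it changes is `rtc_config_example.json`), and step 7 spells the target `rtc-config.json` while the compose file mounts `rtc_config.json`. The two `#### Setup container` headings for restart and stop should read `#### Restart container` and `#### Stop container`, the `### Firewall` section appears twice verbatim, and the firewall list says `10000:20000 tcp/udp` while the compose file publishes that range for UDP only.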
4 changes: 2 additions & 2 deletions rtc_config_example.json
@@ -2,10 +2,10 @@
"sdpSemantics": "unified-plan",
"iceServers": [
{
"urls": "stun:stun.l.google.com:19302"
"urls": "stun:<DOMAIN>:3478"
},
{
"urls": "turn:example.com:3478",
"urls": "turns:<DOMAIN>:5349",
"username": "username",
"credential": "password"
}
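Review bot: this file is the RTC configuration PairDrop hands to every client (see `RTC_CONFIG` in the compose file), so whatever `username`/`credential` ends up in it is visible to anyone who loads the page, and with `lt-cred-mech` that static password is all that is needed to relay arbitrary traffic through the server. Consider coturn's `use-auth-secret`/`static-auth-secret` mode with short-lived credentials instead, or at least state in the guide that the pair is effectively public. The `turns:` URL also requires the certificate to be valid for `<DOMAIN>` as the browser sees it, which the guide's step 1 should make explicit.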
42 changes: 30 additions & 12 deletions turnserver_example.conf
@@ -6,33 +6,51 @@ server-name=pairdrop
listening-ip=0.0.0.0

# External IP-Address of the TURN server
external-ip=<IP_ADDRESS>
# only needed, if coturn is behind a NAT
# external-ip=<IP_ADDRESS>

# Main listening port
# Main listening port for STUN and TURN
listening-port=3478

# Main listening port for TURN over TLS (TURNS)
# Use port 443 to bypass some firewalls
tls-listening-port=5349

# Further ports that are open for communication
min-port=10000
max-port=20000

# Use fingerprint in TURN message
fingerprint

# Log file path
log-file=/var/log/turnserver.log

# Enable verbose logging
verbose
# verbose

# Log file path
# - is logging to STDOUT, so it's visible in docker-compose logs
log-file=-

# Specify the user for the TURN authentification
user=user:password
user=username:password

# Enable long-term credential mechanism
lt-cred-mech

# SSL certificates
cert=/etc/letsencrypt/live/<DOMAIN>/cert.pem
pkey=/etc/letsencrypt/live/<DOMAIN>/privkey.pem

# 443 for TURN over TLS, which can bypass firewalls
tls-listening-port=443
cert=/etc/coturn/ssl/cert.crt
pkey=/etc/coturn/ssl/pkey.pem
dh-file=/etc/coturn/ssl/dhparam.pem

# For security-reasons disable old ssl and tls-protocols
# and other recommended options: see https://github.com/coturn/coturn/blob/master/examples/etc/turnserver.conf
no-sslv3
no-tlsv1
no-tlsv1_1
no-tlsv1_2
no-rfc5780
no-stun-backward-compatibility
response-origin-only-with-rfc5780
no-cli
no-multicast-peers
no-software-attribute
check-origin-consistency

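Review bot: `no-tlsv1_2` in the new hardening block disables TLS 1.2 as well, which together with `no-tlsv1` and `no-tlsv1_1` leaves TLS 1.3 as the only protocol on the 5349 listener; coturn's own example config, linked in the comment just above that block, ships that option commented out. Clients without TLS 1.3 then cannot use TURNS at all, and the DTLS listener on 5349/udp may be affected too, since DTLS 1.2 is what those clients speak; drop `no-tlsv1_2` unless TLS-1.3-only is a deliberate requirement. Minor: "authentification" in the user comment should read "authentication".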