[Question] Clarification about coturn settings #667

Closed · 2 tasks done
MichaIng opened this issue Feb 16, 2018 · 13 comments
Labels: feature: WebRTC 🚡 WebRTC connection between browsers and/or mobile clients · help wanted · technical debt
@MichaIng (Member)

MichaIng commented Feb 16, 2018

I just wanted to ask for some clarification about how to configure coturn for Nextcloud Talk (only):

  • As you give a specific port in the Talk admin settings to access the TURN server: Am I right that you only need to open a single listening port, standard or TLS, and that the alternative ports coturn's config offers have no effect for Talk?
  • Does it make sense to e.g. use the alternative port just for STUN, so you can configure Talk to use one port on your server for STUN only and the other for TURN only?
  • Am I right that the peers/users need direct access to the STUN/TURN server, thus it is not all redirected from within Nextcloud somehow? That would allow giving the STUN/TURN URLs as localhost. It did not work in a test, so I think that answers it already 😉. Answer: Yes, direct access is needed; Ref: https://github.com/spreedbox/spreedbox/wiki/Use-TURN-server#run-turn-server-on-spreedbox-behind-nat
  • I don't understand the "listening-ip" setting of coturn. It does not work if I give the local server IP there; would this need the external server IP as well, and thus should it be left unset for servers with dynamic IPs? Answer: Leave it commented behind NAT, otherwise use the external IP; for more details (listening-ip/relay-ip/external-ip) the coturn devs should be asked directly; Ref: https://github.com/spreedbox/spreedbox/wiki/Use-TURN-server#run-turn-server-on-spreedbox-behind-nat

I think all other settings that are included in the many posts on the Nextcloud forum seem to be clear; all have them in common. It would still be nice if there were some official guide here on the wiki or in the Nextcloud admin manual, e.g.

@Ivansss (Member)

Ivansss commented Feb 21, 2018

@fancycode maybe you could help here.

@MichaIng (Member, Author)

@gurussia
Thanks, I have a working config as well. My question is more about confirming some assumptions I have about what is really needed and what is not. E.g. on help.nextcloud.com and in several external guides you often see the listening port configured alongside the TLS port and the alternative ports as well. This works, but if I am right it is unnecessary, and it would be enough to configure coturn to listen on just one port (TLS or normal), the one you set in the Talk admin settings. And maybe there are some other possibilities for fitting coturn just for use with Talk, performance- and security-wise.

@nickvergessen (Member)

@fancycode can you enlighten us?

@nickvergessen nickvergessen added this to the backlog milestone Mar 12, 2018
@MichaIng (Member, Author)

What I collected, tested and think should be right/sufficient is the following:

non-TLS:

```
# only one port needed: no alt-/tls-/alt-tls-listening-port
listening-port=<choose>
fingerprint
# long-term credential mechanism, required for use-auth-secret
lt-cred-mech
# TURN REST API: time-limited credentials derived from the shared secret
use-auth-secret
# same value as entered in the Talk admin settings
static-auth-secret=<choose, e.g. 'openssl rand -hex 32'>
realm=<yourDomain>
# max. concurrent allocations; bps-capacity=0 means no bandwidth limit
total-quota=100
bps-capacity=0
stale-nonce
# refuse to relay to loopback and multicast peer addresses
no-loopback-peers
no-multicast-peers
```

TLS:

```
# only one port needed: no alt-/alt-tls- or plain 'listening-port'
tls-listening-port=<choose>
fingerprint
# long-term credential mechanism, required for use-auth-secret
lt-cred-mech
# TURN REST API: time-limited credentials derived from the shared secret
use-auth-secret
# same value as entered in the Talk admin settings
static-auth-secret=<choose, e.g. 'openssl rand -hex 32'>
realm=<yourDomain>
# max. concurrent allocations; bps-capacity=0 means no bandwidth limit
total-quota=100
bps-capacity=0
stale-nonce
cert=</path/to/your/cert.pem>
pkey=</path/to/your/privkey.pem>
# or default/commented, or whatever is desired for compatibility <> security;
# the lowest-priority entries (3DES, RSA key exchange) are there for older clients
cipher-list="ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5"
# refuse to relay to loopback and multicast peer addresses
no-loopback-peers
no-multicast-peers
```

Then add <yourDomain>:<chosenPort> to STUN (or leave the default) and to TURN (+ <chosenSecret>) in the Talk admin settings.
I haven't tried it yet and don't know if there is any benefit in setting alt-(tls-)listening-port (or leaving it commented, which results in (tls-)listening-port+1) and using this for the STUN server. Then STUN and TURN requests would be separated onto two different ports.
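The `use-auth-secret` / `static-auth-secret` pair in the config above is what ties coturn to the secret entered in the Talk admin settings: Talk does not hand the secret to clients, it derives short-lived credentials from it. The following is an added example written for this page, not code from the issue, from coturn or from Nextcloud Talk. It assumes (as coturn's TURN REST API mode does) that the HMAC key is the exact string set as `static-auth-secret`, that the username is `<expiry-unix-timestamp>:<label>`, and that the password is `base64(HMAC-SHA1(secret, username))`; the sample secret is constructed, not a real key.

```python
"""Generate and verify time-limited TURN credentials for coturn's
use-auth-secret mode (added example; assumptions are noted in comments)."""
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed sample secret, shaped like the output of 'openssl rand -hex 32'.
SAMPLE_SECRET = "0f8e4d2c1b9a7e6d5c4b3a29181706f5e4d3c2b1a0f9e8d7c6b5a4938271605f"


def make_turn_credential(secret: str, label: str = "nextcloud",
                         ttl: int = 86400, now: Optional[int] = None) -> Tuple[str, str]:
    """Nextcloud/client side: build (username, password) valid for `ttl` seconds.

    Assumption: the UTF-8 bytes of the secret string are the HMAC-SHA1 key,
    which is how coturn's use-auth-secret mode treats static-auth-secret.
    """
    if now is None:
        now = int(time.time())
    username = f"{now + ttl}:{label}"
    digest = hmac.new(secret.encode("utf-8"), username.encode("utf-8"), hashlib.sha1).digest()
    return username, base64.b64encode(digest).decode("ascii")


def verify_turn_credential(secret: str, username: str, password: str,
                           now: Optional[int] = None) -> bool:
    """TURN-server side: reject malformed or expired usernames, then compare the HMAC.

    The expiry is checked before any crypto so a leaked credential cannot be
    replayed after its lifetime, and the digest comparison is constant-time.
    """
    if now is None:
        now = int(time.time())
    expiry_text, sep, _label = username.partition(":")
    if not sep or not expiry_text.isdigit():
        return False          # not in "<timestamp>:<label>" form
    if int(expiry_text) < now:
        return False          # credential has expired
    try:
        given = base64.b64decode(password, validate=True)
    except ValueError:        # binascii.Error is a ValueError subclass
        return False
    expected = hmac.new(secret.encode("utf-8"), username.encode("utf-8"), hashlib.sha1).digest()
    return hmac.compare_digest(expected, given)


if __name__ == "__main__":
    user, pw = make_turn_credential(SAMPLE_SECRET, label="talk", ttl=3600)
    print(f"username: {user}\npassword: {pw}")
    print("valid now:", verify_turn_credential(SAMPLE_SECRET, user, pw))
```

To check a live coturn against the secret in `turnserver.conf`, run the script with that secret in place of the sample and pass the printed pair to coturn's test client as `turnutils_uclient -u <username> -w <password> -p <port> <host>` (remaining options per its man page); a wrong secret or an expired timestamp shows up as an authentication failure in coturn's log, which is the quickest way to tell a secret mismatch from a NAT or firewall problem.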

@fancycode (Member)

You can use this tutorial as base, the same Coturn settings can be used for Nextcloud talk:
https://github.com/spreedbox/spreedbox/wiki/Use-TURN-server#turn-server-configuration

@MichaIng (Member, Author)

MichaIng commented Mar 13, 2018

@fancycode
Thanks, yeah, same as in many guides/examples, a bit confusing:

  • cipher-list without using TLS? 🤔
  • port+alt-port set, but just one configured in spreed?

But the main parts are confirmed again.

@vzhd1701

vzhd1701 commented Mar 22, 2018

As I understand, non-TLS "turn:" urls are hardcoded into configuration. So it should be enough to keep only listening-port for turnserver configuration.

@MichaIng (Member, Author)

@jason1122
I don't see any hardcoding there; the settings are received beforehand, but on the other hand I am not good at interpreting such PHP code 🤔.
But what I do see is that there is definitely just one TURN address handled, with the port as a fixed part of it.

Whether it's TLS or non-TLS seems to be decided by the TURN server. The client can't know at first, as it just has a bare domain and port. But the server then knows from its settings whether it should be TLS or not and seems to shift the connection accordingly. But that's just logical guessing 😉.

@nickvergessen nickvergessen added the feature: WebRTC 🚡 WebRTC connection between browsers and/or mobile clients label Mar 23, 2018
@nickvergessen (Member)

Yes, that's about it.

@MichaIng (Member, Author)

Okay, I answered the questions more or less by myself. The spreedbox TURN wiki is quite a good basis, explaining limits/needs in combination with NAT etc., topics that I can't find in most Nextcloud forum threads. This could/should be used/linked for Talk in some prominent place as well, e.g. wiki, app description?

@fancycode
May I still ask for some last clarifications?

  • Talk just uses the one configured port to access the TURN (respectively STUN) server, and it's up to the server to shift this connection to TLS or not, right? As coturn by default listens on listening-port+1 as well.
  • Do you see any benefit in using two different ports for STUN and TURN requests?
  • About the cipher-list, it is the same security <> compatibility trade-off as for web servers, so it's also about which ciphers are supported by the connecting browsers/clients, right?
    It would be interesting whether the Talk Android app has some limitations there, or if it's just about the underlying Android version, but I think I would need to ask @mario about that?

@mario (Contributor)

mario commented Mar 23, 2018

@MichaIng:

  • each Android vendor ships a certain set of supported ciphers & protocols
  • if you run a GPlay version of the Talk app, we update that list from Google every time you run the app for maximum compatibility (and well, sometimes security, because stuff gets disabled too sometimes - but this is the task of the server TBH)
  • the only exception is that I disable all SSL versions manually on Android 5 since Android 5 is relatively bad in regards to security

Let me know if I can help you in any other way!
