v0.1.2.2 — coturn validation works on more provider topologies

@vnykmshr vnykmshr released this 26 Apr 10:57
30a0f5e

Note for go install users: this tag is 4-segment (v0.1.2.2), which the Go module proxy treats as invalid semver, silently substituting a pseudo-version. The Go binary is byte-identical to v0.1.2: no Go source changed in v0.1.2.1 or v0.1.2.2; the deltas are conf + docs + script, which ship via Homebrew or repo clone, not via go install. Use go install github.com/1mb-dev/natcheck/cmd/natcheck@v0.1.2 (same binary) or brew install 1mb-dev/tap/natcheck (binary + corrected assets). v0.1.3 will use 3-segment semver.

Patch release. Closes #15 and #16. No code or JSON schema delta — same binary as v0.1.2 / v0.1.2.1.

Fixed

  • examples/coturn-natcheck.conf now uses the two-listening-ip + two-external-ip-pair form explicitly. v0.1.2.1's external-ip=PUBLIC/PRIVATE only worked on AWS/GCP-style topologies where the two IPs differ naturally. On single-public-IP providers (DigitalOcean basic droplet, Linode Nanode, Hetzner single-IP), eth0's IP IS the public IP — external-ip=A/A doesn't satisfy coturn's "two distinct IPs" requirement and coturn silently logs WARNING: ... only one IP address is provided while natcheck reports filtering: untested.
  • docs/coturn-setup.md adds a per-provider topology table (AWS/GCP / DO basic / bare metal) with a worked DigitalOcean Reserved IP example (ip addr add SECOND_IP/32 dev eth0).

Added

  • scripts/validate-coturn.sh — one-shot SSH-pipe provisioner that installs coturn, writes the conf, opens the firewall, starts coturn in tmux, and verifies the startup log for the two specific warning lines that signal a misconfigured §4.4 path. Exits non-zero with FAIL: ... if either appears, so misconfigured droplets don't silently produce filtering: untested samples. Accepts SECOND_IP=<addr> env var for single-public-IP providers — aliases the IP to the NIC and writes the multi-IP conf.

    # AWS/GCP topology:
    ssh root@<vm-ip> 'bash -s' < scripts/validate-coturn.sh
    
    # Single-public-IP provider, after attaching a second IP:
    ssh root@<vm-ip> "SECOND_IP=<reserved-ip> bash -s" < scripts/validate-coturn.sh
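
A pre-flight lint in the spirit of the check described above, added here as an example and not the project's scripts/validate-coturn.sh: it confirms a conf has the two-listening-ip + two-external-ip form and scans a startup log for the one warning fragment this page quotes. The function names, temp file names and sample addresses are assumptions; the second warning line is not quoted on this page, so it is not checked.

```shell
#!/bin/sh
# Added example (hypothetical helper names), not the project's own script.

# Count distinct values of one coturn conf key, ignoring comments and whitespace.
conf_distinct() {  # usage: conf_distinct KEY FILE
  awk -F= -v key="$1" '
    { sub(/#.*/, ""); gsub(/[ \t\r]/, "") }
    $1 == key && $2 != "" && !seen[$2]++ { n++ }
    END { print n + 0 }' "$2"
}

# Fail unless the conf carries two distinct listening-ip and external-ip entries.
check_turn_conf() {  # usage: check_turn_conf CONF
  nl=$(conf_distinct listening-ip "$1")
  ne=$(conf_distinct external-ip "$1")
  if [ "$nl" -lt 2 ] || [ "$ne" -lt 2 ]; then
    echo "FAIL: $nl listening-ip and $ne external-ip entries, need 2 distinct of each"
    return 1
  fi
  echo "OK: conf has $nl listening-ip and $ne external-ip entries"
}

# Fail if the startup log shows coturn came up with a single IP.
check_turn_log() {  # usage: check_turn_log LOGFILE
  if grep -q 'WARNING: .*only one IP address is provided' "$1"; then
    echo "FAIL: coturn reports one IP; natcheck would report filtering: untested"
    return 1
  fi
  echo "OK: no single-IP warning in log"
}

# Constructed sample input: a single-IP conf (external-ip=A/A) and a log line
# built around the warning fragment quoted in this release note.
demo() {
  d=$(mktemp -d)
  printf 'listening-ip=192.0.2.10\nexternal-ip=192.0.2.10/192.0.2.10\n' > "$d/turn.conf"
  printf 'WARNING: (constructed) only one IP address is provided\n' > "$d/turn.log"
  check_turn_conf "$d/turn.conf"
  check_turn_log "$d/turn.log"
  rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it with the argument demo to see both checks fail on the constructed single-IP input.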

Verified

End-to-end against a real DigitalOcean basic droplet (coturn 4.6, Ubuntu 24.04, primary public IP + Reserved IP aliased to eth0). Canonical filtering verdict reproduces across runs; classification + warnings + exit code stable. tcpdump confirmed coturn responds to RFC 5780 §4.4 Test 2 + Test 3 with routable public source IPs.

Known follow-up

  • #14 — when the default-server hostnames resolve via IPv6 and a custom --server is an IPv4 literal, the classifier compares mapped endpoints across address families and produces wrong ADM verdicts. Affects users following docs/coturn-setup.md who pass the natural probe set. Larger surface (Go code change + new schema warning + tests). Planned for v0.1.3.

Install

brew tap 1mb-dev/tap
brew upgrade natcheck      # if already installed
brew install natcheck      # fresh install

or

go install github.com/1mb-dev/natcheck/cmd/natcheck@v0.1.2.2