Permalink
ffc661b Sep 11, 2018
1 contributor

Users who have contributed to this file

1185 lines (844 sloc) 42.4 KB
I. TURN Server as a standard OS package
At the present time, several operation systems have this project pre-packaged:
1) New Linuxes in Debian family have package "coturn":
http://packages.qa.debian.org/r/coturn.html
If you are using the Debian package from the project download site,
then follow these instructions:
Unpack the archive:
$ tar xvfz turnserver-<...>.tar.gz
Read the INSTALl file:
$ cat INSTALL
Install the *.deb file:
$ sudo apt-get update
$ sudo apt-get install gdebi-core
$ sudo gdebi coturn*.deb
(to install the bare package without any dependencies, type:
$ sudo dpkg -i coturn_*_*.deb)
After the install, read the documentation in /usr/share/doc/coturn directory.
All binaries will be installed in /usr/bin/ directory.
The turn*.conf config files are in /etc directory.
The service start-up control scripts will be in /etc/init.d/coturn and
in /etc/defaults/coturn files.
2) ArchLinux has this TURN server package:
https://aur.archlinux.org/packages/coturn/
3) FreeBSD and OpenSUSE have the predecessor of this project packaged
(rfc5766-turn-server).
II. DOWNLOAD
You have to download the archive file turnserver-*.tar.gz and unpack it:
$ tar xfz turnserver-*.tgz
it will create the directory 'turnserver-*' with all sources, build files,
examples and documentation.
III. BUILD
If you are sure that you system is ready for the build (see the section
"Extra libraries and Utilities" below) then you can build the system.
First, you have to run the configure script:
$ cd turnserver-*
$ ./configure
It will create a Makefile customized for your system.
By default, the generated Makefile will install everything to:
- /usr on Solaris.
- /usr/pkg on NetBSD.
- /usr/local everywhere else.
The binaries will be copied to the bin subdirectory of the installation
destination, config files copied to etc subdirectory. The default SQLite database
will be created in var/db/turndb. There will be
also documents, examples and some other files, in separate directories.
You can change the root configured destination directory by
setting PREFIX variable in the
configure command line. For example:
$ PREFIX=/opt ./configure
Or:
$ ./configure --prefix=/opt
You can change the auxiliary configured destination sub-directories by
setting BINDIR, CONFDIR, MANPREFIX, EXAMPLESDIR, DOCSDIR, LIBDIR, SCHEMADIR,
LOCALSTATEDIR, TURNDBDIR and TURNINCLUDEDIR variables in the
configure command line. For example:
$ PREFIX=/opt BINDIR=/opt/bin64 CONFDIR=/opt/conf ./configure
Or:
$ ./configure --prefix=/opt --bindir=/opt/bin64 --confdir=/opt/conf
You also can change the compilation and link options by
setting common build variables in the
configure command line. For example:
$ CC=clang CFLAGS=-D_CAURIB LDFLAGS=-lshanka ./configure --prefix=/opt/shy
See below a separate INSTALL section for more details.
The script "configure" is a proprietary script. It will create a Makefile
that you can use to build the project:
$ make
The make command without options will do the following:
- compile the code.
- create bin/ sub-directory and put the TURN server, TURN admin and
"utility" programs there.
- create lib/ sub-directory and put the client library there.
- create include/turn/ sub-directory and put include files there.
- create sqlite/turndb default empty database that will be copied to
var/db/ during the installation.
The TURN programs can be either called directly, or a shell scripts can be used.
The script examples are located in examples/scripts directory. These scripts
are just examples: you can run them successfully for the tests, but
you will have to change the script parameters for your real environment.
The command:
$ sudo make install
will install everything into the system file structure (see below).
(NOTE: On NetBSD, use "su root -c").
The command:
$ sudo make deinstall
will remove all installed TURN Server files from your system.
The command:
$ make clean
will clean all results of the build and configuration actions.
Do not run "make clean" before "make deinstall". The "clean" command will
remove the Makefile and you will not be able to "deinstall" then. If that
has happened, then run ./configure and make again, then deinstall and then
clean.
NOTE: On most modern systems, the build will produce dynamically linked
executables. If you want statically linked executables, you have to modify,
accordingly, the Makefile.in template file.
IV. OPENSSL
If you are using the OpenSSL that is coming with your system, and you are
OK with it, then you do not have to read this chapter. If your system has
an outdated OpenSSL version, or if you need some very fresh OpenSSL features
that are not present in the current usual stable version, then you may have
to compile (and run) your TURN server with a different OpenSSL version.
For example, if you need ALPN feature, or DTLS1.2, and your system comes with
OpenSSL 1.0.1, you will not be able to use those features unless you install
OpenSSL 1.0.2 and compile and run the TURN server with the newer version.
The problem is, it is usually not safe to replace the system's OpenSSL with
a different version. Some systems are "bound" to its "native" OpenSSL
installations, and their behavior may become unpredictable with the newer
versions.
So you want to preserve your system's OpenSSL but you want to compile and to
run the TURN server with newer OpenSSL version. There are different ways to
do that. We are suggesting the following:
1) Download the OpenSSL version from openssl.org.
2) Let's assume that we want to install the "custom" OpenSSL into /opt.
Configure and build OpenSSL as:
$ ./config --prefix=/opt
$ make
$ make install
Those commands will install OpenSSL into /opt, with static libraries (no
dynamic libraries).
3) Build the TURN server:
$ ./configure --prefix=/opt
$ make
Those commands will build the TURN server binaries, statically linked
against the newer OpenSSL.
4) Then you can run the TURN server without setting the dynamic
libraries paths - because it has been linked statically against the newer
OpenSSL libraries.
One potential problem is that libevent2 is using the OpenSSL, too. So, ideally,
to be 100% safe of all potential discrepancies in the runtime, we'd suggesting
rebuilding libevent2 with the newer OpenSSL, too.
V. INSTALL
This step is optional. You can run the turnserver from the original build
directory, successfully, without installing the TURN server into your system.
You have to install the turnserver only if you want to integrate the
turnserver in your system.
Run the command:
$ make install
It will install turnserver in /usr/local/ directory (or to whatever directory
was set in the PREFIX variable). You will have to copy
/usr/local/etc/turnserver.conf.default to /usr/local/etc/turnserver.conf file
and adjust your runtime configuration.
This command will also:
- copy the content of examples subdirectory into
PREFIX/share/examples/turnserver/ directory;
- copy the generated default empty SQLite database from sqlite/turndb
to /usr/local/var/db or to /var/db/turndb;
- copy the content of include/turn subdirectory into
PREFIX/include/turn/ directory;
- copy the database schema file turndb/schema.sql into
PREFIX/share/turnserver/
directory;
- copy all docs into PREFIX/share/doc/turnserver/ directory.
The installation destination of "make install" can be changed by
using DESTDIR variable, for example:
$ ./configure --prefix=/usr
$ make
$ make DESTDIR=/opt install
In this example, the root installation directory will be /opt/usr.
The "configure" script by default generates a Makefile with "rpath" option
set for the dynamic libraries linking (if your system and your compiler
allow that option). If that is not desirable (like in some OS packaging
procedures), then run the "configure" script with --disable-rpath option.
If you are not using the rpath linking option, then after the installation,
you may have to adjust the system-wide shared library search path with
"ldconfig -n <libdirname>" (Linux), "ldconfig -m <libdirname>" (BSD) or
"crle -u -l <libdirname>" (Solaris). Your system must be able to find the
libevent2, openssl and (optionally) SQLite and/or PostgreSQL and/or MySQL
(MariaDB) and/or MongoDB and/or Redis shared libraries, either with the
help of the system-wide library search configuration or by using
LD_LIBRARY_PATH. "make install" will make a non-guaranteed effort to add
automatically PREFIX/lib and /usr/local/lib to the libraries search path,
but if you have some libraries in different non-default directories then
you will have to add them manually to the search path, or you will have
to adjust LD_LIBRARY_PATH.
VI. PLATFORMS
The TURN Server is using generic *NIX system APIs and is supposed to be
usable on wide range of *NIX systems.
The following platforms are supported
(both i386 and x86_64 variants when applicable):
- Linux,
- BSD family (Mac OS X, FreeBSD, NetBSD, OpenBSD),
- Solaris 11,
- Cygwin
It must work on other *NIXes, as well. The configure script and/or
Makefile may need adjustments for other *NIXes not mentioned above.
The code of the client messaging library can be compiled and used on
Windows, too, but it is not supported for now.
VI. COMPILERS
The TURN Server is written in C programming language, for portability
and for the performance reasons.
The tested C compilers are:
- gcc 3.4.4 thru 4.8.x
- clang 3.0 or better
- Solaris Studio 12 C compiler
It may be compiled with other compilers, too.
The code is compatible with C++ compiler, and a C++ compiler
(like g++) can be used for the compilation, too:
$ CC=g++ ./configure
$ make
VIII. WHICH EXTRA LIBRARIES AND UTILITIES YOU NEED
In addition to common *NIX OS services and libraries, to compile this code,
OpenSSL (version 1.0.0a or better recommended) and libevent2 (version 2.0.5
or better) are required, SQLite C development library and header is optional,
the PostgreSQL C client development setup is optional,
the MySQL (MariaDB) C client development setup is optional,
the MongoDB C Driver and the Hiredis development files for Redis database
access are all optional. For development build, the development headers and
the libraries to link with, are to be installed. For the runtime, only the
runtime setup is required. If the build is modified for
static linking, then even runtime installation is not needed.
OpenSSL, SQLite, libevent2, PostgreSQL, MySQL (or MariaDB) and Hiredis
libraries can be downloaded from their web sites:
- http://www.openssl.org (required);
- http://www.libevent.org (required);
- http://www.sqlite.org (optional);
- http://www.postgresql.org (optional);
- http://www.mysql.org (or http://mariadb.org) (optional);
- https://github.com/mongodb/mongo-c-driver (optional);
- http://redis.io (optional).
The installations are pretty straightforward - the usual
"./configure" and "make install" commands. Install them into their default
locations - the configure script and the Makefile are assuming that they are
installed in their default locations. If not, then you will have to modify
those.
Most modern popular systems (FreeBSD, Linux Ubuntu/Debian/Mint, Amazon Linux, Fedora)
have a simpler way of the third party tools installation:
*) FreeBSD (the FRESH ports database is assumed to be installed, with
the turnserver port included):
$ cd /usr/ports/net/turnserver
$ sudo make install clear
That's it - that command will install the TURN server with all necesary
thrid-party tools.
If you system have no fresh ports repository:
$ cd /usr/ports/security/openssl/
$ sudo make install clean
$ cd /usr/ports/databases/sqlite3/
$ sudo make install clean
$ cd /usr/ports/devel/libevent2/
$ sudo make install clean
$ cd /usr/ports/databases/postgresql84-client/ (or any other version)
$ sudo make install clean
$ cd /usr/ports/databases/mysql51-client/ (or any other version)
$ sudo make install clean
$ cd /usr/ports/databases/hiredis/
$ sudo make install clean
**) Linux Ubuntu, Debian, Mint:
$ sudo apt-get install libssl-dev
$ sudo apt-get install libsqlite3 (or sqlite3)
$ sudo apt-get install libsqlite3-dev (or sqlite3-dev)
$ sudo apt-get install libevent-dev
$ sudo apt-get install libpq-dev
$ sudo apt-get install mysql-client
$ sudo apt-get install libmysqlclient-dev
$ sudo apt-get install libhiredis-dev
or you can use Synaptic or other software center.
***) Fedora:
$ sudo yum install openssl-devel
$ sudo yum install sqlite
$ sudo yum install sqlite-devel
$ sudo yum install libevent
$ sudo yum install libevent-devel
$ sudo yum install postgresql-devel
$ sudo yum install postgresql-server
$ sudo yum install mysql-devel
$ sudo yum install mysql-server
$ sudo yum install hiredis
$ sudo yum install hiredis-devel
****) Amazon Linux is similar to Fedora, but:
- you have to install gcc first:
$ sudo yum install gcc
- mongo-c-driver packages are not available "automatically".
MongoDB support will not be compiled, unless you install it "manually"
before the TURN server compilation. Refer to
https://github.com/mongodb/mongo-c-driver for installation instructions
of the driver.
- hiredis packages are not available, so do not issue the
hiredis installation commands. Redis support will not be
compiled, unless you install it "manually" before the TURN
server compilation. For Amazon EC2 AMIs, we install the
redis manually in the system. But the TURN server can be
perfectly installed without redis support - if you do not
need it.
*****) Older Debian family Linuxes are using some packages
with different names.
******) On some CentOS / RedHat 6.x systems you have to install
libevent2 "manually", and optionally you have to download and
install Hiredis, but everything else can be found in the software
repository. Also, if you would like to make an RPM for CentOS,
check the directory rpm/ with the instructions.
NOTE: If your tools are installed in non-standard locations, you will
have to adjust CFLAGS and LDFLAGS environment variables for TURN
server ./configure script. For example, to configure the TURN server
with Solaris 11 PostgreSQL 32-bits setup, you may use a command
like this:
$ CFLAGS="${CFLAGS} -I/usr/postgres/9.2-pgdg/include/" LDFLAGS="${LDFLAGS} -L/usr/postgres/9.2-pgdg/lib/" ./configure
Dynamic library paths:
You may also have to adjust the turn server start script, add all the dynamic runtime
library paths to LD_LIBRARY_PATH. Or you may find that it would be more convenient to adjust the
system-wide shared library search path by using commands:
on Linux:
$ ldconfig -n <libdirname>
or on BSD:
$ ldconfig -m <libdirname>
or on Solaris:
$ crle -u -l <libdirname>
On Mac OS X, you have three different choices for dynamic libraries handling:
1) Use DYLD_LIBRARY_PATH environment variable in runtime; OR
2) Before the compilation, check the dynamic libraries and adjust their identification names,
if necessary, to the absolute library path or to @rpath/<library-file-name>.
For example, the MySQL dynamic library may need that adjustment. You will have to use
"adjust_name_tool" with -id option for that; OR
3) After the compilation, you can use the same tool, "adjust_name_tool",
with option -change, to adjust the library paths values in the binary,
where necessary. All library paths must be absolute paths or @rpath/... .
See also the next section.
NOTE: See "SQLite setup" and "PostgreSQL setup" and "MySQL setup" and
"MongoDB setup" and "Redis setup" sections below for more database setup
information.
NOTE: If you do not install SQLite or PostgreSQL or MySQL or MongoDB or Redis,
then you will be limited to the command-line options for user database.
It will work great for development setup, but for real runtime systems you
will need SQLite or PostgreSQL or MySQL or MongoDB or Redis.
NOTE: To run PostgreSQL or MySQL or MongoDB or Redis server on the same system,
you will also have to install a corresponding PostgreSQL or MySQL or
MongoDB or Redis server package. The DB C development packages only provide
development libraries, and client libraries only provide client
access utilities and runtime libraries. The server packages may
include everything - client, C development and server runtime.
NOTE: OpenSSL to be installed before libevent2. When libevent2 is building,
it is checking whether OpenSSL has been already installed, and which version
of OpenSSL. If the OpenSSL is missed, or too old, then libevent_openssl
library is not being created during the build, and you will not be able to
compile the TURN Server with TLS support.
NOTE: An older libevent version, version 1.x.x, is often included in some *NIX
distributions. That version has its deficiencies and is inferior to the newer
libevent2, especially in the performance department. This is why we are
not providing backward compatibility with the older libevent 1.x version.
If you have a system with older libevent, then you have to install the new
libevent2 from their web site. It was tested with older *NIXes
(like FreeBSD 6.x) and it works just fine.
NOTE: SQLite must be of version 3.x.
NOTE: For extra security features (like DTLS)
support, OpenSSL version 1.0.0a or newer is recommended. Older versions do
not support DTLS, reliably, in some cases. For example, the Debian 'Squeeze'
Linux supplies 0.9.8 version of OpenSSL, that does not work correctly with
DTLS over IPv6. If your system already has an older version of OpenSSL
installed (usually in directory /usr) then you may want to install your
newer OpenSSL "over" the old one (because it will most probably will not allow
removal of the old one). When installing the newer OpenSSL, run the OpenSSL's
configure command like this:
$ ./config --prefix=/usr
that will set the installation prefix to /usr (without "--prefix=/usr"
by default it would be installed to /usr/local). This is necessary if you
want to overwrite your existing older OpenSSL installation.
IX. BUILDING WITH NON-DEFAULT PREFIX DIRECTORY
Say, you have an older system with old openssl and old libevent
library and you do not want to change that, but you still want
to build the turnserver.
Do the following steps:
1) Download new openssl from openssl.org.
2) Configure and build new openssl and install it into /opt:
$ ./config --prefix=/opt
$ make
$ make install
3) Download the latest libevent2 from libevent.org, configure and install
it into /opt:
$ ./configure --prefix=/opt
$ make
$ make install
4) Change directory to coturn and build it:
$ ./configure --prefix=/opt
$ make
After that, you can either use it locally, or install it into /opt.
But remember that to run it, you have to adjust your LD_LIBRARY_PATH,
like that:
$ LD_LIBRARY_PATH=/opt/lib ./bin/turnserver
An alternative would be adjusting the system-wide shared library search path
by using
$ ldconfig -n <libdirname> (Linux)
$ ldconfig -m <libdirname> (BSD)
$ crle -u -l <libdirname> (Solaris)
X. TEST SCRIPTS
First of all, you can use the test vectors from RFC 5769 to double-check that the
STUN/TURN message encoding algorithms work properly. Run the utility:
$ cd examples
$ ./scripts/rfc5769.sh
It will perform several protocol checks and print the results on the output.
If anything has compiled wrongly (TURN Server, or OpenSSL libraries)
then you will see some errors.
Now, you can perform the TURN functionality test (bare minimum TURN example).
If everything compiled properly, then the following programs must run
together successfully, simulating TURN network routing in local loopback
networking environment:
Open two shell screens or consoles:
In shell number 1, run TURN server application:
$ cd examples
$ ./scripts/basic/relay.sh
In shell number 2, run test client application:
$ cd examples
$ ./scripts/basic/udp_c2c_client.sh
If the client application produces output and in approximately 22 seconds
prints the jitter, loss and round-trip-delay statistics, then everything is
fine.
There is another more complex test:
In shell number 1, run TURN server application:
$ cd examples
$ ./scripts/basic/relay.sh
In shell number 2, run "peer" application:
$ cd examples
$ ./scripts/peer.sh
In shell number 3, run test client application:
$ cd examples
$ ./scripts/basic/udp_client.sh (or ./scripts/basic/tcp_client.sh)
There is a similar set of examples/scripts/longtermsecure/* scripts for
TURN environment with long-term authentication mechanism. This set of
scripts is more complex, and checking the scripts options is useful for
understanding how the TURN Server works:
In shell number 1, run secure TURN server application:
$ cd examples
$ ./scripts/longtermsecure/secure_relay.sh
In shell number 2, run "peer" application:
$ cd examples
$ ./scripts/peer.sh
In shell number 3, run secure test client application:
$ cd examples
$ ./scripts/longtermsecure/secure_udp_client.sh
(or ./scripts/longtermsecure/secure_tcp_client.sh)
(or ./scripts/longtermsecure/secure_tls_client.sh)
(or ./scripts/longtermsecure/secure_dtls_client.sh)
(or ./scripts/longtermsecure/secure_sctp_client.sh)
(or ./scripts/longtermsecure/secure_udp_c2c.sh for "peerless"
client-to-client communications)
The provided scripts are set for the local loopback communications,
as an example and as a test environment. Real networking IPs must be
used in real work environments.
Try wireshark to check the communications between client, turnserver
and the peer.
Check the README.* files and the comments in the scripts relay.sh and
secure_relay.sh as a guidance how to run the TURN server.
XI. OS X compilation notes
OS X usually has an older version of openssl supplied, with some Apple
additions. The the "native" openssl will work, within its limitations,
but the best option is to install a good fresh openssl development
library, from http://www.openssl.org. You will have
to handle the dynamic linking of the generated binaries, or use the
static linking (see the section OPENSSL).
XII. MS Windows and Cygwin support
Currently, this project cannot be compiled under MS Windows.
As the project is using fairly straightforward *NIX API, it is supported
under Cygwin environment in MS Windows.
One note for Cygwin users: we recommended libevent2 installation from the cygwin
"ports" site: http://sourceware.org/cygwinports/ . You will have to install
libevent2 runtime and libevent-devel packages. "Manual" libevent2 compilation
and installation in Cygwin is not recommended and does not garantee a good
outcome.
XIII. CLIENT API LIBRARY.
The compilation process will create lib/ sub-directory with libturnclient.a
library. The header files for this library are located in include/turn/client/
sub-directory. The C++ wrapper for the messaging functionality is located in
TurnMsgLib.h header. An example of C++ code can be found in stunclient.c file.
This file is compiled as a C++ program if C++ compiler is used, and as a C
program if C compiler is used.
XIV. DOCS
After installation, the man page turnserver(1) must be available. The man page
is located in man/man1 subdirectory. If you want to see the man page without
installation, run the command:
$ man -M man turnserver
HTML-formatted client library functions reference is located in docs/html
subdirectory of the original archive tree. After the installation, it will
be placed in PREFIX/share/doc/turnserver/html.
XV. SQLite setup
The site http://www.sqlite.org site has excellent extensive documentation.
The default SQLite database location for the TURN Server is
/usr/local/var/db/turndb or /var/db/turndb (depending on the platform).
The database schema for the TURN server is very minimalistic and is located
in project's turndb/schema.sql file, or in the system's
PREFIX/share/turnserver/schema.sql file after the turnserver installation:
If you would like to created a new fresh SQLite TURN database:
$ sqlite3 <your-db-file-name> < turndb/schema.sql
The schema description:
# Table for long-term credentials mechanism authorization:
#
CREATE TABLE turnusers_lt (
realm varchar(127) default '',
name varchar(512),
hmackey char(128),
PRIMARY KEY (realm,name)
);
The field hmackey contains HEX string representation of the key.
We do not store the user open passwords for long-term credentials, for
security reasons. Storing only the HMAC key has its own implications -
if you change the realm, you will have to update the HMAC keys of all
users, because the realm is used for the HMAC key generation.
The key must be up to 32 characters (HEX representation of 16 bytes) for SHA1:
# Table holding shared secrets for secret-based authorization
# (REST API). Shared secret can be stored either in unsecure open
# plain form, or in encrypted form (see turnadmin docs).
# It can only be used together with the long-term
# mechanism:
#
CREATE TABLE turn_secret (
realm varchar(127) default '',
value varchar(127),
primary key (realm,value)
);
# Table holding "white" allowed peer IP ranges.
#
CREATE TABLE allowed_peer_ip (
realm varchar(127) default '',
ip_range varchar(256),
primary key (realm,ip_range)
);
# Table holding "black" denied peer IP ranges.
#
CREATE TABLE denied_peer_ip (
realm varchar(127) default '',
ip_range varchar(256),
primary key (realm,ip_range)
);
# Table to match origin to realm.
# Multiple origins may have the same realm.
# If no realm is found or the origin is absent
# then the default realm is used.
#
CREATE TABLE turn_origin_to_realm (
origin varchar(127),
realm varchar(127),
primary key (origin,realm)
);
# Realm options.
# Valid options are 'max-bps',
# 'total-quota' and 'user-quota'.
# Values for them are integers (in text form).
#
CREATE TABLE turn_realm_option (
realm varchar(127) default '',
opt varchar(32),
value varchar(128),
primary key (realm,opt)
);
# oAuth key storage table.
#
CREATE TABLE oauth_key (
kid varchar(128),
ikm_key varchar(256),
timestamp bigint default 0,
lifetime integer default 0,
as_rs_alg varchar(64) default '',
realm varchar(127) default '',
primary key (kid)
);
The oauth_key table fields meanings are:
kid: the kid of the key;
ikm_key - base64-encoded key ("input keying material");
timestamp - (optional) the timestamp (in seconds) when the key
lifetime starts;
lifetime - (optional) the key lifetime in seconds; the default value
is 0 - unlimited lifetime.
as_rs_alg - oAuth token encryption algorithm; the valid values are
"A256GCM", "A128GCM" (see
http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#section-5.1).
The default value is "A256GCM";
realm - (optional) can be used to set the user realm (if the field is not empty).
# Https access admin users.
# Leave this table empty if you do not want
# remote https access to the admin functions.
# Web user password can be stored either in unsecure open
# plain form, or in encrypted form (see turnadmin docs).
#
CREATE TABLE admin_user (
name varchar(32),
realm varchar(127),
password varchar(127),
primary key (name)
);
You can use turnadmin program to manage the database - you can either use
turnadmin to add/modify/delete users, or you can use turnadmin to produce
the hmac keys and modify the database with your favorite tools.
When starting the turnserver, the --db parameter will be, for example:
turnserver ... --db="/var/db/turndb"
You will have to use the program turnadmin to fill the
database, or you can do that manually with psql.
Fill in users, for example:
Shared secret for the TURN REST API (realm north.gov):
$ bin/turnadmin -s logen -r north.gov -b "/var/db/turndb"
Long-term credentials mechanism:
$ bin/turnadmin -a -b "/var/db/turndb" -u gorst -r north.gov -p hero
$ bin/turnadmin -a -b "/var/db/turndb" -u ninefingers -r north.gov -p youhavetoberealistic
Admin users:
$ bin/turnadmin -A -b "/var/db/turndb" -u gorst -p hero
$ bin/turnadmin -A -b "/var/db/turndb" -u ninefingers -p youhavetoberealistic -r north.gov
XVI. PostgreSQL setup
The site http://www.postgresql.org site has excellent extensive documentation.
For a quick-start guide, you can take a look into this page:
http://www.freebsddiary.org/postgresql.php. That page is written for
FreeBSD users, but it has lots of generic information applicable to other
*NIXes, too.
For the psql-userdb TURN server parameter, you can either set a PostgreSQL
connection string, or a PostgreSQL URI, see the link:
For 8.4 PostgreSQL version:
http://www.postgresql.org/docs/8.4/static/libpq-connect.html
For newer 9.x versions:
http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING.
In the PostgreSQL connection string or URI, you can set the host, the
access port, the database name, the user, and the user password
(if the access is secured). Numerous other parameters can be set,
see the links above. The TURN server will blindly use that connection
string without any modifications. You are responsible for the right
connection string format.
Below are the steps to setup the PostgreSQL database server from scratch:
1) Install PostgreSQL server. After the installation, do not forget to
initialize the postgres root database directory:
$ sudo bash
$ su -l pgsql
$ initdb -D /usr/local/pgsql/data
2) Find and edit Postgres' pg_hba.conf file to set the access options
(see docs). On different systems, it may be located in different places.
Set the lines for local access as "trust" for now (you can change it later),
for TCP/IP access set the value as "md5".
To set TCP/IP access from any host, use "0.0.0.0/0" for IPv4, and "::/0"
for IPv6.
3) Edit postgresql.conf file to allow TCP/IP access - uncomment and edit
the "listen_addresses" option (see docs). On different systems, this file
may be located in different places.
4) Restart your system or restart the postgresql server, for example:
$ sudo /etc/init.d/postgresql stop
$ sudo /etc/init.d/postgresql start
The scripts may also be in /usr/local/etc/init.d, or in /etc/rc.d/, or
in /usr/local/etc/rc.d/ .
5) Check /etc/passwd file to find out which user account is used for the
PostgreSQL admin access on your system (it may be "pgsql", or "postgres",
or "postgresql"). Let's assume that this is "postgres" account.
6) Create a database for the TURN purposes, with name, say, "turn":
$ createdb -U postgres coturn
7) Create a user for the TURN with name, say, "turn":
$ psql -U postgres coturn
turn=# create user turn with password 'turn';
turn=#
Ctrl-D
8) Create the TURN users database schema.
The database schema for the TURN server is very minimalistic and is located
in project's turndb/schema.sql file, or in the system's
PREFIX/share/turnserver/schema.sql file after the turnserver installation:
$ cat turndb/schema.sql | psql -U turn -d coturn
NOTICE: CREATE TABLE / PRIMARY KEY will create implicit index "turnusers_lt_pkey" for table "turnusers_lt"
CREATE TABLE
CREATE TABLE
See the SQLite section for the detailed database schema explanation.
To fill the database with test data:
cat turndb/testsqldbsetup.sql | psql -U turn -d coturn
You can use turnadmin program to manage the database - you can either use
turnadmin to add/modify/delete users, or you can use turnadmin to produce
the hmac keys and modify the database with your favorite tools.
More examples of database schema creation:
psql -h <host> -U <db-user> -d <database-name> < turndb/schema.sql
(old style for 8.4)
psql postgresql://username:password@/databasename < turndb/schema.sql
(newer style for 9.x, UNIX domain local sockets)
Or:
psql postgresql://username:password@hostname:port/databasename < turndb/schema.sql
(newer style for 9.x, TCP/IP access)
Below, the string "postgresql://turn:turn@/turn" is the connection URI.
Of course, the administrators can play with the connection string as they want.
When starting the turnserver, the psql-userdb parameter will be, for example:
turnserver ... --psql-userdb="host=localhost dbname=coturn user=turn password=turn connect_timeout=30"
Or, for 9.x PostgreSQL versions:
turnserver ... --psql-userdb=postgresql://username:password@/databasename ...
9) You are ready to use the TURN database. The database name is "turn",
the user name is "turn", the user password is "turn". Of course, you can
choose your own names. Now, you will have to use the program turnadmin to fill the
database, or you can do that manually with psql.
Fill in users, for example:
Shared secret for the TURN REST API (realm north.gov):
$ bin/turnadmin -s logen -r north.gov -e "host=localhost dbname=coturn user=turn password=turn"
Long-term credentials mechanism:
$ bin/turnadmin -a -e "host=localhost dbname=coturn user=turn password=turn" -u gorst -r north.gov -p hero
$ bin/turnadmin -a -e "host=localhost dbname=coturn user=turn password=turn" -u ninefingers -r north.gov -p youhavetoberealistic
Admin users:
$ bin/turnadmin -A -e "host=localhost dbname=coturn user=turn password=turn" -u gorst -p hero
$ bin/turnadmin -A -e "host=localhost dbname=coturn user=turn password=turn" -u ninefingers -p youhavetoberealistic -r north.gov
XVII. MySQL (MariaDB) setup
The MySQL setup is similar to PostgreSQL (the same idea), and is well documented
on their site http://www.mysql.org. The TURN Server database schema is the
same as for PostgreSQL and you can find it in turndb/schema.sql file, or
in the system's PREFIX/share/turnserver/schema.sql file after the turnserver
installation.
The general setup is similar to PostgreSQL setup procedure:
1) Check that the mysql server access is OK. Immediately after the MySQL server
installation, it must be accessible, at the very minimum, at the localhost with
the root account.
2) Login into mysql console from root account:
$ sudo bash
# mysql mysql
(or mysql -p mysql if mysql account password set)
3) Add 'turn' user with 'turn' password (for example):
> create user 'turn'@'localhost' identified by 'turn';
4) Create database 'coturn' (for example) and grant privileges to user 'turn':
> create database coturn character set latin1;
> grant all on coturn.* to 'turn'@'localhost';
> flush privileges;
Ctrl-D
5) Create database schema:
$ mysql -p -u turn coturn < turndb/schema.sql
Enter password: turn
$
Fill in test database data, if this is a test database
(not a production database):
$ mysql -p -u turn coturn < turndb/testsqldbsetup.sql
6) Fill in users, for example:
Shared secret for the TURN REST API (realm north.gov):
$ bin/turnadmin -s logen -r north.gov -M "host=localhost dbname=coturn user=turn password=turn"
Long-term credentials mechanism:
$ bin/turnadmin -a -M "host=localhost dbname=coturn user=turn password=turn" -u gorst -r north.gov -p hero
$ bin/turnadmin -a -M "host=localhost dbname=coturn user=turn password=turn" -u ninefingers -r north.gov -p youhavetoberealistic
Admin users:
$ bin/turnadmin -A -M "host=localhost dbname=coturn user=turn password=turn" -u gorst -p hero
$ bin/turnadmin -A -M "host=localhost dbname=coturn user=turn password=turn" -u ninefingers -p youhavetoberealistic -r north.gov
7) Now we can use mysql in the turnserver.
If the TURN server was compiled with MySQL support, then we can use the
TURN server database parameter --mysql-userdb. The value of this parameter
is a connection string for the MySQL database. As "native" MySQL does not
have such a feature as "connection string", the TURN server parses the
connection string and converts it into MySQL database connection parameter.
The format of the MySQL connection string is:
"host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> port=<port> connect_timeout=<seconds> read_timeout=<seconds>"
(all parameters are optional)
So, an example of the MySQL database parameter in the TURN server command
line would be:
--mysql-userdb="host=localhost dbname=coturn user=turn password=turn connect_timeout=30 read_timeout=30"
Or in the turnserver.conf file:
mysql-userdb="host=localhost dbname=coturn user=turn password=turn connect_timeout=30 read_timeout=30"
If you have to use a secure MySQL connection (SSL) then you have to use also
the optional connection string parameters for the secure communications:
ca, capath, cert, key, cipher (see
http://dev.mysql.com/doc/refman/5.1/en/ssl-options.html for the
command options description).
XVIII. MongoDB setup
The MongoDB setup is well documented on their site http://docs.mongodb.org/manual/.
Note: if your system has a "standard" plain vanilla UNIX "make" utility
(that is not a GNU make) then you will have to use the GNU make to compile
the Mongo driver, because the Mongo compilation process was written with
the "proprietary" GNU extensions. For example, in FreeBSD in will have to use
"gmake" command.
If the TURN server was compiled with MongoDB support (mongo-c-driver is the C client
library for MongoDB), then we can use the TURN server database parameter
--mongo-userdb. The value of this parameter is a connection string
for the MongoDB database. The format of the connection string is described at
http://hergert.me/docs/mongo-c-driver/mongoc_uri.html:
"mongodb://[username:password@]host1[:port1][,host2[:port2],...[,hostN[:portN]]][/[database][?options]]"
So, an example of the MongoDB database parameter in the TURN server command
line would be:
--mongo-userdb="mongodb://localhost:27017/coturn"
Or in the turnserver.conf file:
mongo-userdb="mongodb://localhost:27017/coturn"
The meanings of the MongoDB keys are the same as for the other databases, see the
explanations for the Postgres, for example.
See the file testmongosetup.sh for the database structure examples.
XIX. Redis setup
The Redis setup is well documented on their site http://redis.io.
The TURN Server Redis database schema description can be found
in schema.userdb.redis and schema.stats.redis files. Those files are located
either in the turndb subdirectory of the main source code directory,
or in /usr/local/share/turnserver/ after the installation, or somewhere in /usr/share/
directory, depending on the OS and on the instalation package.
If the TURN server was compiled with Hiredis support (Hiredis is the C client
library for Redis), then we can use the TURN server database parameter
--redis-userdb. The value of this parameter is a connection string
for the Redis database. As "native" Redis does not have such a feature as
"connection string", the TURN server parses the connection string and
converts it into Redis database access parameter. The format of the Redis
connection string is:
"ip=<ip-addr> dbname=<database-number> password=<database-password> port=<port> connect_timeout=<seconds>"
(all parameters are optional)
So, an example of the Redis database parameter in the TURN server command
line would be:
--redis-userdb="ip=127.0.0.1 dbname=2 password=turn connect_timeout=30"
Or in the turnserver.conf file:
redis-userdb="ip=127.0.0.1 dbname=2 password=turn connect_timeout=30"
Redis can be also used for the TURN allocation status check and for status and
traffic notifications.
See the explanation in the turndb/schema.stats.redis file, and an example in
turndb/testredisdbsetup.sh file. One special thing about TURN Redis security
setup is that you can store open passwords for long-term credentials in Redis.
You cannot set open passwords for long-term credentials in SQLite or MySQL or
PostgreSQL - with those DBs, you have to use the keys only. With Redis, you
have a choice - keys or open passwords.
You also have to take care about Redis connection parameters, the timeout and the
keepalive. The following settings must be in your Redis config file
(/etc/redis.conf or /usr/local/etc/redis.conf):
..........
timeout 0
..........
tcp-keepalive 60
..........
Redis TURN admin commands:
Shared secret for the TURN REST API (realm north.gov):
$ bin/turnadmin -s logen -r north.gov -N "host=localhost dbname=2 user=turn password=turn"
Long-term credentials mechanism:
$ bin/turnadmin -a -N "host=localhost dbname=2 user=turn password=turn" -u gorst -r north.gov -p hero
$ bin/turnadmin -a -N "host=localhost dbname=2 user=turn password=turn" -u ninefingers -r north.gov -p youhavetoberealistic
Admin users:
$ bin/turnadmin -A -N "host=localhost dbname=2 user=turn password=turn" -u gorst -p hero
$ bin/turnadmin -A -N "host=localhost dbname=2 user=turn password=turn" -u ninefingers -p youhavetoberealistic -r north.gov
See the file testredisdbsetup.sh for the data structure examples.
XX. Performance tuning
This topic is covered in the wiki page:
https://github.com/coturn/coturn/wiki/TURN-Performance-and-Load-Balance
XXI. TURN Server setup
Read the project wiki pages: https://github.com/coturn/coturn/wiki
Also, check the project from page links to the TURN/WebRTC configuration examples.
It may give you an idea how it can be done.
XXII. HTTPS Management Interface
The turnserver process provides an HTTPS Web access as statistics and basic management
interface. The turnserver listens to incoming HTTPS admin connections on the same ports
as the main TURN/STUN listener. The Web admin pages are basic and self-explanatory.
To make the HTTPS interface active, the database table admin_user must be
populated with the admin user account(s). An admin user can be a superuser
(if not assigned to a particular realm) or a restricted user (if assigned to
a realm). The restricted admin users can perform only limited actions, within
their corresponding realms.
XXIII. Telnet CLI management interface
You have a telnet interface (enabled by default) to access the turnserver process,
to view its state, to gather some statistical information, and to make some changes
on-the-fly.
You can access that CLI interface with telnet or putty program (in telnet mode).
The process by default listens to port 5766 on IP address 127.0.0.1 for the telnet
connections.
WARNING: all telnet communications are going unencrypted over the network. For
security reasons, we advise using the loopback IP addresses for CLI (127.0.0.1
or ::1). The CLI may have a password configured, but that password is
transferred over the network unencrypted, too. So sticking to the local system
CLI access, and accessing the turnserver system terminal with ssh only, would
be a wise decision.
XXIV. ALPN support.
Starting with version 4.3.2.1, the TURN server supports the ALPN STUN
specifications (http://tools.ietf.org/html/draft-ietf-tram-alpn-08).
If the ALPN functionality is needed, then OpenSSL version 1.0.2 or
newer has to be used. See OPENSSL section for the OpenSSL upgrade hints.
XXV. SCTP support
Starting with version 4.4.3.1, the TURN server supports 'native' SCTP.
On the client side, the TURN server, additionally, supports SCTP and
TLS-over-SCTP.
The relay side is not changing - the relay communications will still be UDP
or TCP.