diff --git a/.gitignore b/.gitignore
index bd15e97..ba0f1e5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,3 +3,6 @@ node_modules
fqdn.env
/docker/certs
qrcode-svg/
+turnserver.conf
+rtc_config.json
+ssl/
diff --git a/docker-compose-coturn.yml b/docker-compose-coturn.yml
index 67fcf2f..9d0b0a8 100644
--- a/docker-compose-coturn.yml
+++ b/docker-compose-coturn.yml
@@ -4,20 +4,28 @@ services:
image: "lscr.io/linuxserver/pairdrop:latest"
container_name: pairdrop
restart: unless-stopped
+ volumes:
+ - ./rtc_config.json:/home/node/app/rtc_config.json
environment:
- PUID=1000 # UID to run the application as
- PGID=1000 # GID to run the application as
- WS_FALLBACK=false # Set to true to enable websocket fallback if the peer to peer WebRTC connection is not available to the client.
- RATE_LIMIT=false # Set to true to limit clients to 1000 requests per 5 min.
- - RTC_CONFIG=false # Set to the path of a file that specifies the STUN/TURN servers.
+ - RTC_CONFIG=/home/node/app/rtc_config.json # Set to the path of a file that specifies the STUN/TURN servers.
- DEBUG_MODE=false # Set to true to debug container and peer connections.
- TZ=Etc/UTC # Time Zone
ports:
- "127.0.0.1:3000:3000" # Web UI. Change the port number before the last colon e.g. `127.0.0.1:9000:3000`
coturn_server:
image: "coturn/coturn"
- restart: always
- network_mode: "host"
+ restart: unless-stopped
volumes:
- ./turnserver.conf:/etc/coturn/turnserver.conf
- #you need to copy turnserver_example.conf to turnserver.conf and specify domain, IP address, user and password
+ - ./ssl/:/etc/coturn/ssl/
+ ports:
+ - "3478:3478"
+ - "3478:3478/udp"
+ - "5349:5349"
+ - "5349:5349/udp"
+ - "10000-20000:10000-20000/udp"
+ # see guide at docs/host-your-own.md#coturn-and-pairdrop-via-docker-compose
\ No newline at end of file
diff --git a/docs/host-your-own.md b/docs/host-your-own.md
index 626cc9c..ffa03c1 100644
--- a/docs/host-your-own.md
+++ b/docs/host-your-own.md
@@ -6,6 +6,8 @@ Beware that you have to host your own TURN server to enable transfers between di
Follow [this guide](https://gabrieltanner.org/blog/turn-server/) to either install coturn directly on your system (Step 1)
or deploy it via Docker (Step 5).
+
+You can use the `docker-compose-coturn.yml` in this repository. See [Coturn and PairDrop via Docker Compose](#coturn-and-pairdrop-via-docker-compose).
Alternatively, use a free, pre-configured TURN server like [OpenRelay](https://www.metered.ca/tools/openrelay/)
@@ -546,6 +548,54 @@ service apache2 reload
+## Coturn and PairDrop via Docker Compose
+
+### Setup container
+To run coturn and PairDrop at once by using the `docker-compose-coturn.yml` with TURN over TLS enabled
+you need to follow these steps:
+
+1. Generate or retrieve certificates for your `` (e.g. letsencrypt / certbot)
+2. Create `./ssl` folder: `mkdir ssl`
+3. Copy your ssl-certificates and the privkey to `./ssl`
+4. Restrict access to `./ssl`: `chown -R nobody:nogroup ./ssl`
+5. Create a dh-params file: `openssl dhparam -out ./ssl/dhparams.pem 4096`
+6. Copy `rtc_config_example.json` to `rtc_config.json`
+7. Copy `turnserver_example.conf` to `turnserver.conf`
+8. Change `` in both files to the domain where your PairDrop instance is running
+9. Change `username` and `password` in `turnserver.conf` and `rtc-config.json`
+10. To start the container including coturn run: \
+ `docker compose -f docker-compose-coturn.yml up -d`
+
+
+
+#### Setup container
+To restart the container including coturn run: \
+ `docker compose -f docker-compose-coturn.yml restart`
+
+
+
+#### Setup container
+To stop the container including coturn run: \
+ `docker compose -f docker-compose-coturn.yml stop`
+
+
+
+### Firewall
+To run PairDrop including its own coturn-server you need to punch holes in the firewall. These ports must be opened additionally:
+- 3478 tcp/udp
+- 5349 tcp/udp
+- 10000:20000 tcp/udp
+
+
+
+### Firewall
+To run PairDrop including its own coturn-server you need to punch holes in the firewall. These ports must be opened additionally:
+- 3478 tcp/udp
+- 5349 tcp/udp
+- 10000:20000 tcp/udp
+
+
+
## Local Development
### Install
diff --git a/rtc_config_example.json b/rtc_config_example.json
index d7e48e8..fe34c25 100644
--- a/rtc_config_example.json
+++ b/rtc_config_example.json
@@ -2,10 +2,10 @@
"sdpSemantics": "unified-plan",
"iceServers": [
{
- "urls": "stun:stun.l.google.com:19302"
+ "urls": "stun::3478"
},
{
- "urls": "turn:example.com:3478",
+ "urls": "turns::5349",
"username": "username",
"credential": "password"
}
diff --git a/turnserver_example.conf b/turnserver_example.conf
index 09e7986..04bc82d 100644
--- a/turnserver_example.conf
+++ b/turnserver_example.conf
@@ -6,11 +6,16 @@ server-name=pairdrop
listening-ip=0.0.0.0
# External IP-Address of the TURN server
-external-ip=
+# only needed, if coturn is behind a NAT
+# external-ip=
-# Main listening port
+# Main listening port for STUN and TURN
listening-port=3478
+# Main listening port for TURN over TLS (TURNS)
+# Use port 443 to bypass some firewalls
+tls-listening-port=5349
+
# Further ports that are open for communication
min-port=10000
max-port=20000
@@ -18,21 +23,34 @@ max-port=20000
# Use fingerprint in TURN message
fingerprint
-# Log file path
-log-file=/var/log/turnserver.log
-
# Enable verbose logging
-verbose
+# verbose
+
+# Log file path
+# - is logging to STDOUT, so it's visible in docker-compose logs
+log-file=-
# Specify the user for the TURN authentification
-user=user:password
+user=username:password
# Enable long-term credential mechanism
lt-cred-mech
# SSL certificates
-cert=/etc/letsencrypt/live//cert.pem
-pkey=/etc/letsencrypt/live//privkey.pem
+cert=/etc/coturn/ssl/cert.crt
+pkey=/etc/coturn/ssl/pkey.pem
+dh-file=/etc/coturn/ssl/dhparam.pem
-# 443 for TURN over TLS, which can bypass firewalls
-tls-listening-port=443
+# For security-reasons disable old ssl and tls-protocols
+# and other recommended options: see https://github.com/coturn/coturn/blob/master/examples/etc/turnserver.conf
+no-sslv3
+no-tlsv1
+no-tlsv1_1
+no-tlsv1_2
+no-rfc5780
+no-stun-backward-compatibility
+response-origin-only-with-rfc5780
+no-cli
+no-multicast-peers
+no-software-attribute
+check-origin-consistency
\ No newline at end of file