deploy/coturn/turnserver.conf

# coturn config for BizGaze Connect self-hosted TURN.
# Put this on your VM (public IP) and run via Docker (see docker-compose.yml) or
# native coturn (apt install coturn). Replace every CHANGE_ME / placeholder.

# --- listening ---
listening-port=3478
tls-listening-port=5349
# If this VM has a spare 443, also exposing TURNS on 443 gives the best traversal
# through strict corporate firewalls (uncomment + ensure nothing else uses 443):
# alt-tls-listening-port=443

# Public address clients reach. If the VM has a 1:1 NAT, use external-ip=PUBLIC/PRIVATE.
external-ip=CHANGE_ME_PUBLIC_IP

# Relay port range (open these UDP ports in the firewall too).
min-port=49152
max-port=65535

# --- auth: time-limited shared-secret credentials (matches the app's TURN_SECRET) ---
use-auth-secret
static-auth-secret=CHANGE_ME_LONG_RANDOM_SECRET
realm=connect.yourdomain.com

# --- TLS (needed for turns: on 5349/443). Use a real cert for turn.yourdomain.com ---
cert=/etc/letsencrypt/live/turn.yourdomain.com/fullchain.pem
pkey=/etc/letsencrypt/live/turn.yourdomain.com/privkey.pem

# --- hardening ---
fingerprint
no-cli
no-multicast-peers
no-tcp-relay
# Block relaying to private/internal ranges (prevents your relay being used to reach
# your own LAN / cloud metadata — important SSRF protection):
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=::1
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
# Optional: cap per-session bandwidth (bytes/sec) to protect the VM, e.g. 700000 = ~5.6 Mbps
# bps-capacity=0
# total-quota=100
feat(turn): self-hosted coturn support + time-limited creds + failure UX 2026-06-16 14:36:05 +05:30			`# coturn config for BizGaze Connect self-hosted TURN.`
			`# Put this on your VM (public IP) and run via Docker (see docker-compose.yml) or`
			`# native coturn (apt install coturn). Replace every CHANGE_ME / placeholder.`

			`# --- listening ---`
			`listening-port=3478`
			`tls-listening-port=5349`
			`# If this VM has a spare 443, also exposing TURNS on 443 gives the best traversal`
			`# through strict corporate firewalls (uncomment + ensure nothing else uses 443):`
			`# alt-tls-listening-port=443`

			`# Public address clients reach. If the VM has a 1:1 NAT, use external-ip=PUBLIC/PRIVATE.`
			`external-ip=CHANGE_ME_PUBLIC_IP`

			`# Relay port range (open these UDP ports in the firewall too).`
			`min-port=49152`
			`max-port=65535`

			`# --- auth: time-limited shared-secret credentials (matches the app's TURN_SECRET) ---`
			`use-auth-secret`
			`static-auth-secret=CHANGE_ME_LONG_RANDOM_SECRET`
			`realm=connect.yourdomain.com`

			`# --- TLS (needed for turns: on 5349/443). Use a real cert for turn.yourdomain.com ---`
			`cert=/etc/letsencrypt/live/turn.yourdomain.com/fullchain.pem`
			`pkey=/etc/letsencrypt/live/turn.yourdomain.com/privkey.pem`

			`# --- hardening ---`
			`fingerprint`
			`no-cli`
			`no-multicast-peers`
			`no-tcp-relay`
			`# Block relaying to private/internal ranges (prevents your relay being used to reach`
			`# your own LAN / cloud metadata — important SSRF protection):`
			`denied-peer-ip=0.0.0.0-0.255.255.255`
			`denied-peer-ip=10.0.0.0-10.255.255.255`
			`denied-peer-ip=100.64.0.0-100.127.255.255`
			`denied-peer-ip=169.254.0.0-169.254.255.255`
			`denied-peer-ip=172.16.0.0-172.31.255.255`
			`denied-peer-ip=192.168.0.0-192.168.255.255`
			`denied-peer-ip=::1`
			`denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff`
			`# Optional: cap per-session bandwidth (bytes/sec) to protect the VM, e.g. 700000 = ~5.6 Mbps`
			`# bps-capacity=0`
			`# total-quota=100`