# Deployment Guide (niom-turn)

This guide assumes a fresh Debian LXC (e.g., 10.0.0.22), Fritzbox port forwards are in place, and you want TURN reachable on 3478/udp+tcp and 5349/tcp with a UDP relay range (e.g., 49152-49200).

## 1) Install dependencies

```bash
sudo apt update
sudo apt install -y build-essential pkg-config libssl-dev curl git systemd

# Rust toolchain (stable)
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
source "$HOME/.cargo/env"
```

## 2) Clone and build

```bash
cd /opt
sudo mkdir -p niom-turn && sudo chown "$USER":"$USER" niom-turn
cd /opt/niom-turn
git clone https://github.com//niom-turn.git .
cargo build --release
# Binary: target/release/niom-turn
```

## 3) Configuration

Create the config dir and place the TLS cert/key (exported from NPM) and the config:

```bash
sudo mkdir -p /etc/niom-turn
sudo chown "$USER":"$USER" /etc/niom-turn
# place /etc/niom-turn/fullchain.pem and /etc/niom-turn/privkey.pem
```

Example `/etc/niom-turn/appsettings.json` (adjust realm, WAN IP, secrets):

```json
{
  "logging": {
    "level": "info"
  },
  "auth": {
    "realm": "turn.example.com",
    "nonce_ttl_seconds": 600,
    "rest_secret": "CHANGE_ME_REST_SECRET",
    "rest_max_ttl_seconds": 86400
  },
  "listeners": {
    "udp": "0.0.0.0:3478",
    "tcp": "0.0.0.0:3478",
    "tls": {
      "addr": "0.0.0.0:5349",
      "cert_file": "/etc/niom-turn/fullchain.pem",
      "key_file": "/etc/niom-turn/privkey.pem"
    }
  },
  "relay": {
    "bind_addr": "0.0.0.0",
    "public_addr": "YOUR_WAN_IP",
    "port_range": "49152-49200"
  },
  "rate_limits": {
    "enabled": true,
    "max_allocations_per_ip": 10,
    "max_permissions_per_allocation": 10,
    "max_channels_per_allocation": 10
  }
}
```

- `public_addr` must be your public WAN IP (not the LXC IP).
- `rest_secret` is used for TURN REST credentials (time-based user/pass).
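The following Python script is an added example, not part of niom-turn or of this guide. It does two things a deployer wants before `systemctl start`: it checks an `appsettings.json` against the points above (`public_addr` is a WAN address rather than the LXC/LAN IP, `port_range` sits inside the UDP range forwarded on the Fritzbox, `rest_secret` is no longer the placeholder, rate limits are on), and it derives time-limited TURN REST credentials from `rest_secret` of the kind the `stunclient ... -u user -p pass` check in section 6 can use. The credential scheme is the one from draft-uberti-behave-turn-rest (username `expiry:user`, password `base64(HMAC-SHA1(secret, username))`); that niom-turn implements exactly this scheme is an assumption here, so confirm it against the project's own docs. The config text is the example from this guide, embedded inline; `check_config`, `rest_credentials` and `verify_rest_credentials` are names chosen for this example.

```python
import base64
import hashlib
import hmac
import ipaddress
import json
import time

# Constructed sample: the appsettings.json from this guide, placeholders included.
SAMPLE_CONFIG = """
{
  "auth": {"realm": "turn.example.com", "nonce_ttl_seconds": 600,
           "rest_secret": "CHANGE_ME_REST_SECRET", "rest_max_ttl_seconds": 86400},
  "listeners": {"udp": "0.0.0.0:3478", "tcp": "0.0.0.0:3478",
                "tls": {"addr": "0.0.0.0:5349",
                        "cert_file": "/etc/niom-turn/fullchain.pem",
                        "key_file": "/etc/niom-turn/privkey.pem"}},
  "relay": {"bind_addr": "0.0.0.0", "public_addr": "YOUR_WAN_IP",
            "port_range": "49152-49200"},
  "rate_limits": {"enabled": true, "max_allocations_per_ip": 10,
                  "max_permissions_per_allocation": 10,
                  "max_channels_per_allocation": 10}
}
"""

# Addresses that can never work as relay.public_addr: the LAN side of the
# Fritzbox (RFC 1918), CGNAT, loopback and link-local, v4 and v6.
NON_WAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

PLACEHOLDER_SECRET = "CHANGE_ME_REST_SECRET"


def load_config(text):
    return json.loads(text)


def parse_port_range(text):
    """'49152-49200' -> (49152, 49200); rejects inverted or out-of-range values."""
    lo, hi = (int(p) for p in text.split("-", 1))
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad relay port range {text!r}")
    return lo, hi


def check_config(cfg, forwarded_udp_range):
    """Return a list of problems; an empty list means the config passes.

    forwarded_udp_range is the UDP range forwarded on the router, e.g. (49152, 49200).
    """
    problems = []
    public_addr = cfg["relay"]["public_addr"]
    try:
        ip = ipaddress.ip_address(public_addr)
        if any(ip in net for net in NON_WAN_NETWORKS):
            problems.append(f"relay.public_addr {public_addr} is a LAN/loopback address, not the WAN IP")
    except ValueError:
        problems.append(f"relay.public_addr {public_addr!r} is not an IP literal (placeholder left in?)")

    lo, hi = parse_port_range(cfg["relay"]["port_range"])
    flo, fhi = forwarded_udp_range
    if lo < flo or hi > fhi:
        problems.append(f"relay.port_range {lo}-{hi} is not covered by forwarded UDP range {flo}-{fhi}")

    secret = cfg["auth"]["rest_secret"]
    if secret == PLACEHOLDER_SECRET or len(secret) < 32:
        problems.append("auth.rest_secret is still the placeholder or shorter than 32 characters")

    if not cfg["rate_limits"]["enabled"]:
        problems.append("rate_limits.enabled is false; allocations per client IP are unbounded")
    return problems


def rest_credentials(secret, user, ttl_seconds, max_ttl_seconds, now=None):
    """Time-limited TURN credentials (draft-uberti-behave-turn-rest): the username
    carries the expiry; the password is base64(HMAC-SHA1(secret, username)).
    The TTL is clamped to rest_max_ttl_seconds, as the server would enforce."""
    now = int(time.time()) if now is None else int(now)
    expiry = now + min(int(ttl_seconds), int(max_ttl_seconds))
    username = f"{expiry}:{user}"
    digest = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return username, base64.b64encode(digest).decode()


def verify_rest_credentials(secret, username, password, now=None):
    """Server-side view of the same pair: reject if expired or if the HMAC does
    not match (constant-time comparison)."""
    now = int(time.time()) if now is None else int(now)
    try:
        expiry = int(username.split(":", 1)[0])
    except ValueError:
        return False
    if expiry <= now:
        return False
    expected = base64.b64encode(
        hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()).decode()
    return hmac.compare_digest(expected, password)


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    for problem in check_config(cfg, (49152, 49200)):
        print("config:", problem)
    # Credentials for the stunclient check in section 6 (10-minute lifetime).
    u, p = rest_credentials(cfg["auth"]["rest_secret"], "tester", 600,
                            cfg["auth"]["rest_max_ttl_seconds"])
    print(f"stunclient turn.example.com 3478 -u '{u}' -p '{p}'")
```

Run it against the real file with `load_config(open("/etc/niom-turn/appsettings.json").read())` and the range from your port forwards; on the guide's example it reports the `YOUR_WAN_IP` and `CHANGE_ME_REST_SECRET` placeholders. The credential half is what your application server runs when handing ICE servers to browsers, so the secret stays off the client entirely.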
## 4) Systemd service

Install binary and user:

```bash
sudo cp /opt/niom-turn/target/release/niom-turn /usr/local/bin/niom-turn
sudo useradd --system --no-create-home --shell /usr/sbin/nologin niomturn
sudo chown root:root /usr/local/bin/niom-turn
sudo chmod 0755 /usr/local/bin/niom-turn
sudo chown -R niomturn:niomturn /etc/niom-turn
```

Create `/etc/systemd/system/niom-turn.service`:

```ini
[Unit]
Description=niom-turn
After=network.target

[Service]
User=niomturn
Group=niomturn
ExecStart=/usr/local/bin/niom-turn --config /etc/niom-turn/appsettings.json
Environment=RUST_LOG=debug,niom_turn=debug
Restart=on-failure
RestartSec=3
# Optional:
LimitNOFILE=65535

[Install]
WantedBy=multi-user.target
```

Enable/start:

```bash
sudo systemctl daemon-reload
sudo systemctl enable --now niom-turn
```

## 5) Firewall (LXC)

Allow inbound: UDP 3478, TCP 3478, TCP 5349, UDP relay range (49152-49200). Outbound: allow all.

## 6) Quick checks

- Listener ports: `ss -tulpen | grep -E '3478|5349'`
- Logs: `journalctl -u niom-turn -f`
- External TCP reachability (from Hotspot): `nc -vz turn.example.com 3478` and `nc -vz turn.example.com 5349`
- STUN/TURN test: `stunclient turn.example.com 3478 -u user -p pass` (or REST creds)
- WebRTC: open webrtc-internals / about:webrtc; ensure relay candidates show your WAN IP + ports in 49152-49200.

## 7) Fritzbox / Port forwards (reference)

- UDP 3478 → 10.0.0.22:3478
- TCP 3478 → 10.0.0.22:3478
- TCP 5349 → 10.0.0.22:5349
- UDP 49152-49200 → 10.0.0.22:49152-49200

Test from an external network (Hotspot), not from the LAN (avoid NAT loopback assumptions).

## 8) Tuning / next steps

- For more logs, temporarily set `RUST_LOG=trace,niom_turn=trace` in the service env.
- Consider JSON logging + metrics export if you need richer observability.
- Keep certs renewed via NPM and re-export them to the LXC.