Deployment Guide (niom-turn)

This guide assumes a fresh Debian LXC (e.g., 10.0.0.22) behind a Fritzbox whose port forwards are already in place (see section 7), and that you want TURN reachable on 3478/udp+tcp and 5349/tcp (TLS) with a UDP relay range (e.g., 49152-49200).

1) Install dependencies

sudo apt update
sudo apt install -y build-essential pkg-config libssl-dev curl git systemd
# Rust toolchain (stable). Piping a remote script into sh is a supply-chain
# risk; download it first and read it if your policy requires that.
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
source "$HOME/.cargo/env"

2) Clone and build

cd /opt
sudo mkdir -p niom-turn && sudo chown "$USER":"$USER" niom-turn
cd /opt/niom-turn
git clone https://github.com/<your-repo>/niom-turn.git .
cargo build --release
# Binary: target/release/niom-turn

3) Configuration

Create config dir and place TLS cert/key (exported from NPM) and config:

sudo mkdir -p /etc/niom-turn
sudo chown "$USER":"$USER" /etc/niom-turn
# place /etc/niom-turn/fullchain.pem and /etc/niom-turn/privkey.pem

Example /etc/niom-turn/appsettings.json (adjust realm, WAN IP, secrets):

{
  "logging": { "level": "info" },
  "auth": {
    "realm": "turn.example.com",
    "nonce_ttl_seconds": 600,
    "rest_secret": "CHANGE_ME_REST_SECRET",
    "rest_max_ttl_seconds": 86400
  },
  "listeners": {
    "udp": "0.0.0.0:3478",
    "tcp": "0.0.0.0:3478",
    "tls": {
      "addr": "0.0.0.0:5349",
      "cert_file": "/etc/niom-turn/fullchain.pem",
      "key_file": "/etc/niom-turn/privkey.pem"
    }
  },
  "relay": {
    "bind_addr": "0.0.0.0",
    "public_addr": "YOUR_WAN_IP",
    "port_range": "49152-49200"
  },
  "rate_limits": {
    "enabled": true,
    "max_allocations_per_ip": 10,
    "max_permissions_per_allocation": 10,
    "max_channels_per_allocation": 10
  }
}
  • public_addr must be your public WAN IP (not the LXC IP): it is the address the server advertises to clients for relayed traffic, and a 10.0.0.x address is unreachable from outside the NAT.
  • port_range caps concurrent sessions: each TURN allocation takes one UDP relay port, so 49152-49200 allows 49 at a time. Widen the range (and the matching Fritzbox forward) if you expect more.
  • rest_secret is the shared secret for TURN REST credentials (time-limited user/pass minted by your signalling server). Treat it like a password: do not commit it, and keep rest_max_ttl_seconds no longer than your sessions need (86400 is generous).
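How the rest_secret, rest_max_ttl_seconds and realm fields above fit together, as an added example in Python (not niom-turn code): the credential issuer a signalling server runs, the acceptance check a TURN server performs, and the long-term key both sides derive from the resulting pair for MESSAGE-INTEGRITY. The constant values copy the sample appsettings.json; all function names are hypothetical.

```python
"""TURN REST credentials (draft-uberti-behave-turn-rest) as used by the
"auth" block above. Added example, not niom-turn code: REST_SECRET, REALM
and REST_MAX_TTL copy the sample appsettings.json; all function names are
hypothetical."""
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple

REST_SECRET = "CHANGE_ME_REST_SECRET"   # placeholder from the sample config
REST_MAX_TTL = 86400                    # rest_max_ttl_seconds
REALM = "turn.example.com"              # auth.realm


def rest_password(secret: str, username: str) -> str:
    """password = base64(HMAC-SHA1(secret, username)); the client never sees the secret."""
    mac = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def issue_credentials(secret: str, user: str, ttl: int,
                      now: Optional[int] = None) -> Tuple[str, str]:
    """What a signalling server hands to the browser as iceServers username/credential.
    The username carries the expiry ("<unix-time>:<user>") so the TURN server can
    check it without keeping state."""
    now = int(time.time()) if now is None else now
    username = f"{now + ttl}:{user}"
    return username, rest_password(secret, username)


def verify_credentials(secret: str, max_ttl: int, username: str, password: str,
                       now: Optional[int] = None) -> bool:
    """Server-side acceptance test: well-formed username, expiry still in the future,
    expiry no further ahead than max_ttl (otherwise a leaked pair with a far-future
    expiry would work indefinitely), and a constant-time MAC comparison."""
    now = int(time.time()) if now is None else now
    try:
        expiry_str, _user = username.split(":", 1)
        expiry = int(expiry_str)
    except ValueError:
        return False
    if expiry <= now or expiry - now > max_ttl:
        return False
    return hmac.compare_digest(rest_password(secret, username), password)


def long_term_key(username: str, realm: str, password: str) -> bytes:
    """RFC 5389 long-term credential key MD5(username:realm:password). Both sides
    derive it from the REST pair; MESSAGE-INTEGRITY on Allocate/Refresh is
    HMAC-SHA1 under this key, which is why realm must match on client and server."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()


if __name__ == "__main__":
    u, p = issue_credentials(REST_SECRET, "alice", ttl=3600)
    print("username:", u)
    print("credential:", p)
    print("accepted:", verify_credentials(REST_SECRET, REST_MAX_TTL, u, p))
```

Hand the browser a short ttl (minutes to an hour) rather than the full rest_max_ttl_seconds: anyone holding the pair can allocate relays on your WAN IP until it expires, and the server-side max_ttl check only bounds what it will accept, not what you choose to issue.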

4) Systemd service

Install binary and user:

sudo cp /opt/niom-turn/target/release/niom-turn /usr/local/bin/niom-turn
sudo useradd --system --no-create-home --shell /usr/sbin/nologin niomturn
sudo chown root:root /usr/local/bin/niom-turn
sudo chmod 0755 /usr/local/bin/niom-turn
# appsettings.json holds rest_secret and privkey.pem sits beside it: let the
# service read them (group niomturn) but not modify them, and keep them
# unreadable to other local users.
sudo chown -R root:niomturn /etc/niom-turn
sudo chmod 0750 /etc/niom-turn
sudo chmod 0640 /etc/niom-turn/appsettings.json /etc/niom-turn/privkey.pem

Create /etc/systemd/system/niom-turn.service:

[Unit]
Description=niom-turn
After=network.target

[Service]
User=niomturn
Group=niomturn
ExecStart=/usr/local/bin/niom-turn --config /etc/niom-turn/appsettings.json
Environment=RUST_LOG=debug,niom_turn=debug
Restart=on-failure
RestartSec=3
# Optional: LimitNOFILE=65535
# Optional hardening (confirm the service still starts after enabling):
# NoNewPrivileges=true
# ProtectSystem=strict
# ProtectHome=true
# PrivateTmp=true

[Install]
WantedBy=multi-user.target

Enable/start:

sudo systemctl daemon-reload
sudo systemctl enable --now niom-turn

5) Firewall (LXC)

Allow inbound: UDP 3478, TCP 3478, TCP 5349, and the UDP relay range (49152-49200); peers send media to the relayed ports, so the range must be open and not just the signalling ports. Outbound: allow all (relayed traffic leaves from the relay ports towards arbitrary peer addresses).

6) Quick checks

  • Listener ports: ss -tulpen | grep -E '3478|5349'
  • Logs: journalctl -u niom-turn -f
  • External TCP reachability (from a phone hotspot, not the LAN): nc -vz turn.example.com 3478 and nc -vz turn.example.com 5349. nc -vz exercises TCP only; UDP 3478 is covered by the STUN/TURN test below.
  • STUN/TURN test: stunclient turn.example.com 3478 -u user -p pass (or REST creds)
  • WebRTC: open webrtc-internals / about:webrtc; ensure relay candidates show your WAN IP + ports in 49152-49200.
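A scriptable form of the UDP reachability check, as an added example in Python using only the standard library (it is not a niom-turn tool): it sends one STUN Binding request to 3478/udp and decodes XOR-MAPPED-ADDRESS from the reply. Run from the hotspot, the returned address should be the hotspot's public IP, which proves the UDP forward and the listener both work. The target host name and the SAMPLE_* bytes are constructed for illustration.

```python
"""Scriptable STUN Binding check (RFC 5389) against the UDP listener.
Added example using only the Python standard library; it is not a
niom-turn tool. The default host below and the SAMPLE_* bytes are constructed."""
import os
import socket
import struct
import sys
from typing import Optional, Tuple

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(txid: bytes) -> bytes:
    """20-byte header and no attributes: type, length, magic cookie, 96-bit transaction ID."""
    if len(txid) != 12:
        raise ValueError("transaction id must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid


def parse_binding_response(data: bytes, txid: bytes) -> Optional[Tuple[str, int]]:
    """Return (ip, port) from XOR-MAPPED-ADDRESS, or None for anything that is not a
    well-formed Binding Success matching txid. Unknown attributes are skipped and
    every length is checked before slicing."""
    if len(data) < 20:
        return None
    msg_type, msg_len, cookie = struct.unpack("!HHI", data[:8])
    if msg_type != BINDING_SUCCESS or cookie != MAGIC_COOKIE or data[8:20] != txid:
        return None
    end = 20 + msg_len
    if len(data) < end:
        return None
    pos = 20
    while pos + 4 <= end:
        attr_type, attr_len = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + attr_len]
        if len(value) < attr_len:
            return None
        if attr_type == ATTR_XOR_MAPPED_ADDRESS and attr_len >= 8:
            family = value[1]
            port = struct.unpack("!H", value[2:4])[0] ^ (MAGIC_COOKIE >> 16)
            if family == 0x01:   # IPv4: address XORed with the magic cookie
                key = struct.pack("!I", MAGIC_COOKIE)
                raw = bytes(b ^ k for b, k in zip(value[4:8], key))
                return socket.inet_ntop(socket.AF_INET, raw), port
            if family == 0x02 and attr_len >= 20:   # IPv6: XORed with cookie || txid
                key = struct.pack("!I", MAGIC_COOKIE) + txid
                raw = bytes(b ^ k for b, k in zip(value[4:20], key))
                return socket.inet_ntop(socket.AF_INET6, raw), port
        pos += 4 + ((attr_len + 3) & ~3)   # attribute values are padded to 4 bytes
    return None


def stun_check(host: str, port: int = 3478, timeout: float = 3.0) -> Optional[Tuple[str, int]]:
    """Send one Binding Request over UDP and return the reflexive (ip, port)."""
    txid = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_binding_request(txid), (host, port))
        data, _ = s.recvfrom(2048)
    return parse_binding_response(data, txid)


# Constructed sample: Binding Success carrying XOR-MAPPED-ADDRESS 203.0.113.7:49170
SAMPLE_TXID = bytes(range(12))
SAMPLE_RESPONSE = (bytes.fromhex("0101000c2112a442") + SAMPLE_TXID
                   + bytes.fromhex("00200008" "0001e100" "ea12d545"))

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "turn.example.com"
    print(stun_check(target))
```

A timeout here with the TCP checks passing points at the UDP forward or the LXC firewall rather than the service; a reply showing a 10.0.0.x address means you are testing from inside the LAN.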

7) Fritzbox / Port forwards (reference)

  • UDP 3478 → 10.0.0.22:3478
  • TCP 3478 → 10.0.0.22:3478
  • TCP 5349 → 10.0.0.22:5349
  • UDP 49152-49200 → 10.0.0.22:49152-49200

Test from an external network (phone hotspot), not from the LAN: a working NAT loopback on the Fritzbox says nothing about how the forwards behave for a real outside connection.

8) Tuning / next steps

  • For more logs temporarily set RUST_LOG=trace,niom_turn=trace in the service env.
  • Consider JSON logging + metrics export if you need richer observability.
  • Keep certs renewed via NPM and re-export to the LXC.