niom-turn/docs/deployment.md

3.6 KiB

Deployment (niom-turn)

This page describes a pragmatic deployment of niom-turn as a systemd service.

TL;DR:

  • TURN/STUN: UDP + TCP on port 3478
  • TURN over TLS (turns:): TCP/TLS on port 5349
  • Relay ports: optional UDP port range (e.g. 49152-49200)

Important pitfall: config path

The server currently always loads appsettings.json from the current working directory (Config::load_default()).

For systemd, that means: set WorkingDirectory= to the directory that contains appsettings.json.

1) Provide the binary

cargo build --release
ls -lah target/release/niom-turn

Typical layout (example):

  • binary: /opt/niom-turn/target/release/niom-turn
  • config: /etc/niom-turn/appsettings.json
  • TLS: /etc/niom-turn/fullchain.pem, /etc/niom-turn/privkey.pem

2) Create the configuration

sudo mkdir -p /etc/niom-turn
sudo cp appsettings.example.json /etc/niom-turn/appsettings.json
sudoedit /etc/niom-turn/appsettings.json

Example appsettings.json (schema matches src/config.rs):

{
  "server": {
    "bind": "0.0.0.0:3478",
    "udp_bind": null,
    "tcp_bind": null,
    "tls_bind": "0.0.0.0:5349",
    "enable_udp": true,
    "enable_tcp": true,
    "enable_tls": true,
    "tls_cert": "/etc/niom-turn/fullchain.pem",
    "tls_key": "/etc/niom-turn/privkey.pem"
  },
  "relay": {
    "relay_port_min": 49152,
    "relay_port_max": 49200,
    "relay_bind_ip": "0.0.0.0",
    "advertised_ip": "YOUR_PUBLIC_IP_OR_HOSTNAME"
  },
  "auth": {
    "realm": "turn.example.com",
    "nonce_secret": null,
    "nonce_ttl_seconds": 300,
    "rest_secret": null,
    "rest_max_ttl_seconds": 600
  },
  "credentials": [
    { "username": "testuser", "password": "secretpassword" }
  ],
  "logging": {
    "default_directive": "warn,niom_turn=info"
  },
  "limits": {
    "max_allocations_per_ip": null,
    "max_permissions_per_allocation": null,
    "max_channel_bindings_per_allocation": null,

    "unauth_rps": null,
    "unauth_burst": null,
    "binding_rps": null,
    "binding_burst": null
  }
}

NAT / public IP / hostnames

  • If the server runs behind NAT, set relay.advertised_ip to the public IP so clients receive a reachable address in XOR-RELAYED-ADDRESS.
  • As a workaround, relay.relay_bind_ip and relay.advertised_ip can also be hostnames; they are resolved once at startup.

3) TLS certificates

You need PEM files:

  • fullchain.pem (certificate chain)
  • privkey.pem (private key)

Set restrictive permissions, e.g.:

sudo chown root:root /etc/niom-turn/fullchain.pem /etc/niom-turn/privkey.pem
sudo chmod 0644 /etc/niom-turn/fullchain.pem
sudo chmod 0600 /etc/niom-turn/privkey.pem

4) systemd unit

Example: /etc/systemd/system/niom-turn.service

[Unit]
Description=niom-turn TURN server
After=network.target

[Service]
User=niomturn
Group=niomturn

# Important: appsettings.json is loaded from WorkingDirectory
WorkingDirectory=/etc/niom-turn
ExecStart=/opt/niom-turn/target/release/niom-turn

Restart=on-failure
RestartSec=2

# Optional: enable temporarily for debugging
# Environment=RUST_LOG=debug,niom_turn=debug
# Environment=NIOM_TURN_DEBUG_CONFIG=1
# Environment=NIOM_TURN_DEBUG_CONFIG_JSON=1

[Install]
WantedBy=multi-user.target

Enable:

sudo systemctl daemon-reload
sudo systemctl enable --now niom-turn

5) Firewall / port forwarding

Open/forward at least:

  • UDP 3478
  • TCP 3478
  • TCP 5349
  • UDP relay range (if relay_port_min/max is set)

6) Debugging / checks

  • Ports: ss -tulpen | grep -E '3478|5349'
  • Logs: journalctl -u niom-turn -f -o cat
  • Nur letzte Logs: journalctl -u niom-turn -n 200 --no-pager -o cat