# Deployment Guide (niom-turn)
This guide assumes a fresh Debian LXC (e.g., 10.0.0.22), Fritzbox port forwards are in place, and you want TURN reachable on 3478/udp+tcp and 5349/tcp with a UDP relay range (e.g., 49152-49200).
## 1) Install dependencies
```bash
sudo apt update
sudo apt install -y build-essential pkg-config libssl-dev curl git systemd
# Rust toolchain (stable)
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
source "$HOME/.cargo/env"
```
## 2) Clone and build
```bash
cd /opt
sudo mkdir -p niom-turn && sudo chown "$USER":"$USER" niom-turn
cd /opt/niom-turn
git clone https://github.com/<your-repo>/niom-turn.git .
cargo build --release
# Binary: target/release/niom-turn
```
## 3) Configuration
Create the config directory, then place the TLS cert/key (exported from NPM) and the config file there:
```bash
sudo mkdir -p /etc/niom-turn
sudo chown "$USER":"$USER" /etc/niom-turn
# place /etc/niom-turn/fullchain.pem and /etc/niom-turn/privkey.pem
```
Example `/etc/niom-turn/appsettings.json` (adjust realm, WAN IP, secrets):
```json
{
  "logging": { "level": "info" },
  "auth": {
    "realm": "turn.example.com",
    "nonce_ttl_seconds": 600,
    "rest_secret": "CHANGE_ME_REST_SECRET",
    "rest_max_ttl_seconds": 86400
  },
  "listeners": {
    "udp": "0.0.0.0:3478",
    "tcp": "0.0.0.0:3478",
    "tls": {
      "addr": "0.0.0.0:5349",
      "cert_file": "/etc/niom-turn/fullchain.pem",
      "key_file": "/etc/niom-turn/privkey.pem"
    }
  },
  "relay": {
    "bind_addr": "0.0.0.0",
    "public_addr": "YOUR_WAN_IP",
    "port_range": "49152-49200"
  },
  "rate_limits": {
    "enabled": true,
    "max_allocations_per_ip": 10,
    "max_permissions_per_allocation": 10,
    "max_channels_per_allocation": 10
  }
}
```
- `public_addr` must be your public WAN IP (not the LXC IP).
- `rest_secret` is used for TURN REST credentials (time-based user/pass).
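The following is an added example (not part of niom-turn) showing how time-based TURN REST credentials are minted from `rest_secret` and how a server would check them against `rest_max_ttl_seconds`. It assumes niom-turn uses the common TURN REST convention (username `"<expiry-unix-ts>:<user>"`, password `base64(HMAC-SHA1(rest_secret, username))`); confirm that against the project's auth code before relying on it.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Assumed scheme (draft-uberti-behave-turn-rest style), not taken from niom-turn itself:
#   username = "<expiry>:<user>", password = base64(HMAC-SHA1(rest_secret, username))


def mint_rest_credential(rest_secret: str, user: str, ttl_seconds: int,
                         now: Optional[int] = None) -> Tuple[str, str]:
    """Return (username, password) valid for ttl_seconds from now."""
    now = int(time.time()) if now is None else now
    username = f"{now + ttl_seconds}:{user}"
    digest = hmac.new(rest_secret.encode(), username.encode(), hashlib.sha1).digest()
    return username, base64.b64encode(digest).decode()


def verify_rest_credential(rest_secret: str, username: str, password: str,
                           rest_max_ttl_seconds: int, now: Optional[int] = None) -> bool:
    """Server-side check: well-formed username, not expired, expiry within the
    configured maximum TTL, and a MAC that matches (constant-time compare)."""
    now = int(time.time()) if now is None else now
    expiry_str, sep, _user = username.partition(":")
    if not sep or not expiry_str.isdigit():
        return False
    expiry = int(expiry_str)
    # Reject expired credentials and ones minted further out than rest_max_ttl_seconds
    if expiry <= now or expiry - now > rest_max_ttl_seconds:
        return False
    try:
        given = base64.b64decode(password, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    expected = hmac.new(rest_secret.encode(), username.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, given)


if __name__ == "__main__":
    # Constructed values: the placeholder secret from the config above and a sample user
    u, p = mint_rest_credential("CHANGE_ME_REST_SECRET", "alice", 3600)
    print(f"username={u} password={p}")
    print("valid:", verify_rest_credential("CHANGE_ME_REST_SECRET", u, p, 86400))
```

The minted pair can be passed to the `stunclient -u user -p pass` check in section 6; a credential rejected by `verify_rest_credential` for TTL reasons would likewise be rejected by a server enforcing `rest_max_ttl_seconds`.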
## 4) Systemd service
Install binary and user:
```bash
sudo cp /opt/niom-turn/target/release/niom-turn /usr/local/bin/niom-turn
sudo useradd --system --no-create-home --shell /usr/sbin/nologin niomturn
sudo chown root:root /usr/local/bin/niom-turn
sudo chmod 0755 /usr/local/bin/niom-turn
# the service user owns the config and TLS key; keep them unreadable by other accounts
sudo chown -R niomturn:niomturn /etc/niom-turn
```
Create `/etc/systemd/system/niom-turn.service`:
```ini
[Unit]
Description=niom-turn
After=network.target
[Service]
User=niomturn
Group=niomturn
ExecStart=/usr/local/bin/niom-turn --config /etc/niom-turn/appsettings.json
Environment=RUST_LOG=debug,niom_turn=debug
Restart=on-failure
RestartSec=3
# Optional: LimitNOFILE=65535
[Install]
WantedBy=multi-user.target
```
Enable/start:
```bash
sudo systemctl daemon-reload
sudo systemctl enable --now niom-turn
```
## 5) Firewall (LXC)
Allow inbound: UDP 3478, TCP 3478, TCP 5349, UDP relay range (49152-49200). Outbound allow all.
## 6) Quick checks
- Listener ports: `ss -tulpen | grep -E '3478|5349'`
- Logs: `journalctl -u niom-turn -f`
- External TCP reachability (from Hotspot): `nc -vz turn.example.com 3478` and `nc -vz turn.example.com 5349`
- STUN/TURN test: `stunclient turn.example.com 3478 -u user -p pass` (or REST creds)
- WebRTC: open webrtc-internals / about:webrtc; ensure relay candidates show your WAN IP + ports in 49152-49200.
## 7) Fritzbox / Port forwards (reference)
- UDP 3478 → 10.0.0.22:3478
- TCP 3478 → 10.0.0.22:3478
- TCP 5349 → 10.0.0.22:5349
- UDP 49152-49200 → 10.0.0.22:49152-49200
Test from external network (Hotspot), not from LAN (avoid NAT loopback assumptions).
## 8) Tuning / next steps
- For more detailed logs, temporarily set `RUST_LOG=trace,niom_turn=trace` in the service env.
- Consider JSON logging + metrics export if you need richer observability.
- Keep certs renewed via NPM and re-export to the LXC.