Skip to content

Instantly share code, notes, and snippets.

@bradleythughes

bradleythughes/turnserver.conf.awk

Last active April 28, 2022 19:38
Show Gist options
  • Save bradleythughes/907a9b30cb451a1b5f969982fc2130de to your computer and use it in GitHub Desktop.
Save bradleythughes/907a9b30cb451a1b5f969982fc2130de to your computer and use it in GitHub Desktop.
Download ZIP
Example configuration for coturn on AWS
Raw
turnserver.conf.awk
/^external-ip=/ {
print "external-ip=" PUBLIC "/" PRIVATE
next
}
/^static-auth-secret=/ {
print "static-auth-secret=" SECRET
next
}
{ print }
Raw
turnserver.conf.example
external-ip=PUBLIC/PRIVATE
static-auth-secret=SECRET
listening-port 443
alt-listening-port 3478
fingerprint
lt-cred-mech
stale-nonce
use-auth-secret
realm=example.com
no-loopback-peers
no-multicast-peers
syslog
verbose
tls-listening-port 443
alt-tls-listening-port 3478
cert /usr/local/etc/turnserver.crt
pkey /usr/local/etc/turnserver.key
cipher-list ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA
no-sslv2
no-sslv3
Raw
turnserver.js
"use strict";
const assert = require("assert");
const crypto = require("crypto");
const secret = process.argv[2];
assert.ok(secret, "Missing static-auth-secret argument");
// generated credentials expire 4 hours from now
const expiration = Math.floor((Date.now() / 1000) + (4 * 60 * 60));
const username = "example:" + expiration;
const hmacsha1 = crypto.createHmac("sha1", secret);
hmacsha1.setEncoding("base64");
hmacsha1.write(username);
hmacsha1.end();
const password = hmacsha1.read();
console.log("TURN username:", username);
console.log("TURN password:", password);
@bradleythughes
Copy link
Author

bradleythughes commented May 24, 2017
edited
Loading

Run awk(1) like this to generate the configuration. This will query the EC2 instance meta-data for the public and private IPv4 addresses and generate a new 20-byte static-auth-secret.

$ awk -v PUBLIC=$(curl -s http://169.254.169.254/latest/meta-data/public-ipv4) \
    -v PRIVATE=$(curl -s http://169.254.169.254/latest/meta-data/local-ipv4) \
    -v SECRET=$(cat /dev/urandom | tr -dc '0-9a-zA-Z' | fold -w 20 | head -n 1) \
    -f turnserver.conf.awk turnserver.conf.example

external-ip=34.251.x.x/172.30.x.x
static-auth-secret=paO4faXUbg2wiCLIirgC
listening-port 443
alt-listening-port 3478
fingerprint
lt-cred-mech
stale-nonce
use-auth-secret
realm=example.com
no-loopback-peers
no-multicast-peers
syslog
verbose
tls-listening-port 443
alt-tls-listening-port 3478
cert /usr/local/etc/turnserver.crt
pkey /usr/local/etc/turnserver.key
cipher-list ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA
no-sslv2
no-sslv3

@bradleythughes
Copy link
Author

bradleythughes commented May 24, 2017
edited
Loading

Run turnserver.js like this to generate TURN credentials:

$ node turnserver.js paO4faXUbg2wiCLIirgC

TURN username: example:1495627810
TURN password: tnPplWKVaTzW1LYS+uguhaaAujQ=

Note that these credentials expire 4 hours after they are generated. You can change the expiration time in turnserver.js if desired.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment