From 0495097a7f6c6f5230972e0a5f32c0c9c42ef61b Mon Sep 17 00:00:00 2001
From: ewaf1 <59422220+ewaf1@users.noreply.github.com>
Date: Thu, 2 Jan 2020 11:41:30 +0100
Subject: Added the section 'Configuration' in /docs/turn-howto.md (#6614)

put the 2nd part of the "source installation"-section into a new section, because it also applies to Debian packages
---
 docs/turn-howto.md | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'docs/turn-howto.md')

diff --git a/docs/turn-howto.md b/docs/turn-howto.md
index 4a983621e5..1bd3943f54 100644
--- a/docs/turn-howto.md
+++ b/docs/turn-howto.md
@@ -39,6 +39,8 @@ The TURN daemon `coturn` is available from a variety of sources such as native p
         make
         make install
 
+### Configuration
+
 1.  Create or edit the config file in `/etc/turnserver.conf`. The relevant
     lines, with example values, are:
 
-- 
cgit 1.4.1


From 2e826cd80c97cbdcec3e600b802c43ec27263e39 Mon Sep 17 00:00:00 2001
From: Jostein Kjønigsen <jostein@kjonigsen.net>
Date: Tue, 31 Mar 2020 16:50:48 +0200
Subject: Improve TURN documentation. (#7167)

---
 changelog.d/7167.doc | 1 +
 docs/turn-howto.md   | 7 +++++++
 2 files changed, 8 insertions(+)
 create mode 100644 changelog.d/7167.doc

(limited to 'docs/turn-howto.md')

diff --git a/changelog.d/7167.doc b/changelog.d/7167.doc
new file mode 100644
index 0000000000..a7e7ba9b51
--- /dev/null
+++ b/changelog.d/7167.doc
@@ -0,0 +1 @@
+Improve README.md by being explicit about public IP recommendation for TURN relaying.
diff --git a/docs/turn-howto.md b/docs/turn-howto.md
index 1bd3943f54..b26e41f19e 100644
--- a/docs/turn-howto.md
+++ b/docs/turn-howto.md
@@ -11,6 +11,13 @@ TURN server.
 
 The following sections describe how to install [coturn](<https://github.com/coturn/coturn>) (which implements the TURN REST API) and integrate it with synapse.
 
+## Requirements
+
+For TURN relaying with `coturn` to work, it must be hosted on a server/endpoint with a public IP.
+
+Hosting TURN behind a NAT (even with appropriate port forwarding) is known to cause issues
+and to often not work.
+
 ## `coturn` Setup
 
 ### Initial installation
-- 
cgit 1.4.1


From 0d775fcc2d0c7b6a07dad5430256d4d6c75a9f0d Mon Sep 17 00:00:00 2001
From: nataraj-hates-MS-for-stealing-github
 <48326335+nataraj-hates-MS-for-stealing-github@users.noreply.github.com>
Date: Fri, 17 Apr 2020 15:04:23 +0300
Subject: Improve example TURN configuration in documentation (#7284)

---
 docs/turn-howto.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'docs/turn-howto.md')

diff --git a/docs/turn-howto.md b/docs/turn-howto.md
index 1bd3943f54..1e121ead6a 100644
--- a/docs/turn-howto.md
+++ b/docs/turn-howto.md
@@ -113,7 +113,7 @@ Your home server configuration file needs the following extra keys:
 As an example, here is the relevant section of the config file for matrix.org:
 
     turn_uris: [ "turn:turn.matrix.org:3478?transport=udp", "turn:turn.matrix.org:3478?transport=tcp" ]
-    turn_shared_secret: n0t4ctuAllymatr1Xd0TorgSshar3d5ecret4obvIousreAsons
+    turn_shared_secret: "n0t4ctuAllymatr1Xd0TorgSshar3d5ecret4obvIousreAsons"
     turn_user_lifetime: 86400000
     turn_allow_guests: True
 
-- 
cgit 1.4.1


From 4fa74c7606ff302b0f255e418299eacdc1b5ca7f Mon Sep 17 00:00:00 2001
From: Richard van der Hoff <1389908+richvdh@users.noreply.github.com>
Date: Wed, 20 May 2020 11:04:34 +0100
Subject: Minor clarifications to the TURN docs (#7533)

---
 changelog.d/7533.doc |  1 +
 docs/turn-howto.md   | 57 ++++++++++++++++++++++++++++++++++++++--------------
 2 files changed, 43 insertions(+), 15 deletions(-)
 create mode 100644 changelog.d/7533.doc

(limited to 'docs/turn-howto.md')

diff --git a/changelog.d/7533.doc b/changelog.d/7533.doc
new file mode 100644
index 0000000000..e3c1df99fa
--- /dev/null
+++ b/changelog.d/7533.doc
@@ -0,0 +1 @@
+Minor clarifications to the TURN docs.
diff --git a/docs/turn-howto.md b/docs/turn-howto.md
index b8a2ba3e82..d4a726be66 100644
--- a/docs/turn-howto.md
+++ b/docs/turn-howto.md
@@ -18,7 +18,7 @@ For TURN relaying with `coturn` to work, it must be hosted on a server/endpoint
 Hosting TURN behind a NAT (even with appropriate port forwarding) is known to cause issues
 and to often not work.
 
-## `coturn` Setup
+## `coturn` setup
 
 ### Initial installation
 
@@ -26,7 +26,13 @@ The TURN daemon `coturn` is available from a variety of sources such as native p
 
 #### Debian installation
 
-    # apt install coturn
+Just install the debian package:
+
+```sh
+apt install coturn
+```
+
+This will install and start a systemd service called `coturn`.
 
 #### Source installation
 
@@ -63,38 +69,52 @@ The TURN daemon `coturn` is available from a variety of sources such as native p
 1.  Consider your security settings. TURN lets users request a relay which will
     connect to arbitrary IP addresses and ports. The following configuration is
     suggested as a minimum starting point:
-    
+
         # VoIP traffic is all UDP. There is no reason to let users connect to arbitrary TCP endpoints via the relay.
         no-tcp-relay
-        
+
         # don't let the relay ever try to connect to private IP address ranges within your network (if any)
         # given the turn server is likely behind your firewall, remember to include any privileged public IPs too.
         denied-peer-ip=10.0.0.0-10.255.255.255
         denied-peer-ip=192.168.0.0-192.168.255.255
         denied-peer-ip=172.16.0.0-172.31.255.255
-        
+
         # special case the turn server itself so that client->TURN->TURN->client flows work
         allowed-peer-ip=10.0.0.1
-        
+
         # consider whether you want to limit the quota of relayed streams per user (or total) to avoid risk of DoS.
         user-quota=12 # 4 streams per video call, so 12 streams = 3 simultaneous relayed calls per user.
         total-quota=1200
 
-    Ideally coturn should refuse to relay traffic which isn't SRTP; see
-    <https://github.com/matrix-org/synapse/issues/2009>
+1.  Also consider supporting TLS/DTLS. To do this, add the following settings
+    to `turnserver.conf`:
+
+        # TLS certificates, including intermediate certs.
+        # For Let's Encrypt certificates, use `fullchain.pem` here.
+        cert=/path/to/fullchain.pem
+
+        # TLS private key file
+        pkey=/path/to/privkey.pem
 
 1.  Ensure your firewall allows traffic into the TURN server on the ports
-    you've configured it to listen on (remember to allow both TCP and UDP TURN
-    traffic)
+    you've configured it to listen on (By default: 3478 and 5349 for the TURN(s)
+    traffic (remember to allow both TCP and UDP traffic), and ports 49152-65535
+    for the UDP relay.)
+
+1.  (Re)start the turn server:
 
-1.  If you've configured coturn to support TLS/DTLS, generate or import your
-    private key and certificate.
+    * If you used the Debian package (or have set up a systemd unit yourself):
+      ```sh
+      systemctl restart coturn
+      ```
 
-1.  Start the turn server:
+    * If you installed from source:
 
-         bin/turnserver -o
+      ```sh
+      bin/turnserver -o
+      ```
 
-## synapse Setup
+## Synapse setup
 
 Your home server configuration file needs the following extra keys:
 
@@ -126,7 +146,14 @@ As an example, here is the relevant section of the config file for matrix.org:
 
 After updating the homeserver configuration, you must restart synapse:
 
+  * If you use synctl:
+    ```sh
     cd /where/you/run/synapse
     ./synctl restart
+    ```
+  * If you use systemd:
+    ```
+    systemctl restart synapse.service
+    ```
 
 ..and your Home Server now supports VoIP relaying!
-- 
cgit 1.4.1