matrix: Move TURN to other ports and disable STUN

We get a lot of unauthorized STUN requests in the logs.

matrix: Move TURN to other ports and disable STUN
366b8054 · Jan Alexander Steffens (heftig) · d5bef045 · 366b8054 · 366b8054 · 366b8054
Verified Commit 366b8054 authored 2 years ago by Jan Alexander Steffens (heftig)
--- a/roles/matrix/tasks/main.yml
+++ b/roles/matrix/tasks/main.yml
@@ -337,10 +337,10 @@
    # synapse's identd
    - 113/tcp
    # turnserver
-    - 3478-3479/tcp
-    - 3478-3479/udp
-    - 5349-5350/tcp
-    - 5349-5350/udp
+    - 2410-2411/tcp
+    - 2410-2411/udp
+    - 2420-2421/tcp
+    - 2420-2421/udp
    - 33000-33999/udp
  when: configure_firewall
  tags:

--- a/roles/matrix/templates/homeserver.yaml.j2
+++ b/roles/matrix/templates/homeserver.yaml.j2
@@ -105,10 +105,10 @@ url_preview_accept_language:

 # WebRTC
 turn_uris:
-  - "turns:{{ matrix_domain }}:5349?transport=udp"
-  - "turns:{{ matrix_domain }}:5349?transport=tcp"
-  - "turn:{{ matrix_domain }}:3478?transport=udp"
-  - "turn:{{ matrix_domain }}:3478?transport=tcp"
+  - "turns:{{ matrix_domain }}:2420?transport=udp"
+  - "turns:{{ matrix_domain }}:2420?transport=tcp"
+  - "turn:{{ matrix_domain }}:2410?transport=udp"
+  - "turn:{{ matrix_domain }}:2410?transport=tcp"
 turn_shared_secret: "{{ vault_matrix_secrets.turn_shared_secret }}"

 # Metrics

--- a/roles/matrix/templates/turnserver.conf.j2
+++ b/roles/matrix/templates/turnserver.conf.j2
@@ -15,7 +15,7 @@
 # Note: actually, TLS & DTLS sessions can connect to the
 # "plain" TCP & UDP port(s), too - if allowed by configuration.
 #
-#listening-port=3478
+listening-port=2410

 # TURN listener port for TLS (Default: 5349).
 # Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS
@@ -27,7 +27,7 @@
 # TLS version 1.0, 1.1 and 1.2.
 # For secure UDP connections, Coturn supports DTLS version 1.
 #
-#tls-listening-port=5349
+tls-listening-port=2420

 # Alternative listening port for UDP and TCP listeners;
 # default (or zero) value means "listening port plus one".
@@ -602,7 +602,7 @@ syslog
 # Run as TURN server only, all STUN requests will be ignored.
 # By default, this option is NOT set.
 #
-#no-stun
+no-stun

 # This is the timestamp/username separator symbol (character) in TURN REST API.
 # The default value is ':'.