If you are enjoying using Synapse as your own private chat server, you will probably at some point want to use it as a VoIP/video service as well. Here are the steps on how to do it. I’m using a server that is not behind NAT and has a public IP, so keep that in mind.
My LAB config
A little guide to the IPs and names used in this tutorial:
I’m using only a public IP (no NAT) for Turn in this tutorial, and it will be 60.60.80.91
My Turn server has its own subdomain defined in DNS, and we will call it turn.informaticar.net
The Matrix/Synapse server is installed on matrix.informaticar.net
Installation
Run the following command to install Turn (the coturn package) on your CentOS server
sudo yum install coturn
Turn Configuration
The configuration is installed in /etc/coturn. In that directory there is a turnserver.conf file which we will need to edit
sudo vi /etc/coturn/turnserver.conf
We will go from the beginning to the end of the file and enable the necessary and secure options for our Turn server.
First, the Turn listening port for TLS. We only want secure communication.
tls-listening-port=5349
Listening IP. Enter the IP on which port 5349 will wait for connections.
listening-ip=60.60.80.91
Under external-ip enter your public/internet-facing IP.
external-ip=60.60.80.91
We will also need to define the range of UDP ports used for relaying.
min-port=63000
max-port=64535
We will also enable use-auth-secret (time-limited credentials derived from a shared secret, instead of static user accounts)
use-auth-secret
We will also need to set a static-auth-secret. Change it to something more complex. Also, remember this secret: you will need to enter the exact same secret in your Synapse configuration later on.
static-auth-secret=ThisIsYorSecretCHANGEME
One way to generate a more complex secret is by running pwgen. First we will install this utility.
sudo yum install pwgen
And then run the command
pwgen -s 64 1
The result will be a single random 64-character string, which you can use as the secret.
The next value we need to change is realm. Enter the domain on which your Synapse/Matrix installation resides.
realm=matrix.informaticar.net
We will also enable the no-udp option.
no-udp
You will also need to define the public and private certificate locations for your TLS connection to work. Change the default paths below: “cert=” is for the public part and “pkey=” for the private part of the certificate. I renamed my certs to the names written below to match the names in the Turn config file.
cert=/etc/pki/coturn/public/turn_server_cert.pem
pkey=/etc/pki/coturn/private/turn_server_pkey.pem
I don’t need the CLI, so I will disable it by uncommenting the no-cli option.
no-cli
We will also need to open a few firewall ports. Ports 63000-64535 are optional and not needed in this scenario, but they are here for reference.
sudo firewall-cmd --permanent --add-port=5349/tcp
sudo firewall-cmd --permanent --add-port=5349/udp
sudo firewall-cmd --permanent --add-port=63000-64535/udp
sudo firewall-cmd --reload
Synapse/Matrix Configuration
We also need to edit the homeserver.yaml file in the Synapse configuration and enter the Turn configuration so that Synapse knows it is there.
It is best to add the Turn configuration at the end of the homeserver.yaml file.
Change turn.informaticar.net to your Turn domain/subdomain, and enter the shared secret you created under turn_shared_secret. Remember, it has to be the same secret you entered into the Turn config file.
## Turn ##
# The public URIs of the TURN server to give to clients
turn_uris:
- "turns:turn.informaticar.net:5349?transport=udp"
- "turns:turn.informaticar.net:5349?transport=tcp"
# The shared secret used to compute passwords for the TURN server
turn_shared_secret: "ThisIsYorSecretCHANGEME"
# How long generated TURN credentials last
turn_user_lifetime: "1h"
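To make the shared-secret link between the two config files concrete, here is an added Python example (not from the original post, nor code from coturn or Synapse) showing how the TURN REST API scheme behind coturn's use-auth-secret and Synapse's turn_shared_secret / turn_user_lifetime derives and verifies credentials. The user id, timestamps and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import time

# Constructed values for illustration. The secret must be identical to
# static-auth-secret in turnserver.conf and turn_shared_secret in homeserver.yaml.
SHARED_SECRET = b"ThisIsYorSecretCHANGEME"   # placeholder from the page, change it
USER_LIFETIME_SECS = 3600                    # matches turn_user_lifetime: "1h"


def make_turn_credentials(user_id, secret, now, lifetime=USER_LIFETIME_SECS):
    """Derive time-limited TURN credentials (what Synapse hands to a client):
    username is "<expiry-unix-seconds>:<user>", password is the base64-encoded
    HMAC-SHA1 of that username under the shared secret."""
    expiry = int(now) + lifetime
    username = f"{expiry}:{user_id}"
    digest = hmac.new(secret, username.encode(), hashlib.sha1).digest()
    password = base64.b64encode(digest).decode()
    return username, password


def verify_turn_credentials(username, password, secret, now):
    """Re-derive the password server-side, as the TURN server does, and reject
    expired, malformed or forged credentials. Returns True only when the
    expiry is still in the future and the HMAC matches."""
    expiry_str, _, _user = username.partition(":")
    if not expiry_str.isdigit() or int(expiry_str) <= int(now):
        return False                     # expired or malformed credential
    expected = hmac.new(secret, username.encode(), hashlib.sha1).digest()
    expected_b64 = base64.b64encode(expected).decode()
    return hmac.compare_digest(expected_b64, password)   # constant-time compare


if __name__ == "__main__":
    now = time.time()
    user, pw = make_turn_credentials("@alice:matrix.informaticar.net",
                                     SHARED_SECRET, now)
    print(user, pw)
    print("valid now:     ", verify_turn_credentials(user, pw, SHARED_SECRET, now))
    print("valid after 2h:", verify_turn_credentials(user, pw, SHARED_SECRET, now + 7200))
    print("wrong secret:  ", verify_turn_credentials(user, pw, b"other", now))
```

If the two secrets differ by even one character, the last check fails and every call setup will be refused by the Turn server, which is why the post insists the value must be entered identically in both files.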
Start Turn Server
After all is done, reboot the server, start the Synapse server first, and then start the Turn server with the following command
sudo turnserver -L 60.60.80.91 -o -a -b turnserver.conf -f -r turn.informaticar.net
You can also define the ports you would like turnserver to listen on; then the command would look like this
sudo turnserver -L 60.60.80.91:5349 -o -a -b turnserver.conf -f -r turn.informaticar.net:5349
Combine the start command the way you see fit.
That is it. This is the configuration that is working for me; it is not perfect, there are errors when you start Turn sometimes (I get ERROR set_ctx and ERROR cannot set DH), and other times there are some weird glitches, like errors saying that I cannot combine auth-secret with classic login, although I only have auth-secret enabled, and a few other minor details. Nothing serious that will prevent Turn from working. In practice, it is working very nicely despite all the small bugs.