Add external-ip support for coturn (#1439)
Handles the case when users are running Coturn with peers in the same network, and these peers connect to the relay server via private IP addresses (e.g., Oracle cloud), which causes relay candidates to be allocated using private IP addresses. This causes issues with external peers who can't reach these private addresses. Use the IP address provided with NETBIRD_TURN_EXTERNAL_IP, or discover the address via the https://jsonip.com API. For the quick-start guide with Zitadel, we only use the discovery method with the external API.
This commit is contained in:
parent
72a1e97304
commit
c61cb00f40
@ -87,8 +87,10 @@ jobs:
|
|||||||
CI_NETBIRD_SIGNAL_PORT: 12345
|
CI_NETBIRD_SIGNAL_PORT: 12345
|
||||||
CI_NETBIRD_STORE_CONFIG_ENGINE: "sqlite"
|
CI_NETBIRD_STORE_CONFIG_ENGINE: "sqlite"
|
||||||
CI_NETBIRD_MGMT_IDP_SIGNKEY_REFRESH: false
|
CI_NETBIRD_MGMT_IDP_SIGNKEY_REFRESH: false
|
||||||
|
CI_NETBIRD_TURN_EXTERNAL_IP: "1.2.3.4"
|
||||||
|
|
||||||
run: |
|
run: |
|
||||||
|
set -x
|
||||||
grep AUTH_CLIENT_ID docker-compose.yml | grep $CI_NETBIRD_AUTH_CLIENT_ID
|
grep AUTH_CLIENT_ID docker-compose.yml | grep $CI_NETBIRD_AUTH_CLIENT_ID
|
||||||
grep AUTH_CLIENT_SECRET docker-compose.yml | grep $CI_NETBIRD_AUTH_CLIENT_SECRET
|
grep AUTH_CLIENT_SECRET docker-compose.yml | grep $CI_NETBIRD_AUTH_CLIENT_SECRET
|
||||||
grep AUTH_AUTHORITY docker-compose.yml | grep $CI_NETBIRD_AUTH_AUTHORITY
|
grep AUTH_AUTHORITY docker-compose.yml | grep $CI_NETBIRD_AUTH_AUTHORITY
|
||||||
@ -120,6 +122,7 @@ jobs:
|
|||||||
grep -A 10 PKCEAuthorizationFlow management.json | grep -A 10 ProviderConfig | grep TokenEndpoint | grep $CI_NETBIRD_AUTH_TOKEN_ENDPOINT
|
grep -A 10 PKCEAuthorizationFlow management.json | grep -A 10 ProviderConfig | grep TokenEndpoint | grep $CI_NETBIRD_AUTH_TOKEN_ENDPOINT
|
||||||
grep -A 10 PKCEAuthorizationFlow management.json | grep -A 10 ProviderConfig | grep Scope | grep "$CI_NETBIRD_AUTH_SUPPORTED_SCOPES"
|
grep -A 10 PKCEAuthorizationFlow management.json | grep -A 10 ProviderConfig | grep Scope | grep "$CI_NETBIRD_AUTH_SUPPORTED_SCOPES"
|
||||||
grep -A 10 PKCEAuthorizationFlow management.json | grep -A 10 ProviderConfig | grep -A 3 RedirectURLs | grep "http://localhost:53000"
|
grep -A 10 PKCEAuthorizationFlow management.json | grep -A 10 ProviderConfig | grep -A 3 RedirectURLs | grep "http://localhost:53000"
|
||||||
|
grep "external-ip" turnserver.conf | grep $CI_NETBIRD_TURN_EXTERNAL_IP
|
||||||
|
|
||||||
- name: Install modules
|
- name: Install modules
|
||||||
run: go mod tidy
|
run: go mod tidy
|
||||||
@ -175,7 +178,10 @@ jobs:
|
|||||||
- name: test management.json file gen
|
- name: test management.json file gen
|
||||||
run: test -f management.json
|
run: test -f management.json
|
||||||
- name: test turnserver.conf file gen
|
- name: test turnserver.conf file gen
|
||||||
run: test -f turnserver.conf
|
run: |
|
||||||
|
set -x
|
||||||
|
test -f turnserver.conf
|
||||||
|
grep external-ip turnserver.conf
|
||||||
- name: test zitadel.env file gen
|
- name: test zitadel.env file gen
|
||||||
run: test -f zitadel.env
|
run: test -f zitadel.env
|
||||||
- name: test dashboard.env file gen
|
- name: test dashboard.env file gen
|
||||||
|
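Review bot: The new `grep external-ip turnserver.conf` assertion in the third hunk (the "test turnserver.conf file gen" step) cannot fail, because the Zitadel script's `get_turn_external_ip` falls back to the literal `#external-ip=` when discovery returns nothing, and that fallback also matches the pattern; anchoring it as `grep -E '^external-ip=' turnserver.conf` makes the step actually verify that an address was rendered. In the first hunk, `grep "external-ip" turnserver.conf | grep $CI_NETBIRD_TURN_EXTERNAL_IP` passes the value unquoted and as a regex, so the dots match any character; `grep -F -- "$CI_NETBIRD_TURN_EXTERNAL_IP"` checks the exact string. Note that `set -x` is enabled in these steps, so every value grepped for is echoed into the CI log; the TURN IP is harmless, but the same pattern is used for the client secret in the surrounding lines.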
@ -23,6 +23,8 @@ NETBIRD_SIGNAL_PORT=${NETBIRD_SIGNAL_PORT:-10000}
|
|||||||
# Turn
|
# Turn
|
||||||
TURN_DOMAIN=${NETBIRD_TURN_DOMAIN:-$NETBIRD_DOMAIN}
|
TURN_DOMAIN=${NETBIRD_TURN_DOMAIN:-$NETBIRD_DOMAIN}
|
||||||
|
|
||||||
|
NETBIRD_TURN_EXTERNAL_IP=${NETBIRD_TURN_EXTERNAL_IP}
|
||||||
|
|
||||||
# Turn credentials
|
# Turn credentials
|
||||||
# User
|
# User
|
||||||
TURN_USER=self
|
TURN_USER=self
|
||||||
@ -120,3 +122,4 @@ export NETBIRD_DASHBOARD_TAG
|
|||||||
export NETBIRD_SIGNAL_TAG
|
export NETBIRD_SIGNAL_TAG
|
||||||
export NETBIRD_MANAGEMENT_TAG
|
export NETBIRD_MANAGEMENT_TAG
|
||||||
export COTURN_TAG
|
export COTURN_TAG
|
||||||
|
export NETBIRD_TURN_EXTERNAL_IP
|
||||||
|
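Review bot: `NETBIRD_TURN_EXTERNAL_IP=${NETBIRD_TURN_EXTERNAL_IP}` in the first hunk assigns the variable to itself, which adds nothing beyond the `export` in the second hunk and, if this file is ever sourced under `set -u`, errors when the variable is unset. Writing it as `NETBIRD_TURN_EXTERNAL_IP=${NETBIRD_TURN_EXTERNAL_IP:-}` makes the "optional, default empty" intent explicit and is safe under `set -u`. A short comment above it, `# optional; when empty, configure.sh discovers the public IP via jsonip.com`, would tell readers why an empty value is acceptable here but not for the other TURN settings.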
@ -54,6 +54,29 @@ if [[ "x-$TURN_PASSWORD" == "x-" ]]; then
|
|||||||
export TURN_PASSWORD=$(openssl rand -base64 32 | sed 's/=//g')
|
export TURN_PASSWORD=$(openssl rand -base64 32 | sed 's/=//g')
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
TURN_EXTERNAL_IP_CONFIG="#"
|
||||||
|
|
||||||
|
if [[ "x-$NETBIRD_TURN_EXTERNAL_IP" == "x-" ]]; then
|
||||||
|
echo "discovering server's public IP"
|
||||||
|
IP=$(curl -s -4 https://jsonip.com | jq -r '.ip')
|
||||||
|
if [[ "x-$IP" != "x-" ]]; then
|
||||||
|
TURN_EXTERNAL_IP_CONFIG="external-ip=$IP"
|
||||||
|
else
|
||||||
|
echo "unable to discover server's public IP"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
echo "${NETBIRD_TURN_EXTERNAL_IP}"| egrep '([0-9]{1,3}\.){3}[0-9]{1,3}$' > /dev/null
|
||||||
|
if [[ $? -eq 0 ]]; then
|
||||||
|
echo "using provided server's public IP"
|
||||||
|
TURN_EXTERNAL_IP_CONFIG="external-ip=$NETBIRD_TURN_EXTERNAL_IP"
|
||||||
|
else
|
||||||
|
echo "provided NETBIRD_TURN_EXTERNAL_IP $NETBIRD_TURN_EXTERNAL_IP is invalid, please correct it and try again"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
export TURN_EXTERNAL_IP_CONFIG
|
||||||
|
|
||||||
artifacts_path="./artifacts"
|
artifacts_path="./artifacts"
|
||||||
mkdir -p $artifacts_path
|
mkdir -p $artifacts_path
|
||||||
|
|
||||||
|
@ -402,6 +402,15 @@ read_nb_domain() {
|
|||||||
echo "$READ_NETBIRD_DOMAIN"
|
echo "$READ_NETBIRD_DOMAIN"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
get_turn_external_ip() {
|
||||||
|
TURN_EXTERNAL_IP_CONFIG="#external-ip="
|
||||||
|
IP=$(curl -s -4 https://jsonip.com | jq -r '.ip')
|
||||||
|
if [[ "x-$IP" != "x-" ]]; then
|
||||||
|
TURN_EXTERNAL_IP_CONFIG="external-ip=$IP"
|
||||||
|
fi
|
||||||
|
echo "$TURN_EXTERNAL_IP_CONFIG"
|
||||||
|
}
|
||||||
|
|
||||||
initEnvironment() {
|
initEnvironment() {
|
||||||
CADDY_SECURE_DOMAIN=""
|
CADDY_SECURE_DOMAIN=""
|
||||||
ZITADEL_EXTERNALSECURE="false"
|
ZITADEL_EXTERNALSECURE="false"
|
||||||
@ -413,6 +422,7 @@ initEnvironment() {
|
|||||||
TURN_PASSWORD=$(openssl rand -base64 32 | sed 's/=//g')
|
TURN_PASSWORD=$(openssl rand -base64 32 | sed 's/=//g')
|
||||||
TURN_MIN_PORT=49152
|
TURN_MIN_PORT=49152
|
||||||
TURN_MAX_PORT=65535
|
TURN_MAX_PORT=65535
|
||||||
|
TURN_EXTERNAL_IP_CONFIG=$(get_turn_external_ip)
|
||||||
|
|
||||||
if ! check_nb_domain "$NETBIRD_DOMAIN"; then
|
if ! check_nb_domain "$NETBIRD_DOMAIN"; then
|
||||||
NETBIRD_DOMAIN=$(read_nb_domain)
|
NETBIRD_DOMAIN=$(read_nb_domain)
|
||||||
@ -560,6 +570,7 @@ EOF
|
|||||||
renderTurnServerConf() {
|
renderTurnServerConf() {
|
||||||
cat <<EOF
|
cat <<EOF
|
||||||
listening-port=3478
|
listening-port=3478
|
||||||
|
$TURN_EXTERNAL_IP_CONFIG
|
||||||
tls-listening-port=5349
|
tls-listening-port=5349
|
||||||
min-port=$TURN_MIN_PORT
|
min-port=$TURN_MIN_PORT
|
||||||
max-port=$TURN_MAX_PORT
|
max-port=$TURN_MAX_PORT
|
||||||
|
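Review bot: `get_turn_external_ip` in the first hunk accepts whatever `jq -r '.ip'` prints as long as it is non-empty, so a missing key yields `external-ip=null` in the rendered config, and `IP` and `TURN_EXTERNAL_IP_CONFIG` are assigned without `local`, leaking into the caller's scope (harmless today only because `initEnvironment` overwrites the latter on the next line). Using `local ip; ip=$(curl -sf -4 --max-time 10 https://jsonip.com | jq -r '.ip // empty')` and testing it with `if [[ "$ip" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]; then` keeps garbage out of turnserver.conf and bounds the wait when the API is unreachable. The function also deserves a header comment, e.g. `# Prints an external-ip= line for the relay's public IPv4, or the commented placeholder "#external-ip=" when discovery fails`, since the placeholder value is what downstream checks see on failure.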
@ -15,6 +15,12 @@ NETBIRD_DOMAIN=""
|
|||||||
# if not specified it will assume NETBIRD_DOMAIN
|
# if not specified it will assume NETBIRD_DOMAIN
|
||||||
NETBIRD_TURN_DOMAIN=""
|
NETBIRD_TURN_DOMAIN=""
|
||||||
|
|
||||||
|
# TURN server public IP address
|
||||||
|
# required for a connection involving peers in
|
||||||
|
# the same network as the server and external peers
|
||||||
|
# usually matches the IP for the domain set in NETBIRD_TURN_DOMAIN
|
||||||
|
NETBIRD_TURN_EXTERNAL_IP=""
|
||||||
|
|
||||||
# -------------------------------------------
|
# -------------------------------------------
|
||||||
# OIDC
|
# OIDC
|
||||||
# e.g., https://example.eu.auth0.com/.well-known/openid-configuration
|
# e.g., https://example.eu.auth0.com/.well-known/openid-configuration
|
||||||
|
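Review bot: The new comment block describes NETBIRD_TURN_EXTERNAL_IP as "required" but the template leaves it empty, and the commit's configure.sh (which appears to consume this file, judging by the matching variable names) auto-discovers the address when it is blank; the comment should say so, e.g. `# leave empty to discover it automatically via https://jsonip.com (needs outbound HTTPS from this host)`. It should also state the accepted format, since configure.sh rejects anything that is not a single dotted-quad IPv4, e.g. `# a single IPv4 address, e.g. 203.0.113.10 (example value)`; the `public/private` pair syntax shown as commented examples in turnserver.conf.tmpl is not accepted here.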
@ -25,3 +25,4 @@ NETBIRD_IDP_MGMT_CLIENT_SECRET=$CI_NETBIRD_IDP_MGMT_CLIENT_SECRET
|
|||||||
NETBIRD_SIGNAL_PORT=12345
|
NETBIRD_SIGNAL_PORT=12345
|
||||||
NETBIRD_STORE_CONFIG_ENGINE=$CI_NETBIRD_STORE_CONFIG_ENGINE
|
NETBIRD_STORE_CONFIG_ENGINE=$CI_NETBIRD_STORE_CONFIG_ENGINE
|
||||||
NETBIRD_MGMT_IDP_SIGNKEY_REFRESH=$CI_NETBIRD_MGMT_IDP_SIGNKEY_REFRESH
|
NETBIRD_MGMT_IDP_SIGNKEY_REFRESH=$CI_NETBIRD_MGMT_IDP_SIGNKEY_REFRESH
|
||||||
|
NETBIRD_TURN_EXTERNAL_IP=1.2.3.4
|
@ -132,6 +132,7 @@ tls-listening-port=5349
|
|||||||
#external-ip=60.70.80.91/172.17.19.101
|
#external-ip=60.70.80.91/172.17.19.101
|
||||||
#external-ip=60.70.80.92/172.17.19.102
|
#external-ip=60.70.80.92/172.17.19.102
|
||||||
|
|
||||||
|
$TURN_EXTERNAL_IP_CONFIG
|
||||||
|
|
||||||
# Number of the relay threads to handle the established connections
|
# Number of the relay threads to handle the established connections
|
||||||
# (in addition to authentication thread and the listener thread).
|
# (in addition to authentication thread and the listener thread).
|
||||||
|
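Review bot: The bare `$TURN_EXTERNAL_IP_CONFIG` placeholder gives a reader of the template no hint of what ends up there; configure.sh substitutes either `external-ip=<address>` or a lone `#` when no address is known, while the Zitadel script emits `#external-ip=` for the same case, so the two renderings differ. A comment directly above it, `# rendered by configure.sh: external-ip=<public IPv4>, or a commented-out line when no address was provided or discovered`, would document the contract, and the two scripts could agree on one fallback string. Since the examples just above show coturn's `public/private` form, it is worth noting in the same comment that the generated line only ever carries a single public IPv4.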