Add external-ip support for coturn (#1439)

Handles the case when users are running Coturn with peers in the same network, and these peers connect to the relay server via private IP addresses (e.g., Oracle cloud), which causes relay candidates to be allocated using private IP addresses. This causes issues with external peers who can't reach these private addresses.

Use the provided IP address with NETBIRD_TURN_EXTERNAL_IP or discover the address via https://jsonip.com API.

For the quick-start guide with Zitadel, we only use the discovery method with the external API.
Maycon Santos 2024-01-10 13:03:46 +01:00 committed by GitHub
parent 72a1e97304
commit c61cb00f40
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 53 additions and 2 deletions


@ -87,8 +87,10 @@ jobs:
CI_NETBIRD_SIGNAL_PORT: 12345 CI_NETBIRD_SIGNAL_PORT: 12345
CI_NETBIRD_STORE_CONFIG_ENGINE: "sqlite" CI_NETBIRD_STORE_CONFIG_ENGINE: "sqlite"
CI_NETBIRD_MGMT_IDP_SIGNKEY_REFRESH: false CI_NETBIRD_MGMT_IDP_SIGNKEY_REFRESH: false
CI_NETBIRD_TURN_EXTERNAL_IP: "1.2.3.4"
run: | run: |
set -x
grep AUTH_CLIENT_ID docker-compose.yml | grep $CI_NETBIRD_AUTH_CLIENT_ID grep AUTH_CLIENT_ID docker-compose.yml | grep $CI_NETBIRD_AUTH_CLIENT_ID
grep AUTH_CLIENT_SECRET docker-compose.yml | grep $CI_NETBIRD_AUTH_CLIENT_SECRET grep AUTH_CLIENT_SECRET docker-compose.yml | grep $CI_NETBIRD_AUTH_CLIENT_SECRET
grep AUTH_AUTHORITY docker-compose.yml | grep $CI_NETBIRD_AUTH_AUTHORITY grep AUTH_AUTHORITY docker-compose.yml | grep $CI_NETBIRD_AUTH_AUTHORITY
@ -120,6 +122,7 @@ jobs:
grep -A 10 PKCEAuthorizationFlow management.json | grep -A 10 ProviderConfig | grep TokenEndpoint | grep $CI_NETBIRD_AUTH_TOKEN_ENDPOINT grep -A 10 PKCEAuthorizationFlow management.json | grep -A 10 ProviderConfig | grep TokenEndpoint | grep $CI_NETBIRD_AUTH_TOKEN_ENDPOINT
grep -A 10 PKCEAuthorizationFlow management.json | grep -A 10 ProviderConfig | grep Scope | grep "$CI_NETBIRD_AUTH_SUPPORTED_SCOPES" grep -A 10 PKCEAuthorizationFlow management.json | grep -A 10 ProviderConfig | grep Scope | grep "$CI_NETBIRD_AUTH_SUPPORTED_SCOPES"
grep -A 10 PKCEAuthorizationFlow management.json | grep -A 10 ProviderConfig | grep -A 3 RedirectURLs | grep "http://localhost:53000" grep -A 10 PKCEAuthorizationFlow management.json | grep -A 10 ProviderConfig | grep -A 3 RedirectURLs | grep "http://localhost:53000"
grep "external-ip" turnserver.conf | grep $CI_NETBIRD_TURN_EXTERNAL_IP
- name: Install modules - name: Install modules
run: go mod tidy run: go mod tidy
@ -175,7 +178,10 @@ jobs:
- name: test management.json file gen - name: test management.json file gen
run: test -f management.json run: test -f management.json
- name: test turnserver.conf file gen - name: test turnserver.conf file gen
run: test -f turnserver.conf run: |
set -x
test -f turnserver.conf
grep external-ip turnserver.conf
- name: test zitadel.env file gen - name: test zitadel.env file gen
run: test -f zitadel.env run: test -f zitadel.env
- name: test dashboard.env file gen - name: test dashboard.env file gen
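Review bot: The `set -x` added at the top of this `run:` block traces every expanded command, so the `grep $CI_NETBIRD_AUTH_CLIENT_SECRET` check below it now prints that value into the job log. Whether the `CI_*` values are real credentials or test literals is not visible in this hunk; if any are real, log masking depends on them being registered as secrets, so consider dropping `set -x` or enabling it only around the new `external-ip` check. The new assertion also passes the address unquoted and as a regex, where the dots in `1.2.3.4` match any character; `grep "external-ip" turnserver.conf | grep -F -- "$CI_NETBIRD_TURN_EXTERNAL_IP"` checks the literal value.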


@ -23,6 +23,8 @@ NETBIRD_SIGNAL_PORT=${NETBIRD_SIGNAL_PORT:-10000}
# Turn # Turn
TURN_DOMAIN=${NETBIRD_TURN_DOMAIN:-$NETBIRD_DOMAIN} TURN_DOMAIN=${NETBIRD_TURN_DOMAIN:-$NETBIRD_DOMAIN}
NETBIRD_TURN_EXTERNAL_IP=${NETBIRD_TURN_EXTERNAL_IP}
# Turn credentials # Turn credentials
# User # User
TURN_USER=self TURN_USER=self
@ -120,3 +122,4 @@ export NETBIRD_DASHBOARD_TAG
export NETBIRD_SIGNAL_TAG export NETBIRD_SIGNAL_TAG
export NETBIRD_MANAGEMENT_TAG export NETBIRD_MANAGEMENT_TAG
export COTURN_TAG export COTURN_TAG
export NETBIRD_TURN_EXTERNAL_IP


@ -54,6 +54,29 @@ if [[ "x-$TURN_PASSWORD" == "x-" ]]; then
export TURN_PASSWORD=$(openssl rand -base64 32 | sed 's/=//g') export TURN_PASSWORD=$(openssl rand -base64 32 | sed 's/=//g')
fi fi
TURN_EXTERNAL_IP_CONFIG="#"
if [[ "x-$NETBIRD_TURN_EXTERNAL_IP" == "x-" ]]; then
echo "discovering server's public IP"
IP=$(curl -s -4 https://jsonip.com | jq -r '.ip')
if [[ "x-$IP" != "x-" ]]; then
TURN_EXTERNAL_IP_CONFIG="external-ip=$IP"
else
echo "unable to discover server's public IP"
fi
else
echo "${NETBIRD_TURN_EXTERNAL_IP}"| egrep '([0-9]{1,3}\.){3}[0-9]{1,3}$' > /dev/null
if [[ $? -eq 0 ]]; then
echo "using provided server's public IP"
TURN_EXTERNAL_IP_CONFIG="external-ip=$NETBIRD_TURN_EXTERNAL_IP"
else
echo "provided NETBIRD_TURN_EXTERNAL_IP $NETBIRD_TURN_EXTERNAL_IP is invalid, please correct it and try again"
exit 1
fi
fi
export TURN_EXTERNAL_IP_CONFIG
artifacts_path="./artifacts" artifacts_path="./artifacts"
mkdir -p $artifacts_path mkdir -p $artifacts_path


@ -402,6 +402,15 @@ read_nb_domain() {
echo "$READ_NETBIRD_DOMAIN" echo "$READ_NETBIRD_DOMAIN"
} }
get_turn_external_ip() {
TURN_EXTERNAL_IP_CONFIG="#external-ip="
IP=$(curl -s -4 https://jsonip.com | jq -r '.ip')
if [[ "x-$IP" != "x-" ]]; then
TURN_EXTERNAL_IP_CONFIG="external-ip=$IP"
fi
echo "$TURN_EXTERNAL_IP_CONFIG"
}
initEnvironment() { initEnvironment() {
CADDY_SECURE_DOMAIN="" CADDY_SECURE_DOMAIN=""
ZITADEL_EXTERNALSECURE="false" ZITADEL_EXTERNALSECURE="false"
@ -413,6 +422,7 @@ initEnvironment() {
TURN_PASSWORD=$(openssl rand -base64 32 | sed 's/=//g') TURN_PASSWORD=$(openssl rand -base64 32 | sed 's/=//g')
TURN_MIN_PORT=49152 TURN_MIN_PORT=49152
TURN_MAX_PORT=65535 TURN_MAX_PORT=65535
TURN_EXTERNAL_IP_CONFIG=$(get_turn_external_ip)
if ! check_nb_domain "$NETBIRD_DOMAIN"; then if ! check_nb_domain "$NETBIRD_DOMAIN"; then
NETBIRD_DOMAIN=$(read_nb_domain) NETBIRD_DOMAIN=$(read_nb_domain)
@ -560,6 +570,7 @@ EOF
renderTurnServerConf() { renderTurnServerConf() {
cat <<EOF cat <<EOF
listening-port=3478 listening-port=3478
$TURN_EXTERNAL_IP_CONFIG
tls-listening-port=5349 tls-listening-port=5349
min-port=$TURN_MIN_PORT min-port=$TURN_MIN_PORT
max-port=$TURN_MAX_PORT max-port=$TURN_MAX_PORT
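Review bot: `get_turn_external_ip` gives no indication when discovery fails: it falls back to `#external-ip=` silently, and because the `curl` call has no timeout the quick-start can stall on an unreachable endpoint. Since the function's stdout is captured by `$(get_turn_external_ip)`, a warning has to go to stderr, e.g. `echo "unable to discover server's public IP, external-ip left unset" >&2` in an `else` branch, and `curl -sf -4 --max-time 10 https://jsonip.com` bounds the wait. `IP` and `TURN_EXTERNAL_IP_CONFIG` inside the function would also be better declared `local`.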


@ -15,6 +15,12 @@ NETBIRD_DOMAIN=""
# if not specified it will assume NETBIRD_DOMAIN # if not specified it will assume NETBIRD_DOMAIN
NETBIRD_TURN_DOMAIN="" NETBIRD_TURN_DOMAIN=""
# TURN server public IP address
# required for a connection involving peers in
# the same network as the server and external peers
# usually matches the IP for the domain set in NETBIRD_TURN_DOMAIN
NETBIRD_TURN_EXTERNAL_IP=""
# ------------------------------------------- # -------------------------------------------
# OIDC # OIDC
# e.g., https://example.eu.auth0.com/.well-known/openid-configuration # e.g., https://example.eu.auth0.com/.well-known/openid-configuration
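Review bot: The comment for `NETBIRD_TURN_EXTERNAL_IP` does not say what happens when the value is left empty. The configure script in this commit then asks https://jsonip.com for the server's address and writes the answer into turnserver.conf, which operators of restricted or egress-filtered hosts will want to know before running it. I would add a line such as `# if empty, the address is discovered by querying https://jsonip.com` and state the expected format (a single IPv4 address).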


@ -24,4 +24,5 @@ NETBIRD_IDP_MGMT_CLIENT_ID=$CI_NETBIRD_IDP_MGMT_CLIENT_ID
NETBIRD_IDP_MGMT_CLIENT_SECRET=$CI_NETBIRD_IDP_MGMT_CLIENT_SECRET NETBIRD_IDP_MGMT_CLIENT_SECRET=$CI_NETBIRD_IDP_MGMT_CLIENT_SECRET
NETBIRD_SIGNAL_PORT=12345 NETBIRD_SIGNAL_PORT=12345
NETBIRD_STORE_CONFIG_ENGINE=$CI_NETBIRD_STORE_CONFIG_ENGINE NETBIRD_STORE_CONFIG_ENGINE=$CI_NETBIRD_STORE_CONFIG_ENGINE
NETBIRD_MGMT_IDP_SIGNKEY_REFRESH=$CI_NETBIRD_MGMT_IDP_SIGNKEY_REFRESH NETBIRD_MGMT_IDP_SIGNKEY_REFRESH=$CI_NETBIRD_MGMT_IDP_SIGNKEY_REFRESH
NETBIRD_TURN_EXTERNAL_IP=1.2.3.4


@ -132,6 +132,7 @@ tls-listening-port=5349
#external-ip=60.70.80.91/172.17.19.101 #external-ip=60.70.80.91/172.17.19.101
#external-ip=60.70.80.92/172.17.19.102 #external-ip=60.70.80.92/172.17.19.102
$TURN_EXTERNAL_IP_CONFIG
# Number of the relay threads to handle the established connections # Number of the relay threads to handle the established connections
# (in addition to authentication thread and the listener thread). # (in addition to authentication thread and the listener thread).