Which ports should be allowed in firewall to use TURN server?

oividiosCaeremos · Dec 5, 2019 · Viewed 11.6k times

I want to set up a TURN server (coturn) on our company's servers, and I'm not sure which ports should be allowed for outside access. 8443 is a must, using WebRTC. 3478 is a must for credential use. But there are these gazillions of ports which the TURN server uses; do they need to be allowed in the firewall? Or which ports should be allowed to use coturn without problems?

Answer

Fotiou D. · Dec 6, 2019

I think it depends on the transport protocols you want to use and the level of security.

With Coturn (coturn on git):

The default port for sending (or listening to) STUN/TURN requests is 3478.

TURN listener port for UDP and TCP listeners (Default: 3478). Note: actually, TLS & DTLS sessions can connect to the "plain" TCP & UDP port(s), too - if allowed by configuration. For example, the default listening port can be set to 80 or 443, to go around some strict NATs. Remember that ports < 1024 may require superuser privileges to start the turnserver process.

In my project I also used the TLS listening port, but it is probably not necessary:

The default port for sending (or listening to) STUN/TURN over TLS is 5349.

TURN listener port for TLS and DTLS listeners (Default: 5349). Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS port(s), too - if allowed by configuration. For example, the default tls listening port can be set to 443, to go around some strict NATs. Remember that ports < 1024 may require superuser privileges to start the turnserver process. For secure TCP connections, we currently support SSL version 3 and TLS versions 1.0, 1.1, 1.2. For secure UDP connections, we support DTLS version 1.

Also, for finally establishing the p2p connection:

Each client will send the data through UDP to the other endpoint: if it’s sending to a TURN server (to a relay candidate) it will send to a port between 49152-65535 (if it’s sending directly to the other party it will send to any port in the 0-65535 range)

--min-port Lower bound of the UDP port range for relay endpoints allocation. Default value is 49152, according to RFC 5766.

--max-port Upper bound of the UDP port range for relay endpoints allocation. Default value is 65535, according to RFC 5766.
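To tie the answer together, here is an added example (not code from the thread or from the coturn project) that derives the firewall rules from the same settings coturn reads, so the open ports cannot drift away from what the server actually listens on. It parses `listening-port`, `tls-listening-port`, `min-port` and `max-port` from a turnserver.conf (a constructed sample is written inline), falls back to the defaults quoted above (3478, 5349, 49152, 65535), and prints nftables rule lines instead of applying anything. The relay range is opened for UDP only, matching the relay description in the answer; the asker's 8443 is their own WebRTC application port, not a coturn listener, so it is deliberately not included. The nftables syntax and the `CONF` path are assumptions for the demo.

```shell
#!/bin/sh
# Added example: print firewall (nftables) rules that match a turnserver.conf.
# Nothing is applied; review the output, then place it in your input chain.

CONF="${CONF:-$(mktemp)}"
# Constructed sample config for the demo (defaults from the coturn docs).
cat > "$CONF" <<'EOF'
# sample turnserver.conf (constructed)
listening-port=3478
tls-listening-port=5349
min-port=49152
max-port=65535
EOF

# conf_get KEY FILE: numeric value of a "KEY=value" line, last one wins;
# commented-out lines ("#key=...") are ignored because of the ^ anchor.
conf_get() {
  sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p" "$2" | tail -n 1
}

# coturn_rules FILE: emit one rule per listener family plus the relay range.
# Returns 1 (and prints nothing) if the relay range is inverted or invalid,
# so a typo in the config never opens an unintended span.
coturn_rules() {
  f="$1"
  lp=$(conf_get listening-port "$f");     lp=${lp:-3478}
  tp=$(conf_get tls-listening-port "$f"); tp=${tp:-5349}
  lo=$(conf_get min-port "$f");           lo=${lo:-49152}
  hi=$(conf_get max-port "$f");           hi=${hi:-65535}
  [ "$lo" -ge 1 ] && [ "$lo" -le "$hi" ] && [ "$hi" -le 65535 ] || return 1
  printf 'tcp dport { %s, %s } accept\n' "$lp" "$tp"   # STUN/TURN and TLS listeners
  printf 'udp dport { %s, %s } accept\n' "$lp" "$tp"   # same listeners over UDP/DTLS
  printf 'udp dport %s-%s accept\n' "$lo" "$hi"        # relay allocation range
}

coturn_rules "$CONF"
```

If you change `min-port`/`max-port` in turnserver.conf to shrink the relay range, rerun the script and replace the rules; a range in the firewall that is narrower than the one in the config produces allocations that silently never receive traffic, while a wider one opens ports coturn never binds.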