Which ports should be allowed in firewall to use TURN server?

webrtc turn coturn
oividiosCaeremos picture oividiosCaeremos · Dec 5, 2019 · Viewed 11.6k times · Source

I want to set up a turn server (coturn) on our company's servers. And I'm not sure which ports should be allowed by outside access. 8443 is a must, using WebRTC. 3478 is a must for credential use. But there's these gazillions of ports which TURN server uses, do they need to be allowed in firewall?Or which ports should be allowed to use CoTURN without problem?

Answer

Fotiou D. picture Fotiou D. · Dec 6, 2019

I think it depends on the transport protocols you want to use and the level of security.

With Coturn coturn(git):

The default port for sending (or listening to) STUN/TURN requests is 3478.

TURN listener port for UDP and TCP listeners (Default: 3478). Note: actually, TLS & DTLS sessions can connect to the "plain" TCP & UDP port(s), too - if allowed by configuration. For example, the default listening port can be set to 80 or 443, to go around some strict NATs. Remember that ports < 1024 may require superuser privileges to start the turnserver process.

In my project I used also tls listening port but probably it is not necessary:

The default port for sending (or listening to) STUN/TURN over TLS is 5349.

TURN listener port for TLS and DTLS listeners (Default: 5349). Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS port(s), too - if allowed by configuration. For example, the default tls listening port can be set to 443, to go around some strict NATs. Remember that ports < 1024 may require superuser privileges to start the turnserver process. For secure TCP connections, we currently support SSL version 3 and TLS versions 1.0, 1.1, 1.2. For secure UDP connections, we support DTLS version 1.

Also, for establishing at last p2p connection :

Each client will send the data through UDP to the other endpoint: if it’s sending to a TURN server (to a relay candidate) it will send to a port between 49152-65535 (if it’s sending directly to the other party it will send to any port in the 0-65535 range)

--min-port Lower bound of the UDP port range for relay endpoints allocation. Default value is 49152, according to RFC 5766.

--max-port Upper bound of the UDP port range for relay endpoints allocation. Default value is 65535, according to RFC 5766.

Related questions

CoTURN: How to use TURN REST API?

I have build coturn and run it successfully. ip:192.168.1.111. Now the question I faced is to get the Turn credential through REST API. http://tools.ietf.org/html/draft-uberti-behave-turn-rest-00 According to the passage the request format should be GET /?service=…

Read More
STUN/TURN server connectivity test

I am trying to figure out how to test whether a STUN/TURN server is alive and properly responding to connections. Ideally this test would be performed from an external machine, just in case the STUN/TURN machine is down …

Read More
Implementing our own STUN/TURN server for WebRTC Application

I am working on a webrtc application and have to implement following TURN server. https://code.google.com/p/rfc5766-turn-server/ I am following this tutorial. http://www.dialogic.com/den/developer_forums/f/71/t/10238.aspx and it says to …

Read More