<buttonid="sidebar-toggle"class="icon-button"type="button"title="Toggle Table of Contents"aria-label="Toggle Table of Contents"aria-controls="sidebar">
<inputtype="search"id="searchbar"name="searchbar"placeholder="Search this book ..."aria-controls="searchresults-outer"aria-describedby="searchresults-header">
<p>After installation, <code>eturnal</code> usually ships a <ahref="https://github.com/processone/eturnal/blob/master/config/eturnal.yml">default configuration file</a>
here: <code>/etc/eturnal.yml</code> (and, if not found there, there is a backup file here:
<code>/opt/eturnal/etc/eturnal.yml</code>). It uses the (indentation-sensitive!) <ahref="https://en.wikipedia.org/wiki/YAML">YAML</a>
format. The file contains further explanations.</p>
<p>Here are some hints how to configure eturnal on your <ahref="https://github.com/processone/eturnal#configuration">host machine</a>
or when using e.g. <ahref="https://eturnal.net/documentation/code/docker.html">Docker</a>.
You may also further deep dive into the <ahref="https://eturnal.net/documentation/">reference documentation</a>.</p>
<p><code>eturnal</code> runs out of the box with the default configuration. To enable TURN and
to integrate it with your homeserver, some aspects in <code>eturnal</code>'s default configuration file
<p>One way to generate a <code>secret</code> is with <code>pwgen</code>:</p>
<pre><codeclass="language-sh">pwgen -s 64 1
</code></pre>
</li>
<li>
<p>Public IP address</p>
<p>If your TURN server is behind NAT, the NAT gateway must have an external,
publicly-reachable IP address. <code>eturnal</code> tries to autodetect the public IP address,
however, it may also be configured by uncommenting and adjusting this line, so
<code>eturnal</code> advertises that address to connecting clients:</p>
<pre><codeclass="language-yaml">relay_ipv4_addr: "203.0.113.4" # The server's public IPv4 address.
</code></pre>
<p>If your NAT gateway is reachable over both IPv4 and IPv6, you may
configure <code>eturnal</code> to advertise each available address:</p>
<pre><codeclass="language-yaml">relay_ipv4_addr: "203.0.113.4" # The server's public IPv4 address.
relay_ipv6_addr: "2001:db8::4" # The server's public IPv6 address (optional).
</code></pre>
<p>When advertising an external IPv6 address, ensure that the firewall and
network settings of the system running your TURN server are configured to
accept IPv6 traffic, and that the TURN server is listening on the local
IPv6 address that is mapped by NAT to the external IPv6 address.</p>
</li>
<li>
<p>Logging</p>
<p>If <code>eturnal</code> was started by systemd, log files are written into the
<code>/var/log/eturnal</code> directory by default. In order to log to the <ahref="https://www.freedesktop.org/software/systemd/man/systemd-journald.service.html">journal</a>
instead, the <code>log_dir</code> option can be set to <code>stdout</code> in the configuration file.</p>
</li>
<li>
<p>Security considerations</p>
<p>Consider your security settings. TURN lets users request a relay which will
connect to arbitrary IP addresses and ports. The following configuration is
suggested as a minimum starting point, <ahref="https://eturnal.net/documentation/#blacklist">see also the official documentation</a>:</p>
<pre><codeclass="language-yaml">## Reject TURN relaying from/to the following addresses/networks:
blacklist: # This is the default blacklist.
- "127.0.0.0/8" # IPv4 loopback.
- "::1" # IPv6 loopback.
- recommended # Expands to a number of networks recommended to be
# blocked, but includes private networks. Those
# would have to be 'whitelist'ed if eturnal serves
# local clients/peers within such networks.
</code></pre>
<p>To whitelist IP addresses or specific (private) networks, you need to <strong>add</strong> a
whitelist part into the configuration file, e.g.:</p>
<pre><codeclass="language-yaml">whitelist:
- "192.168.0.0/16"
- "203.0.113.113"
- "2001:db8::/64"
</code></pre>
<p>The more specific, the better.</p>
</li>
<li>
<p>TURNS (TURN via TLS/DTLS)</p>
<p>Also consider supporting TLS/DTLS. To do this, adjust the following settings
in the <code>eturnal.yml</code> configuration file (TLS parts should not be commented anymore):</p>
<pre><codeclass="language-yaml">listen:
- ip: "::"
port: 3478
transport: udp
- ip: "::"
port: 3478
transport: tcp
- ip: "::"
port: 5349
transport: tls
## TLS certificate/key files (must be readable by 'eturnal' user!):
tls_crt_file: /etc/eturnal/tls/crt.pem
tls_key_file: /etc/eturnal/tls/key.pem
</code></pre>
<p>In this case, replace the <code>turn:</code> schemes in homeserver's <code>turn_uris</code> settings
with <code>turns:</code>. More is described <ahref="../../usage/configuration/config_documentation.html#turn_uris">here</a>.</p>
<p>We recommend that you only try to set up TLS/DTLS once you have set up a
basic installation and got it working.</p>
<p>NB: If your TLS certificate was provided by Let's Encrypt, TLS/DTLS will
not work with any Matrix client that uses Chromium's WebRTC library. This
currently includes Element Android & iOS; for more details, see their
<p><code>eturnal</code> offers a handy <ahref="https://eturnal.net/documentation/#Operation">operations script</a>
which can be called e.g. to check, whether the service is up, to restart the service,
to query how many active sessions exist, to change logging behaviour and so on.</p>
<p>Hint: If <code>eturnalctl</code> is not part of your <code>$PATH</code>, consider either sym-linking it (e.g. ´ln -s /opt/eturnal/bin/eturnalctl /usr/local/bin/eturnalctl´) or call it from the default <code>eturnal</code> directory directly: e.g. <code>/opt/eturnal/bin/eturnalctl info</code></p>