Tweaking coturn service, removing TCP and fixing TLS (enforcing >TLS1.2)

matrix/config/turnserver.conf

@@ -746,6 +746,5 @@ syslog
 
 # Do not allow an TLS/DTLS version of protocol
 #
-#no-tlsv1
-#no-tlsv1_1
-#no-tlsv1_2
+no-tlsv1
+no-tlsv1_1

matrix/coturn.service

@@ -0,0 +1,16 @@
+[Unit]
+Description=coTURN STUN/TURN Server
+Documentation=man:coturn(1) man:turnadmin(1) man:turnserver(1)
+After=network.target
+
+[Service]
+User=root
+Group=root
+Type=notify
+ExecStart=/usr/bin/turnserver -c /etc/turnserver.conf --pidfile=
+Restart=on-failure
+InaccessibleDirectories=/home
+PrivateTmp=yes
+
+[Install]
+WantedBy=multi-user.target

matrix/install.sh

@@ -32,8 +32,8 @@ ufw allow 443/tcp
 ufw allow 8448/tcp
 
 # Coturn Ports
-ufw allow 3478/tcp
-ufw allow 5443/tcp
+ufw allow 3478/udp
+ufw allow 5443/udp
 ufw allow 49152:65535/udp
 
 # Enable firewall
@@ -54,6 +54,10 @@ sed -i "s|TURN_PWD|${TURN_PWD}|g" /etc/turnserver.conf
 sed -i "s|EXTERNAL_IP|${EXTERNAL_IP}|g" /etc/turnserver.conf
 sed -i "s|STATIC_SECRET|${TURN_STATIC_SECRET}|g" /etc/turnserver.conf
 
+# Custom coturn SystemD service file to allow coturn access to Letsencrypt SSL certs
+cp "${BASE_DIR}/coturn.service" /lib/systemd/system/coturn.service
+systemctl daemon-reload
+
 # Add Docker's official GPG key
 echo -e "Install docker\n"