diff --git a/src/freedombone b/src/freedombone index 414477e7..3fb8100a 100755 --- a/src/freedombone +++ b/src/freedombone @@ -381,6 +381,9 @@ VOIP_SERVER_PASSWORD= VOIP_PORT=64738 SIP_SERVER_PASSWORD= SIP_PORT=5060 +VOIP_TURN_PORT=3478 +VOIP_TURN_TLS_PORT=5349 +VOIP_TURN_NONCE= # Location of VoIP database and configuration VOIP_DATABASE="mumble-server.sqlite" @@ -1065,6 +1068,15 @@ function read_configuration { # Ensure that a copy of the config exists for upgrade purposes if [[ $CONFIGURATION_FILE != "/root/${PROJECT_NAME}.cfg" ]]; then cp $CONFIGURATION_FILE /root/${PROJECT_NAME}.cfg + fi + if grep -q "VOIP_TURN_PORT" $CONFIGURATION_FILE; then + VOIP_TURN_PORT=$(grep "VOIP_TURN_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "VOIP_TURN_TLS_PORT" $CONFIGURATION_FILE; then + VOIP_TURN_TLS_PORT=$(grep "VOIP_TURN_TLS_PORT" $CONFIGURATION_FILE | awk -F '=' '{print $2}') + fi + if grep -q "VOIP_TURN_NONCE" $CONFIGURATION_FILE; then + VOIP_TURN_NONCE=$(grep "VOIP_TURN_NONCE" $CONFIGURATION_FILE | awk -F '=' '{print $2}') fi if grep -q "DEFAULT_SEARCH" $CONFIGURATION_FILE; then DEFAULT_SEARCH=$(grep "DEFAULT_SEARCH" $CONFIGURATION_FILE | awk -F '=' '{print $2}') 
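Review bot: The three new `grep "VOIP_TURN_..." $CONFIGURATION_FILE` lookups in read_configuration are unanchored substring matches, so a commented-out or similarly named line is also picked up, and with more than one match the variable becomes multi-line and is later passed unquoted to `iptables --dport`. This mirrors the existing DEFAULT_SEARCH pattern, but anchoring is cheap: `VOIP_TURN_PORT=$(grep "^VOIP_TURN_PORT=" "$CONFIGURATION_FILE" | awk -F '=' '{print $2}')`, and likewise for the TLS port and the nonce. I also cannot see in this diff where a freshly generated VOIP_TURN_NONCE is written back to the configuration file; if it is not, the value read here stays empty on later runs. read_configuration starts and ends outside the hunk.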
@@ -4002,6 +4014,24 @@ function configure_firewall_for_voip { echo 'configure_firewall_for_voip' >> $COMPLETION_FILE } +function configure_firewall_for_voip_turn { + if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then + return + fi + if grep -Fxq "configure_firewall_for_voip_turn" $COMPLETION_FILE; then + return + fi + if [[ $ONION_ONLY != "no" ]]; then + return + fi + iptables -A INPUT -p udp --dport $VOIP_TURN_PORT -j ACCEPT + iptables -A INPUT -p tcp --dport $VOIP_TURN_PORT -j ACCEPT + iptables -A INPUT -p tcp --dport $VOIP_TURN_TLS_PORT -j ACCEPT + save_firewall_settings + echo 'configure_firewall_for_voip_turn' >> $COMPLETION_FILE +} + + function configure_firewall_for_sip { if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then return 
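Review bot: configure_firewall_for_voip_turn opens only the control ports (`$VOIP_TURN_PORT` udp/tcp and `$VOIP_TURN_TLS_PORT` tcp), but the turnserver.conf written by install_sip_turn in the later hunk allocates relay ports between min_port 49152 and max_port 65535, and peers must reach those relayed addresses from outside, so relaying will be blocked unless that range is also allowed, e.g. `iptables -A INPUT -p udp --dport 49152:65535 -j ACCEPT`. Because that is a wide exposure, it would be better to narrow min_port/max_port in the config and keep the firewall rule in step with them through shared variables rather than repeated literals. The install_final message in the later hunk is reindented but not extended with the new TURN ports, so operators are never told to forward 3478/5349 on their router. The function body is complete within the hunk.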
@@ -10347,6 +10377,144 @@ function install_sip { echo 'install_sip' >> $COMPLETION_FILE } +function install_sip_turn { + if [[ $SYSTEM_TYPE == "$VARIANT_WRITER" || $SYSTEM_TYPE == "$VARIANT_MAILBOX" || $SYSTEM_TYPE == "$VARIANT_CLOUD" || $SYSTEM_TYPE == "$VARIANT_SOCIAL" || $SYSTEM_TYPE == "$VARIANT_MEDIA" || $SYSTEM_TYPE == "$VARIANT_DEVELOPER" ]]; then + return + fi + if grep -Fxq "install_sip_turn" $COMPLETION_FILE; then + return + fi + + apt-get -y install turnserver + + if [ ! $VOIP_TURN_NONCE ]; then + VOIP_TURN_NONCE="$(openssl rand -base64 32 | cut -c1-30)" + fi + + echo '##' > /etc/turnserver/turnserver.conf + echo '# TurnServer configuration file.' >> /etc/turnserver/turnserver.conf + echo '#' >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## Public IPv4 address of any relayed address (if not set, no relay for IPv4).' >> /etc/turnserver/turnserver.conf + echo '## To have multiple address, separate addresses with a comma' >> /etc/turnserver/turnserver.conf + echo '## (i.e. listen_address = { "172.16.0.1", "172.17.0.1" }).' >> /etc/turnserver/turnserver.conf + echo "listen_address = { \"192.168.0.1\" }" >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## Public IPv6 address of any relayed address (if not set, no relay for IPv6).' >> /etc/turnserver/turnserver.conf + echo '## To have multiple address, separate address with a comma' >> /etc/turnserver/turnserver.conf + echo '## (i.e. listen_addressv6 = { "2001:db8:1::1", "2001:db8:2::1" }).' >> /etc/turnserver/turnserver.conf + echo "#listen_addressv6 = { \"2001:db8::1\" }" >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## UDP listening port.' >> /etc/turnserver/turnserver.conf + echo "udp_port = $VOIP_TURN_PORT" >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## TCP listening port.' 
>> /etc/turnserver/turnserver.conf + echo "tcp_port = $VOIP_TURN_PORT" >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## TLS listening port.' >> /etc/turnserver/turnserver.conf + echo "tls_port = $VOIP_TURN_TLS_PORT" >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## TLS support.' >> /etc/turnserver/turnserver.conf + echo 'tls = true' >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## DTLS support. It is an experimental feature and is not defined in TURN' >> /etc/turnserver/turnserver.conf + echo '## standard.' >> /etc/turnserver/turnserver.conf + echo 'dtls = false' >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## Maximum allocation port number.' >> /etc/turnserver/turnserver.conf + echo 'max_port = 65535' >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## Minimum allocation port number.' >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo 'min_port = 49152' >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## TURN-TCP support.' >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo 'turn_tcp = true' >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## TURN-TCP buffering mode:' >> /etc/turnserver/turnserver.conf + echo '## - true, use userspace buffering;' >> /etc/turnserver/turnserver.conf + echo '## - false, use kernel buffering.' >> /etc/turnserver/turnserver.conf + echo 'tcp_buffer_userspace = true' >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## TURN-TCP maximum buffer size.' >> /etc/turnserver/turnserver.conf + echo 'tcp_buffer_size = 32768' >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## Daemon mode.' 
>> /etc/turnserver/turnserver.conf + echo 'daemon = true' >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## Unprivileged user.' >> /etc/turnserver/turnserver.conf + echo '## If you want to use this feature create a system user.' >> /etc/turnserver/turnserver.conf + echo '## On Linux: adduser --system --group turnserver' >> /etc/turnserver/turnserver.conf + echo 'unpriv_user = turnserver' >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## Realm value.' >> /etc/turnserver/turnserver.conf + echo "realm = \"$DEFAULT_DOMAIN_NAME\"" >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## Nonce key.' >> /etc/turnserver/turnserver.conf + echo "nonce_key = \"$VOIP_TURN_NONCE\"" >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## Max relay per username.' >> /etc/turnserver/turnserver.conf + echo 'max_relay_per_username = 5' >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## Allocation lifetime.' >> /etc/turnserver/turnserver.conf + echo 'allocation_lifetime = 1800' >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## Allocation bandwidth limitation (in KBytes/s).' >> /etc/turnserver/turnserver.conf + echo '## 0 value means bandwidth quota disabled.' >> /etc/turnserver/turnserver.conf + echo 'bandwidth_per_allocation = 150' >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## Restricted user bandwidth (in KBytes/s).' >> /etc/turnserver/turnserver.conf + echo '## 0 value means bandwidth limitation disabled.' >> /etc/turnserver/turnserver.conf + echo 'restricted_bandwidth = 10' >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## Denied addresses.' 
>> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '# disallow relaying to localhost' >> /etc/turnserver/turnserver.conf + echo 'denied_address {' >> /etc/turnserver/turnserver.conf + echo ' address = "127.0.0.1"' >> /etc/turnserver/turnserver.conf + echo ' mask = "8"' >> /etc/turnserver/turnserver.conf + echo ' port = 0' >> /etc/turnserver/turnserver.conf + echo '}' >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '# disallow relaying to ip6-localhost' >> /etc/turnserver/turnserver.conf + echo 'denied_address {' >> /etc/turnserver/turnserver.conf + echo ' address = "::1"' >> /etc/turnserver/turnserver.conf + echo ' mask = "128"' >> /etc/turnserver/turnserver.conf + echo ' port = 0' >> /etc/turnserver/turnserver.conf + echo '}' >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## Certification Authority file.' >> /etc/turnserver/turnserver.conf + echo "ca_file = \"/etc/ssl/certs/ca-certificates.crt\"" >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## Server certificate file.' >> /etc/turnserver/turnserver.conf + if [ -f /etc/ssl/certs/$DEFAULT_DOMAIN_NAME.pem ]; then + echo "cert_file = \"/etc/ssl/certs/$DEFAULT_DOMAIN_NAME.pem\"" >> /etc/turnserver/turnserver.conf + else + if [ -f /etc/ssl/certs/$DEFAULT_DOMAIN_NAME.crt ]; then + echo "cert_file = \"/etc/ssl/certs/$DEFAULT_DOMAIN_NAME.crt\"" >> /etc/turnserver/turnserver.conf + else + + fi + fi + echo '' >> /etc/turnserver/turnserver.conf + echo '## Private key file.' >> /etc/turnserver/turnserver.conf + echo "private_key_file = \"/etc/ssl/certs/$DEFAULT_DOMAIN_NAME.key\"" >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## Account method.' 
>> /etc/turnserver/turnserver.conf + echo "account_method = \"file\"" >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## Account file (if account_method = file).' >> /etc/turnserver/turnserver.conf + echo "account_file = \"/etc/turnserver/turnusers.txt\"" >> /etc/turnserver/turnserver.conf + echo '' >> /etc/turnserver/turnserver.conf + echo '## mod_tmpuser.' >> /etc/turnserver/turnserver.conf + echo 'mod_tmpuser = false' >> /etc/turnserver/turnserver.conf + + systemctl restart turnserver + + echo 'install_sip_turn' >> $COMPLETION_FILE +} + function install_final { if grep -Fxq "install_final" $COMPLETION_FILE; then return @@ -10361,29 +10529,29 @@ function install_final { clear echo '' echo $" - *** ${PROJECT_NAME} installation is complete. Rebooting... *** + *** ${PROJECT_NAME} installation is complete. Rebooting... *** Now forward these ports from your internet router - HTTP 80 - HTTPS 443 - SSH 2222 - DLNA 1900 - DLNA 8200 - XMPP 5222-5223 - XMPP 5269 - XMPP 5280-5281 - IRC 6697 - Git 9418 - Email 25 - Email 587 - Email 465 - Email 993 - VoIP 64738 - VoIP 5060 - Tox 33445 - IPFS 4001 -" + HTTP 80 + HTTPS 443 + SSH 2222 + DLNA 1900 + DLNA 8200 + XMPP 5222-5223 + XMPP 5269 + XMPP 5280-5281 + IRC 6697 + Git 9418 + Email 25 + Email 587 + Email 465 + Email 993 + VoIP 64738 + VoIP 5060 + Tox 33445 + IPFS 4001 + " if [ -f "/home/$MY_USERNAME/README" ]; then echo $"See /home/$MY_USERNAME/README for post-installation instructions." echo '' @@ -10412,6 +10580,7 @@ configure_firewall_for_dns configure_firewall_for_ftp configure_firewall_for_web_access configure_firewall_for_voip +configure_firewall_for_voip_turn configure_firewall_for_sip configure_firewall_for_avahi configure_firewall_for_zeronet @@ -10501,6 +10670,7 @@ install_voip install_sip update_sipwitch_daemon install_wiki +install_sip_turn install_blog mark_blog_domain install_gnu_social
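Review bot: The certificate fallback in install_sip_turn has an `else` branch with no commands (`+ else`, `+`, `+ fi`), which bash rejects as a syntax error, so the whole src/freedombone script will stop parsing once this is merged. Replacing the nested `if` with `elif` and giving the final branch a real action fixes the parse and also covers the case the current code silently ignores: `tls = true` is written unconditionally, yet no `cert_file` is emitted when neither the .pem nor the .crt exists. Two smaller points in the same function: `listen_address = { "192.168.0.1" }` is a hard-coded placeholder rather than an address this host actually owns, and `if [ ! $VOIP_TURN_NONCE ]` is an unquoted test that should read `if [ -z "$VOIP_TURN_NONCE" ]`. The `private_key_file` path under /etc/ssl/certs/ is also worth verifying against where the .key is actually generated, since private keys are conventionally kept under /etc/ssl/private/. The function is complete within the hunk; install_final, which follows it, starts inside the hunk and continues beyond it.
```shell
    echo '## Server certificate file.' >> /etc/turnserver/turnserver.conf
    if [ -f "/etc/ssl/certs/$DEFAULT_DOMAIN_NAME.pem" ]; then
        echo "cert_file = \"/etc/ssl/certs/$DEFAULT_DOMAIN_NAME.pem\"" >> /etc/turnserver/turnserver.conf
    elif [ -f "/etc/ssl/certs/$DEFAULT_DOMAIN_NAME.crt" ]; then
        echo "cert_file = \"/etc/ssl/certs/$DEFAULT_DOMAIN_NAME.crt\"" >> /etc/turnserver/turnserver.conf
    else
        echo $"No TLS certificate found for $DEFAULT_DOMAIN_NAME, cannot enable TLS for the TURN server"
        exit 1
    fi
    # … unchanged: private key, account method and account file entries …
```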