How to secure a TURN server for WebRTC?

Question

I've just installed rfc5766-turn-server (https://code.google.com/p/rfc5766-turn-server/) on an Amazon server in order to relay my WebRTC calls.

Since authentication username and password will be distributed to every client in WebRTC iceServers, how can I ensure that only my clients use my TURN to relay their call?

if all you've got is a user/pass, how are you planning on detecting if/when a client shares their credentials with someone else? — Marc B, Jan 22 '15 at 15:18
That's my question. Does rfc5766-turn-server provide any other authentication mechanism? — jbescoyez, Jan 22 '15 at 15:23
That turn server implementation allows for a [TURN REST API](https://code.google.com/p/rfc5766-turn-server/wiki/turnserver#TURN_REST_API) that should help secure your client's access. — Benjamin Trent, Jan 22 '15 at 15:25
coturn supports database-based authentication so you can create short-term credentials if you know when your session ended — Oleg Gordeev, Jun 05 '20 at 14:17
despite coturn documentation says database access is for long-term credentials, it reloads the credentials immediately — Oleg Gordeev, Jun 05 '20 at 20:26

score 8 · Answer 1 · edited Oct 07 '21 at 07:13

8

You can use this instead https://code.google.com/p/coturn/. It's evolved from rfc5766-turn-server project.

Supported TURN authentication mechanisms:

'classic' long-term credentials mechanism;
TURN REST API (a modification of the long-term mechanism, for time-limited secret-based authentication, for WebRTC applications: https://datatracker.ietf.org/doc/html/draft-uberti-behave-turn-rest-00)
experimental third-party oAuth-based client authorization option

edited Oct 07 '21 at 07:13

Community

1
1

answered Apr 10 '15 at 09:18

Abdulrazak Alkl

923
8
14

btw, for convenience, the code is moved to github: https://github.com/coturn/coturn – Doz Parp Nov 10 '20 at 04:37

How to secure a TURN server for WebRTC?

1 Answers1

Linked