Which ports should be allowed in firewall to use TURN server?
I want to set up a TURN server (coturn) on our company's servers, and I'm not sure which ports should be allowed for outside access. 8443 is a must, using WebRTC. 3478 is a must for credential use. But there are these gazillions of ports which the TURN server uses; do they need to be allowed in the firewall? Or which ports should be allowed to use CoTURN without problems?

Peon answered 5/12, 2019 at 10:28 Comment(0)
I think it depends on the transport protocols you want to use and the level of security.

With coturn (coturn git repository):

The default port for sending (or listening to) STUN/TURN requests is 3478.

TURN listener port for UDP and TCP listeners (Default: 3478). Note: actually, TLS & DTLS sessions can connect to the "plain" TCP & UDP port(s), too - if allowed by configuration. For example, the default listening port can be set to 80 or 443, to go around some strict NATs. Remember that ports < 1024 may require superuser privileges to start the turnserver process.

In my project I also used the TLS listening port, but it is probably not necessary:

The default port for sending (or listening to) STUN/TURN over TLS is 5349.

TURN listener port for TLS and DTLS listeners (Default: 5349). Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS port(s), too - if allowed by configuration. For example, the default tls listening port can be set to 443, to go around some strict NATs. Remember that ports < 1024 may require superuser privileges to start the turnserver process. For secure TCP connections, we currently support SSL version 3 and TLS versions 1.0, 1.1, 1.2. For secure UDP connections, we support DTLS version 1.

Also, for finally establishing the p2p connection:

Each client will send the data through UDP to the other endpoint: if it’s sending to a TURN server (to a relay candidate) it will send to a port between 49152-65535 (if it’s sending directly to the other party it will send to any port in the 0-65535 range)

--min-port Lower bound of the UDP port range for relay endpoints allocation. Default value is 49152, according to RFC 5766.

--max-port Upper bound of the UDP port range for relay endpoints allocation. Default value is 65535, according to RFC 5766.

Forbiddance answered 6/12, 2019 at 11:11 Comment(7)
So the ports between 49152 and 65535 must be allowed from the firewall, am I correct? And if I am, in which direction should they be open (inbound or outbound)? Thanks for your time. - Peon
Inbound ... these are the ports for establishing the actual p2p connection: you'll be sending data to a random port in the 0-65535 range opened by your peer's device/router during discovery. The same is done towards you. - Forbiddance
Can I limit the range of ports that must be allowed from the frontend side? I tried to limit the range in the coturn setting. Or is it a necessity to open all ports? - Gunboat
If data relay happens between ports 49152-65535, does that mean that the theoretical max number of concurrent connections that one coTURN server can support is about 16300 concurrent connections (subtracting 49152 from 65535)? - Brynne
@Brynne did you find an answer to that question? - Workman
@Workman It was answered in the comments here. - Salliesallow
It seems the ports between --min-port and --max-port do not need to be opened. - Azo
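Turning the answer above into host configuration, as an added example that is not from the question, the answer or the coturn project: a small POSIX shell script that reads the port keys from a turnserver.conf (listening-port, tls-listening-port, min-port and max-port are coturn's own config keys) and prints the matching inbound ufw rules, so a narrowed relay range and the firewall cannot drift apart. The config contents are constructed, and the use of ufw is an assumption; the listener ports default to 3478 and 5349 and the relay range to 49152-65535, as in the answer.

```shell
#!/bin/sh
# conf_value FILE KEY DEFAULT: read a numeric "key=value" line from turnserver.conf
# (comments and trailing text ignored, last occurrence wins). Keys passed on the
# turnserver command line as --key are not seen here.
conf_value() {
    v=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p" "$1" | tail -n 1)
    [ -n "$v" ] && printf '%s\n' "$v" || printf '%s\n' "$3"
}

# coturn_fw_rules FILE: print the inbound ufw rules for the ports this config uses.
# Only the listeners and the relay allocation range need to be reachable; nothing
# else on the host should be exposed for TURN to work.
coturn_fw_rules() {
    f=$1
    lp=$(conf_value "$f" listening-port 3478)       # STUN/TURN over UDP and TCP
    tp=$(conf_value "$f" tls-listening-port 5349)   # TURN over TLS (TCP) and DTLS (UDP)
    lo=$(conf_value "$f" min-port 49152)            # relay range, RFC 5766 default
    hi=$(conf_value "$f" max-port 65535)
    # refuse an inverted range instead of emitting a rule ufw would reject
    if [ "$lo" -gt "$hi" ]; then
        echo "min-port $lo exceeds max-port $hi" >&2
        return 1
    fi
    printf 'ufw allow in %s/udp\n' "$lp"
    printf 'ufw allow in %s/tcp\n' "$lp"
    printf 'ufw allow in %s/udp\n' "$tp"
    printf 'ufw allow in %s/tcp\n' "$tp"
    printf 'ufw allow in %s:%s/udp\n' "$lo" "$hi"   # relayed candidates land here
}

# Constructed turnserver.conf for the example, with a deliberately narrowed relay range.
CONF=$(mktemp)
cat > "$CONF" <<'EOF'
# constructed config, not a real deployment
listening-port=3478
tls-listening-port=5349
min-port=50000
max-port=50999
EOF
coturn_fw_rules "$CONF"
```

Narrowing min-port/max-port caps the number of simultaneous relay allocations to the size of the range, so size it for the expected peak rather than the firewall's convenience.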

© 2022 - 2025 — McMap. All rights reserved.