Voice and video calls require a TURN server, as STUN is not reliable in practice. There are no public TURN servers that I am aware of, so each homeserver must provide one.
Currently, a TURN server is not installed by default. This means that many homeservers do not have a TURN server running. Those who use these homeservers cannot make voice or video calls if they are behind symmetric NAT or a stateful firewall. Configuring a TURN server requires extra manual effort on the part of the administrator, and the server must be configured carefully to avoid security problems.
To solve this problem, I would like for Synapse to enable TURN by default. Container images would bundle a TURN server, while packages would depend on one. The TURN server will be managed by Synapse, without requiring any manual effort on the part of the administrator. This is similar to how NetworkManager and libvirtd both manage dnsmasq, and how NetworkManager also spawns StrongSwan. For privilege separation reasons, it might be preferable for coturn to be a separate service that Synapse controls. This should be possible on Linux distros that use systemd.
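As an added illustration (not code from this issue, from Synapse or from coturn), this is the shared-secret scheme that ties the two services together when coturn runs in `use-auth-secret` mode and Synapse is given the same value as `turn_shared_secret`: the homeserver mints short-lived credentials whose username carries the expiry and whose password is an HMAC over that username, so no long-lived relay password is ever handed to clients and the relay can reject stale credentials on its own. The secret, user ID and timestamps below are constructed.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed values; a real deployment takes the secret from the
# coturn static-auth-secret / Synapse turn_shared_secret setting.
SHARED_SECRET = b"example-shared-secret-change-me"
DEFAULT_TTL = 86400  # one day, the lifetime Synapse uses by default


def mint_turn_credentials(user_id: str, secret: bytes = SHARED_SECRET,
                          ttl: int = DEFAULT_TTL,
                          now: Optional[int] = None) -> dict:
    """Return ephemeral TURN credentials in TURN REST API form.

    The username embeds the expiry (unix seconds) before the first ':',
    which is why the Matrix user ID, itself containing ':', must come
    after it; the password is base64(HMAC-SHA1(secret, username)).
    """
    now = int(time.time()) if now is None else now
    username = f"{now + ttl}:{user_id}"
    mac = hmac.new(secret, username.encode(), hashlib.sha1)
    password = base64.b64encode(mac.digest()).decode()
    return {"username": username, "password": password, "ttl": ttl}


def verify_turn_credentials(username: str, password: str,
                            secret: bytes = SHARED_SECRET,
                            now: Optional[int] = None) -> bool:
    """Check a credential the way the relay side does.

    Parses the expiry from the username, rejects malformed or expired
    usernames, recomputes the HMAC and compares it in constant time.
    """
    now = int(time.time()) if now is None else now
    expiry_str, sep, _ = username.partition(":")
    if not sep or not expiry_str.isdigit():
        return False
    if int(expiry_str) <= now:
        return False
    mac = hmac.new(secret, username.encode(), hashlib.sha1)
    expected = base64.b64encode(mac.digest()).decode()
    return hmac.compare_digest(expected, password)
```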
Yup, this would be good, and would make a lot of sense to include in the docker containers. I'm not totally sure how easy it'd be to add to other packages though. Related: https://github.com/matrix-org/synapse/issues/1219
I suspect it would be hard to do for a lot of environments, docker included. The networking requirements of a TURN server are somewhat exacting (certainly harder than setting up a separate coturn).
@richvdh One option would be to recommend host networking mode for the container. Another would be to provide a known-good docker command line.
One almost certainly wants to run the TURN server as a separate container (and from a separate image) when using docker.
https://github.com/spantaleev/matrix-docker-ansible-deploy and similar projects take care of managing the TURN server in addition to Synapse.
oh a new infrastructure ticket. One option would be to do this properly and have turn running in a different container alongside docker? To save it being installed everywhere. Easy to set up via docker-compose, via a one-liner though...
What does everyone think? I'd rather this was a separate image that synapse could talk to, but then that would need another image + tag on dockerhub so it's updated when synapse is, otoh, they'd share a base image so delta wouldn't need to be huge.
What about running both in the same container? Yes, it's a hack, but it is also super easy to implement.
We can run them as separate users if privilege separation is desired (which it is).
Still requires manual effort on the administrator's part. I want TURN to just work out of the box in the default install, with a warning stating that Synapse does not need (and should not have) a privileged network position.
Without a TURN server, Synapse can't provide a significant part of its feature set. To me, the TURN server is really an integral part of Synapse, rather than a separate service, even though it runs in a separate process. The easiest way to do that is for Synapse to fork and exec coturn itself.