Re-enable STUN/UDP by default so that old Element mobile clients can work

Partially reverts ac26cc1cb0d6423b751b74ddb06a8c793f63dd56. The configurability introduced there is still available, so people can easily disable this, if necessary.
2025-02-23 23:44:10 +01:00 · 2025-02-23 12:09:06 +02:00 · 2025-02-23 12:09:06 +02:00 · 0d137db283
commit 0d137db283
parent ee431798a6
3 changed files with 29 additions and 2 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,28 @@
+# 2025-02-23
+
+## The playbook defaults to exposing the Coturn STUN port (3478) over UDP once again
+
+Recently, we made the playbook [default to exposing the Coturn STUN port (3478) only over TCP](#the-playbook-now-defaults-to-exposing-the-coturn-stun-port-3478-only-over-tcp) to reduce the severity of DDoS amplification/reflection attacks.
+
+It seems like old Element clients on mobile devices only support talking to the STUN port over UDP, not TCP.
+To accommodate such ancient clients, we're now **reversing this change** and **defaulting to exposing the Coturn STUN port (3478) over UDP once again**.
+
+In light of this new information, you have 2 options:
+
+1. **If you already adapted to the previous change and would like to adapt to this change one again**:
+
+- make sure the `3478/udp` port is whitelisted in your external firewall (if you have one) once again.
+
+2. **If you don't care about old Element clients and wish to reduce the severity of DDoS amplification/reflection attacks**:
+
+- Consider closing the STUN/UDP port with the following configuration:
+
+  ```yaml
+  matrix_coturn_container_stun_plain_host_bind_port_udp: ""
+  ```
+
+- Consider keeping `3478/udp` blocked in your external firewall (if you have one)
+
 # 2025-02-21

 ## Docker daemon options are no longer adjusted when IPv6 is enabled
--- a/docs/prerequisites.md
+++ b/docs/prerequisites.md
@ -60,6 +60,7 @@ We will be using `example.com` as the domain in the following instruction. Pleas
  - `80/tcp`: HTTP webserver
  - `443/tcp` and `443/udp`: HTTPS webserver
  - `3478/tcp`: STUN/TURN over TCP (used by [coturn](./docs/configuring-playbook-turn.md))
+  - `3478/udp`: STUN/TURN over TCP (used by [coturn](./docs/configuring-playbook-turn.md))
  - `5349/tcp`: TURN over TCP (used by [coturn](./docs/configuring-playbook-turn.md))
  - `5349/udp`: TURN over UDP (used by [coturn](./docs/configuring-playbook-turn.md))
  - `8448/tcp` and `8448/udp`: Matrix Federation API HTTPS webserver. Some components like [Matrix User Verification Service](configuring-playbook-user-verification-service.md#open-matrix-federation-port) require this port to be opened **even with federation disabled**.
--- a/roles/custom/matrix-coturn/defaults/main.yml
+++ b/roles/custom/matrix-coturn/defaults/main.yml
@ -60,9 +60,10 @@ matrix_coturn_container_stun_plain_host_bind_port_tcp: "{{ '3478' if matrix_cotu
 #
 # Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:3478"), or empty string to not expose.
 #
-# This is not done by default to decrease the risk of DDoS amplification attacks.
+# Ideally, we'd like to set this to "" to avoid exposing this port and decrease the risk of DDoS amplification attacks.
 # See: https://stormwall.network/resources/blog/protect-against-ddos-based-on-stun-exploit
-matrix_coturn_container_stun_plain_host_bind_port_udp: ""
+# In practice, old Element clients only support talking to the STUN port over UDP, not TCP, so we need to keep this enabled for now.
+matrix_coturn_container_stun_plain_host_bind_port_udp: "{{ '3478' if matrix_coturn_container_network != 'host' else '' }}"

 # Controls whether the coturn container exposes its TLS STUN port (tcp/5349 in the container) over TCP.
 #