From 0d137db283c3b029a2ced8d734e5baf414f292aa Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 23 Feb 2025 12:09:06 +0200 Subject: [PATCH] Re-enable STUN/UDP by default so that old Element mobile clients can work Partially reverts ac26cc1cb0d6423b751b74ddb06a8c793f63dd56. The configurability introduced there is still available, so people can easily disable this, if necessary. --- CHANGELOG.md | 25 ++++++++++++++++++++ docs/prerequisites.md | 1 + roles/custom/matrix-coturn/defaults/main.yml | 5 ++-- 3 files changed, 29 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2e1d832ba..c5a21d80f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,28 @@ +# 2025-02-23 + +## The playbook defaults to exposing the Coturn STUN port (3478) over UDP once again + +Recently, we made the playbook [default to exposing the Coturn STUN port (3478) only over TCP](#the-playbook-now-defaults-to-exposing-the-coturn-stun-port-3478-only-over-tcp) to reduce the severity of DDoS amplification/reflection attacks. + +It seems like old Element clients on mobile devices only support talking to the STUN port over UDP, not TCP. +To accommodate such ancient clients, we're now **reversing this change** and **defaulting to exposing the Coturn STUN port (3478) over UDP once again**. + +In light of this new information, you have 2 options: + +1. **If you already adapted to the previous change and would like to adapt to this change one again**: + +- make sure the `3478/udp` port is whitelisted in your external firewall (if you have one) once again. + +2. **If you don't care about old Element clients and wish to reduce the severity of DDoS amplification/reflection attacks**: + +- Consider closing the STUN/UDP port with the following configuration: + + ```yaml + matrix_coturn_container_stun_plain_host_bind_port_udp: "" + ``` + +- Consider keeping `3478/udp` blocked in your external firewall (if you have one) + # 2025-02-21 ## Docker daemon options are no longer adjusted when IPv6 is enabled diff --git a/docs/prerequisites.md b/docs/prerequisites.md index 8b813f1bd..b1f891d7c 100644 --- a/docs/prerequisites.md +++ b/docs/prerequisites.md 
@@ -60,6 +60,7 @@ We will be using `example.com` as the domain in the following instruction. Pleas - `80/tcp`: HTTP webserver - `443/tcp` and `443/udp`: HTTPS webserver - `3478/tcp`: STUN/TURN over TCP (used by [coturn](./docs/configuring-playbook-turn.md)) + - `3478/udp`: STUN/TURN over TCP (used by [coturn](./docs/configuring-playbook-turn.md)) - `5349/tcp`: TURN over TCP (used by [coturn](./docs/configuring-playbook-turn.md)) - `5349/udp`: TURN over UDP (used by [coturn](./docs/configuring-playbook-turn.md)) - `8448/tcp` and `8448/udp`: Matrix Federation API HTTPS webserver. Some components like [Matrix User Verification Service](configuring-playbook-user-verification-service.md#open-matrix-federation-port) require this port to be opened **even with federation disabled**. diff --git a/roles/custom/matrix-coturn/defaults/main.yml b/roles/custom/matrix-coturn/defaults/main.yml index 04d221224..febee5009 100644 --- a/roles/custom/matrix-coturn/defaults/main.yml +++ b/roles/custom/matrix-coturn/defaults/main.yml @@ -60,9 +60,10 @@ matrix_coturn_container_stun_plain_host_bind_port_tcp: "{{ '3478' if matrix_cotu # # Takes an ":" or "" value (e.g. "127.0.0.1:3478"), or empty string to not expose. # -# This is not done by default to decrease the risk of DDoS amplification attacks. +# Ideally, we'd like to set this to "" to avoid exposing this port and decrease the risk of DDoS amplification attacks. # See: https://stormwall.network/resources/blog/protect-against-ddos-based-on-stun-exploit -matrix_coturn_container_stun_plain_host_bind_port_udp: "" +# In practice, old Element clients only support talking to the STUN port over UDP, not TCP, so we need to keep this enabled for now. +matrix_coturn_container_stun_plain_host_bind_port_udp: "{{ '3478' if matrix_coturn_container_network != 'host' else '' }}" # Controls whether the coturn container exposes its TLS STUN port (tcp/5349 in the container) over TCP. #
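Review bot: typo in the CHANGELOG.md hunk, option 1: "would like to adapt to this change one again" should read "once again". While in that entry, the two numbered options each carry a single sub-bullet; the second one's "Consider closing the STUN/UDP port" and "Consider keeping `3478/udp` blocked" bullets read better as one instruction ("close the port in the playbook and keep it blocked in your external firewall"), since the in-page anchor `#the-playbook-now-defaults-to-exposing-the-coturn-stun-port-3478-only-over-tcp` already points readers at the original rationale and they should not have to pick between the two.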
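Review bot: the added line in the docs/prerequisites.md hunk says `3478/udp`: STUN/TURN over TCP; it is a UDP port, so it should say "over UDP", matching the `5349/udp`: TURN over UDP line two entries below. Suggested: `- `3478/udp`: STUN/TURN over UDP (used by [coturn](./docs/configuring-playbook-turn.md))`. Pre-existing, but copied into the new line: the coturn links use `./docs/configuring-playbook-turn.md` while the `8448` line in the same list links `configuring-playbook-user-verification-service.md` without the `docs/` prefix; from a file that already lives in `docs/`, the `./docs/` form resolves one level too deep, so it is worth dropping the prefix on the new line rather than propagating it.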
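Review bot: in the roles/custom/matrix-coturn/defaults/main.yml hunk the comment block now reads out of order: the `# See: https://stormwall.network/...` link sits between the "Ideally, we'd like to set this to """ sentence and the "In practice, old Element clients..." sentence, and nothing tells an operator how to opt back out. Suggest moving the link after both sentences and adding a line such as `# Set this to "" to stop publishing the UDP port (see the 2025-02-23 CHANGELOG.md entry).` Also note what the template actually controls: it yields `''` when `matrix_coturn_container_network` is `host`, because with host networking there is no port publishing and coturn listens on the host's 3478/udp directly, so `""` only closes the port for the non-host-network case; the CHANGELOG's option 2 is right to pair it with keeping `3478/udp` blocked in the external firewall, and the comment should say so. Pre-existing but worth fixing while here: `# Takes an ":" or "" value (e.g. "127.0.0.1:3478")` has lost its placeholder and appears to have meant `<ip>:<port>`.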