rfc5766-turn-server NAT-白红宇

rfc5766-turn-server NAT

阅读量：2093 次

发布时间：2019-04-29

本文共 35270 字，大约阅读时间需要 117 分钟。

安装：谷歌推荐的开源穿透服务器，包含trun和stun服务，主页：https://code.google.com/p/rfc5766-turn-server/

https://code.google.com/p/rfc5766-turn-server/

The TURN Server is a VoIP media traffic NAT traversal server and gateway. It can be used as a general-purpose network traffic TURN server/gateway, too.

This implementation also includes some extra features. Supported RFCs:

TURN specs:

RFC 5766 - base TURN specs
RFC 6062 - TCP relaying TURN extension
RFC 6156 - IPv6 extension for TURN
Experimental DTLS support as client protocol.
STUN specs:

RFC 5389 - base "new" STUN specs
RFC 5769 - test vectors for STUN protocol testing
RFC 5780 - NAT behavior discovery support

版本：turnserver-3.2.3.95.tar.gz 系统环境：centos

下载必要库

yum install -y make auomake gcc cc gcc-c++ wget

yum install -y openssl-devel libevent libevent-devel mysql-devel mysql-server

wget https://github.com/downloads/libevent/libevent/libevent-2.0.21-stable.tar.gz

tar xvfz libevent-2.0.21-stable.tar.gz

cd libevent-2.0.21-stable && ./configure

make && make install && cd ..

下载turnserver-3.2.3.95.tar.gz并安装

wget http://turnserver.open-sys.org/downloads/v3.2.3.95/turnserver-3.2.3.95.tar.gz

tar -xvzf turnserver-3.2.3.95.tar.gz

cd turnserver-3.2.3.95

./configure

make && make install

安装后，配置turnserver.conf和turnuserdb.conf

启动

turnserver -L <public_ip_address> -c turnserver.conf -o -a -b turnuserdb.conf -f -r <system_domain_name>

可以通过以下指令获取帮助

turnserver -h

turnserver.conf配置：

# RFC5766-TURN-SERVER configuration file

# RFC5766-TURN-SERVER配置文件

# Boolean values note: where boolean value is supposed to be used,

# you can use '0', 'off', 'no', 'false', 'f' as 'false,

# and you can use '1', 'on', 'yes', 'true', 't' as 'true'

# If the value is missed, then it means 'true'.

# 布尔值注意: 布尔值应该被使用,

# 您可以使用'0', 'off', 'no', 'false', 'f' 相当于 'false,

# 还有你可以用'1', 'on', 'yes', 'true', 't' 相当于 'true'

# 如果没有值，相当于'true'.

# Listener interface device (optional, Linux only).

# NOT RECOMMENDED.

# 侦听器接口设备(仅可选,Linux)。

# 不推荐。

#listening-device=eth0

# TURN listener port for UDP and TCP (Default: 3478).

# Note: actually, TLS & DTLS sessions can connect to the

# "plain" TCP & UDP port(s), too - if allowed by configuration.

# TURN为UDP和TCP的侦听器端口(默认: 3478)。

# 注:实际上,TLS和DTLS会话可以连接到"清晰的"TCP和UDP端口,——如果允许配置。

#listening-port=3478

listening-port=3478

# TURN listener port for TLS (Default: 5349).

# Note: actually, "plain" TCP & UDP sessions can connect to the TLS & DTLS

# port(s), too - if allowed by configuration. The TURN server

# "automatically" recognizes the type of traffic. Actually, two listening

# endpoints (the "plain" one and the "tls" one) are equivalent in terms of

# functionality; but we keep both endpoints to satisfy the RFC 5766 specs.

# For secure TCP connections, we currently support SSL version 3 and

# TLS version 1.0, 1.1 and 1.2. SSL2 "encapculation mode" is also supported.

# For secure UDP connections, we support DTLS version 1.

# TURN为TLS的侦听器端口(默认: 5349)。

# 注意:事实上,"清晰的"TCP和UDP会话可以连接到TLS和DTLS端口，如果允许配置。

# TURN服务器"自动"识别传输类型。实际上,两个监听终端点("清晰的"端和"TLS"端)是

# 对等的功能;但我们保持两个端点来满足RFC 5766规范。

# 对于安全的TCP连接,我们目前支持SSL的3个版本，是TLS 1.0版本,1.1版本和1.2版本。

# SSL2还支持"encapculation模式"。对于安全的UDP连接,我们支持DTLS版本1。

#tls-listening-port=5349

tls-listening-port=5349

# Alternative listening port for UDP and TCP listeners;

# default (or zero) value means "listening port plus one".

# This is needed for RFC 5780 support

# (STUN extension specs, NAT behavior discovery). The TURN Server

# supports RFC 5780 only if it is started with more than one

# listening IP address of the same family (IPv4 or IPv6).

# RFC 5780 is supported only by UDP protocol, other protocols

# are listening to that endpoint only for "symmetry".

# 选择UDP和TCP监听器监听端口;

# 默认(或者0)是表示监听的端口加1.

# 这是必须的，为了RFC 5780的支持(STUN的扩展规范, NAT后端的发现)。

# TURN服务器支持RFC 5780只有启动与多个监听同一族的IP地址(IPv4或IPv6).

# RFC 5780只有UDP协议,支持其他协议是监听"对称"型端口的。

#alt-listening-port=0

# Alternative listening port for TLS and DTLS protocols.

# Default (or zero) value means "TLS listening port plus one".

# 选择监听端口TLS和DTLS协议。

# 默认(或者0)是表示TLS监听的端口加1.

#alt-tls-listening-port=0

# Listener IP address of relay server. Multiple listeners can be specified.

# If no IP(s) specified in the config file or in the command line options,

# then all IPv4 and IPv6 system IPs will be used for listening.

# 侦听器中继服务器的IP地址。可以指定多个侦听器。

# 如果没有在配置文件或者命令选项中指定监听的IP，

# 那么所有的IPv4和IPv6所有的IP将被监听

#listening-ip=172.17.19.101

#listening-ip=10.207.21.238

#listening-ip=2607:f0d0:1002:51::4

listening-ip=<IP>

# Auxiliary STUN/TURN server listening endpoint.

# Aux servers have almost full TURN and STUN functionality.

# The (minor) limitations are:

# 1) Auxiliary servers do not have alternative ports and

# they do not support STUN RFC 5780 functionality (CHANGE REQUEST).

# 2) Auxiliary servers also are never returning ALTERNATIVE-SERVER reply.

# Valid formats are 1.2.3.4:5555 for IPv4 and [1:2::3:4]:5555 for IPv6.

# There may be multiple aux-server options, each will be used for listening

# to client requests.

# 辅助STUN/TURN服务器监听端口。

# 辅助服务器几乎有齐TURN和STUN功能

# (一些)局限性:

# 1) 辅助服务器没有替代的端口并且他们不支持STUN RFC 5780功能(变更请求)。

# 2) 辅助服务器也不会返回ALTERNATIVE-SERVER回复。

# 有效格式，IPv4的1.2.3.4:5555 和IPv6的[1:2::3:4]:5555。

# 可能会有多个aux-server选项,每个将用于监听客户端请求。

#aux-server=172.17.19.110:33478

#aux-server=[2607:f0d0:1002:51::4]:33478

# (recommended for older Linuxes only)

# Automatically balance UDP traffic over auxiliary servers (if configured).

# The load balancing is using the ALTERNATE-SERVER mechanism.

# The TURN client must support 300 ALTERNATE-SERVER response for this

# functionality.

# (仅推荐老的Linuxes)

# 在辅助服务器自动均衡UDP流量(如果配置)。

# 使用ALTERNATE-SERVER的负载均衡机制。

# TURN客户端必须支持300个ALTERNATE-SERVER响应。

#udp-self-balance

# Relay interface device for relay sockets (optional, Linux only).

# NOT RECOMMENDED.

# 终极接口设备为中继套接字(可选, 仅Linux).

# 不推荐。

#relay-device=eth1

# Relay address (the local IP address that will be used to relay the

# packets to the peer).

# Multiple relay addresses may be used.

# The same IP(s) can be used as both listening IP(s) and relay IP(s).

# If no relay IP(s) specified, then the turnserver will apply the default

# policy: it will decide itself which relay addresses to be used, and it

# will always be using the client socket IP address as the relay IP address

# of the TURN session (if the requested relay address family is the same

# as the family of the client socket).

# 中继地址(本地IP地址将用于传递数据包的给每个端)

# 可以使用多个中继地址。

# 相同的IP可以用作监听IP和继电器IP。

# 如果没有指定中继IP，那么turnserver将应用默认策略：它将自行决定使用那个中继

# 地址，并且它总是会使用客户端套接字的IP地址作为中继的IP地址在TURN会话中(如果

# 请求的中继地址族解决同族的客户端套接字)。

#relay-ip=172.17.19.105

#relay-ip=2607:f0d0:1002:51::5

relay-ip=<IP>

# For Amazon EC2 users:#

# TURN Server public/private address mapping, if the server is behind NAT.

# In that situation, if a -X is used in form "-X <ip>" then that ip will be reported

# as relay IP address of all allocations. This scenario works only in a simple case

# when one single relay address is be used, and no RFC5780 functionality is required.

# That single relay address must be mapped by NAT to the 'external' IP.

# The "external-ip" value, if not empty, is returned in XOR-RELAYED-ADDRESS field.

# For that 'external' IP, NAT must forward ports directly (relayed port 12345

# must be always mapped to the same 'external' port 12345).

# In more complex case when more than one IP address is involved,

# that option must be used several times, each entry must

# have form "-X <public-ip/private-ip>", to map all involved addresses.

# RFC5780 NAT discovery STUN functionality will work correctly,

# if the addresses are mapped properly, even when the TURN server itself

# is behind A NAT.

# By default, this value is empty, and no address mapping is used.

# Amazon EC2用户:

# TURN服务器公开/私有的地址映射，假如服务器是在NAT后端。

# 在这种情况下,如果一个表单中"-X <ip>"使用一个-X，然后该ip将被作为中继ip地址来使用。

# 这种情况只适用于一个简单的例子,当一个中继的地址是被使用,和没有RFC5780功能是必需的。

# 单个中继地址必须通过NAT映射到外部的IP。

# 外部的IP值，假如不为空，通过XOR-RELAYED-ADDRESS字段返回。

# 外部的IP,NAT必须直接转发端口(转发端口12345，必须总是映射到相同的外部端口12345)。

# 在更复杂的情况下,当涉及到多个IP地址,这个选项必须使用几次,每个条目必须形

# 成"-X <public-ip/private-ip>",将所有涉及到的地址。

# RFC5780 NAT发现STUN功能正常工作，如果正确的地址映射,即使TURN服务器本身是

# 在一个NAT后。

# 默认，该值为空，并且没有使用地址映射。

#external-ip=60.70.80.91

#OR:

#external-ip=60.70.80.91/172.17.19.101

#external-ip=60.70.80.92/172.17.19.102

external-ip=<IP>

# Number of relay threads to handle the established connections

# (in addition to authentication thread and the listener thread).

# If set to 0 then application runs relay process in a single thread,

# in the same thread with the listener process (the authentication thread will

# still be a separate thread).

# In the older systems (Linux kernel before 3.9),

# the number of UDP threads is always one thread per network listening endpoint -

# including the auxiliary endpoints - unless 0 (zero) or 1 (one) value is set.

# 数量的中继线程处理建立连接(除了验证线程和侦听器线程)。

# 如果设置为0,那么应用程序中继进程在一个线程中运行,在同一

# 个线程中监听处理(身份验证线程仍然是一个单独的线程)。

# 在旧系统(3.9 Linux内核之前),数量的UDP线程总是一个线程监听一个网络端点,包括辅助端点——除非设置0或1值。

#relay-threads=0

relay-threads=10

# Lower and upper bounds of the UDP relay endpoints:

# (default values are 49152 and 65535)

# UDP中继端点的上下边界:

# (默认是49152至65535)

#min-port=49152

#max-port=65535

# Uncomment to run TURN server in 'normal' 'moderate' verbose mode.

# By default the verbose mode is off.

# 取消TURN服务器运行'normal' 'moderate'详细模式。

# 默认情况下,详细模式是关闭的。

#verbose

# Uncomment to run TURN server in 'extra' verbose mode.

# This mode is very annoying and produces lots of output.

# Not recommended under any normal circumstances.

# 取消TURN服务器运行'extra'详细模式。

# 这种模式是非常恼人的,产生大量的输出。

# 在任何正常情况下不建议。

#Verbose

# Uncomment to use fingerprints in the TURN messages.

# By default the fingerprints are off.

# 取消在TURN消息中使用指纹。

# 默认情况下,指纹是关闭的。

#fingerprint

# Uncomment to use long-term credential mechanism.

# By default no credentials mechanism is used (any user allowed).

# This option can be used with either flat file user database or

# PostgreSQL DB or MySQL DB or Redis DB for user keys storage.

# 取消使用长期证书机制。

# 默认情况下不使用凭证机制(允许任何用户)。

# 这个选项可能使用用户数据文件或PostgreSQL或MySQL或Redis来存储用户密钥。

#lt-cred-mech

lt-cred-mech

# Uncomment to use short-term credential mechanism.

# By default no credentials mechanism is used (any user allowed).

# For short-term credential mechanism you have to use PostgreSQL or

# MySQL or Redis database for user password storage.

# 取消使用短期证书机制。

# 默认情况下不使用凭证机制(允许任何用户)。

# 短期证书机制必须使用PostgreSQL或MySQL或Redis数据库来存储用户密码。

#st-cred-mech

# This option is opposite to lt-cred-mech or st-cred-mech.

# (TURN Server with no-auth option allows anonymous access).

# If neither option is defined, and no users are defined,

# then no-auth is default. If at least one user is defined,

# in this file or in command line or in usersdb file, then

# lt-cred-mech is default.

# 这个选项是lt-cred-mech或st-cred-mech相反。

# (TURN服务器no-auth选项允许匿名访问)。

# 如果没有选项定义,没有用户定义,那么no-auth默认。

# 如果至少定义有一个用户,在这个文件中或在命令行或usersdb文件,

# 那么lt-cred-mech默认。

#no-auth

# TURN REST API flag.

# Flag that sets a special authorization option that is based upon authentication secret.

# This feature can be used with the long-term authentication mechanism, only.

# This feature purpose is to support "TURN Server REST API", see

# "TURN REST API" link in the project's page

# http://code.google.com/p/rfc5766-turn-server/.

# This option is used with timestamp:

# usercombo -> "timestamp:userid"

# turn user -> usercombo

# turn password -> base64(hmac(secret key, usercombo))

# This allows TURN credentials to be accounted for a specific user id.

# If you don't have a suitable id, the timestamp alone can be used.

# This option is just turning on secret-based authentication.

# The actual value of the secret is defined either by option static-auth-secret,

# or can be found in the turn_secret table in the database (see below).

# TURN REST API标志。

# 标志是设置一个特殊的授权选项,是基于身份验证的私密。

# 这个功能可以用于长期验证机制。

# 这个功能的目的是支持"TURN Server REST API",看到"TURN Server REST API"项目的页面的链接

# http://code.google.com/p/rfc5766-turn-server/。

# 这个选项是使用时间戳:

# usercombo -> "timestamp:userid"

# turn user -> usercombo

# turn password -> base64(hmac(secret key, usercombo))

# 这允许TURN凭证占用一个特定的用户id。

# 如果你没有一个合适的id,可以使用单独的时间戳。

# 这个选项只是打开基于私密的身份验证。

# 实际值定义的私密就是通过选择static-auth-secret,或可以在数据库中找到turn_secret表(见下文)。

#use-auth-secret

# 'Static' authentication secret value (a string) for TURN REST API only.

# If not set, then the turn server

# will try to use the 'dynamic' value in turn_secret table

# in user database (if present). The database-stored value can be changed on-the-fly

# by a separate program, so this is why that other mode is 'dynamic'.

# TURN REST API的'Static'身份验证的私密值(字符串)

# 如果没有设置，那么turn服务器将尝试使用'dynamic'值在用户数据库的turn_secret表(如果存在)。

# 数据库存储的值可以随时改变，通过单独的程序，所以这就是'dynamic'模式。

#static-auth-secret

# 'Static' user accounts for long term credentials mechanism, only.

# This option cannot be used with TURN REST API or with short-term credentials

# mechanism.

# 'Static' user accounts are NOT dynamically checked by the turnserver process,

# so that they can NOT be changed while the turnserver is running.

# 'Static'用户长期占凭证机制。

# 这个选项不能用于TURN REST API或短期凭证机制。

# 'Static'用户帐户不是turnserver程序动态检查,所以他们不能改变在turnserver运行时。

#user=username1:key1

#user=username2:key2

# OR:

#user=username1:password1

#user=username2:password2

# Keys must be generated by turnadmin utility. The key value depends

# on user name, realm, and password:

# 钥匙必须由turnadmin实用程序生成。键值取决于用户名称、领域和密码:

# Example:

# 例子,使用以下命令:

# $ turnadmin -k -u ninefingers -r north.gov -p youhavetoberealistic

# Output: 0xbc807ee29df3c9ffa736523fb2c4e8ee

# 输出是: 0xbc807ee29df3c9ffa736523fb2c4e8ee

# ('0x' in the beginning of the key is what differentiates the key from

# password. If it has 0x then it is a key, otherwise it is a password).

# ('0x'开始的关键是区分从密码的关键。如果它有0x,那么它是一个关键,否则这是一个密码)。

# The corresponding user account entry in the config file will be:

# 相应的配置文件中的用户帐户条目将:

#user=ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee

# Or, equivalently, with open clear password (less secure):

#或者是这样，明文密码(不安全的):

#user=ninefingers:youhavetoberealistic

user=<yourname:yourpsw>

# 'Dynamic' user accounts database file name.

# Only users for long-term mechanism can be stored in a flat file,

# short-term mechanism will not work with option, the short-term

# mechanism required PostgreSQL or MySQL or Redis database.

# 'Dynamic' long-term user accounts are dynamically checked by the turnserver process,

# so that they can be changed while the turnserver is running.

# Default file name is turnuserdb.conf.

# 'Dynamic'用户帐户数据库文件名。

# 只有用户长期机制可以存储在一个文件,短期机制不会处理选项,短期机制需要PostgreSQL或MySQL或

# Redis数据库。

# 'Dynamic'的长期用户帐户在turnserver程序中动态检查的,这样他们可以改变的在turnserver运行时。

# 默认文件名是turnuserdb.conf.

#userdb=/usr/local/etc/turnuserdb.conf

userdb=/etc/turnuserdb.conf

# PostgreSQL database connection string in the case that we are using PostgreSQL

# as the user database.

# This database can be used for long-term and short-term credential mechanisms

# and it can store the secret value for secret-based timed authentication in TURN RESP API.

# See http://www.postgresql.org/docs/8.4/static/libpq-connect.html for 8.x PostgreSQL

# versions connection string format, see

# http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-CONNSTRING

# for 9.x and newer connection string formats.

# PostgreSQL数据库连接字符串,使用PostgreSQL作为用户数据库。

# 该数据库可用于长期和短期证书机制,它可以存储的私密值，为基于私密身份验证的在TURN RESP API中。

# 8.x PostgreSQL版本请参见http://www.postgresql.org/docs/8.4/static/libpq-connect.html的连接字符串

# 格式,9.x和更新的请参阅http://www.postgresql.org/docs/9.2/static/libpq-connect.html LIBPQ-CONNSTRING

# 的连接字符串格式。

#psql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> connect_timeout=30"

# MySQL database connection string in the case that we are using MySQL

# as the user database.

# This database can be used for long-term and short-term credential mechanisms

# and it can store the secret value for secret-based timed authentication in TURN RESP API.

# Use string format as below (space separated parameters, all optional):

# MySQL数据库连接字符串,使用MySQL作为用户数据库。

# 该数据库可用于长期和短期证书机制,它可以存储的私密值，为基于私密身份验证的在TURN RESP API中。

# 使用字符串格式如下(空间分离参数,所有可选):

#mysql-userdb="host=<host> dbname=<database-name> user=<database-user> password=<database-user-password> port=<port> connect_timeout=<seconds>"

# Redis database connection string in the case that we are using Redis

# as the user database.

# This database can be used for long-term and short-term credential mechanisms

# and it can store the secret value for secret-based timed authentication in TURN RESP API.

# Use string format as below (space separated parameters, all optional):

# Redis数据库连接字符串,使用Redis作为用户数据库。

# 该数据库可用于长期和短期证书机制,它可以存储的私密值，为基于私密身份验证的在TURN RESP API中。

# 使用字符串格式如下(空间分离参数,所有可选):

#redis-userdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"

# Redis status and statistics database connection string, if used (default - empty, no Redis stats DB used).

# This database keeps allocations status information, and it can be also used for publishing

# and delivering traffic and allocation event notifications.

# The connection string has the same parameters as redis-userdb connection string.

# Use string format as below (space separated parameters, all optional):

# Redis状态和统计数据库连接字符串,如果使用(默认空,没有Redis统计数据库使用)。

# 这个数据库保持分配状态信息,它也可以用于发布和交付传输和分配事件通知。

# 连接字符串有相同的参数作为redis-userdb连接字符串。

# 使用字符串格式如下(空间分离参数,所有可选):

#redis-statsdb="ip=<ip-address> dbname=<database-number> password=<database-user-password> port=<port> connect_timeout=<seconds>"

# Realm for long-term credentials mechanism and for TURN REST API.

# TURN REST API的长期凭证机制范围。

#realm=mycompany.org

# Per-user allocation quota.

# default value is 0 (no quota, unlimited number of sessions per user).

# 每个用户分配配额。

# 默认值为0(没有配额,每个用户无限数量的会话)。

#user-quota=0

# Total allocation quota.

# default value is 0 (no quota).

# 总分配配额。

# 默认值为0(无配额)。

#total-quota=0

# Max bytes-per-second bandwidth a TURN session is allowed to handle

# (input and output network streams are treated separately). Anything above

# that limit will be dropped or temporary suppressed (within

# the available buffer limits).

# TURN会话允许最大的传输占用带宽(输入和输出网络流分别处理)。

# 高于限制将被删除或暂时抑制(在可用的缓冲区范围内)。

#max-bps=0

max-bps=1024

# Uncomment if no UDP client listener is desired.

# By default UDP client listener is always started.

# 如果没有UDP客户端监听器需要取消。

# 默认情况下UDP客户端监听器总是启动。

#no-udp

# Uncomment if no TCP client listener is desired.

# By default TCP client listener is always started.

# 如果没有TCPP客户端监听器需要取消。

# 默认情况下TCPP客户端监听器总是启动。

#no-tcp

# Uncomment if no TLS client listener is desired.

# By default TLS client listener is always started.

# 如果没有TLS客户端监听器需要取消。

# 默认情况下TLS客户端监听器总是启动。

#no-tls

# Uncomment if no DTLS client listener is desired.

# By default DTLS client listener is always started.

# 如果没有DTLS客户端监听器需要取消。

# 默认情况下DTLS客户端监听器总是启动。

#no-dtls

# Uncomment if no UDP relay endpoints are allowed.

# By default UDP relay endpoints are enabled (like in RFC 5766).

# 如果不允许UDP中继端点需要取消。

# 默认情况下启用UDP继电器端点(如在RFC 5766)。

#no-udp-relay

# Uncomment if no TCP relay endpoints are allowed.

# By default TCP relay endpoints are enabled (like in RFC 6062).

# 如果不允许TCP中继端点需要取消。

# 默认情况下启用TCP继电器端点(如在RFC 5766)。

#no-tcp-relay

# Uncomment if extra security is desired,

# with nonce value having limited lifetime (600 secs).

# By default, the nonce value is unique for a session,

# but it has unlimited lifetime. With this option,

# the nonce lifetime is limited to 600 seconds, after that

# the client will get 438 error and will have to re-authenticate itself.

# 取消如果需要额外的安全,现时已有有限的生命周期(600秒)。

# 默认情况下,一个会话的唯一临界值,但它一般拥有无限的生命周期。这个选项,临界值

# 仅限于600秒,之后,客户端将得到438错误,将不得不重新认证。

#stale-nonce

# Certificate file.

# Use an absolute path or path relative to the

# configuration file.

# 证书文件。

# 使用绝对路径或路径相对于配置文件。

#cert=/usr/local/etc/turn_server_cert.pem

# Private key file.

# Use an absolute path or path relative to the

# configuration file.

# Use PEM file format.

# 私钥文件。

# 使用绝对路径或路径相对于配置文件。使用PEM文件格式。

#pkey=/usr/local/etc/turn_server_pkey.pem

# Private key file password, if it is in encoded format.

# This option has no default value.

# 私有密钥文件密码,如果是在编码格式。

# 这个选项没有默认值。

#pkey-pwd=...

# Allowed OpenSSL cipher list for TLS/DTLS connections.

# Default value is "DEFAULT".

# 允许OpenSSL的密码列表为TLS/DTLS连接。

# 默认值是"DEFAULT"

#cipher-list="DEFAULT"

# CA file in OpenSSL format.

# Forces TURN server to verify the client SSL certificates.

# By default it is not set: there is no default value and the client

# certificate is not checked.

# 在OpenSSL格式的CA文件。

# 强制TURN服务器验证客户端SSL证书。

# 默认情况下它没有设置:没有默认值,不检查的客户端证书。

# Example:

#CA-file=/etc/ssh/id_rsa.cert

# Curve name for EC ciphers, if supported by OpenSSL library (TLS and DTLS).

# The default value is prime256v1.

# 曲线名称的EC密码,如果由OpenSSL库支持(TLS和DTLS)。

# 默认值是prime256v1。

#ec-curve-name=prime256v1

# Use 566 bits predefined DH TLS key. Default size of the key is 1066.

# 使用566位预定义DH TLS键。默认键大小是1066

#dh566

# Use 2066 bits predefined DH TLS key. Default size of the key is 1066.

# 使用2066位预定义DH TLS键。默认键大小是1066

#dh2066

# Use custom DH TLS key, stored in PEM format in the file.

# Flags --dh566 and --dh2066 are ignored when the DH key is taken from a file.

# 使用惯例的DH TLS键，使用PEM格式存储在文件里

# 当DH键从文件里加载，将忽略标志--dh566和--dh2066

#dh-file=<DH-PEM-file-name>

# Flag to prevent stdout log messages.

# By default, all log messages are going to both stdout and to

# the configured log file. With this option everything will be

# going to the configured log only (unless the log file itself is stdout).

# 标志防止输出日志信息

# 默认情况下,所有日志消息将输出到配置的日志文件。采用这一选项都将只配置日志

# (除非日志文件本身是输出的)。

#no-stdout-log

# Option to set the log file name.

# By default, the turnserver tries to open a log file in

# /var/log, /var/tmp, /tmp and current directories directories

# (which open operation succeeds first that file will be used).

# With this option you can set the definite log file name.

# The special names are "stdout" and "-" - they will force everything

# to the stdout. Also, the "syslog" name will force everything to

# the system log (syslog).

# In the runtime, the logfile can be reset with the SIGHUP signal

# to the turnserver process.

# 设置日志文件

# 默认情况下,turnserver尝试一个日志文件在/var/log,/var/tmp,/tmp和

# 当前目录(那个文件先打开成功,文件将被使用)。

# 采用这一选项可以设置明确的日志文件名。

# 特殊的名字是"stdout"和"-"——他们将强制所有的输出。同时,"syslog"名称将强制所有的系统日志(syslog)。

# 在运行时,日志文件可以重置通过SIGHUP信号在turnserver程序中。

#log-file=/var/tmp/turn.log

# Option to redirect all log output into system log (syslog).

# 选择重定向所有日志输出到系统日志(syslog)。

#syslog

# This flag means that no log file rollover will be used, and the log file

# name will be constructed as-is, without PID and date appendage.

# 这个标志意味着没有日志文件将使用翻转,并按原样将创建日志文件名称,没有PID和日期的附加。

#simple-log

# Option to set the "redirection" mode. The value of this option

# will be the address of the alternate server for UDP & TCP service in form of

# <ip>[:<port>]. The server will send this value in the attribute

# ALTERNATE-SERVER, with error 300, on ALLOCATE request, to the client.

# Client will receive only values with the same address family

# as the client network endpoint address family.

# See RFC 5389 and RFC 5766 for ALTERNATE-SERVER functionality description.

# The client must use the obtained value for subsequent TURN communications.

# If more than one --alternate-server options are provided, then the functionality

# can be more accurately described as "load-balancing" than a mere "redirection".

# If the port number is omitted, then the default port

# number 3478 for the UDP/TCP protocols will be used.

# Colon (

characters in IPv6 addresses may conflict with the syntax of

# the option. To alleviate this conflict, literal IPv6 addresses are enclosed

# in square brackets in such resource identifiers, for example:

# [2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 .

# Multiple alternate servers can be set. They will be used in the

# round-robin manner. All servers in the pool are considered of equal weight and

# the load will be distributed equally. For example, if we have 4 alternate servers,

# then each server will receive 25% of ALLOCATE requests. A alternate TURN server

# address can be used more than one time with the alternate-server option, so this

# can emulate "weighting" of the servers.

# 选项设置"redirection"模式。这个选项的值将备用服务器的地址UDP和TCP服务形式的<ip>[:<port>]。

# 服务器将发送这个值属性ALTERNATE-SERVER,错误300,在ALLOCATE请求,客户端。

# 客户端将只接收和自己相同的地址族的客户端的值。查看RFC 5389和RFC 5766为ALTERNATE-SERVER的功能描述。

# 客户端必须使用获得的值为随后的TURN通信。如果不止一个——alternate-server选项提供,那么功能可以更准确

# 地描述为"load-balancing",而不仅仅是一个"redirection"。如果端口号省略,那么为UDP/TCP协议，使用默认端

# 口号是3478。冒号(

在IPv6地址字符可能与选项的语法冲突。缓解这种冲突,文字IPv6地址包含在方括号在这种

# 资源标识符,例如[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478 。

# 可以设置多个备用服务器。他们将用于循环的方式。所有服务器池中被认为是平等的重量和载荷将平均分配的原则。

# 例如,如果我们有4个备用服务器,每个服务器将获得25%的分配请求。备用TURN服务器地址可以使用超过一次

# alternate-server选项,所以这可以效仿的"weighting"服务器。

# Examples:

#alternate-server=1.2.3.4:5678

#alternate-server=11.22.33.44:56789

#alternate-server=5.6.7.8

#alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478

# Option to set alternative server for TLS & DTLS services in form of

# <ip>:<port>. If the port number is omitted, then the default port

# number 5349 for the TLS/DTLS protocols will be used. See the previous

# option for the functionality description.

# 选项设置替代服务器TLS和DTLS服务形式的<ip>:<port>。

# 如果省略的端口号,那么默认端口号5349将使用TLS/DTLS协议。看到前面选择的功能描述。

# Examples:

#tls-alternate-server=1.2.3.4:5678

#tls-alternate-server=11.22.33.44:56789

#tls-alternate-server=[2001:db8:85a3:8d3:1319:8a2e:370:7348]:3478

# Option to suppress TURN functionality, only STUN requests will be processed.

# Run as STUN server only, all TURN requests will be ignored.

# By default, this option is NOT set.

# 选择抑制TURN功能,只有STUN的请求将被处理。

# 作为STUN服务器,所有TURN请求将被忽略。

# 默认情况下,没有设置这个选项。

#stun-only

# Option to suppress STUN functionality, only TURN requests will be processed.

# Run as TURN server only, all STUN requests will be ignored.

# By default, this option is NOT set.

# 选择抑制STUN功能,只有TURN的请求将被处理。

# 作为TURN服务器,所有STUN请求将被忽略。

# 默认情况下,没有设置这个选项。

#no-stun

# This is the timestamp/username separator symbol (character) in TURN REST API.

# The default value is ':'.

# 这是时间戳/用户名分离器符号(字符)在TURN REST API。

# 默认是使用':'

# rest-api-separator=:

# Flag that can be used to disallow peers on the loopback addresses (127.x.x.x and ::1).

# This is an extra security measure.

# 标记用于不接受的端在环回地址(127.x.x.x 和 ::1)。

# 这是一个额外的安全措施。

#no-loopback-peers

# Flag that can be used to disallow peers on well-known broadcast addresses (224.0.0.0 and above, and FFXX:*).

# This is an extra security measure.

# 标记用于不接受的端在广播地址(224.0.0.0和以上的，和FFXX:*)。

# 这是一个额外的安全措施。

#no-multicast-peers

# Option to set the max time, in seconds, allowed for full allocation establishment.

# Default is 60 seconds.

# 选项设置的最大时间,以秒为单位,允许完整的分配。

# 默认60秒

#max-allocate-timeout=60

# Option to allow or ban specific ip addresses or ranges of ip addresses.

# If an ip address is specified as both allowed and denied, then the ip address is

# considered to be allowed. This is useful when you wish to ban a range of ip

# addresses, except for a few specific ips within that range.

# This can be used when you do not want users of the turn server to be able to access

# machines reachable by the turn server, but would otherwise be unreachable from the

# internet (e.g. when the turn server is sitting behind a NAT)

# 选择允许或禁止特定的ip地址或ip地址范围。

# 如果指定一个ip地址允许和拒绝,那么ip地址被认为是允许的。这是有用的,当你希望禁止一个范

# 围的ip地址,除了一些特定的ip范围内。

# 这可以使用当你不希望turn服务器的用户能够访问机器通过turn服务器,但可能是另一方面从互联

# 网上不能到达(例如,当turn服务器是在一个NAT后)

# Examples:

# denied-peer-ip=83.166.64.0-83.166.95.255

# allowed-peer-ip=83.166.68.45

# File name to store the pid of the process.

# Default is /var/run/turnserver.pid (if superuser account is used) or

# /var/tmp/turnserver.pid .

# 存储进程pid的文件名。

# 默认是/var/run/turnserver.pid(超级用户使用)或者是/var/tmp/turnserver.pid

#pidfile="/var/run/turnserver.pid"

pidfile="/var/tmp/turnserver.pid"

# Require authentication of the STUN Binding request.

# By default, the clients are allowed anonymous access to the STUN Binding functionality.

# 需要STUN绑定请求的身份验证。

# 默认情况下,客户允许匿名访问STUN绑定功能。

#secure-stun

# Require SHA256 digest function to be used for the message integrity.

# By default, the server uses SHA1 (as per TURN standard specs).

# With this option, the server

# always requires the stronger SHA256 function. The client application

# must support SHA256 hash function if this option is used. If the server obtains

# a message from the client with a weaker (SHA1) hash function then the

# server returns error code 426.

# 需要SHA256采摘功能用于消息的完整性。

# 默认情况下,服务器使用SHA1(按标准规格)。

# 采用这一选项,服务器总是需要更强的SHA256功能。客户端应用程序必须支持SHA256散列函数

# 如果使用这个选项。如果服务器获得消息从客户端较弱(SHA1)散列函数那么服务器返回错误代码426。

#sha256

# Mobility with ICE (MICE) specs support.

# 移动的ICE(MICE)的规范支持。

#mobility

# User name to run the process. After the initialization, the turnserver process

# will make an attempt to change the current user ID to that user.

# 用户名运行程序。初始化后,turnserver程序将试图改变当前用户的用户ID。

#proc-user=<user-name>

# Group name to run the process. After the initialization, the turnserver process

# will make an attempt to change the current group ID to that group.

# 组名运行程序。初始化后,turnserver程序将试图改变当前组的组ID。

#proc-group=<group-name>

# Turn OFF the CLI support.

# By default it is always ON.

# See also options cli-ip and cli-port.

# 关掉CLI的支持。

# 默认情况下它总是ON。

# 参阅选项cli-ip和cli-port。

#no-cli

#Local system IP address to be used for CLI server endpoint. Default value

# is 127.0.0.1.

# 本地系统的IP地址将用于CLI服务器端点。默认值是127.0.0.1。

#cli-ip=127.0.0.1

# CLI server port. Default is 5766.

# CLI服务器端口。默认是5766。

#cli-port=5766

# CLI access password. Default is empty (no password).

# CLI访问密码。默认是空的(没有密码)。

#cli-password=logen

# Server relay. NON-STANDARD AND DANGEROUS OPTION.

# Only for those applications when we want to run

# server applications on the relay endpoints.

# This option eliminates the IP permissions check on

# the packets incoming to the relay endpoints.

# 中继服务器。NON-STANDARD和DANGEROUS的选择。

# 只对这些应用程序时,我们想在中继服务器上运行服务器应用程序端点。

# 这个选项可以消除IP权限检查传递的数据包传入的端点。

#server-relay

# Maximum number of output sessions in ps CLI command.

# This value can be changed on-the-fly in CLI. The default value is 256.

# 最大数量的输出会议在ps CLI命令。

# 这个值可以动态改变在CLI。默认值是256。

#cli-max-output-sessions

# Set network engine type for the process (for internal purposes).

# 设置网络引擎类型(用于内部目的)的过程。

#ne=[1|2|3]

# Do not allow an SSL/TLS version of protocol

# 不允许一个SSL/TLS版本的协议

#no-sslv2

#no-sslv3

#no-tlsv1

#no-tlsv1_1

#no-tlsv1_2

turnuserdb.conf

#This file can be used as user accounts storage for long-term credentials mechanism.

#这个文件可以用作长期用户帐户存储凭证机制。

#username1:key1

#username2:key2

# OR:

#username1:password1

#username2:password2

# Keys must be generated by turnadmin utility. The key value depends

# on user name, realm, and password:

# 钥匙必须由turnadmin实用程序生成。键值取决于用户名称、领域和密码:

# Example:

# 例子,使用以下命令:

# $ turnadmin -k -u ninefingers -r north.gov -p youhavetoberealistic

# Output: 0xbc807ee29df3c9ffa736523fb2c4e8ee

# 输出是: 0xbc807ee29df3c9ffa736523fb2c4e8ee

# ('0x' in the beginning of the key is what differentiates the key from

# password. If it has 0x then it is a key, otherwise it is a password).

# ('0x'开始的关键是区分从密码的关键。如果它有0x,那么它是一个关键,否则这是一个密码)。

# The corresponding user account entry in the userdb file will be:

# 相应的用户帐号在userdb文件中是：

#ninefingers:0xbc807ee29df3c9ffa736523fb2c4e8ee

# Or, equivalently (less secure):

#或者是这样(不安全的):

#ninefingers:youhavetoberealistic

yourname:yourpsw

同时笔者也提供了一个小工具用于检测你所在网络的NAT类型，源文件是有c程序版本和python脚本两种，可以从获取，如果你是windows，那么还可以本文末尾的附件下载预编译打包好的.exe文件。

NAT话题，主要涉及：

- NAT 与防火墙

- NAT 基本类型与原理

- NAT 穿透方式及原理

- 基于NAT穿透的网络应用

- NAT穿透相关的工具和开源项目

焦点集中在NAT类型以及对应的穿透方式，下面分别收录几篇文章做进一步了解。

1 网络与 NAT 和防火墙

公网/内网IP分配及NAT地址转换协议

2007-12-04 20:32:48

http://yanshiwen2007.blog.163.com/blog/static/38688705200711483248456/

防火墙和NAT

From: 百度文库

http://wenku.baidu.com/view/1c5ccba10029bd64783e2c94.html

NAT的四种类型及类型检测

Posted on 2010-12-16 19:30 bw_0927

http://www.cnblogs.com/my_life/articles/1908552.html

多媒体通讯中防火墙和NAT问题的解决

2002-12-26 9:57:00 信息源:赛迪网作者:袁帅

http://it.rising.com.cn/newSite/Channels/Safety/SafeDefend/Defender/200212/26-095709141.htm

Linux下的NAT及防火墙的混合应用

时间:2003-12-29 08:00 来源:BitsCN.com

http://www.bitscn.com/os/linux/200604/7934.html

2 NAT 穿透

NAT穿透

From: wikipedia 维基百科

http://zh.wikipedia.org/wiki/NAT%E7%A9%BF%E8%B6%8A

NAT的完全分析及其UDP穿透的完全解决方案

2006-07-18

http://zongtongyi.blogbus.com/logs/2857757.html

相关的其他文章：http://zongtongyi.blogbus.com/tag/%E7%A9%BF%E9%80%8FNAT/

NAT穿透

2010-05-09 12:15

http://blog.csdn.net/feiren127/article/details/5571636

NAT穿透之NAT类型检测

发布时间:2011-01-01 12:07文章来源:黑客防线文章作者:张东辉

http://www.yunsec.net/a/special/wlgf/wlrq/2011/0101/7820.html

P2P网络“自由”穿越NAT的“秘密”

Posted on 2008-10-12 14:05 chen eric

http://www.cnblogs.com/lovko/archive/2008/10/12/1309094.html

Symmetric NAT Traversal

http://www.dialogic.com/webhelp/bordernet2020/1.0.0/webhelp/nat_traversal.htm

3 STUN 和 TURN 协议

旧版本STUN http://www.ietf.org/rfc/rfc3489.txt

新版本STUN http://www.ietf.org/rfc/rfc5389.txt

TURN http://www.ietf.org/rfc/rfc5766.txt

Symmetric NAT Traversal using STUN

http://tools.ietf.org/id/draft-takeda-symmetric-nat-traversal-00.txt

PS: 此协议是草稿，主要是关于基于 STUN 来做 Symmetric 类型的NAT穿透；但这不是100%可以成功的，有一定的概率。

PS: 新旧STUN协议及TURN协议在实现和使用上的差异？

久版的STUN主要是基于判断NAT类型的，而新版本的STUN以及其扩展的TURN协议，摒弃了原来的思路，以获得一个可靠可用的通信地址和端口为目标；

新版的STUN重在获得改地址，而TURN则提供了基于已知地址的数据传递协议规范。所以实践中，如果STUN告诉我们地址后，可以P2P，则优先P2P，否则TURN中转。

新旧版本的STUN协议完全不同，协议设计也不同，无法兼容；新版的STUN则和TURN关系密切，后者是基于前者扩展设计的，大多数服务端也兼容二者。

4 工具与开源项目

NAT 类型检测

NAT Check：Check Your Network Address Translator for Compatibility with Peer-to-Peer Protocols

http://midcom-p2p.sourceforge.net/

VC++实现NAT穿透之NAT类型检测

http://blog.csdn.net/yincheng01/article/details/4486359

- STUN

stund

http://sourceforge.net/projects/stun

pystun

http://code.google.com/p/pystun/

stunclient

http://code.google.com/p/stunclient/source/browse/#svn%2Ftrunk%2Fstun

- STUN & TURN

turnserver

http://turnserver.sourceforge.net/ (http://www.turnserver.org/)

turn-client

https://github.com/node/turn-client

PS: 下载按时时请注意,以上工具和项目中大多使用标准C和python(cpython) .

STUNMAN

http://www.stunprotocol.org/ , https://github.com/jselbie/stunserver

Features:

Compliant with the latest RFCs including 5389, 5769, and 5780. Also includes backwards compatibility for RFC 3489.

Supports both UDP and TCP on both IPv4 and IPv6.

Client test app provided.

STUNMAN 使用C++开发，实现了新版的STUN和TURN协议，同时兼容处理旧版的STUN协议请求。

Java STUN/TURN 相关：

jstun

http://jstun.javawi.de/

stung4j

https://stun4j.dev.java.net/

5 总结

- Q: 是否所有NAT都可以穿透？

A: 不是！简单说，只要是cone类型的NAT，则可以穿透，100%地穿透，

即 full cone NAT, address restricted cone NAT 和 port restricted cone NAT 都可以穿透；

而 symmetric NAT则不能保证100%穿透，也就是说不可靠无法依赖穿透symmetric NAT来通信，必须提供备选方式如代理中转等。

- Q: 对于无法穿透的NAT该怎么办？

A: 既然有STUN和TURN甚至SOCK5等协议，那么在确定无法穿透或者不能确定穿透时，选择服务器中转是上策。

- Q: 实践中哪种类型的NAT更多一些？

A: 有时候应用只需要面对大多数用户即可，无需严格考虑所有情况，则需要参考实践中的NAT类型比例；

这个数据我没有实际调查过，但结合网络上提供的资料，目前大多数NAT都属于cone的，不是symmetric的；但典型的sysmmetric仍然存在，比如可能有：

- 安全要求较高的内部专属网/局域网

- 互联网与EGDE网络之间，互联网与3G网之间

- Q: Symmetric NAT 的穿透状况到底如何？

A: 可以穿透，但不是100%成功；那么如何提高成功率呢？ http://www.goto.info.waseda.ac.jp/~wei/file/wei-apan-v10.pdf

这篇很早的文章显示他们的办法可以达到99%的NAT穿透率，高于当时SKYPE的46% 。其中的难点，主要在于不断变化的端口映射，导致mapping address无法稳定下来用于两个peer的通信。

6 辅助工具

在线NAT类型检测

nattest.net.in.tum.de

从外部测试本地端口是否可访问

http://canyouseeme.org/

你可能感兴趣的文章

Linux下Tomcat重新启动

查看>>

使用HttpClient请求另一个项目接口获取内容

查看>>

HttpClient get和HttpClient Post请求的方式获取服务器的返回数据

查看>>

net.sf.json Maven依赖配置

查看>>

Could not initialize class net.sf.json.JsonConfig错误解决

查看>>

Java编程思想重点笔记（Java开发必看）

查看>>

eclipse 创建maven 项目动态web工程完整示例

查看>>

前端JSP与Spring MVC交互实用例子

查看>>

使用maven一步一步构建spring mvc项目

查看>>

hadoop map reduce 阶段笔记

查看>>

java jackcess 操作 access

查看>>

Git问题Everything up-to-date解决

查看>>

Hadoop HDFS文件操作的Java代码

查看>>

Hadoop学习笔记—3.Hadoop RPC机制的使用

查看>>

Hadoop学习笔记—22.Hadoop2.x环境搭建与配置

java学习总结之文件操作--ByteArrayOutputStream的用法

查看>>

Java生成和操作Excel文件

查看>>