
We have a STUN/TURN server (coturn) running. It relays (over TURN) a video feed from a device on the internet to a device in a fixed IP range. (There is currently no stream in the other direction, but this might change in the future.)

I know about the TURN REST API spec for generating temporary credentials to access the TURN server. Now we would also like to restrict access in a more fine-grained way: is it possible to restrict the TURN server so that only streams TO a device in a certain IP range, or streams FROM a device in that IP range, are relayed, and all other traffic is dropped?

Is there a way to configure this in coturn, or would it be possible to put an NGINX proxy in between to handle this?

Traspler

1 Answer

Excerpt from the coturn docs, one of the optional parameters when starting the TURN server:

--denied-peer-ip=<IPaddr[-IPaddr]>, --allowed-peer-ip=<IPaddr[-IPaddr]> - Options to ban or allow specific ip addresses or ranges of ip addresses. If an ip address is specified as both allowed and denied, then the ip address is considered to be allowed. This is useful when you wish to ban a range of ip addresses, except for a few specific ips within that range. This can be used when you do not want users of the turn server to be able to access machines reachable by the turn server, but would otherwise be unreachable from the internet (e.g. when the turn server is sitting behind a NAT). The allowed/denied addresses (white/black lists) functionality is very simple:

  • If there is no rule for an address, then it is allowed;

  • If there is an explicit allowed rule that fits an address, then it is allowed - no matter what;

  • If there is no explicit allowed rule for an address, and if there is a denied rule that fits the address, then it is denied. The "white" and "black" peer IP ranges can be dynamically changed in the database.

mido
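To see what the three rules quoted above actually decide for a given turnserver.conf, here is a small offline simulator. It is an added example written for this answer, not coturn's own code: the helper names (`parse_peer_range`, `peer_allowed`, `load_peer_rules`, `decide`), the sample configuration and the sample peer addresses are all constructed for illustration. It reads `allowed-peer-ip` / `denied-peer-ip` lines in the `IPaddr` or `IPaddr-IPaddr` syntax the docs describe and applies the precedence the docs state (explicit allow wins, then deny, otherwise allowed).

```python
"""Offline check of coturn's allowed-peer-ip / denied-peer-ip decision.

Added example, not coturn's own code. It re-implements the three rules
quoted from the coturn documentation so a turnserver.conf can be sanity
checked before deployment. Helper names and sample data are constructed.
"""
import ipaddress


def parse_peer_range(spec):
    """Turn 'IPaddr' or 'IPaddr-IPaddr' (the coturn option syntax) into a
    (first, last) pair of ip_address objects. A single address is a range
    of one."""
    first, _, last = spec.strip().partition("-")
    lo = ipaddress.ip_address(first)
    hi = ipaddress.ip_address(last) if last else lo
    if lo.version != hi.version or lo > hi:
        raise ValueError(f"invalid peer range: {spec!r}")
    return lo, hi


def in_ranges(ip, ranges):
    """True if ip falls inside any (lo, hi) range of the same IP version."""
    return any(lo <= ip <= hi for lo, hi in ranges if lo.version == ip.version)


def peer_allowed(peer, allowed, denied):
    """Apply the documented precedence to one peer address."""
    ip = ipaddress.ip_address(peer)
    if in_ranges(ip, allowed):   # rule 2: explicit allow wins, no matter what
        return True
    if in_ranges(ip, denied):    # rule 3: no allow rule, but a deny rule fits
        return False
    return True                  # rule 1: no rule at all -> allowed


def load_peer_rules(conf_text):
    """Collect allowed-peer-ip / denied-peer-ip lines from turnserver.conf
    text, ignoring comments and unrelated options."""
    allowed, denied = [], []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "allowed-peer-ip":
            allowed.append(parse_peer_range(value))
        elif key == "denied-peer-ip":
            denied.append(parse_peer_range(value))
    return allowed, denied


# Constructed sample config: the docs' own use case, i.e. keep relay users
# away from machines behind the TURN server's NAT, except for the devices
# that are supposed to receive the video feed.
SAMPLE_CONF = """\
listening-port=3478
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
# the receiving devices (constructed range) are carved back out
allowed-peer-ip=192.168.50.10-192.168.50.20
"""


def decide(conf_text, peer):
    """Parse the config and report whether relaying to `peer` is allowed."""
    allowed, denied = load_peer_rules(conf_text)
    return peer_allowed(peer, allowed, denied)


if __name__ == "__main__":
    for peer in ("192.168.50.15", "192.168.50.99", "10.1.2.3", "203.0.113.7"):
        print(peer, "allowed" if decide(SAMPLE_CONF, peer) else "denied")
```

Running it shows the property worth remembering when writing these rules: an `allowed-peer-ip` entry on its own never blocks anything, because an address with no rule is allowed by default, so any restriction has to come from `denied-peer-ip` ranges with the allowed entries carving exceptions back out. The filter is evaluated per peer address only; it has no notion of which side of a session is the source, which is exactly the gap the question is asking about.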
I have seen this in the docs, but as far as I understand it, it does not fit my use case exactly. If I were, for example, to add the "specific IP range" as allowed-peer-ips, no other devices could connect to the TURN server. My problem is that one of the devices could have whatever IP it wants, and the second party is always in a certain range. So I would need to filter allowed-peer-ips based on the origin or destination of the traffic. – Traspler May 24 '16 at 11:31