All notable changes to this project will be documented in this file. This project adheres to Semantic Versioning.
1.12.1 - 2024-10-24
- Docker: Offer a container `VARIANT` which includes the `acme.sh` cert creation script. The variant has a tag suffix `-acme` or just `acme` as `latest` synonym and can be configured with environment variables.
- Docker: Add Docker secrets support. Any environment variable with a `__FILE` suffix is treated as a Docker secret. (#64)
- The `eturnalctl status` call now checks whether eturnal is actually ready to handle STUN/TURN clients (and prints a line to the standard output in that case). If this call is issued early during startup, it will block (up to 15 seconds) until eturnal is responsive. The old behavior was to (silently) return success as soon as the underlying VM is alive.
- Binary release: Update Erlang/OTP from 26.0.2 to 27.1.2.
- Binary release: Update Rebar3 from 3.22.1 to 3.24.0.
- Binary release: Update OpenSSL from 3.1.3 to 3.4.0.
1.12.0 - 2023-09-28
- The new `blacklist_clients` and `blacklist_peers` options may be used to specify blocklists for TURN clients and TURN peers separately. The old `blacklist` option that affected both clients and peers has been deprecated. The same applies to the `whitelist` option, which has been deprecated in favor of the new `whitelist_clients` and `whitelist_peers` options. By default, the `blacklist_peers` option is set to a list of networks recommended to be blocked. The other three lists are empty by default.
- Binary release: Update OpenSSL from 3.1.2 to 3.1.3.
- Binary release: Update zlib from 1.2.13 to 1.3.
- Binary release: Use new (GCC-13.2-based) version of build toolchain.
- Don't fail to ping the systemd watchdog under certain conditions.
- Drop support for container image for architecture `s390x`. If you need it, please contact us.
1.11.1 - 2023-08-06
- Don't fail to build with `SKIP_DEPS` set to `true`.
1.11.0 - 2023-08-06
- Allow for specifying static `credentials` in the `eturnal.yml` configuration file. They can be used instead of (or in addition to) a shared `secret`.
- Allow for overriding the `build.config` settings using environment variables (of the same name, but upper-case).
- Docker: Container images can now be pulled from Docker Hub as well. The name is `docker.io/eturnal/eturnal:latest`. When pulling with `Docker`, `docker.io` may be omitted.
- Provide a homebrew Formula for macOS.
- The environment variable `ETURNAL_ETC_PREFIX` has been deprecated in favor of `ETURNAL_ETC_DIR`. If the former was used with previous releases, `ETURNAL_ETC_DIR` should now be set to `$ETURNAL_ETC_PREFIX/etc`.
- `mod_stats_prometheus`: Fine tune bucket sizes for TURN sessions, e.g., drop the 1 KiB bucket, as the 4 KiB bucket size should be sufficient to identify "inactive" sessions. Also, slightly alter the other bucket sizes.
- Binary release: Update Erlang/OTP from 25.0.3 to 26.0.2.
- Binary release: Update Rebar3 from 3.19.0 to 3.22.1.
- Binary release: Update OpenSSL from 1.1.1q to 3.1.2.
- Binary release: Update zlib from 1.2.12 to 1.2.13.
- Binary release: Build Erlang/OTP without Termcap support.
- Docker: Always use the same Erlang/OTP version as the binary release.
- Windows: Update Erlang/OTP to 26.x.
- Fix a small memory leak (about 200 bytes per TURN session).
- Include the `ssl` library with non-distro builds, as it's required for enabling TLS for the `mod_stats_prometheus` endpoint.
- Docker: Include libcap libraries into the image to enable binding to privileged ports (<1024) directly. Hint: Depending on the container runtime in use, if the `docker run` option `--cap-drop=ALL` is used, `CAP_NET_BIND_SERVICE` may be included again to make the container work (see examples).
1.10.1 - 2022-08-02
- Improve TCP/TLS performance if no traffic shaper is configured using the `max_bps` option.
- `mod_stats_prometheus`: Add a counter for STUN/TURN protocol errors, bucketed by transport and error condition.
- `build.config`: Add `code_loading` option to specify whether code is loaded statically during eturnal startup or dynamically on demand. The latter may be desirable for (distribution) builds that use separately packaged Erlang dependencies, as it avoids hard-coding dependency versions at build time.
- Docker: Include STUN lookup at container start for an IPv6 address as well.
- Docker: Allow to define a different external STUN service for IP address lookups by adding the container-image-specific environment variable `STUN_SERVICE`, defaulting to: `STUN_SERVICE="stun.conversations.im 3478"`. This same variable may also be used to disable the STUN lookup by defining `STUN_SERVICE=false`.
- `build.config`: Rename the `eturnal_bin_prefix` option to `eturnal_prefix`.
- Binary release: Reduce code size by omitting an unused transitive dependency (which had slipped back into the previous release).
- `build.config`: Remove the `eturnal_etc_prefix` option.
- Fix dynamic loading of `mod_stats_prometheus` dependencies (for distribution builds).
- Docker: Keep list of installed packages, so that image scanners like Trivy can check the image for vulnerabilities.
1.10.0 - 2022-07-27
- Include `mod_stats_prometheus`, a module for exporting metrics to Prometheus.
- Include an example configuration for logrotate.
- Include an example OpenRC init (and configuration) file.
- If an EPMD process was spawned during eturnal startup, stop it on shutdown, unless it's used by other Erlang nodes.
- Avoid permission issues in the case where `eturnalctl` was invoked by root from a directory the user running eturnal isn't permitted to change into.
- Make sure `eturnalctl daemon` won't hang on the very first startup when using Erlang/OTP 23 or newer.
1.9.1 - 2022-07-17
- Allow for adding the special keywords `default` or `recommended` to the `blacklist`. The former expands to the addresses blocked by default, the latter includes the former and additionally expands to a number of networks recommended to be blocked.
- Fall back to reading the relay port range boundaries from environment variables when `relay_min_port` and/or `relay_max_port` aren't specified.
- Docker: Adjust image `ENTRYPOINT` to provide a way to autodetect (in most cases) the Docker host's IPv4 address during container startup within isolated network environments, without explicitly defining the IPv4 address (with an `ENV` variable or a configuration file).
- If an EPMD process is spawned during eturnal startup, let it listen on `localhost` only (#9). (Note that our Linux packages and container images are configured to not start an EPMD process.)
- Omit the code location from log messages, except when debug logging is enabled.
- Apply other minor logging improvements.
- Docker: Reduce image size. IMPORTANT: A custom `eturnal.yml` configuration file should be mounted to the default path `/etc/eturnal.yml` or to a custom path defined with `ETURNAL_ETC_PREFIX`, as mounting it to `/opt/eturnal/etc/eturnal.yml` will prevent the container from starting up successfully.
- Binary release: Update Erlang/OTP from 25.0.2 to 25.0.3.
- Windows: Update to LibYAML 0.2.5.
- Windows: Update to OpenSSL 3.0.5.
1.9.0 - 2022-07-07
- Publish Docker images and provide configuration examples for Docker/Kubernetes (many thanks to Saarko) (#20).
- Fall back to reading the relay IP addresses from environment variables when `relay_ipv4_address` and/or `relay_ipv6_address` aren't specified (#24).
- Binary release: Update Erlang/OTP from 24.3.4 to 25.0.2.
- Binary release: Update Rebar3 from 3.18.0 to 3.19.0.
- Binary release: Update OpenSSL from 1.1.1m to 1.1.1q.
- Binary release: Update minimum glibc version from 2.17 to 2.19.
- Binary release: Reduce code size by omitting an unused transitive dependency.
- Avoid crashes in the case where no `secret` is configured in the `eturnal.yml` file (#21).
- Don't log misleading complaints about `proxy_protocol` option.
- Gracefully handle errors while receiving UDP data (#23).
- Restart listeners on failure.
- Reduce log level for network issues that may occur during normal operation.
- Windows: Support custom installation path (#22).
1.8.3 - 2022-05-12
- Specifying an `ip` address for `listen` entries is no longer mandatory. The default value is now `"::"`.
- Make sure eturnal's `log_dir` is used for the additional log files created by `eturnalctl daemon`.
- Keep TURN session IDs unique across eturnal restarts.
- Binary release: Update Erlang/OTP from 24.2.2 to 24.3.4.
- Binary release: Update OpenSSL from 1.1.1m to 1.1.1o.
- Binary release: Update zlib from 1.2.11 to 1.2.12.
- Binary release: Use new (GCC-11.2-based) version of build toolchain.
- Binary release: Provide self-extracting installer for non-DEB/RPM systems.
- Windows: Don't fail to start up after reboot.
1.8.2 - 2022-03-02
- Use a (pseudo)random `secret` by default.
- Improve autodetection of relay IP addresses used by default if the `relay_ipv4_addr` and/or `relay_ipv6_addr` options aren't specified.
- Binary release: Update Erlang/OTP from 24.2 to 24.2.2.
- Don't crash without explicit `listen` configuration. This bug was introduced with version 1.7.0.
- Don't crash if the configuration file is empty (i.e., has no `eturnal` section).
- Don't crash if TURN is enabled without a public IPv6 relay address being available.
1.8.1 - 2022-01-10
- Don't fail to handle the `$user` argument of the `eturnalctl sessions` and `eturnalctl disconnect` calls.
1.8.0 - 2022-01-10
- Allow for configuring TLS connection properties using the new `tls_options`, `tls_ciphers`, and `tls_dh_file` options (#6).
- Allow for specifying a `whitelist` of IP addresses/subnets which will be accepted even if they would otherwise be rejected due to being matched by a `blacklist` (#12).
- Don't close active TURN sessions when ephemeral credentials expire, by default. The new `strict_expiry` option allows for enabling the previous behavior.
- Add `eturnalctl disconnect $user` command for closing any TURN session(s) of the specified `$user` name.
- Let the `eturnalctl sessions` command accept an optional `$user` argument to list only the TURN session(s) of the specified `$user` name.
- Support running eturnal without the Erlang Port Mapper Daemon (EPMD) by specifying the environment variable `ERL_DIST_PORT` (requires at least Erlang/OTP 23.1 and Rebar3 3.18.0).
- Binary release: Run eturnal without EPMD (as described above).
- Don't log bogus error messages if no eturnal modules are enabled when using Erlang/OTP version 21.0, 21.1, or 21.2.
- Binary release: Don't let Erlang/OTP link against libnsl.so.1, which is no longer shipped by default on RedHat-based distributions, and isn't actually needed (#19).
1.7.0 - 2021-12-15
- Introduce the `listen` option `proxy_protocol` for enabling HAproxy protocol (version 1 and 2) support (#18).
- Binary release: Update Erlang/OTP from 24.1.7 to 24.2.
- Binary release: Update OpenSSL from 1.1.1l to 1.1.1m.
- Binary release: Link `asn1` and `crypto` NIFs statically into BEAM.
- Binary release: Reduce size by a few MiB by omitting a test suite file.
- Binary release: Don't forget to strip ERTS binaries.
- Don't crash when multiple `secret`s are configured on Erlang/OTP 23 or later.
1.6.0 - 2021-12-04
- Add `eturnalctl credentials` and `eturnalctl password` commands for generating ephemeral TURN credentials.
- Support the `listen` option `transport: auto` for accepting unencrypted TCP and TLS connections on the same port (thanks to Annika Hannig). Requires Erlang/OTP 23 or later.
- Binary release: Update Erlang/OTP from 24.1.4 to 24.1.7.
1.5.0 - 2021-11-02
- Allow for specifying a list of shared secrets in order to facilitate key rollover (#16).
- Improve UDP receive performance.
- Reduce risk of UDP packet loss.
- Binary release: Update Erlang/OTP from 24.1.2 to 24.1.4.
- Handle the case where a `tls_crt_file` but no `tls_key_file` is specified (by assuming the `tls_crt_file` includes both the certificate and the key).
- Don't forget to check for new PEM files on reload if the configuration wasn't modified (#17).
1.4.6 - 2021-10-11
- Don't abort (but log an appropriate warning) if TURN is enabled without a shared secret.
- Drop the runtime dependency on the `openssl` command for generating self-signed certificates.
- Binary release: Update Erlang/OTP from 23.2 to 24.1.2.
- Binary release: Update OpenSSL from 1.1.1i to 1.1.1l.
- Drop the `mod_example` module.
1.4.5 - 2021-01-28
- Don't include timestamp when logging to the systemd journal.
- Let `eturnalctl sessions` cope with non-latin characters in user names.
- Binary release: Let `eturnalctl remote_console` actually connect to the running eturnal instance.
1.4.4 - 2021-01-21
- Reject Teredo and 6to4 peers unconditionally.
- Reject 0.0.0.0/8 and ::/128 peers unconditionally.
- Never request certificates from TLS clients.
1.4.3 - 2020-12-16
- Binary release: Update Erlang/OTP from 22.2 to 23.2.
- Binary release: Update OpenSSL from 1.1.1g to 1.1.1i.
- Don't log stack traces if clients attempt authentication while TURN is disabled.
1.4.2 - 2020-11-04
- Make sure the `eturnal.yml` file isn't installed world-readable, as it might contain the shared TURN secret (#10).
1.4.1 - 2020-09-09
- Fix systemd watchdog interval recalculation during configuration reloads.
1.4.0 - 2020-09-06
- Add `mod_log_stun` for logging STUN requests. Without this module, they will now only show up in the debug log output.
- Add list of TURN permissions to the `eturnalctl sessions` output.
- Always log reason for TCP/TLS connection termination (at info level).
- Omit Erlang process ID from log messages (now that a session ID is logged).
- Make the `eturnalctl sessions` command work with recent versions of the `stun` application.
1.3.0 - 2020-08-26
- Add `eturnalctl info` command, which prints some details regarding the running eturnal instance.
- Add the TURN session duration to the `eturnalctl sessions` output.
- Document the module API for developers.
- Refactor the module API to avoid bottlenecks.
1.2.1 - 2020-08-16
- Strip the BEAM files shipped with the binary release. Due to a bug in the build tooling, this didn't happen for the previous release.
1.2.0 - 2020-08-16
- Add experimental support for modules and include a `mod_example` with the source code. The APIs aren't documented yet and may change in the future.
- Include `mod_stats_influx`, a module for logging STUN/TURN events/statistics to InfluxDB (contributed by Marc Schink).
1.1.0 - 2020-07-22
- Add `eturnalctl session` command, which lists some details about the currently active TURN sessions.
- Append session ID, transport, username, and client IP addresses/ports to STUN/TURN log messages.
- Append relay/peer IP addresses/ports to TURN log messages.
- Log amount of relayed traffic per TURN session.
- Log plain STUN (Binding) responses.
- Log more info level messages during TURN sessions.
- Log error responses sent to STUN/TURN clients.
- Make configuration reloads performed after changing the `listen` configuration more robust against timing issues.
- Let eturnalctl commands that query the running node fail gracefully if eturnal isn't running.
1.0.0 - 2020-07-13
- Allow for setting the `log_dir` option to the special value `stdout`, which tells eturnal to print log messages to the standard output rather than logging to a file.
- Publish DEB and RPM packages, and adjust the documentation accordingly.
- Allow for binding to privileged ports (if started via systemd).
- Disable TURN support in the example configuration file.
- If the distribution provides an `epmd.service`, make sure eturnal uses it rather than starting its own EPMD instance.
- Don't bind EPMD to 127.0.0.1 by default.
- Only signal readiness to systemd if eturnal's startup actually was successful.
0.8.0 - 2020-07-08
- Support systemd's `notify` startup type.
- Support systemd's service watchdog feature.
- Remove `max_allocations` option from the documentation and from the example configuration. The `stun` application currently ignores this option, and it's not all that useful with ephemeral TURN credentials anyway.
- Don't ignore the `log_level` option when the configuration is reloaded.
0.7.0 - 2020-07-07
- Ship documentation and license with binary release archive.
- Add reference documentation which can be built by calling `rebar3 edoc` within the source directory.
- Allow for starting up eturnal without release boot file by calling a command such as `erl -conf file '"/etc/eturnal.yml"' -s eturnal` (assuming the BEAM files are in the code path).
- Refuse TURN relaying from/to loopback addresses by default.
0.6.0 - 2020-07-02
- Include an example init script for non-systemd platforms.
- Log more (and improved) info and debug level messages.
- Allow for starting up eturnal without configured secret if TURN is disabled.
0.5.0 - 2020-06-30
- Let `eturnalctl version` print the version string of the running release.
- Add an initial version of a test suite.
- Allow non-root users to run the eturnalctl script if they have eturnal's Erlang cookie.
- Make the release directory freely relocatable.
0.4.0 - 2020-06-28
- Fix TURN authentication on Erlang/OTP versions older than 22.1.
0.3.0 - 2020-06-28
- Change systemd service type in order to support systemd versions older than 240.
- Make sure the eturnalctl script can be invoked by the superuser.
- Fix compatibility with Erlang/OTP 21.0, 21.1, and 21.2.
0.2.0 - 2020-06-25
- Add Erlang process ID to log messages.
0.1.0 - 2020-06-24
- Allow for configuring the same (port, transport) combination on different IP addresses.
- Fix parameter expansion in eturnalctl script which prevented eturnal from starting up.
- In the README section that describes building from source, don't forget to mention that rebar3 needs to be made executable.
0.0.1 - 2020-06-23
- Initial (pre-)release of the eturnal STUN/TURN server.