coturn/man/man1/turnutils.1

.\" Text automatically generated by txt2man
.TH TURN 1 "05 June 2021" "" ""
.SH GENERAL INFORMATION

A set of turnutils_* programs provides some utility functionality to be used
for testing and for setting up the TURN server.
.TP
.B
1.
\fIturnutils_uclient\fP: emulates multiple UDP,TCP,TLS or DTLS clients.
(this program is provided for the testing purposes only !)
The compiled binary image of this program is located in bin/
sub\-directory.
.TP
.B
2.
\fIturnutils_peer\fP: a simple stateless UDP\-only "echo" server,
to be used as the final server in relay pattern ("peer"). For every incoming
UDP packet, it simply echoes it back.
(this program is provided for the testing purposes only !)
When the test clients are communicating in the client\-to\-client manner
(when the "\fIturnutils_uclient\fP" program is used with "\fB\-y\fP" option) then the
\fIturnutils_peer\fP is not needed.
.PP
The compiled binary image of this program is located in bin/ subdirectory.
.TP
.B
3.
\fIturnutils_stunclient\fP: a simple STUN client example.
The compiled binary image of this program is located in bin/ subdirectory.
.TP
.B
4.
\fIturnutils_rfc5769check\fP: a utility that checks the correctness of the
STUN/TURN protocol implementation. This utility is used only for the compilation
check procedure, it is not copied to the installation destination.
.PP
In the "examples/scripts" subdirectory, you will find the examples of command lines to be used
to run the programs. The scripts are meant to be run from examples/ subdirectory, for example:
.PP
$ cd examples
.PP
$ ./scripts/secure_relay.sh
.TP
.B
5.
\fIturnutils_natdiscovery\fP: a utility that provides NAT behavior discovery
according RFC5780. This utility discovers the actual NAT Mapping and Filtering
behavior, etc. Be aware that on TURN server side two different listening IP
addresses should be configured to be able to work properly!
.TP
.B
6.
\fIturnutils_oauth\fP: a utility that provides OAuth access_token
\fBgeneration\fP(AEAD encryption), validation and decryption. This utility inputs
all the keys and lifetimes and any related information that needed for
creation and validationi of an access_token. It outputs a JSON with all OAuth
PoP parameters that need to pass to the client. Output is generated accoriding
RFC7635 Appendix B, Figure 8.
.PP
For more details, and for the access_token structure, read rfc7635, and see
script in examples/scripts/oauth.sh.
.RE
.PP

.SH =====================================

.SS  NAME
\fB
\fBturnutils_uclient \fP\- this client emulation application is supplied for the test purposes only.
\fB
.SS  SYNOPSIS
.nf
.fam C

$ \fIturnutils_uclient\fP [\fB\-tTSvsyhcxg\fP] [\fIoptions\fP] <TURN\-Server\-IP\-address>

.fam T
.fi
.fam T
.fi
.SS  DESCRIPTION

It was designed to simulate multiple clients. It uses asynch IO API in
libevent to handle multiple clients. A client connects to the relay,
negotiates the session, and sends multiple (configured number) messages to the server (relay),
expecting the same number of replies. The length of the messages is configurable.
The message is an arbitrary octet stream.
The number of the messages to send is configurable.
.PP
Flags:
.TP
.B
\fB\-t\fP
Use TCP for communications between client and TURN server (default is UDP).
.TP
.B
\fB\-b\fP
Use SCTP for communications between client and TURN server (default is UDP).
.TP
.B
\fB\-T\fP
Use TCP for the relay transport (default \- UDP). Implies \fIoptions\fP \fB\-t\fP, \fB\-y\fP, \fB\-c\fP,
and ignores flags and \fIoptions\fP \fB\-s\fP, \fB\-e\fP, \fB\-r\fP and \fB\-g\fP. Can be used together
with \fB\-b\fP.
.TP
.B
\fB\-P\fP
Passive TCP (RFC6062 with active peer). Implies \fB\-T\fP.
.TP
.B
\fB\-S\fP
Secure SSL connection: SSL/TLS for TCP, DTLS for UDP, TLS/SCTP for SCTP.
.TP
.B
\fB\-U\fP
Secure unencrypted connection (suite eNULL): SSL/TLS for TCP, DTLS for UDP.
.TP
.B
\fB\-v\fP
Verbose.
.TP
.B
\fB\-s\fP
Use "Send" method in TURN; by default, it uses TURN Channels.
.TP
.B
\fB\-y\fP
Use client\-to\-client connections:
RTP/RTCP pair of channels to another RTP/RTCP pair of channels.
with this option the \fIturnutils_peer\fP application is not used,
as the allocated relay endpoints are talking to each other.
.TP
.B
\fB\-h\fP
Hang on indefinitely after the last sent packet.
.TP
.B
\fB\-c\fP
Do not create rtcp connections.
.TP
.B
\fB\-x\fP
Request IPv6 relay address (RFC6156).
.TP
.B
\fB\-X\fP
IPv4 relay address explicitly requested.
.TP
.B
\fB\-g\fP
Set DONT_FRAGMENT parameter in TURN requests.
.TP
.B
\fB\-D\fP
Do mandatory channel padding even for UDP (like pjnath).
.TP
.B
\fB\-N\fP
do negative tests (some limited cases only).
.TP
.B
\fB\-R\fP
do negative protocol tests.
.TP
.B
\fB\-O\fP
DOS attack mode.
.TP
.B
\fB\-M\fP
Use TURN ICE Mobility.
.TP
.B
\fB\-I\fP
Do not set permissions on TURN relay endpoints
(for testing the non\-standard server relay functionality).
.TP
.B
\fB\-G\fP
Generate extra requests (create permissions, channel bind).
.TP
.B
\fB\-B\fP
Random disconnect after a few initial packets.
.TP
.B
\fB\-Z\fP
Dual allocation (SSODA). Implies \fB\-c\fP option.
.TP
.B
\fB\-J\fP
Use oAuth with default test key kid='north'.
.PP
Options with required values:
.TP
.B
\fB\-l\fP
Message length (Default: 100 Bytes).
.TP
.B
\fB\-i\fP
Certificate file (for secure connections only, optional).
.TP
.B
\fB\-k\fP
Private key file (for secure connections only).
.TP
.B
\fB\-E\fP
CA file for server certificate verification,
if the server certificate to be verified.
.TP
.B
\fB\-p\fP
\fBTURN Server\fP port (Defaults: 3478 unsecure, 5349 secure).
.TP
.B
\fB\-n\fP
Number of messages to send (Default: 5).
.TP
.B
\fB\-d\fP
Local interface device (optional, Linux only).
.TP
.B
\fB\-L\fP
Local IP address (optional).
.TP
.B
\fB\-m\fP
Number of clients (Default: 1, 2 or 4, depending on \fIoptions\fP).
.TP
.B
\fB\-e\fP
Peer address.
.TP
.B
\fB\-r\fP
Peer port (Default: 3480).
.TP
.B
\fB\-z\fP
Per\-session packet interval in milliseconds (Default: 20).
.TP
.B
\fB\-u\fP
STUN/TURN user name.
.TP
.B
\fB\-w\fP
STUN/TURN user password.
.TP
.B
\fB\-W\fP
TURN REST API secret. The "plain text" secret e.g. "north"
that is stored in the value column of the turn_secret
table in the database if dynamic, or the static\-auth\-secret
value set in the configuration file if using static.
.TP
.B
\fB\-C\fP
This is the timestamp/username separator symbol (character) in
TURN REST API. The default value is :.
.TP
.B
\fB\-F\fP
Cipher suite for TLS/DTLS. Default value is DEFAULT.
.TP
.B
\fB\-o\fP
the ORIGIN STUN attribute value.
.TP
.B
\fB\-a\fP
Bandwidth for the bandwidth request in ALLOCATE. The default value is zero.
.PP
See the examples in the "examples/scripts" directory.
.SH ======================================

.SS  NAME
\fB
\fBturnutils_peer \fP\- a simple UDP\-only echo backend server.
\fB
.SS  SYNOPSIS
.nf
.fam C

$ \fIturnutils_peer\fP [\fB\-v\fP] [\fIoptions\fP]

.fam T
.fi
.fam T
.fi
.SS  DESCRIPTION

This application is used for the test purposes only, as a peer for the \fIturnutils_uclient\fP application.
.PP
Options with required values:
.TP
.B
\fB\-p\fP
Listening UDP port (Default: 3480).
.TP
.B
\fB\-d\fP
Listening interface device (optional)
.TP
.B
\fB\-L\fP
Listening address of \fIturnutils_peer\fP server. Multiple listening addresses can be used, IPv4 and IPv6.
If no listener \fBaddress\fP(es) defined, then it listens on all IPv4 and IPv6 addresses.
.TP
.B
\fB\-v\fP
Verbose
.SH ========================================

.SS  NAME
\fB
\fBturnutils_stunclient \fP\- a basic STUN client.
\fB
.SS  SYNOPSIS
.nf
.fam C

$ \fIturnutils_stunclient\fP [\fIoptions\fP] <STUN\-Server\-IP\-address>

.fam T
.fi
.fam T
.fi
.SS  DESCRIPTION

It sends a "new" STUN RFC 5389 request (over UDP) and shows the reply information.
.PP
Options with required values:
.TP
.B
\fB\-p\fP
STUN server port (Default: 3478).
.TP
.B
\fB\-L\fP
Local address to use (optional).
.TP
.B
\fB\-f\fP
Force RFC 5780 processing.
.PP
The \fIturnutils_stunclient\fP program checks the results of the first request,
and if it finds that the STUN server supports RFC 5780
(the binding response reveals that) then the \fIturnutils_stunclient\fP makes a couple more
requests with different parameters, to demonstrate the NAT discovery capabilities.
.PP
This utility does not support the "old" "classic" STUN protocol (RFC 3489).
.SH =====================================

.SS  NAME
\fB
\fBturnutils_rfc5769check \fP\- a utility that tests the correctness of STUN protocol implementation.
\fB
.SS  SYNOPSIS
.nf
.fam C

$ \fIturnutils_rfc5769check\fP

.fam T
.fi
.fam T
.fi
.SS  DESCRIPTION

\fIturnutils_rfc5769check\fP tests the correctness of STUN protocol implementation
against the test vectors predefined in RFC 5769 and prints the results of the
tests on the screen. This utility is used only for the compilation
check procedure, it is not copied to the installation destination.
.PP
Usage:
.PP
$ \fIturnutils_rfc5769check\fP
.SH =====================================

.SS  NAME
\fB
\fBturnutils_natdiscovery \fP\- a utility that discovers NAT mapping and filtering
\fBbehavior according RFC5780.
\fB
.SS  SYNOPSIS
.nf
.fam C

$ \fIturnutils_natdiscovery\fP [\fIoptions\fP] <STUN\-Server\-FQDN\-or\-IP\-address>

.fam T
.fi
.fam T
.fi
.SS  DESCRIPTION

\fIturnutils_natdiscovery\fP discovers the NAT Mapping and Filtering behavior, to
determine if that NAT is currently using Endpoint\-Independent,
Address\-Dependent, or Address and Port\-Dependent Mapping and/or to determine if
that NAT is currently using Endpoint\-Independent, Address\-Dependent, or Address
and Port\-Dependent Filtering.
.PP
Use either \fB\-m\fP, \fB\-f\fP, \fB\-c\fP, \fB\-H\fP flag to discover NAT behavior.
.PP
Flags:
.TP
.B
\fB\-m\fP
NAT mapping behavior discovery
.TP
.B
\fB\-f\fP
NAT filtering behavior discovery
.TP
.B
\fB\-t\fP
NAT mapping lifetime behavior discovery
Requires a timer (\fB\-T\fP)
.TP
.B
\fB\-c\fP
NAT collision behavior discovery
.TP
.B
\fB\-H\fP
NAT hairpinning behavior discovery
.TP
.B
\fB\-P\fP
Add 1500 byte Padding to the behavior discovery
Applicable with all except NAT mapping Lifetime discovery
.PP
Options with required values:
.TP
.B
\fB\-p\fP
STUN server port (Default: 3478)
.TP
.B
\fB\-L\fP
Local address to use (optional)
.TP
.B
\fB\-l\fP
Local port to use (use with \fB\-L\fP)
.TP
.B
\fB\-A\fP
Secondary Local address (optional)
Required for collision discovery
.TP
.B
\fB\-T\fP
Mapping lifetime timer (sec)
Used by mapping lifetime behavior discovery
.PP
Usage:
.PP
$ \fIturnutils_natdiscovery\fP \fB\-m\fP \fB\-f\fP stun.example.com
.SH =====================================

.SS  NAME
\fB
\fBturnutils_oauth \fP\- a utility that helps OAuth access_token generation/encryption and validation/decyption
\fB
.SS  SYNOPSIS
.nf
.fam C

$ \fIturnutils_oauth\fP [\fIoptions\fP]

.fam T
.fi
.fam T
.fi
.SS  DESCRIPTION

\fIturnutils_oauth\fP utility provides help in OAuth access_token encryption and/or
decryption with AEAD (Atuthenticated Encryption with Associated Data). It helps
for an Auth Server in access_token creation, and also for debugging purposes it
helps the access_token validation and decryption. This utility inputs all the
keys and lifetimes and any related information that are needed for encryption
or decryption of an access_token. It outputs a JSON with all OAuth PoP
parameters that need to pass to the client. Output is generated accoriding
RFC7635 Appendix B, Figure 8. This utility could help to build an Auth Server
service, but be awere that this utility does not generate "session key" /
"mac_key" and not verifies lifetime of "session key" / "mac_key" or "Auth key".
For more details, and for the access_token structure, read rfc7635, and see
the example in examples/scripts/oauth.sh.
.PP
Use either \fB\-e\fP and/or \fB\-d\fP flag to encrypt or decrypt access_token.
.PP
Flags:
.TP
.B
\fB\-h\fP, \fB\-\-help\fP
usage
.TP
.B
\fB\-v\fP, \fB\-\-verbose\fP
verbose mode
.TP
.B
\fB\-e\fP, \fB\-\-encrypt\fP
encrypt token
.TP
.B
\fB\-d\fP, \fB\-\-decrypt\fP
decrypt validate token
.PP
Options with required values:
.TP
.B
\fB\-i\fP, \fB\-\-server\-name\fP
server name (max. 255 char)
.TP
.B
\fB\-j\fP, \fB\-\-auth\-key\-id\fP
Auth key id (max. 32 char)
.TP
.B
\fB\-k\fP, \fB\-\-auth\-key\fP
base64 encoded Auth key
.TP
.B
\fB\-l\fP
\fB\-\-auth\-key\-timestamp\fP       Auth key timestamp (sec since epoch)
.TP
.B
\fB\-m\fP, \fB\-\-auth\-key\-lifetime\fP
Auth key lifetime in sec
.TP
.B
\fB\-n\fP, \fB\-\-auth\-key\-as\-rs\-alg\fP
Authorization \fBServer\fP(AS) \- Resource \fBServer\fP(RS) encryption algorithm
.TP
.B
\fB\-o\fP, \fB\-\-token\-nonce\fP
base64 encoded nonce \fBbase64\fP(12 octet) = 16 char
.TP
.B
\fB\-p\fP, \fB\-\-token\-mac\-key\fP
base64 encoded MAC key \fBbase64\fP(32 octet) = 44 char
.TP
.B
\fB\-q\fP, \fB\-\-token\-timestamp\fP
timestamp in format 64 bit unsigned (Native format \- Unix),
so 48 bit for secs since epoch UTC + 16 bit for 1/64000 fractions of a second.
e.g.: the actual unixtimestamp 16 bit left shifted. (Default: actual gmtime)
.TP
.B
\fB\-r\fP, \fB\-\-token\-lifetime\fP
lifetime in sec (Default: 3600)
.TP
.B
\fB\-t\fP, \fB\-\-token\fP
base64 encoded encrypted token for validation and decryption
.TP
.B
\fB\-u\fP, \fB\-\-hmac\-alg\fP
stun client hmac algorithm
.PP
Usage:
.PP
$ \fIturnutils_natdiscovery\fP
.SH ===================================

.SH DOCS

After installation, run the command:
.PP
$ man \fIturnutils\fP
.PP
or in the project root directory:
.PP
$ man \fB\-M\fP man \fIturnutils\fP
.PP
to see the man page.
.SH =====================================

.SH FILES

/etc/turnserver.conf
.PP
/var/db/turndb
.PP
/usr/local/var/db/turndb
.PP
/var/lib/turn/turndb
.PP
/usr/local/etc/turnserver.conf
.SH =================================

.SH DIRECTORIES

/usr/local/share/\fIturnserver\fP
.PP
/usr/local/share/doc/\fIturnserver\fP
.PP
/usr/local/share/examples/\fIturnserver\fP
.SH ===================================

.SH STANDARDS

new STUN RFC 5389
.SH TURN RFC 5766

TURN\-TCP extension RFC 6062
.PP
TURN IPv6 extension RFC 6156
.PP
STUN/TURN test vectors RFC 5769
.PP
STUN NAT behavior discovery RFC 5780
.SH ====================================

.SH SEE ALSO

\fIturnserver\fP, \fIturnadmin\fP
.SH ======================================

.SS  WEB RESOURCES

project page:
.PP
https://github.com/coturn/coturn/
.PP
Wiki page:
.PP
https://github.com/coturn/coturn/wiki
.PP
forum:
.PP
https://groups.google.com/forum/?fromgroups=#!forum/turn\-server\-project\-rfc5766\-turn\-server/
.SH ======================================

.SS  AUTHORS

See the AUTHORS.md file in the coturn source distribution.