
Re-enable STUN/UDP by default so that old Element mobile clients can work

Partially reverts ac26cc1cb0.

The configurability introduced there is still available, so people can
easily disable this, if necessary.
pull/4095/head
Slavi Pantaleev 1 year ago
Parent
Current commit
0d137db283
3 files changed, 29 insertions and 2 deletions
  1. CHANGELOG.md (+25, -0)
  2. docs/prerequisites.md (+1, -0)
  3. roles/custom/matrix-coturn/defaults/main.yml (+3, -2)

CHANGELOG.md (+25, -0) View file

@@ -1,3 +1,28 @@
# 2025-02-23

## The playbook defaults to exposing the Coturn STUN port (3478) over UDP once again

Recently, we made the playbook [default to exposing the Coturn STUN port (3478) only over TCP](#the-playbook-now-defaults-to-exposing-the-coturn-stun-port-3478-only-over-tcp) to reduce the severity of DDoS amplification/reflection attacks.

It seems like old Element clients on mobile devices only support talking to the STUN port over UDP, not TCP.
To accommodate such ancient clients, we're now **reversing this change** and **defaulting to exposing the Coturn STUN port (3478) over UDP once again**.

In light of this new information, you have 2 options:

1. **If you already adapted to the previous change and would like to adapt to this change one again**:

- make sure the `3478/udp` port is whitelisted in your external firewall (if you have one) once again.

2. **If you don't care about old Element clients and wish to reduce the severity of DDoS amplification/reflection attacks**:

- Consider closing the STUN/UDP port with the following configuration:

```yaml
matrix_coturn_container_stun_plain_host_bind_port_udp: ""
```

- Consider keeping `3478/udp` blocked in your external firewall (if you have one)

# 2025-02-21

## Docker daemon options are no longer adjusted when IPv6 is enabled
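Review bot: typo in the heading of option 1, "adapt to this change one again" should read "once again". It would also help readers of option 1 to name the default being restored, `matrix_coturn_container_stun_plain_host_bind_port_udp`, so they can check what value the playbook now sets; option 2 already shows the empty-string override for closing the port, which is fine.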


docs/prerequisites.md (+1, -0) View file

@@ -60,6 +60,7 @@ We will be using `example.com` as the domain in the following instruction. Pleas
- `80/tcp`: HTTP webserver
- `443/tcp` and `443/udp`: HTTPS webserver
- `3478/tcp`: STUN/TURN over TCP (used by [coturn](./docs/configuring-playbook-turn.md))
- `3478/udp`: STUN/TURN over TCP (used by [coturn](./docs/configuring-playbook-turn.md))
- `5349/tcp`: TURN over TCP (used by [coturn](./docs/configuring-playbook-turn.md))
- `5349/udp`: TURN over UDP (used by [coturn](./docs/configuring-playbook-turn.md))
- `8448/tcp` and `8448/udp`: Matrix Federation API HTTPS webserver. Some components like [Matrix User Verification Service](configuring-playbook-user-verification-service.md#open-matrix-federation-port) require this port to be opened **even with federation disabled**.
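Review bot: the newly added `3478/udp` entry describes the port as "STUN/TURN over TCP"; it should say "over UDP" to match the neighbouring `5349/udp` entry and the purpose of this change, e.g. `- \`3478/udp\`: STUN/TURN over UDP (used by [coturn](./docs/configuring-playbook-turn.md))`.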


roles/custom/matrix-coturn/defaults/main.yml (+3, -2) View file

@@ -60,9 +60,10 @@ matrix_coturn_container_stun_plain_host_bind_port_tcp: "{{ '3478' if matrix_cotu
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:3478"), or empty string to not expose.
#
# This is not done by default to decrease the risk of DDoS amplification attacks.
# Ideally, we'd like to set this to "" to avoid exposing this port and decrease the risk of DDoS amplification attacks.
# See: https://stormwall.network/resources/blog/protect-against-ddos-based-on-stun-exploit
matrix_coturn_container_stun_plain_host_bind_port_udp: ""
# In practice, old Element clients only support talking to the STUN port over UDP, not TCP, so we need to keep this enabled for now.
matrix_coturn_container_stun_plain_host_bind_port_udp: "{{ '3478' if matrix_coturn_container_network != 'host' else '' }}"

# Controls whether the coturn container exposes its TLS STUN port (tcp/5349 in the container) over TCP.
#
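Review bot: the comment block above the new default now contradicts itself. The line "This is not done by default to decrease the risk of DDoS amplification attacks." is kept unchanged while the default directly below it re-enables UDP exposure (`'3478' if matrix_coturn_container_network != 'host' else ''`). Remove or rewrite that sentence so only the "Ideally, we'd like to set this to ''…" rationale and the new "In practice, old Element clients…" explanation remain; otherwise an operator reading the defaults will conclude the UDP port is closed when it is open.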

