From fd80c4167349a7761eed4cca071c4515448aa74d Mon Sep 17 00:00:00 2001 From: cruizba Date: Tue, 24 Mar 2026 15:20:46 +0100 Subject: [PATCH] openvidu-deployment: pro - improve turn security --- .../enterprise-ha/docker-compose/node/docker-compose.yml | 1 + openvidu-server/deployments/enterprise/docker-compose/.env | 4 ++-- .../deployments/enterprise/docker-compose/docker-compose.yml | 1 + .../pro/docker-compose/mono-node/docker-compose.yml | 4 ++++ .../deployments/pro/docker-compose/openvidu-server-pro/.env | 4 ++-- .../pro/docker-compose/openvidu-server-pro/docker-compose.yml | 1 + 6 files changed, 11 insertions(+), 4 deletions(-) diff --git a/openvidu-server/deployments/enterprise-ha/docker-compose/node/docker-compose.yml b/openvidu-server/deployments/enterprise-ha/docker-compose/node/docker-compose.yml index 1c5c6022e..6e3fd0058 100644 --- a/openvidu-server/deployments/enterprise-ha/docker-compose/node/docker-compose.yml +++ b/openvidu-server/deployments/enterprise-ha/docker-compose/node/docker-compose.yml @@ -123,6 +123,7 @@ services: - --verbose - --use-auth-secret - --static-auth-secret=$${COTURN_SHARED_SECRET_KEY} + - --no-tcp-relay logging: options: max-size: "${DOCKER_LOGS_MAX_SIZE:-100M}" diff --git a/openvidu-server/deployments/enterprise/docker-compose/.env b/openvidu-server/deployments/enterprise/docker-compose/.env index c9fd6d355..4ee0b2793 100644 --- a/openvidu-server/deployments/enterprise/docker-compose/.env +++ b/openvidu-server/deployments/enterprise/docker-compose/.env @@ -402,8 +402,8 @@ OPENVIDU_PRO_COTURN_IN_MEDIA_NODES=false # TURN traffic through internal network # -------------------------- # Wether to route TURN traffic through the internal network -# Default value is COTURN_INTERNAL_RELAY=true -COTURN_INTERNAL_RELAY=true +# Default value is COTURN_INTERNAL_RELAY=false +COTURN_INTERNAL_RELAY=false # Private Docker registries for custom images 
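Review bot: `--no-tcp-relay` only removes TCP relay endpoints, so UDP relay is untouched, and no `--denied-peer-ip` rule is visible in this command list. Whether an authenticated client can still relay UDP to private or link-local addresses therefore depends on configuration outside the hunk, presumably the image entrypoint, and that is worth confirming. A comment above the flag would record the intent, for example `# No TCP relay endpoints (RFC 6062); clients can still reach TURN over TCP/TLS`. The same one-line addition is made in enterprise/docker-compose/docker-compose.yml, pro/docker-compose/mono-node/docker-compose.yml and pro/docker-compose/openvidu-server-pro/docker-compose.yml, and in each case the command list starts outside the hunk.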
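Review bot: The comment above `COTURN_INTERNAL_RELAY` does not say what changes when the value is `false` or why that is now the default, yet operators will read this file when deciding whether to flip it back. An upgrade that keeps an existing `.env` will presumably keep `COTURN_INTERNAL_RELAY=true`, so the new default may reach only fresh installs unless the upgrade notes call it out. Suggest rewording the context line to something like `# Whether to route TURN traffic through the internal network (off by default so the relay does not reach private addresses)`, if that is the intent; this also fixes the `Wether` typo. The same hunk is repeated in pro/docker-compose/openvidu-server-pro/.env.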
diff --git a/openvidu-server/deployments/enterprise/docker-compose/docker-compose.yml b/openvidu-server/deployments/enterprise/docker-compose/docker-compose.yml index ad1057d2f..4dd6c0370 100644 --- a/openvidu-server/deployments/enterprise/docker-compose/docker-compose.yml +++ b/openvidu-server/deployments/enterprise/docker-compose/docker-compose.yml @@ -107,6 +107,7 @@ services: - --verbose - --use-auth-secret - --static-auth-secret=$${COTURN_SHARED_SECRET_KEY} + - --no-tcp-relay logging: options: max-size: "${DOCKER_LOGS_MAX_SIZE:-100M}" diff --git a/openvidu-server/deployments/pro/docker-compose/mono-node/docker-compose.yml b/openvidu-server/deployments/pro/docker-compose/mono-node/docker-compose.yml index a5f4a7df0..0f170c330 100644 --- a/openvidu-server/deployments/pro/docker-compose/mono-node/docker-compose.yml +++ b/openvidu-server/deployments/pro/docker-compose/mono-node/docker-compose.yml @@ -60,6 +60,8 @@ services: coturn: image: openvidu/openvidu-coturn:2.32.1 restart: on-failure + extra_hosts: + - "host.docker.internal:host-gateway" env_file: - .env ports: @@ -80,6 +82,8 @@ services: - --verbose - --use-auth-secret - --static-auth-secret=$${COTURN_SHARED_SECRET_KEY} + - --no-tcp-relay + - --allowed-peer-ip=$$(discover-host-internal-ip.sh) logging: options: max-size: "${DOCKER_LOGS_MAX_SIZE:-100M}" diff --git a/openvidu-server/deployments/pro/docker-compose/openvidu-server-pro/.env b/openvidu-server/deployments/pro/docker-compose/openvidu-server-pro/.env index d0d297798..3bad84247 100644 --- a/openvidu-server/deployments/pro/docker-compose/openvidu-server-pro/.env +++ b/openvidu-server/deployments/pro/docker-compose/openvidu-server-pro/.env 
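Review bot: In coturn `--allowed-peer-ip` is an exception to `--denied-peer-ip` rules rather than a standalone allowlist, and no deny rule is visible in the mono-node command list, so on its own the added line may not restrict which peers can be relayed to. If the deny ranges are set by the image entrypoint, say so in a comment such as `# Exception to the entrypoint's denied-peer-ip ranges: host internal IP only`; otherwise the deny ranges need to be added next to it. The value comes from `$$(discover-host-internal-ip.sh)`, so if that script is missing from the pinned `openvidu/openvidu-coturn:2.32.1` image or prints nothing, the option is passed empty, and the entrypoint should fail fast in that case. The first hunk of this file adds the `host.docker.internal:host-gateway` mapping that the script presumably relies on, which needs Docker Engine 20.10 or later.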
@@ -398,8 +398,8 @@ OPENVIDU_PRO_COTURN_IN_MEDIA_NODES=false # TURN traffic through internal network # -------------------------- # Wether to route TURN traffic through the internal network -# Default value is COTURN_INTERNAL_RELAY=true -COTURN_INTERNAL_RELAY=true +# Default value is COTURN_INTERNAL_RELAY=false +COTURN_INTERNAL_RELAY=false # Private Docker registries for custom images # -------------------------- diff --git a/openvidu-server/deployments/pro/docker-compose/openvidu-server-pro/docker-compose.yml b/openvidu-server/deployments/pro/docker-compose/openvidu-server-pro/docker-compose.yml index 0ed7a2bcd..352f71f0e 100644 --- a/openvidu-server/deployments/pro/docker-compose/openvidu-server-pro/docker-compose.yml +++ b/openvidu-server/deployments/pro/docker-compose/openvidu-server-pro/docker-compose.yml @@ -74,6 +74,7 @@ services: - --verbose - --use-auth-secret - --static-auth-secret=$${COTURN_SHARED_SECRET_KEY} + - --no-tcp-relay logging: options: max-size: "${DOCKER_LOGS_MAX_SIZE:-100M}"