fn_registry/dev/issues/completed/0167-matrix-livekit-stun-leak.md
egutierrez 00c7fc728e chore(issues): close 0167+0168+0169+0170 livekit hardening bundle
VPS commit: 8eef89b (egutierrez/element_matrix_chat)

- 0167: STUN leak fixed (use_external_ip:false + node_ip hardcoded)
- 0168: UDP range expanded 50000-50200 -> 50000-50500
- 0169: API secret rotated (old key LK44e009c6e92b -> new LK5f6b38bb)
- 0170: livekit.example.yaml refreshed + header comments cleaned

Verification:
- 0 STUN packets to Google during restart (tcpdump 60s window)
- Endpoint /livekit/sfu/ HTTP 200
- LiveKit logs: nodeIP=135.125.201.30, portICERange=[50000,50500]
- Containers livekit + livekit-jwt healthy

New secret stored in pass: matrix/livekit-secret-rotation-2026-05-25
2026-05-25 00:44:15 +02:00


| Field | Value |
|---|---|
| id | 0167 |
| title | Eliminate STUN leak to Google in LiveKit (hardcode external_ip) |
| status | pending |
| type | infra |
| domain | matrix |
| scope | app:element_matrix_chat |
| priority | low |
| depends | |
| blocks | |
| related | 0166 |
| created | 2026-05-24 |
| updated | 2026-05-24 |
| tags | matrix, livekit, privacy, stun |

0167 — Eliminate STUN leak to Google in LiveKit (hardcode external_ip)

Status: pending | Created: 2026-05-24 | Type: infra | Priority: low | Domain: matrix | Scope: app:element_matrix_chat | Depends: (none) | Blocks: (none)

Problem

With rtc.use_external_ip: true and external_ip left empty, LiveKit sends a STUN query to stun.l.google.com:19302 on every start to discover its public IP. That leaks server metadata (the VPS IP) to Google and contradicts the "self-host privacy first" premise.

Goal

LiveKit knows its public IP without contacting any external STUN server.

Plan

  1. Determine the VPS public IP: curl -s ifconfig.me.
  2. Edit configs/livekit/livekit.yaml:
    rtc:
      use_external_ip: false
      node_ip: "<IP_PUBLICA>"

  3. If a self-hosted TURN is deployed (issue 0166), use coturn as the STUN server instead.
  4. Restart element_matrix_chat-livekit-1.
  5. Test: calls work exactly as before.
  6. Audit: docker logs element_matrix_chat-livekit-1 | grep -i stun shows no queries to Google.
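The following script is an added example for this issue, not code from the issue file or from LiveKit. It checks offline the two outcomes of plan step 2 (rtc.use_external_ip is false and rtc.node_ip is a literal IPv4 address rather than empty or the <IP_PUBLICA> placeholder) and implements the step 6 / acceptance log audit as a count of lines mentioning stun.l.google.com. The function names check_livekit_rtc and count_google_stun, the LK_DEMO_DIR files, the documentation addresses 203.0.113.10 / 198.51.100.7 and the sample log lines are all constructed here; the parser assumes the flat "rtc:" / "  key: value" layout shown in the plan and is line-oriented, not a full YAML parser.

```shell
#!/bin/sh
# Added example (not from the issue file or LiveKit): verify the hardened
# rtc: section of livekit.yaml and count Google STUN mentions in a log.

# check_livekit_rtc FILE -> 0 if hardened, 1 otherwise (reason on stderr).
check_livekit_rtc() {
    cfg="$1"
    # Keep only the lines of the top-level rtc: block; it ends at the next
    # unindented, non-comment line (the next top-level key).
    rtc_block=$(awk '
        /^rtc:/             { inblk = 1; next }
        inblk && /^[^ \t#]/ { inblk = 0 }
        inblk               { print }
    ' "$cfg")

    use_ext=$(printf '%s\n' "$rtc_block" \
        | sed -n 's/^[[:space:]]*use_external_ip:[[:space:]]*\([a-z]*\).*/\1/p' | head -n 1)
    # Strip optional quotes; a placeholder like <IP_PUBLICA> yields an empty capture.
    node_ip=$(printf '%s\n' "$rtc_block" \
        | sed -n 's/^[[:space:]]*node_ip:[[:space:]]*"\{0,1\}\([0-9.]*\)"\{0,1\}.*/\1/p' | head -n 1)

    if [ "$use_ext" != "false" ]; then
        echo "FAIL: rtc.use_external_ip='${use_ext:-unset}' (external STUN discovery still on)" >&2
        return 1
    fi
    if ! printf '%s' "$node_ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        echo "FAIL: rtc.node_ip='${node_ip:-unset}' is not a literal IPv4 address" >&2
        return 1
    fi
    echo "OK: use_external_ip=false, node_ip=$node_ip"
    return 0
}

# count_google_stun LOGFILE -> number of log lines mentioning the Google STUN
# host (case-insensitive). The acceptance criterion is that this is 0.
count_google_stun() {
    grep -ci 'stun\.l\.google\.com' "$1" || true
}

# Constructed sample inputs (not real captures from the VPS) to exercise the checks.
LK_DEMO_DIR=$(mktemp -d)
# "Before" state from the Problem section: discovery on, external_ip empty.
printf '%s\n' 'port: 7880' 'rtc:' '  use_external_ip: true' '  external_ip: ""' \
    '  port_range_start: 50000' 'keys:' '  devkey: devsecret' > "$LK_DEMO_DIR/before.yaml"
# "After" state from plan step 2 (203.0.113.10 is a documentation address, not the VPS IP).
printf '%s\n' 'port: 7880' 'rtc:' '  use_external_ip: false' '  node_ip: "203.0.113.10"' \
    '  port_range_start: 50000' 'keys:' '  devkey: devsecret' > "$LK_DEMO_DIR/after.yaml"
# Placeholder never replaced: must also be rejected.
printf '%s\n' 'rtc:' '  use_external_ip: false' '  node_ip: "<IP_PUBLICA>"' > "$LK_DEMO_DIR/placeholder.yaml"
# Constructed log excerpts standing in for "docker logs ... | grep -i stun".
printf '%s\n' 'INFO rtc: using STUN server stun.l.google.com:19302 to discover external IP' \
    'INFO node nodeIP=198.51.100.7' > "$LK_DEMO_DIR/before.log"
printf '%s\n' 'INFO node nodeIP=203.0.113.10 portICERange=[50000,50500]' > "$LK_DEMO_DIR/after.log"

check_livekit_rtc "$LK_DEMO_DIR/after.yaml"
check_livekit_rtc "$LK_DEMO_DIR/before.yaml" || echo "(before.yaml rejected as expected)"
check_livekit_rtc "$LK_DEMO_DIR/placeholder.yaml" || echo "(placeholder.yaml rejected as expected)"
echo "Google STUN mentions in after.log: $(count_google_stun "$LK_DEMO_DIR/after.log")"
```

On the VPS the same two functions can be pointed at configs/livekit/livekit.yaml and at a file saved from docker logs element_matrix_chat-livekit-1; a non-zero exit from check_livekit_rtc or a non-zero count from count_google_stun means the Definition of Done is not met yet. The IPv4 check is deliberately strict so that an edited-but-unfilled placeholder fails the same way a missing key does.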

Acceptance

  • tcpdump -i eth0 dst stun.l.google.com captures no packets after the restart.
  • Element Call calls keep working, both 1:1 and group.

Definition of Done

  • Repeatability: reboot the VPS, 0 packets to stun.l.google.com.
  • Observability: the LiveKit log confirms the hardcoded IP.

Notes

Low operational impact but high consistency with the self-host doctrine. If the VPS IP changes (rare with a static VPS), update the config manually or automate it with a healthcheck script.