fn_registry/dev/issues/0167-matrix-livekit-stun-leak.md
egutierrez 1cbbad9ff9 feat(matrix): 4 synapse quick wins applied + 6 follow-up issues
Server-side homeserver.yaml on organic-machine VPS:
- encryption_enabled_by_default_for_room_type: invite -> all
- presence.enabled: false (block EDU metadata leak)
- url_preview_enabled: false (block SSRF + IP leak)
- msc4108 rendezvous endpoint uncommented (QR login)

Synapse restarted, /versions shows e2ee_forced.* + msc4108 unstable
features active. Backup at synapse_data/homeserver.yaml.bak.1779659423.

Issues opened for remaining gaps:
- 0165 LUKS for media_store (at-rest encryption)
- 0166 LiveKit TURN deploy (NAT traversal gap)
- 0167 STUN leak to Google (hardcode external_ip)
- 0168 UDP range expand 200 -> 500
- 0169 LIVEKIT_SECRET rotation (audit exposure)
- 0170 livekit.example.yaml rename hygiene

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-24 23:53:37 +02:00

id: 0167
title: Eliminate STUN leak to Google in LiveKit (hardcode external_ip)
status: pending
type: infra
domain: matrix
scope: app:element_matrix_chat
priority: low
depends:
blocks:
related: 0166
created: 2026-05-24
updated: 2026-05-24
tags: matrix, livekit, privacy, stun

0167 — Eliminate STUN leak to Google in LiveKit (hardcode external_ip)

Status: pending Created: 2026-05-24 Type: infra Priority: low Domain: matrix Scope: app:element_matrix_chat Depends: Blocks:

Problem

rtc.use_external_ip: true with an empty external_ip → at every start LiveKit sends a STUN query to stun.l.google.com:19302 to discover its public IP. This leaks server metadata (the VPS IP) to Google and contradicts the "self-host privacy first" premise.

Objective

LiveKit knows its public IP without contacting external STUN servers.

Plan

  1. Determine the VPS public IP: curl -s ifconfig.me.
  2. Edit configs/livekit/livekit.yaml:
     rtc:
       use_external_ip: false
       node_ip: "<IP_PUBLICA>"

  3. If our own TURN is deployed (issue 0166), use coturn as our own STUN server.
  4. Restart element_matrix_chat-livekit-1.
  5. Test: calls work as before.
  6. Audit: docker logs element_matrix_chat-livekit-1 | grep -i stun shows no queries to Google.
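As an added example (not part of the issue or the repository), a POSIX sh preflight check covering plan steps 2 and 6: it reads the rtc block of a livekit.yaml, accepts only use_external_ip: false together with a literal IPv4 node_ip, and scans a log excerpt for the Google STUN host. The two-space YAML layout, the temp-file paths and the sample configs and log line are constructed assumptions, not files from the deployment.

```sh
#!/bin/sh
# Preflight check for the rtc block of configs/livekit/livekit.yaml: passes only
# when use_external_ip is false and node_ip is a literal IPv4 address, i.e. the
# state in which LiveKit has no reason to contact stun.l.google.com.
# Assumes a two-space-indented rtc block with one "key: value" per line.

# Print the value of KEY inside the rtc block, quotes stripped. Usage: rtc_value FILE KEY
rtc_value() {
    awk -v key="$2" '
        /^rtc:/                   { in_rtc = 1; next }
        in_rtc && /^[^ ]/         { in_rtc = 0 }
        in_rtc && $1 == (key ":") { gsub(/"/, "", $2); print $2; exit }
    ' "$1"
}

# 0 when the config pins the public IP, 1 otherwise (including the unfilled
# "<IP_PUBLICA>" placeholder, which is not a valid address).
check_livekit_rtc() {
    ext=$(rtc_value "$1" use_external_ip)
    ip=$(rtc_value "$1" node_ip)
    [ "$ext" = "false" ] || return 1
    printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# 0 when a LiveKit log excerpt mentions no Google STUN host (plan step 6 as a function).
no_google_stun() {
    ! grep -qi 'stun\.l\.google\.com' "$1"
}

# Constructed samples (not real deployment files): the leaky default and the fix.
BAD_CFG=$(mktemp); GOOD_CFG=$(mktemp); LOG=$(mktemp)
cat > "$BAD_CFG" <<'EOF'
rtc:
  use_external_ip: true
  node_ip: "<IP_PUBLICA>"
EOF
cat > "$GOOD_CFG" <<'EOF'
rtc:
  use_external_ip: false
  node_ip: "203.0.113.10"
EOF
printf 'INFO livekit rtc using node_ip 203.0.113.10\n' > "$LOG"

if check_livekit_rtc "$GOOD_CFG" && no_google_stun "$LOG"; then
    echo "rtc config pins the public IP and the log shows no Google STUN lookups"
fi
check_livekit_rtc "$BAD_CFG" || echo "default config would still leak the VPS IP via STUN"
```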

Acceptance

  • tcpdump -i eth0 dst stun.l.google.com captures no packets after the restart.
  • Element Call calls keep working, both 1:1 and group.

Definition of Done

  • Repeatability: reboot the VPS, 0 packets to stun.l.google.com.
  • Observability: the LiveKit log confirms the hardcoded IP.

Notes

Low operational impact, but high consistency with the self-host doctrine. If the VPS IP changes (rare with a static VPS), update the config manually or automate it with a healthcheck script.