From 428d6b6822731acc42549ac5b5bb4752b5182bfa Mon Sep 17 00:00:00 2001
From: Frank Wall <fw@moov.de>
Date: Wed, 22 Jan 2025 12:09:25 +0100
Subject: [PATCH] new plugin: net/turnserver, closes #4473

based on devel/helloworld plugin
---
 net/turnserver/Makefile                       |   7 +
 net/turnserver/pkg-descr                      |   4 +
 .../src/etc/inc/plugins.inc.d/turnserver.inc  |  71 ++++++++++
 .../Turnserver/Api/ServiceController.php      |  42 ++++++
 .../Turnserver/Api/SettingsController.php     |  44 ++++++
 .../OPNsense/Turnserver/IndexController.php   |  47 +++++++
 .../OPNsense/Turnserver/forms/settings.xml    | 127 ++++++++++++++++++
 .../models/OPNsense/Turnserver/ACL/ACL.xml    |   9 ++
 .../models/OPNsense/Turnserver/Menu/Menu.xml  |   5 +
 .../models/OPNsense/Turnserver/Turnserver.php |  53 ++++++++
 .../models/OPNsense/Turnserver/Turnserver.xml |  97 +++++++++++++
 .../app/views/OPNsense/Turnserver/index.volt  |  57 ++++++++
 .../OPNsense/Turnserver/export_certs.php      |  61 +++++++++
 .../scripts/OPNsense/Turnserver/setup.sh      |   3 +
 .../conf/actions.d/actions_turnserver.conf    |  26 ++++
 .../templates/OPNsense/Turnserver/+TARGETS    |   2 +
 .../templates/OPNsense/Turnserver/rc.conf.d   |   5 +
 .../OPNsense/Turnserver/turnserver.conf       |  60 +++++++++
 18 files changed, 720 insertions(+)
 create mode 100644 net/turnserver/Makefile
 create mode 100644 net/turnserver/pkg-descr
 create mode 100644 net/turnserver/src/etc/inc/plugins.inc.d/turnserver.inc
 create mode 100644 net/turnserver/src/opnsense/mvc/app/controllers/OPNsense/Turnserver/Api/ServiceController.php
 create mode 100644 net/turnserver/src/opnsense/mvc/app/controllers/OPNsense/Turnserver/Api/SettingsController.php
 create mode 100644 net/turnserver/src/opnsense/mvc/app/controllers/OPNsense/Turnserver/IndexController.php
 create mode 100644 net/turnserver/src/opnsense/mvc/app/controllers/OPNsense/Turnserver/forms/settings.xml
 create mode 100644 net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/ACL/ACL.xml
 create mode 100644 net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/Menu/Menu.xml
 create mode 100644 net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/Turnserver.php
 create mode 100644 net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/Turnserver.xml
 create mode 100644 net/turnserver/src/opnsense/mvc/app/views/OPNsense/Turnserver/index.volt
 create mode 100755 net/turnserver/src/opnsense/scripts/OPNsense/Turnserver/export_certs.php
 create mode 100755 net/turnserver/src/opnsense/scripts/OPNsense/Turnserver/setup.sh
 create mode 100644 net/turnserver/src/opnsense/service/conf/actions.d/actions_turnserver.conf
 create mode 100644 net/turnserver/src/opnsense/service/templates/OPNsense/Turnserver/+TARGETS
 create mode 100644 net/turnserver/src/opnsense/service/templates/OPNsense/Turnserver/rc.conf.d
 create mode 100644 net/turnserver/src/opnsense/service/templates/OPNsense/Turnserver/turnserver.conf

diff --git a/net/turnserver/Makefile b/net/turnserver/Makefile
new file mode 100644
index 0000000000..dfe3b1ce6e
--- /dev/null
+++ b/net/turnserver/Makefile
@@ -0,0 +1,7 @@
+PLUGIN_NAME=		turnserver
+PLUGIN_VERSION=		1.0
+PLUGIN_COMMENT=		The coturn STUN/TURN Server
+PLUGIN_DEPENDS=		turnserver
+PLUGIN_MAINTAINER=	opnsense@moov.de
+
+.include "../../Mk/plugins.mk"
diff --git a/net/turnserver/pkg-descr b/net/turnserver/pkg-descr
new file mode 100644
index 0000000000..f801217423
--- /dev/null
+++ b/net/turnserver/pkg-descr
@@ -0,0 +1,4 @@
+Coturn is a free open source implementation of TURN and STUN Server.
+The TURN Server is a VoIP media traffic NAT traversal server and gateway.
+
+WWW: https://github.com/coturn/coturn
diff --git a/net/turnserver/src/etc/inc/plugins.inc.d/turnserver.inc b/net/turnserver/src/etc/inc/plugins.inc.d/turnserver.inc
new file mode 100644
index 0000000000..26757713ba
--- /dev/null
+++ b/net/turnserver/src/etc/inc/plugins.inc.d/turnserver.inc
@@ -0,0 +1,71 @@
+<?php
+
+/**
+ *    Copyright (C) 2025 Frank Wall
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ */
+
+function turnserver_enabled()
+{
+    global $config;
+
+    return isset($config['OPNsense']['turnserver']['settings']['Enabled']) &&
+    $config['OPNsense']['turnserver']['settings']['Enabled'] == 1;
+}
+
+/**
+ *  register legacy service
+ * @return array
+ */
+function turnserver_services()
+{
+    $services = array();
+
+    if (!turnserver_enabled()) {
+        return $services;
+    }
+
+    $services[] = array(
+        'description' => gettext('coturn STUN/TURN Server'),
+        'pidfile' => '/var/run/turnserver.pid',
+        'configd' => array(
+            'restart' => array('turnserver restart'),
+            'start' => array('turnserver start'),
+            'stop' => array('turnserver stop'),
+        ),
+        'name' => 'turnserver',
+    );
+
+    return $services;
+}
+
+function turnserver_xmlrpc_sync()
+{
+    $result = array();
+    $result['id'] = 'turnserver';
+    $result['section'] = 'OPNsense.turnserver';
+    $result['description'] = gettext('coturn STUN/TURN Server');
+    $result['services'] = ['turnserver'];
+    return array($result);
+}
diff --git a/net/turnserver/src/opnsense/mvc/app/controllers/OPNsense/Turnserver/Api/ServiceController.php b/net/turnserver/src/opnsense/mvc/app/controllers/OPNsense/Turnserver/Api/ServiceController.php
new file mode 100644
index 0000000000..3973ff2e60
--- /dev/null
+++ b/net/turnserver/src/opnsense/mvc/app/controllers/OPNsense/Turnserver/Api/ServiceController.php
@@ -0,0 +1,42 @@
+<?php
+
+/**
+ *    Copyright (C) 2025 Frank Wall
+ *    Copyright (C) 2015 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Turnserver\Api;
+
+use OPNsense\Base\ApiMutableServiceControllerBase;
+
+class ServiceController extends ApiMutableServiceControllerBase
+{
+    protected static $internalServiceClass = '\OPNsense\Turnserver\Turnserver';
+    protected static $internalServiceTemplate = 'OPNsense/Turnserver';
+    protected static $internalServiceEnabled = 'settings.Enabled';
+    protected static $internalServiceName = 'turnserver';
+}
diff --git a/net/turnserver/src/opnsense/mvc/app/controllers/OPNsense/Turnserver/Api/SettingsController.php b/net/turnserver/src/opnsense/mvc/app/controllers/OPNsense/Turnserver/Api/SettingsController.php
new file mode 100644
index 0000000000..e489777643
--- /dev/null
+++ b/net/turnserver/src/opnsense/mvc/app/controllers/OPNsense/Turnserver/Api/SettingsController.php
@@ -0,0 +1,44 @@
+<?php
+
+/**
+ *    Copyright (C) 2025 Frank Wall
+ *    Copyright (C) 2015-2019 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Turnserver\Api;
+
+use OPNsense\Base\ApiMutableModelControllerBase;
+
+/**
+ * Class SettingsController Handles settings related API actions
+ * @package OPNsense\Turnserver
+ */
+class SettingsController extends ApiMutableModelControllerBase
+{
+    protected static $internalModelClass = 'OPNsense\Turnserver\Turnserver';
+    protected static $internalModelName = 'turnserver';
+}
diff --git a/net/turnserver/src/opnsense/mvc/app/controllers/OPNsense/Turnserver/IndexController.php b/net/turnserver/src/opnsense/mvc/app/controllers/OPNsense/Turnserver/IndexController.php
new file mode 100644
index 0000000000..e709b4c228
--- /dev/null
+++ b/net/turnserver/src/opnsense/mvc/app/controllers/OPNsense/Turnserver/IndexController.php
@@ -0,0 +1,47 @@
+<?php
+
+/**
+ *    Copyright (C) 2025 Frank Wall
+ *    Copyright (C) 2015 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Turnserver;
+
+/**
+ * Class IndexController
+ * @package OPNsense\Turnserver
+ */
+class IndexController extends \OPNsense\Base\IndexController
+{
+    public function indexAction()
+    {
+        // pick the template to serve
+        $this->view->pick('OPNsense/Turnserver/index');
+        // fetch form data
+        $this->view->settingsForm = $this->getForm("settings");
+    }
+}
diff --git a/net/turnserver/src/opnsense/mvc/app/controllers/OPNsense/Turnserver/forms/settings.xml b/net/turnserver/src/opnsense/mvc/app/controllers/OPNsense/Turnserver/forms/settings.xml
new file mode 100644
index 0000000000..37f6633cb3
--- /dev/null
+++ b/net/turnserver/src/opnsense/mvc/app/controllers/OPNsense/Turnserver/forms/settings.xml
@@ -0,0 +1,127 @@
+<form>
+    <field>
+        <label>General Settings</label>
+        <type>header</type>
+    </field>
+    <field>
+        <id>turnserver.settings.Enabled</id>
+        <label>Enable Service</label>
+        <type>checkbox</type>
+        <help>Enable the Turnserver service</help>
+    </field>
+    <field>
+        <id>turnserver.settings.ListenIP</id>
+        <label>Listen IPs</label>
+        <style>tokenize</style>
+        <type>select_multiple</type>
+        <allownew>true</allownew>
+        <help><![CDATA[Listener IP address of relay server. Multiple listeners can be specified. Use 0.0.0.0 or :: to listen on all IPv4 or IPv6 addresses respectively.]]></help>
+    </field>
+    <field>
+        <id>turnserver.settings.ListenPort</id>
+        <label>Listen Port</label>
+        <type>text</type>
+        <help>TURN listener port for UDP and TCP (Default: 3478). NOTE: Do NOT set this to 80 or 443 when listening on all IPs, this may block access to the OPNsense WebUI.</help>
+    </field>
+    <field>
+        <id>turnserver.settings.MinPort</id>
+        <label>Min UDP Port</label>
+        <type>text</type>
+        <help>Lower bound of the UDP relay endpoints (Default: 49152).</help>
+    </field>
+    <field>
+        <id>turnserver.settings.MaxPort</id>
+        <label>Max UDP Port</label>
+        <type>text</type>
+        <help>Upper bound of the UDP relay endpoints (Default: 65535).</help>
+    </field>
+    <field>
+        <label>TLS Support</label>
+        <type>header</type>
+    </field>
+    <field>
+        <id>turnserver.settings.TlsEnabled</id>
+        <label>Enable TLS</label>
+        <type>checkbox</type>
+        <help>Enable TLS/DTLS support. This requires a valid TLS certificate.</help>
+    </field>
+    <field>
+        <id>turnserver.settings.TlsCertificate</id>
+        <label>TLS Certificate</label>
+        <type>dropdown</type>
+        <style>style_tls</style>
+        <help>Select a valid TLS certificate.</help>
+    </field>
+    <field>
+        <id>turnserver.settings.TlsPort</id>
+        <label>TLS Port</label>
+        <type>text</type>
+        <help>TURN listener port for TLS (Default: 5349). NOTE: Do NOT set this to 80 or 443 when listening on all IPs, this may block access to the OPNsense WebUI.</help>
+    </field>
+    <field>
+        <label>Security</label>
+        <type>header</type>
+    </field>
+    <field>
+        <id>turnserver.settings.UseAuthSecret</id>
+        <label>Use Auth Secret</label>
+        <type>checkbox</type>
+        <help>This sets a special authorization option that is based upon authentication secret. Enables TURN REST API.</help>
+    </field>
+    <field>
+        <id>turnserver.settings.StaticAuthSecret</id>
+        <label>Auth Secret</label>
+        <type>password</type>
+        <help>The authentication secret value for TURN REST API. It is recommended to use a long random string, at least 32 characters long.</help>
+    </field>
+    <field>
+        <label>Features</label>
+        <type>header</type>
+    </field>
+    <field>
+        <id>turnserver.settings.Realm</id>
+        <label>Realm</label>
+        <type>text</type>
+        <help>The default realm to be used for the users. Must be used with TURN REST API. A good choice may be the domain name of the company.</help>
+    </field>
+    <field>
+        <id>turnserver.settings.FingerprintsEnabled</id>
+        <label>Enable Fingerprints</label>
+        <type>checkbox</type>
+        <help>Use fingerprints in the TURN messages.</help>
+    </field>
+    <field>
+        <label>Tuning</label>
+        <type>header</type>
+    </field>
+    <field>
+        <id>turnserver.settings.UserQuota</id>
+        <label>User Quota</label>
+        <type>text</type>
+        <help>Per-user allocation quota. Default value is 0 (no quota, unlimited number of sessions per user).</help>
+    </field>
+    <field>
+        <id>turnserver.settings.TotalQuota</id>
+        <label>Total Quota</label>
+        <type>text</type>
+        <help>Total allocation quota. Default value is 0 (no quota).</help>
+    </field>
+    <field>
+        <id>turnserver.settings.StaleNonce</id>
+        <label>Stale Nonce Lifetime</label>
+        <type>text</type>
+        <help>Limit the nonce lifetime (in seconds) for extra security. Default value is 600 secs (10 minutes).</help>
+    </field>
+    <field>
+        <id>turnserver.settings.ChannelLifetime</id>
+        <label>Channel Lifetime</label>
+        <type>text</type>
+        <help>The lifetime for the channel (in seconds). Default value is 600 secs (10 minutes).</help>
+    </field>
+    <field>
+        <id>turnserver.settings.PermissionLifetime</id>
+        <label>Permission Lifetime</label>
+        <type>text</type>
+        <help>The permission lifetime (in seconds). Default value is 300 secs (5 minutes).</help>
+    </field>
+</form>
diff --git a/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/ACL/ACL.xml b/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/ACL/ACL.xml
new file mode 100644
index 0000000000..2fa8a37a6d
--- /dev/null
+++ b/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/ACL/ACL.xml
@@ -0,0 +1,9 @@
+<acl>
+    <page-services-turnserver>
+        <name>Services: Turnserver</name>
+        <patterns>
+            <pattern>ui/turnserver/*</pattern>
+            <pattern>api/turnserver/*</pattern>
+        </patterns>
+    </page-services-turnserver>
+</acl>
diff --git a/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/Menu/Menu.xml b/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/Menu/Menu.xml
new file mode 100644
index 0000000000..8b40dc89a1
--- /dev/null
+++ b/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/Menu/Menu.xml
@@ -0,0 +1,5 @@
+<menu>
+    <Services>
+        <Turnserver VisibleName="Turnserver" cssClass="fa fa-comment-o fa-fw" url="/ui/turnserver"/>
+    </Services>
+</menu>
diff --git a/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/Turnserver.php b/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/Turnserver.php
new file mode 100644
index 0000000000..3d004cb77d
--- /dev/null
+++ b/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/Turnserver.php
@@ -0,0 +1,53 @@
+<?php
+
+/**
+ *    Copyright (C) 2025 Frank Wall
+ *    Copyright (C) 2015 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Turnserver;
+
+use OPNsense\Base\BaseModel;
+
+/**
+ * Class Turnserver
+ * @package OPNsense\Turnserver
+ */
+class Turnserver extends BaseModel
+{
+    /**
+     * check if module is enabled
+     * @return bool is the Turnserver service enabled
+     */
+    public function isEnabled()
+    {
+        if ((string)$this->settings->enabled === "1") {
+            return true;
+        }
+        return false;
+    }
+}
diff --git a/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/Turnserver.xml b/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/Turnserver.xml
new file mode 100644
index 0000000000..1acae266f7
--- /dev/null
+++ b/net/turnserver/src/opnsense/mvc/app/models/OPNsense/Turnserver/Turnserver.xml
@@ -0,0 +1,97 @@
+<model>
+    <mount>//OPNsense/turnserver</mount>
+    <version>1.0.0</version>
+    <description>The coturn STUN/TURN Server</description>
+    <items>
+        <settings>
+            <Enabled type="BooleanField">
+                <default>0</default>
+                <Required>Y</Required>
+            </Enabled>
+            <ListenIP type="NetworkField">
+                <default>127.0.0.1</default>
+                <FieldSeparator>,</FieldSeparator>
+                <asList>Y</asList>
+                <Required>Y</Required>
+            </ListenIP>
+            <ListenPort type="PortField">
+                <Default>3478</Default>
+                <Required>Y</Required>
+            </ListenPort>
+            <MinPort type="PortField">
+                <Default>49152</Default>
+                <Required>Y</Required>
+            </MinPort>
+            <MaxPort type="PortField">
+                <Default>65535</Default>
+                <Required>Y</Required>
+            </MaxPort>
+            <TlsEnabled type="BooleanField">
+                <default>0</default>
+                <Required>Y</Required>
+            </TlsEnabled>
+            <TlsCertificate type="CertificateField">
+                <Required>N</Required>
+                <Multiple>N</Multiple>
+                <ValidationMessage>Please select a valid certificate from the list.</ValidationMessage>
+            </TlsCertificate>
+            <TlsPort type="PortField">
+                <Default>5349</Default>
+                <Required>Y</Required>
+            </TlsPort>
+            <UseAuthSecret type="BooleanField">
+                <default>1</default>
+                <Required>Y</Required>
+            </UseAuthSecret>
+            <StaticAuthSecret type="TextField">
+                <Required>N</Required>
+                <mask>/^.{16,128}$/u</mask>
+                <ValidationMessage>Should be a string between 16 and 128 characters.</ValidationMessage>
+            </StaticAuthSecret>
+            <Realm type="TextField">
+                <Required>N</Required>
+                <mask>/^.{1,128}$/u</mask>
+                <ValidationMessage>Should be a string between 1 and 128 characters.</ValidationMessage>
+            </Realm>
+            <FingerprintsEnabled type="BooleanField">
+                <default>1</default>
+                <Required>Y</Required>
+            </FingerprintsEnabled>
+            <UserQuota type="IntegerField">
+                <default>0</default>
+                <MinimumValue>0</MinimumValue>
+                <MaximumValue>1000000000</MaximumValue>
+                <ValidationMessage>Please specify a value between 0 and 1000000000.</ValidationMessage>
+                <Required>Y</Required>
+            </UserQuota>
+            <TotalQuota type="IntegerField">
+                <default>0</default>
+                <MinimumValue>0</MinimumValue>
+                <MaximumValue>1000000000</MaximumValue>
+                <ValidationMessage>Please specify a value between 0 and 1000000000.</ValidationMessage>
+                <Required>Y</Required>
+            </TotalQuota>
+            <StaleNonce type="IntegerField">
+                <default>600</default>
+                <MinimumValue>1</MinimumValue>
+                <MaximumValue>1000000000</MaximumValue>
+                <ValidationMessage>Please specify a value between 1 and 1000000000.</ValidationMessage>
+                <Required>Y</Required>
+            </StaleNonce>
+            <ChannelLifetime type="IntegerField">
+                <default>600</default>
+                <MinimumValue>1</MinimumValue>
+                <MaximumValue>1000000000</MaximumValue>
+                <ValidationMessage>Please specify a value between 1 and 1000000000.</ValidationMessage>
+                <Required>Y</Required>
+            </ChannelLifetime>
+            <PermissionLifetime type="IntegerField">
+                <default>300</default>
+                <MinimumValue>1</MinimumValue>
+                <MaximumValue>1000000000</MaximumValue>
+                <ValidationMessage>Please specify a value between 1 and 1000000000.</ValidationMessage>
+                <Required>Y</Required>
+            </PermissionLifetime>
+        </settings>
+    </items>
+</model>
diff --git a/net/turnserver/src/opnsense/mvc/app/views/OPNsense/Turnserver/index.volt b/net/turnserver/src/opnsense/mvc/app/views/OPNsense/Turnserver/index.volt
new file mode 100644
index 0000000000..950b9d7685
--- /dev/null
+++ b/net/turnserver/src/opnsense/mvc/app/views/OPNsense/Turnserver/index.volt
@@ -0,0 +1,57 @@
+{#
+
+Copyright (C) 2025 Frank Wall
+OPNsense® is Copyright © 2014 – 2015 by Deciso B.V.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+1.  Redistributions of source code must retain the above copyright notice,
+this list of conditions and the following disclaimer.
+
+2.  Redistributions in binary form must reproduce the above copyright notice,
+this list of conditions and the following disclaimer in the documentation
+and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGE.
+
+#}
+
+<script>
+    $( document ).ready(function() {
+        mapDataToFormUI({'frm_Settings':"/api/turnserver/settings/get"}).done(function(data){
+            formatTokenizersUI();
+        });
+
+        // link save button to API set action
+        $("#saveAct").click(function(){
+            saveFormToEndpoint("/api/turnserver/settings/set",'frm_Settings',function(){
+                // reconfigure service
+                ajaxCall(url="/api/turnserver/service/reconfigure", sendData={},callback=function(data,status) {
+                });
+            });
+        });
+    });
+</script>
+
+<div class="alert alert-info hidden" role="alert" id="responseMsg">
+
+</div>
+
+<div  class="col-md-12">
+    {{ partial("layout_partials/base_form",['fields':settingsForm,'id':'frm_Settings'])}}
+</div>
+
+<div class="col-md-12">
+    <button class="btn btn-primary" id="saveAct" type="button"><b>{{ lang._('Apply') }}</b></button>
+</div>
diff --git a/net/turnserver/src/opnsense/scripts/OPNsense/Turnserver/export_certs.php b/net/turnserver/src/opnsense/scripts/OPNsense/Turnserver/export_certs.php
new file mode 100755
index 0000000000..247d301fee
--- /dev/null
+++ b/net/turnserver/src/opnsense/scripts/OPNsense/Turnserver/export_certs.php
@@ -0,0 +1,61 @@
+#!/usr/local/bin/php
+<?php
+
+/*
+ *    Copyright (C) 2025 Frank Wall
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ */
+
+require_once('script/load_phalcon.php');
+
+use OPNsense\Core\Config;
+use OPNsense\Trust\Cert;
+use OPNsense\Trust\Store as CertStore;
+
+$cert_filename = '/usr/local/etc/turnserver_cert.pem';
+$pkey_filename = '/usr/local/etc/turnserver_pkey.pem';
+
+$configObj = Config::getInstance()->object();
+if (isset($configObj->OPNsense->turnserver->settings->TlsCertificate) and !empty((string)$configObj->OPNsense->turnserver->settings->TlsCertificate)) {
+    $cert_refid = (string)$configObj->OPNsense->turnserver->settings->TlsCertificate;
+    foreach ((new Cert())->cert->iterateItems() as $cert) {
+        $refid = (string)$cert->refid;
+
+        if ($cert_refid == $refid) {
+            $cert_content = str_replace("\n\n", "\n", str_replace("\r", "", base64_decode((string)$cert->crt)));
+            $pkey_content = str_replace("\n\n", "\n", str_replace("\r", "", base64_decode((string)$cert->prv)));
+
+            if (!empty((string)$cert->caref)) {
+                $ca = CertStore::getCaChain((string)$cert->caref);
+                if ($ca) {
+                    $cert_content .= "\n" . $ca;
+                }
+            }
+
+            file_put_contents($cert_filename, $cert_content);
+            file_put_contents($pkey_filename, $pkey_content);
+            chmod($pkey_filename, 0600);
+        }
+    }
+}
diff --git a/net/turnserver/src/opnsense/scripts/OPNsense/Turnserver/setup.sh b/net/turnserver/src/opnsense/scripts/OPNsense/Turnserver/setup.sh
new file mode 100755
index 0000000000..137843af5f
--- /dev/null
+++ b/net/turnserver/src/opnsense/scripts/OPNsense/Turnserver/setup.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+/usr/local/opnsense/scripts/OPNsense/Turnserver/export_certs.php > /dev/null 2>&1
+exit 0
diff --git a/net/turnserver/src/opnsense/service/conf/actions.d/actions_turnserver.conf b/net/turnserver/src/opnsense/service/conf/actions.d/actions_turnserver.conf
new file mode 100644
index 0000000000..372e02aa3b
--- /dev/null
+++ b/net/turnserver/src/opnsense/service/conf/actions.d/actions_turnserver.conf
@@ -0,0 +1,26 @@
+[start]
+command:/usr/local/opnsense/scripts/OPNsense/Turnserver/setup.sh; /usr/local/etc/rc.d/turnserver start
+parameters:
+type:script
+description:Start Turnserver
+message:starting turnserver
+
+[stop]
+command:/usr/local/etc/rc.d/turnserver onestop
+parameters:
+type:script
+description:Stop Turnserver
+message:stopping turnserver
+
+[restart]
+command:/usr/local/opnsense/scripts/OPNsense/Turnserver/setup.sh; /usr/local/etc/rc.d/turnserver restart
+parameters:
+type:script
+description:Restart Turnserver
+message:restarting turnserver
+
+[status]
+command:/usr/local/etc/rc.d/turnserver status || exit 0
+parameters:
+type:script_output
+message:requesting turnserver status
diff --git a/net/turnserver/src/opnsense/service/templates/OPNsense/Turnserver/+TARGETS b/net/turnserver/src/opnsense/service/templates/OPNsense/Turnserver/+TARGETS
new file mode 100644
index 0000000000..52ca689507
--- /dev/null
+++ b/net/turnserver/src/opnsense/service/templates/OPNsense/Turnserver/+TARGETS
@@ -0,0 +1,2 @@
+turnserver.conf:/usr/local/etc/turnserver.conf
+rc.conf.d:/etc/rc.conf.d/turnserver
diff --git a/net/turnserver/src/opnsense/service/templates/OPNsense/Turnserver/rc.conf.d b/net/turnserver/src/opnsense/service/templates/OPNsense/Turnserver/rc.conf.d
new file mode 100644
index 0000000000..f292a04861
--- /dev/null
+++ b/net/turnserver/src/opnsense/service/templates/OPNsense/Turnserver/rc.conf.d
@@ -0,0 +1,5 @@
+{% if helpers.exists('OPNsense.turnserver.settings.Enabled') and OPNsense.turnserver.settings.Enabled|default("0") == "1" %}
+turnserver_enable=YES
+{% else %}
+turnserver_enable=NO
+{% endif %}
diff --git a/net/turnserver/src/opnsense/service/templates/OPNsense/Turnserver/turnserver.conf b/net/turnserver/src/opnsense/service/templates/OPNsense/Turnserver/turnserver.conf
new file mode 100644
index 0000000000..67c96cbabb
--- /dev/null
+++ b/net/turnserver/src/opnsense/service/templates/OPNsense/Turnserver/turnserver.conf
@@ -0,0 +1,60 @@
+# General
+{% if helpers.exists('OPNsense.turnserver.settings.ListenIP') and OPNsense.turnserver.settings.ListenIP|default("") != "" %}
+{%   for listenip in OPNsense.turnserver.settings.ListenIP.split(",") %}
+listening-ip={{ listenip }}
+{%   endfor %}
+{% endif %}
+listening-port={{ OPNsense.turnserver.settings.ListenPort }}
+min-port={{ OPNsense.turnserver.settings.MinPort }}
+max-port={{ OPNsense.turnserver.settings.MaxPort }}
+
+# TLS
+{% if helpers.exists('OPNsense.turnserver.settings.TlsEnabled') and OPNsense.turnserver.settings.TlsEnabled|default("") == "1" %}
+{%   if OPNsense.turnserver.settings.TlsCertificate|default("") != "" %}
+tls-listening-port={{ OPNsense.turnserver.settings.TlsPort }}
+cert=/usr/local/etc/turnserver_cert.pem
+pkey=/usr/local/etc/turnserver_pkey.pem
+{%   else %}
+# ERROR: Required TLS certificate was not specified. TLS support will be disabled.
+no-tls
+no-dtls
+{%   endif %}
+{% else %}
+no-tls
+no-dtls
+{% endif %}
+
+# Security
+{% if helpers.exists('OPNsense.turnserver.settings.UseAuthSecret') and OPNsense.turnserver.settings.UseAuthSecret|default("") == "1" %}
+{%   if OPNsense.turnserver.settings.StaticAuthSecret|default("") != "" %}
+use-auth-secret
+static-auth-secret={{ OPNsense.turnserver.settings.StaticAuthSecret }}
+{%   else %}
+# ERROR: Required Auth Secret was not specified; this feature will be disabled.
+{%   endif %}
+{% endif %}
+
+# Features
+{% if OPNsense.turnserver.settings.Realm|default("") != "" %}
+realm={{ OPNsense.turnserver.settings.Realm }}
+{% endif %}
+{% if OPNsense.turnserver.settings.FingerprintsEnabled|default("") == "1" %}
+fingerprint
+{% endif %}
+
+# Tuning
+user-quota={{ OPNsense.turnserver.settings.UserQuota }}
+total-quota={{ OPNsense.turnserver.settings.TotalQuota }}
+stale-nonce={{ OPNsense.turnserver.settings.StaleNonce }}
+channel-lifetime={{ OPNsense.turnserver.settings.ChannelLifetime }}
+permission-lifetime={{ OPNsense.turnserver.settings.PermissionLifetime }}
+
+# Defaults
+no-cli
+no-software-attribute
+no-multicast-peers
+no-tlsv1
+no-tlsv1_1
+no-rfc5780
+no-stun-backward-compatibility
+response-origin-only-with-rfc5780