From 046b4085cbaa221c007b21fc93fa11bea3657f17 Mon Sep 17 00:00:00 2001
From: Matthew Wild
Date: Sat, 5 Mar 2022 20:34:58 +0000
Subject: prosodyctl: check turn: Add check for private IP returned from STUN.
---
 util/prosodyctl/check.lua | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/util/prosodyctl/check.lua b/util/prosodyctl/check.lua
index 7400ba07..56c2c3f8 100644
--- a/util/prosodyctl/check.lua
+++ b/util/prosodyctl/check.lua
@@ -63,6 +63,7 @@ end
 local function check_turn_service(turn_service, ping_service)
 local stun = require "net.stun";
+ local ip = require "util.ip";
 -- Create UDP socket for communication with the server
 local sock = assert(require "socket".udp());
@@ -103,6 +104,9 @@ local function check_turn_service(turn_service, ping_service)
 result.error = "STUN server did not return an address";
 return result;
 end
+ if ip.new_ip(result.external_ip.address).private then
+ table.insert(result.warnings, "STUN returned a private IP! Is the TURN server behind a NAT and misconfigured?");
+ end
 -- Send a TURN "allocate" request. Expected to fail due to auth, but
 -- necessary to obtain a valid realm/nonce from the server.
-- 
cgit v1.2.3
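Review bot: In the second hunk the new check indexes `.private` directly on the return value of `ip.new_ip(...)`, so if that call yields nil for an address string it cannot parse, the whole TURN check aborts with a Lua error instead of returning `result`. The address is taken from a response sent by the remote STUN server, so it is worth treating as untrusted input: `local external = ip.new_ip(result.external_ip.address);` followed by `if external and external.private then`. Whether `new_ip` can actually fail here depends on how net.stun formats the address, which this hunk does not show. A short comment such as `-- a private mapped address means the server saw us on an internal network; also expected when this check runs on the same LAN as the TURN server` would help readers interpret the warning. check_turn_service begins in the first hunk and continues past the end of this one.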