The Ultimate Guide to TURN Servers: Setup, Configuration, and Best Practices

Comprehensive guide to TURN servers: setup, configuration, and best practices for secure WebRTC, VoIP, and video conferencing. Includes DNS, security, and integration tips.

Introduction to TURN Servers

In today's world of real-time communication, reliable connectivity across networks is crucial for applications like VoIP, video conferencing, and WebRTC. TURN servers (Traversal Using Relays around NAT) play a vital role in ensuring smooth and secure media transmission, especially when users are behind complex NATs or firewalls. Unlike STUN servers, which help clients discover their public IPs, TURN servers actively relay media, acting as intermediaries when peer-to-peer direct connections fail.
Popular platforms such as Nextcloud Talk, Jitsi Meet, and Matrix Synapse rely heavily on TURN servers to maintain call quality and reliability. Without a properly configured TURN server, users may encounter issues like one-way audio, failed video calls, or dropped connections. TURN servers are especially critical for scenarios where network address translation (NAT) traversal is challenging or security policies restrict direct communications.
This guide will walk you through the fundamentals, setup, configuration, and best practices for deploying TURN servers—focusing on open-source solutions like Coturn. Whether you're building a secure video conferencing app or enhancing VoIP reliability, mastering TURN servers ensures robust, secure, and seamless communication for your users.

How TURN Servers Work

Understanding how TURN servers fit into the architecture of real-time communications is key. TURN servers assist in NAT traversal by relaying media traffic between clients when peer-to-peer connections cannot be established due to restrictive network configurations. While STUN servers reveal public IP and port mapping, TURN servers actually transmit the data, making them indispensable for applications like WebRTC.
The main difference between TURN and STUN lies in their operation: STUN is used when direct connections are possible, while TURN acts as a fall-back relay when direct communication is blocked. This ensures voice, video, or data streams remain uninterrupted.
Here's a simple diagram illustrating the TURN/STUN flow:
[Diagram: TURN/STUN flow]

Prerequisites and DNS Setup for TURN Servers

Before installing a TURN server, ensure your environment meets these requirements:
  • A dedicated Linux server (Debian/Ubuntu recommended)
  • Sufficient bandwidth and CPU for media relay (consider server performance)
  • Public static IP address
  • Open UDP and TCP ports (default: 3478, plus 49152-65535 for relayed traffic)
Proper DNS setup is crucial for discoverability and reliability:
  • A/AAAA records: Point your TURN server FQDN to its public IP
  • SRV records: Advertise TURN services (_turn, _turns, _stun)
  • NAPTR records: Advanced service discovery (optional)
Example DNS zone entries:
    ; A record
    turn.example.com.    3600    IN    A      203.0.113.10
    ; AAAA record
    turn.example.com.    3600    IN    AAAA   2001:db8::10
    ; SRV records
    _turn._udp.example.com.   3600 IN SRV 10 60 3478 turn.example.com.
    _turn._tcp.example.com.   3600 IN SRV 10 60 3478 turn.example.com.
    ; NAPTR (optional; RFC 5928 form: flag "S" points resolution at the SRV record)
    example.com. 3600 IN NAPTR 100 50 "S" "RELAY:turn.udp" "" _turn._udp.example.com.

Installing a TURN Server (Coturn) on Linux

Coturn is a widely-used open-source TURN/STUN server. Here's how to install it on Debian/Ubuntu:
    sudo apt-get update
    sudo apt-get install coturn

Once installed, Coturn can be enabled as a system service. For other operating systems (e.g., CentOS, Fedora), refer to the Coturn GitHub repository for platform-specific instructions.
After installation, verify that the turnserver binary is present:
    which turnserver

You should see output like /usr/bin/turnserver. If you're planning to run Coturn as a systemd service, ensure it's enabled and started:
    sudo systemctl enable coturn
    sudo systemctl start coturn
    sudo systemctl status coturn

Coturn defaults to /etc/turnserver.conf for its configuration.

Main Configuration Options in turnserver.conf

Configuring Coturn involves tuning options in turnserver.conf to match your needs. Here are the most important settings:

Basic Server Settings

    listening-port=3478
    fingerprint
    lt-cred-mech
    use-auth-secret
    static-auth-secret=YourStrongSecretKeyHere
    realm=turn.example.com
    cert=/etc/ssl/certs/turn-cert.pem
    pkey=/etc/ssl/private/turn-key.pem

  • listening-port: Main UDP/TCP port (default: 3478)
  • realm: Authentication domain (should match DNS and application settings)
  • static-auth-secret: Shared secret for secure authentication

Network and Security Options

    min-port=49160
    max-port=49200

    no-multicast-peers
    no-loopback-peers

    user-quota=12
    total-quota=120

  • min-port/max-port: Range for relayed connections (open in firewall)
  • user-quota/total-quota: Limits to prevent abuse

Example: Authentication Secret Generation

    openssl rand -base64 32

Running Coturn as a systemd Service

To run Coturn continuously and ensure auto-restart, use systemd:
    sudo systemctl enable coturn
    sudo systemctl restart coturn

Check logs for startup or error details:
    sudo journalctl -u coturn

Many modern collaboration platforms support TURN server integration to enhance connection reliability.

Nextcloud Talk

In Nextcloud, go to Settings > Talk > TURN/STUN Servers and enter your Coturn details:
  • turn:turn.example.com:3478?transport=udp (and/or tcp)
  • Username: leave blank if using secret-based auth
  • Password: shared secret or generated credential

Jitsi Meet

Edit your Jitsi Meet config (/etc/jitsi/meet/your-domain-config.js):
    // This file is delivered to every browser, so a credential written here is visible to all clients.
    const config = {
        p2p: {
            stunServers: [
                { urls: "turn:turn.example.com:3478", username: "user", credential: "pass" }
            ]
        }
    }

Matrix Synapse

In your homeserver.yaml:
    turn_uris: ["turn:turn.example.com:3478?transport=udp"]
    turn_shared_secret: "YourStrongSecretKeyHere"
    turn_user_lifetime: 86400000

For each application, ensure your TURN server's realm and shared secret match the client configuration. Test with real connections to verify media relaying works as expected.
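
With use-auth-secret and static-auth-secret, the application never sends the shared secret to clients; it derives a short-lived username and password from it. The following is an added example (not from the original guide or the Coturn project) of that derivation and of the checks that make a credential fail; SECRET, ISSUED_AT and the function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import time

def make_turn_credentials(secret, user_id, ttl_seconds, now=None):
    """Issue a time-limited credential the way an application backend would.

    username = "<unix expiry>:<user_id>"
    password = base64(HMAC-SHA1(shared secret, username))
    """
    now = int(time.time()) if now is None else int(now)
    username = f"{now + ttl_seconds}:{user_id}"
    mac = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return username, base64.b64encode(mac).decode()

def check_turn_credentials(secret, username, password, now=None):
    """Simplified model of the relay-side decision. Coturn itself validates the
    password through STUN MESSAGE-INTEGRITY rather than a string comparison."""
    now = int(time.time()) if now is None else int(now)
    expiry, _sep, _user = username.partition(":")
    if not expiry.isdigit():
        return False                      # malformed username, no expiry to check
    mac = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    expected = base64.b64encode(mac)
    if not hmac.compare_digest(expected, password.encode()):
        return False                      # wrong secret, or username was altered
    return int(expiry) > now              # expired credentials are refused

# Constructed values for illustration only.
SECRET = "constructed-demo-secret-not-for-production"
ISSUED_AT = 1_700_000_000

if __name__ == "__main__":
    user, pwd = make_turn_credentials(SECRET, "alice", 3600, now=ISSUED_AT)
    print(user, pwd)
    print(check_turn_credentials(SECRET, user, pwd, now=ISSUED_AT + 60))
    print(check_turn_credentials(SECRET, user, pwd, now=ISSUED_AT + 7200))
```

Because the expiry is part of the MACed username, a client cannot extend its own credential, and a mismatch in the shared secret between application and server shows up as an authentication failure on every allocation.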

Securing and Hardening Your TURN Server

TURN servers are high-value targets for abuse, such as open relay attacks. Follow these security best practices:

Firewall and Allowed IPs

Restrict incoming connections to only necessary ports and interfaces:
    sudo ufw allow 3478/udp
    sudo ufw allow 3478/tcp
    sudo ufw allow 49160:49200/udp

Block all unused ports and restrict allowed IPs where possible.

Preventing Open Relay Abuse

  • Always require authentication (lt-cred-mech and use-auth-secret)
  • Use strong, random shared secrets
  • Set quotas (user-quota, total-quota)
  • Monitor logs for unusual activity
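
The items above can be checked mechanically before a configuration is deployed. The following is an added example, not part of the original guide or of Coturn; the finding names, the 32-character minimum and treating a quota of 0 as unset are assumptions of this example, and both sample configurations are constructed.

```python
PLACEHOLDERS = {"YourStrongSecretKeyHere"}  # sample value used in this guide

def parse_conf(text):
    """turnserver.conf lines are 'key=value' or a bare flag; '#' lines are comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        opts[key.strip()] = value.strip()
    return opts

def audit(text, min_secret_len=32):
    """Return a list of finding ids; an empty list means every check passed."""
    opts, findings = parse_conf(text), []
    if "lt-cred-mech" not in opts and "use-auth-secret" not in opts:
        findings.append("auth-not-required")
    if "use-auth-secret" in opts:
        secret = opts.get("static-auth-secret", "")
        if secret in PLACEHOLDERS or len(secret) < min_secret_len:
            findings.append("weak-shared-secret")
    for key in ("user-quota", "total-quota"):
        value = opts.get(key, "0")
        if not value.isdigit() or int(value) == 0:  # assumption: 0 means no limit
            findings.append("missing-" + key)
    if "min-port" not in opts or "max-port" not in opts:
        findings.append("default-relay-range")      # 49152-65535 must then be open
    if "no-multicast-peers" not in opts:
        findings.append("multicast-peers-allowed")
    return findings

# Constructed sample inputs (not from a real deployment).
WEAK_CONF = """\
use-auth-secret
static-auth-secret=YourStrongSecretKeyHere
"""
HARDENED_CONF = """\
use-auth-secret
static-auth-secret=CONSTRUCTED-EXAMPLE-ONLY-0123456789abcdef
min-port=49160
max-port=49200
no-multicast-peers
user-quota=12
total-quota=120
"""

if __name__ == "__main__":
    print(audit(WEAK_CONF), audit(HARDENED_CONF))
```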

Updates and Monitoring

Regularly update Coturn:
    sudo apt-get update
    sudo apt-get install --only-upgrade coturn

Monitor the service:
    sudo journalctl -u coturn

Use tools like Fail2ban for automatic blocking of suspicious IPs.

Troubleshooting Common TURN Server Issues

Troubleshooting TURN servers often involves checking connectivity, authentication, and logs.
  • Port Conflicts: Ensure no other process is using the configured ports
  • Firewall Issues: Verify all required UDP/TCP ports are open
  • Authentication Errors: Check realm and secret consistency between client and server
Check Coturn logs for errors:
    sudo journalctl -u coturn

Increase verbosity for debugging:
    turnserver -v -c /etc/turnserver.conf

Test connectivity using test tools or by initiating a call between clients.

Conclusion

A well-configured TURN server is essential for robust, reliable, and secure real-time communication. By following best practices in setup, configuration, and security, you ensure users experience seamless VoIP, video, and messaging—regardless of network restrictions. Don't wait until users report issues; proactively deploy and maintain TURN servers for the best results.

FAQ