(1) Create or edit the config file in
/etc/turnserver.conf. The relevant lines, with example values, are:
static-auth-secret=[your secret key here]
turnserver.conf for explanations of the options. One way to generate the
static-auth-secret is with
pwgen -s 64 1
realm must be specified, but its value is somewhat arbitrary. (It is sent to clients as part of the authentication flow.) It is conventional to set it to be your server name.
(2) You will most likely want to configure coturn to write logs somewhere. The easiest way is normally to send them to the syslog:
(in which case, the logs will be available via
journalctl -u coturn on a systemd system). Alternatively, coturn can be configured to write to a logfile - check the example config file supplied with coturn.
(3) Consider your security settings. TURN lets users request a relay which will connect to arbitrary IP addresses and ports. The following configuration is suggested as a minimum starting point:
# VoIP traffic is all UDP. There is no reason to let users connect to arbitrary TCP endpoints via the relay.
# don't let the relay ever try to connect to private IP address ranges within your network (if any)
# given the turn server is likely behind your firewall, remember to include any privileged public IPs too.
# recommended additional local peers to block, to mitigate external access to internal services.
# special case the turn server itself so that client->TURN->TURN->client flows work
# this should be one of the turn server's listening IPs
# consider whether you want to limit the quota of relayed streams per user (or total) to avoid risk of DoS.
user-quota=12 # 4 streams per video call, so 12 streams = 3 simultaneous relayed calls per user.
(4) Also consider supporting TLS/DTLS. To do this, add the following settings to
# TLS certificates, including intermediate certs.
# For Let's Encrypt certificates, use `fullchain.pem` here.
# TLS private key file
# Ensure the configuration lines that disable TLS/DTLS are commented-out or removed
In this case, replace the
turn: schemes in the
turn_uris settings below with
We recommend that you only try to set up TLS/DTLS once you have set up a basic installation and got it working.NB: If your TLS certificate was provided by Let’s Encrypt, TLS/DTLS will not work with any Matrix client that uses Chromium’s WebRTC library. This currently includes Element Android & iOS; for more details, see their respective issues as well as the underlying WebRTC issue. Consider using a ZeroSSL certificate for your TURN server as a working alternative.
(5) Ensure your firewall allows traffic into the TURN server on the ports you’ve configured it to listen on (By default: 3478 and 5349 for TURN traffic (remember to allow both TCP and UDP traffic), and ports 49152-65535 for the UDP relay.)
(6) If your TURN server is behind NAT, the NAT gateway must have an external, publicly-reachable IP address. You must configure coturn to advertise that address to connecting clients:
You may optionally limit the TURN server to listen only on the local address that is mapped by NAT to the external address:
If your NAT gateway is reachable over both IPv4 and IPv6, you may configure coturn to advertise each available address:
When advertising an external IPv6 address, ensure that the firewall and network settings of the system running your TURN server are configured to accept IPv6 traffic, and that the TURN server is listening on the local IPv6 address that is mapped by NAT to the external IPv6 address.