Webitel: Documentation

coTURN on Debian 12 — STUN/TURN Server Configuration

The server is configured to simultaneously function as a STUN server (determining the client’s external IP address) and a TURN server (relaying traffic when a direct P2P connection is not possible).

1. Preparation and Installation

  1. Update the package lists and install coTURN:

sudo apt update
sudo apt install coturn -y

  2. After installation, stop the service for further configuration:

sudo systemctl stop coturn

2. Server Configuration

The default configuration file is quite large and contains many commented parameters.

  1. To create a clean configuration, it is recommended to move the default file to a backup and create a new one:

sudo mv /etc/turnserver.conf /etc/turnserver.conf.backup
sudo vi /etc/turnserver.conf

  2. Add the following parameters:

listening-port=3478
listening-ip=0.0.0.0

# IMPORTANT: Your EXTERNAL (public) IP.
# If the server is behind NAT (AWS/Azure):
# external-ip=PUBLIC_IP/INTERNAL_IP
# Example: external-ip=203.0.113.5/192.168.1.5
external-ip=YOUR_PUBLIC_IP

fingerprint

min-port=49152
max-port=65535

log-file=/var/tmp/turnserver.log
verbose
no-cli

lt-cred-mech
user=testuser:strongpassword
realm=your-domain.com
  3. Save the file.

3. Service Startup Configuration

On Debian, you may need to explicitly allow the daemon to start.

  1. Open the following file:

sudo vi /etc/default/coturn

  2. Find the parameter TURNSERVER_ENABLED and uncomment it so it looks like this:

TURNSERVER_ENABLED=1

  3. Restart the service and enable it at boot:

sudo systemctl daemon-reload
sudo systemctl start coturn
sudo systemctl enable coturn

  4. Check the service status:

sudo systemctl status coturn

4. Firewall Configuration (UFW)

A TURN server requires its listening port (3478) to be open for client connections, plus a wide UDP port range for the relayed media traffic.

If you are using ufw:

  1. Ports for client connections (TCP/UDP):

sudo ufw allow 3478/tcp
sudo ufw allow 3478/udp

  2. Port range for media streams (UDP only):

sudo ufw allow 49152:65535/udp

  3. Reload firewall rules:

sudo ufw reload

Note! If your server is behind a cloud provider's NAT (e.g., AWS Security Groups), make sure to open the same ports in the provider’s management panel.

5. Testing STUN/TURN functionality

The simplest way to test the server is by using the Trickle ICE tool (from the WebRTC team).

  1. Open the Trickle ICE website.

  2. Remove the default Google server from the list.

  3. Add your own server:

    • STUN or TURN URI: turn:YOUR_PUBLIC_IP:3478

    • Username: testuser (as specified in the configuration)

    • Password: strongpassword

  4. Click “Add Server”, then click “Gather candidates” at the bottom.

As a result, you should see a list of ICE candidates:

  • srflx — indicates that STUN is working (the server detected your public IP).

  • relay — indicates that TURN is working (traffic is being relayed through your server).

If relay candidates appear with your IP address, the server is configured correctly.
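The same srflx check can be scripted from the command line. The Python client below is an added example (not part of the Webitel page or of coTURN): it sends one RFC 5389 Binding Request to the server configured above and decodes the XOR-MAPPED-ADDRESS the server reports, discarding any datagram whose transaction ID does not match the request. YOUR_PUBLIC_IP is the placeholder used throughout this page.

```python
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(txid: bytes) -> bytes:
    """20-byte STUN header: type, attribute length (0), magic cookie, 96-bit transaction ID."""
    if len(txid) != 12:
        raise ValueError("transaction ID must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid


def parse_mapped_address(resp: bytes, txid: bytes):
    """Return (ip, port) from XOR-MAPPED-ADDRESS, or None when the datagram is not
    a Binding Success response to *our* transaction ID (stray/spoofed replies are dropped)."""
    if len(resp) < 20:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", resp[:8])
    if msg_type != BINDING_SUCCESS or cookie != MAGIC_COOKIE or resp[8:20] != txid:
        return None
    pos, end = 20, min(20 + length, len(resp))  # never read past a truncated datagram
    while pos + 4 <= end:
        attr_type, attr_len = struct.unpack("!HH", resp[pos:pos + 4])
        value = resp[pos + 4:pos + 4 + attr_len]
        if attr_type == XOR_MAPPED_ADDRESS and len(value) >= 8 and value[1] == 0x01:  # IPv4 family
            port = struct.unpack("!H", value[2:4])[0] ^ (MAGIC_COOKIE >> 16)
            addr = struct.unpack("!I", value[4:8])[0] ^ MAGIC_COOKIE
            return socket.inet_ntoa(struct.pack("!I", addr)), port
        pos += 4 + (attr_len + 3) // 4 * 4  # attribute values are padded to 32 bits
    return None


def stun_lookup(host: str, port: int = 3478, timeout: float = 3.0):
    """Send one Binding Request over UDP and decode the server-reflexive address it reports."""
    txid = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_binding_request(txid), (host, port))
        resp, _ = sock.recvfrom(1024)
    return parse_mapped_address(resp, txid)


if __name__ == "__main__":
    import sys  # usage: python3 stun_check.py YOUR_PUBLIC_IP [3478]
    print(stun_lookup(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 3478))
```

Run it from a machine outside the server's own network; the address printed is the one coTURN saw, which is what the Trickle ICE page reports as the srflx candidate.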

6. Enabling TLS and the secure port

In a production environment, sending passwords in plain text is unsafe. The next step is to enable TLS (SSL certificates, for example via Let’s Encrypt) so that the secure turns protocol can be used on port 5349.

  1. Open the configuration file:

/etc/turnserver.conf

  2. Add the SSL settings:

# Standard port for secure connections
tls-listening-port=5349

# Paths to the certificate files
cert=/etc/coturn/certs/turn_server_cert.pem
pkey=/etc/coturn/certs/turn_server_pkey.pem

# Specify your actual domain as the realm
realm=turn.your-domain.com
  3. Update firewall rules:

sudo ufw allow 5349/tcp
sudo ufw allow 5349/udp

7. Configuring ENGINE to use TURN

To enable TURN for operator screen recordings, add the following parameter to the engine configuration:

RTC_CONFIGURATION={"iceServers":
[{"urls":"stun:51.15.16.187:3478","username":"1","credential":"1"},
{"urls":"turn:51.15.16.187:3478","username":"1","credential":"1"}]}