Configure Your Own TURN/STUN Server

TURN Server

Traversal Using Relays around NAT (TURN) is a protocol that assists in traversal of network address translators (NAT) or firewalls for multimedia applications. It may be used with the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). It is most useful for clients on networks masqueraded by symmetric NAT devices. TURN does not aid in running servers on well known ports in the private network through a NAT; it supports the connection of a user behind a NAT to only a single peer, as in telephony, for example.

This guide covers CoTURN, a free, open-source server that provides a feature-rich, standards-compliant option for those who want control over their own TURN/STUN server.

Red5 Pro WebRTC uses STUN over UDP as our default implementation.

Step-by-step Install on an Ubuntu Linux Server

Pre-build steps

1 - Update the install via apt

sudo apt-get update

2 - Ensure that build tools are installed

sudo apt-get -y install build-essential

All coturn downloads may be found here; the latest at the time of writing this guide is turnserver- download the tarball.

1 - Install the support libraries

sudo apt-get -y install sqlite libsqlite3-dev libevent-dev libssl-dev

2 - Download the source

wget http://turnserver.open-sys.org/downloads/v4.5.0.8/turnserver-

3 - Un-tar the source

tar -xzvf turnserver-

4 - Run configure from source directory

cd turnserver-
./configure

5 - Run make

make

6 - Run make install as sudo

sudo make install

If all goes well, you'll see this at the end when make install finishes:

1) If your system supports automatic start-up system daemon services,
    then, to enable the turnserver as an automatically started system
    service, you have to:

    a) Create and edit /etc/turnserver.conf or
    /usr/local/etc/turnserver.conf .
    Use /usr/local/etc/turnserver.conf.default as an example.

    b) For user accounts settings: set up SQLite or PostgreSQL or
    MySQL or MongoDB or Redis database for user accounts.
    Use /usr/local/share/turnserver/schema.sql as SQL database schema,
    or use /usr/local/share/turnserver/schema.userdb.redis as Redis
    database schema description and/or
    as Redis status & statistics database schema description.

    If you are using SQLite, the default database location is in
    /var/db/turndb or in /usr/local/var/db/turndb or in /var/lib/turn/turndb.

    c) add whatever is necessary to enable start-up daemon for the

2) If you do not want the turnserver to be a system service,
   then you can start/stop it "manually", using the "turnserver"
   executable with appropriate options (see the documentation).

3) To create database schema, use schema in file

4) For additional information, run:
   $ man turnserver
   $ man turnadmin
   $ man turnutils

7 - Configure the database

We're using SQLite, the fastest option available. The database file is located at /usr/local/var/db/turndb. By default, coturn uses an SQLite database for users and settings; it is created automatically (empty) the first time the turnserver process starts. This step is included only for reference and flow.

8 - Add Admin User

Add the long-term TURN users with the turnadmin utility. For example, this command adds user prouser with password 3TptDG7cAfz5TaXsda, realm red5pro.com, to the default SQLite database (substitute your own user name, password and realm):

sudo turnadmin -a -u prouser -r red5pro.com -p 3TptDG7cAfz5TaXsda

Add the admin user(s) to the database with the turnadmin utility. Once added, those users can connect to the TURN server ports over HTTPS from a browser and perform admin tasks through the web interface.

9 - Configure the server

Copy /usr/local/etc/turnserver.conf.default to /usr/local/etc/turnserver.conf (sudo cp /usr/local/etc/turnserver.conf.default /usr/local/etc/turnserver.conf), then edit the turnserver.conf file. Add or modify the following lines:

  • listening-ip= set this to the IP of your server instance.
    • Note: if your VM/server has both a private IP and a public IP, set listening-ip to the private IP and also set external-ip= to the public IP.
  • realm= set to your domain (e.g., realm=company.com)
  • uncomment no-loopback-peers
  • uncomment listening-port=3478

10 - Start the server

Options used for WebRTC with CoTURN:

  • Run server process as daemon -o
  • Use long-term credentials mechanism -a
  • Fingerprinting -f: use fingerprints in the TURN messages. If an incoming request contains a fingerprint, the TURN server will always add fingerprints to the messages in that session, regardless of the per-server setting.
  • Authentication realm -r: the default realm to be used for users when no explicit origin/realm relationship is found in the database. Must be used with the long-term credentials mechanism or with the TURN REST API.
  • If running CoTURN behind a NAT, you'll also need -X
  • To limit relay endpoint port ranges, use --min-port and --max-port
  • For verbose output, use -v

Special note for AWS:

  • The -L option is not needed and may cause a failure to resolve server reflexive addresses

Command formats:

Provide only STUN over UDP without TURN / relay:

sudo turnserver -o --stun-only --no-tcp

Provide STUN and TURN functionality over UDP and TCP (options: a, f, and r are needed):

sudo turnserver -o -a -f -r red5pro.com

Click links for additional details on the turnserver and its configuration options.


Open a browser to Trickle ICE, add the server in the ICE servers box, remove the Google entry, and then click Gather candidates. If everything is working, you'll see output like this:

Time    Component    Type    Foundation    Protocol    Address        Port    Priority
0.001 1          host    89435858      udp       35948   126 | 32542 | 255
0.037 1            srflx   976374523     udp  35948   100 | 32542 | 255
0.101 1            host    1272402466    tcp 9   9         0 | 32542 | 255
0.101 Done
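
The same check can be scripted. The following is an added example (not part of the original guide or the Red5 Pro SDK): it parses ICE candidate lines, splits the priority into the three numbers shown in the Priority column, and reports whether a srflx (STUN) or relay (TURN) candidate was gathered. The sample candidates use constructed documentation addresses, and gather() runs only in a browser with whatever iceServers array you pass it.

```javascript
// Added example: decode ICE candidate lines the way the Trickle ICE table does.
// The sample candidates at the bottom are constructed (RFC 5737 addresses).

// Parse one candidate line: foundation, component, transport, priority,
// address, port, "typ", candidate type.
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/.exec(line.trim());
  if (!m) return null;
  const priority = Number(m[4]);
  return {
    foundation: m[1],
    component: Number(m[2]),
    protocol: m[3].toLowerCase(),
    // priority = 2^24 * type pref + 2^8 * local pref + (256 - component id)
    priority: [priority >>> 24, (priority >>> 8) & 0xffff, priority & 0xff],
    address: m[5],
    port: Number(m[6]),
    type: m[7], // host | srflx | prflx | relay
  };
}

// Decide what the gathered set shows about the server under test:
// srflx means the STUN binding worked, relay means a TURN allocation worked.
function summarize(lines) {
  const types = new Set(lines.map(parseCandidate).filter(Boolean).map((c) => c.type));
  return { stunWorks: types.has("srflx"), turnWorks: types.has("relay"), types: [...types].sort() };
}

// Browser only: gather candidates against the given iceServers array.
function gather(iceServers, timeoutMs = 5000) {
  return new Promise((resolve) => {
    const pc = new RTCPeerConnection({ iceServers });
    const found = [];
    const done = () => { pc.close(); resolve(found); };
    pc.onicecandidate = (e) => (e.candidate ? found.push(e.candidate.candidate) : done());
    pc.createDataChannel("probe"); // starts ICE gathering without media permissions
    pc.createOffer().then((offer) => pc.setLocalDescription(offer));
    setTimeout(done, timeoutMs); // stop waiting if the server never answers
  });
}

const SAMPLE = [ // constructed sample input
  "candidate:89435858 1 udp 2122260223 192.0.2.10 35948 typ host",
  "candidate:976374523 1 udp 1686052607 198.51.100.7 35948 typ srflx raddr 192.0.2.10 rport 35948",
  "candidate:1272402466 1 tcp 1518280447 192.0.2.10 9 typ host tcptype active",
];
console.log(summarize(SAMPLE));
```

In a browser, gather(iceServers).then(summarize) gives the same verdict for your own server; only host candidates means the STUN/TURN server was not reached.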

Using your TURN/STUN Server with Red5 Pro

No modifications are required in the Red5 Pro server, since it has an internal harvester for ICE connectivity. Using your TURN/STUN server requires modifying the html-sdk or your own JavaScript to include the URI for your TURN/STUN server. The URI will be stun:<turn server's IP address>:3478.

If you are using the default live webapp, you will want to modify the following:

In webapps/live/script/r5pro-publisher-failover.js and r5pro-subscriber-failover.js, change the line var iceServers = window.r5proIce; to var iceServers = [{ urls: "stun:stun.yourstunserver.domain.com:3478" }]

If you are using the webrtcexamples, you can set the stun server address on the index.html page.

For further details about configuring the html-sdk see the Configure & Publish section at the link.

Lastly, in previous releases the {red5pro}/conf/red5pro-webrtc.xml could be modified, but if you don't modify the front-end/SDK settings then those will overrule the server-side configuration.


If you want to try testing with a specific TURN/STUN server that is not the default Google, you can find a list of STUN servers here: STUN + TURN servers list. For example, http://numb.viagenie.ca allows you to create a free account and use their TURN server.