24. Install Coturn

by Cover Tower - Updated June 7, 2021

Coturn is both a ‘Traversal Using Relays around NAT’ (TURN) server and a ‘Session Traversal Utilities for NAT’ (STUN) server. It supports many client-to-TURN-server protocols (UDP (per RFC 5766), TCP (per RFC 5766 and RFC 6062), TLS (per RFC 5766 and RFC 6062), DTLS, SCTP) and relay protocols (UDP (per RFC 5766), TCP (per RFC 6062)). It has been included in ‘RED SCARF Suite’ as a STUN server, to assist Roundpin during video communication sessions. It can also be used with Nextcloud Talk, if you choose to install and use Nextcloud Talk. Its main role in this setup is to help WebRTC clients behind NAT routers discover their public address so that they can communicate with other WebRTC clients on the Internet. Since we won’t use its TURN (relay) functionality, we’ll disable it during setup.

Install the coturn package:

apt-get install coturn

Make a copy of the original configuration file:

cp /etc/turnserver.conf /etc/turnserver.conf_orig

Generate a random hexadecimal number by running:

openssl rand -hex 32

Open the /etc/turnserver.conf file:

nano /etc/turnserver.conf

The file should contain the following lines:

listening-port=8443
#alt-listening-port=3478
fingerprint
#lt-cred-mech
use-auth-secret
static-auth-secret=c49ae806ec4e33748727fe446a1afdd9564cfa5f7d2d88edbc4a5d4c37fe46b4
realm=123.123.123.123
total-quota=100
bps-capacity=0
#stale-nonce
#cipher-list="ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5"
log-file=/var/log/coturn.log
#syslog
simple-log
stun-only
#allow-loopback-peers
no-multicast-peers
#cert=/etc/letsencrypt/live/cloud.example.com/fullchain.pem
#pkey=/etc/letsencrypt/live/cloud.example.com/privkey.pem

Replace c49ae806ec4e33748727fe446a1afdd9564cfa5f7d2d88edbc4a5d4c37fe46b4 with the random hexadecimal number generated earlier. Replace 123.123.123.123 with the public IP of your server. The lines beginning with # should stay commented out, just as they appear above.

Please note that the syslog parameter is commented out, since we want the log output to be directed to the /var/log/coturn.log file. Every other line that the original file contains should be commented out.

Open the necessary port in the firewall:

ufw allow 8443

Coturn comes with its own systemd unit file, coturn.service: /lib/systemd/system/coturn.service

We’ll edit this unit file to add the log file option:

nano /lib/systemd/system/coturn.service

Add -l /var/log/coturn.log --simple-log at the end of the ExecStart line, to make it look like this:

ExecStart=/usr/bin/turnserver --daemon -c /etc/turnserver.conf --pidfile /run/turnserver/turnserver.pid -l /var/log/coturn.log --simple-log

Run:

systemctl daemon-reload

Before restarting Coturn, create the log file and set the proper ownership and permissions:

touch /var/log/coturn.log
chown turnserver:turnserver /var/log/coturn.log
chmod 640 /var/log/coturn.log

Then run:

systemctl restart coturn
systemctl enable coturn.service

Check status with:

systemctl status coturn

24.1. Configure logrotate to rotate Coturn logs

Create the /etc/logrotate.d/coturn file:

nano /etc/logrotate.d/coturn

Add the following content inside this file:

/var/log/coturn.log {
     rotate 4
     weekly
     copytruncate
     notifempty
     missingok
     create 0640 turnserver root
}

24.2. Test Coturn

To test whether Coturn works as expected as a STUN server, navigate to https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/. There, in the ‘ICE Servers’ text area, select ‘stun:stun.l.google.com:19302’, then click ‘Remove Server’, then in the ‘STUN or TURN URI’ text box add:

stun:123.123.123.123:8443

where 123.123.123.123 is the public IP of your server, click ‘Add Server’, then click on the ‘Gather candidates’ button. If the last line of the output is ‘Done’ and a ‘srflx’ candidate shows your public IP, it means that the STUN server that you have just installed is working properly.

You can send your questions and comments to: