Coturn Server: Basic Setup Guide

1. What is Coturn?

Coturn is a free open-source implementation of a STUN (Session Traversal Utilities for NAT) and TURN (Traversal Using Relays around NAT) server. It's primarily used in WebRTC (Web Real-Time Communication) applications.

STUN: Helps clients discover their public IP address and the type of NAT they are behind. This is often enough for direct peer-to-peer connections.
TURN: Acts as a relay when a direct P2P connection isn't possible (e.g., due to symmetric NATs or firewalls). Media traffic is then routed through the TURN server.

Essentially, Coturn helps WebRTC applications establish connections between users even when they are behind complex network configurations.

2. Why Do We Need It?

When building applications that use WebRTC (like video/audio chat, file sharing, etc.), users are often behind NATs (Network Address Translators), which can prevent direct connections.

NAT Traversal: Coturn provides the mechanisms (STUN/TURN) to overcome these NAT-related issues.
Reliability: Ensures that your WebRTC application can establish connections for a wider range of users, irrespective of their network setup.
Privacy: While TURN relays traffic, it can be configured securely. STUN helps discover public IPs without relaying media.

3. Basic Configuration (`turnserver.conf`)

Coturn is configured via the /etc/turnserver.conf file (or /usr/local/etc/turnserver.conf depending on installation). Here’s a basic setup:

# --- Listening IPs and Ports ---
# IPs the TURN server listens on. Use your VPS's public IP.
# If you have multiple IPs, you can list them.
listening-ip=YOUR_VPS_PUBLIC_IP

# Port for STUN/TURN. Default is 3478 for UDP and TCP.
listening-port=3478

# TLS listener port (for TURNS). Default is 5349.
# You'll need SSL certificates for this.
# tls-listening-port=5349

# --- External IP ---
# The public IP address that clients will use to connect to the server.
# If you have one public IP, Coturn can often detect it.
# If behind NAT or for clarity, specify it:
external-ip=YOUR_VPS_PUBLIC_IP
# or if Coturn is on a private IP behind a NAT router:
# external-ip=YOUR_VPS_PUBLIC_IP/YOUR_VPS_PRIVATE_IP

# --- Realm and Server Name ---
# Realm is used for authentication. Choose something unique to your service.
realm=yourdomain.com
server-name=turn.yourdomain.com

# --- Authentication ---
# For simplicity, we'll use static user accounts.
# Format: user=password
user=webrtc_user:SomeStrongPassword123
user=another_user:AnotherSecurePass456

# For more security, use long-term credentials mechanism (more complex setup)
# or disable auth for STUN only (not recommended for TURN).
# no-auth (allows STUN requests without auth - generally okay)
# stun-only (disables TURN, only STUN - useful if you have separate TURN)

# --- Logging ---
log-file=/var/log/turnserver.log
verbose # More detailed logging, good for troubleshooting
# no-stdout-log # Uncomment to disable logging to stdout if running as a service

# --- Relay Ports ---
# Range of ports for relaying media. Ensure your firewall allows these.
min-port=49152
max-port=65535

# --- Security (Optional but Recommended) ---
# If using TLS (highly recommended for production):
# cert=/etc/letsencrypt/live/yourdomain.com/fullchain.pem
# pkey=/etc/letsencrypt/live/yourdomain.com/privkey.pem
# no-tlsv1
# no-tlsv1_1

# Deny connections from bogon (unroutable) IP addresses
no-bogon

# Consider mobility for ICE-TCP (RFC6062) if needed by clients
# mobility

Important: Replace YOUR_VPS_PUBLIC_IP, yourdomain.com, and credentials with your actual values. Ensure the relay port range (min-port to max-port) is open in your VPS firewall for UDP traffic.

4. Running Coturn

How you run Coturn depends on how it was installed.

As a Service (Systemd - Common on modern Linux):

Enable the configuration: Some distributions require you to uncomment a line in /etc/default/coturn to tell it to use the turnserver.conf file. Open it and look for a line like TURNSERVER_ENABLED=1 or ensure it's not set to 0.
Start Coturn:
```
sudo systemctl start coturn
```
Enable on boot:
```
sudo systemctl enable coturn
```
Check status:
```
sudo systemctl status coturn
```
You should see it active and running. Check the logs (/var/log/turnserver.log) for any errors.

Manually (for testing or if not using systemd):

sudo turnserver -c /etc/turnserver.conf -o -v

-c /etc/turnserver.conf: Specifies the configuration file.
-o: Log to stdout (daemon mode off).
-v: Verbose logging.

5. Testing Your Coturn Server

The best way to test is using a WebRTC application or a dedicated testing tool.

WebRTC Samples Trickle ICE: A popular online tool is the Trickle ICE page.
1. Add your STUN/TURN server details:
  - STUN URI: stun:YOUR_VPS_PUBLIC_IP:3478 or stun:turn.yourdomain.com:3478
  - TURN URI: turn:YOUR_VPS_PUBLIC_IP:3478 or turn:turn.yourdomain.com:3478
  - Username: webrtc_user (or your configured user)
  - Password: SomeStrongPassword123 (or your configured password)
2. Click "Gather candidates".
3. Look for candidates of type srflx (server reflexive, from STUN) and relay (from TURN). If you see these with your server's IP, it's working! A "Done" message usually indicates success.
Check Logs: While testing, monitor your Coturn server logs (/var/log/turnserver.log or stdout if running manually). You should see activity related to STUN binding requests and TURN allocations if the tests are reaching your server.

Firewall: Double-check your VPS firewall (e.g., ufw, firewalld, or cloud provider's firewall). You need to allow UDP and TCP traffic on port 3478 (or your configured listening-port) and the UDP relay port range (49152-65535 by default).

Example UFW commands:

sudo ufw allow 3478/udp
sudo ufw allow 3478/tcp
sudo ufw allow 49152:65535/udp
sudo ufw reload

6. Next Steps & Security Considerations

TLS for TURNS: For production, set up TLS (tls-listening-port, cert, pkey) using certificates (e.g., from Let's Encrypt). This encrypts the signaling between the client and the TURN server. URIs will be turns:turn.yourdomain.com:5349.
Long-Term Credentials: Instead of static user=password, use the long-term credential mechanism. This involves your application generating temporary credentials for users.
Monitoring: Set up monitoring for your Coturn server (CPU, memory, network traffic, log analysis).
Keep Updated: Regularly update Coturn to the latest stable version for security patches and bug fixes.
Fail2Ban: Consider using Fail2Ban to protect against brute-force attacks on your TURN server if you expose it widely.

This guide provides a starting point. Coturn has many more configuration options for advanced scenarios. Always refer to the official Coturn documentation for detailed information.