24. Install Coturn

by Double Bastion - Updated March 17, 2022

Coturn is both a ‘Traversal Using Relays around NAT’ (TURN) server and a ‘Session Traversal Utilities for NAT’ (STUN) server. It supports many client-to-TURN-server protocols (UDP (per RFC 5766), TCP (per RFC 5766 and RFC 6062), TLS (per RFC 5766 and RFC 6062), DTLS, SCTP) and relay protocols (UDP (per RFC 5766), TCP (per RFC 6062)). It has been included in ‘RED SCARF Suite’ to assist Roundpin during video communication sessions, as a STUN server. It can also be used with Nextcloud Talk, if you choose to install and use Nextcloud Talk. Its main role in this setup is to help WebRTC clients behind routers to communicate with other WebRTC clients on the Internet. Since we won’t use its TURN functionality, we’ll disable it during setup.

Install the coturn package:

apt-get install coturn

Make a copy of the original configuration file:

cp /etc/turnserver.conf /etc/turnserver.conf_orig

Generate a random hexadecimal number by running:

openssl rand -hex 32

Open the /etc/turnserver.conf file:

nano /etc/turnserver.conf

The file should contain the following lines:

listening-port=8443
#alt-listening-port=0
fingerprint
#lt-cred-mech
use-auth-secret
static-auth-secret=c49ae806ec4e33748727fe446a1afdd9564cfa5f7d2d88edbc4a5d4c37fe46b4
realm=123.123.123.123
total-quota=100
bps-capacity=0
#stale-nonce=600
#cert=/usr/local/etc/turn_server_cert.pem
#pkey=/usr/local/etc/turn_server_pkey.pem
#cipher-list="DEFAULT"
log-file=/var/log/coturn/coturn.log
#syslog
simple-log
stun-only
#allow-loopback-peers
no-multicast-peers
cli-password=q6we51rfa5s1d9fas5

Replace c49ae806ec4e33748727fe446a1afdd9564cfa5f7d2d88edbc4a5d4c37fe46b4 with the random hexadecimal number generated earlier. Replace 123.123.123.123 with the public IP of your server and q6we51rfa5s1d9fas5 with a password that you will use if you want to send commands to your Coturn server using the command-line interface. The lines that begin with # should stay commented out, just as they appear above.

Please note that the syslog parameter is commented out, since you want the log output to be directed to the /var/log/coturn/coturn.log file. All the other lines in this file should be commented out.
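
The following check is an added example, not part of the original guide. It confirms that the edited file no longer carries the sample secret or CLI password printed above and that stun-only and no-multicast-peers are still active. The function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original guide): audit turnserver.conf for
# the settings this chapter relies on. Values below are the guide's samples.
SAMPLE_SECRET=c49ae806ec4e33748727fe446a1afdd9564cfa5f7d2d88edbc4a5d4c37fe46b4
SAMPLE_CLI_PW=q6we51rfa5s1d9fas5

# Print the value of the last active (uncommented) "key=value" line.
conf_value() {  # $1 = file, $2 = key
    sed -n "s/^[[:space:]]*${2}=//p" "$1" | tail -n 1
}

# Succeed if a bare flag such as stun-only is present and uncommented.
conf_flag() {   # $1 = file, $2 = flag
    grep -Eq "^[[:space:]]*${2}[[:space:]]*\$" "$1"
}

finding() { echo "FINDING: $1"; findings=$((findings + 1)); }

# Print one line per finding; return 0 when the file is clean, 1 otherwise.
audit_turnserver_conf() {
    conf=$1
    findings=0
    secret=$(conf_value "$conf" static-auth-secret)
    cli_pw=$(conf_value "$conf" cli-password)
    if [ "$secret" = "$SAMPLE_SECRET" ]; then
        finding "static-auth-secret is still the guide's sample value"
    elif ! printf '%s' "$secret" | grep -Eqi '^[0-9a-f]{64}$'; then
        finding "static-auth-secret is not 64 hex chars (openssl rand -hex 32)"
    fi
    if [ -z "$cli_pw" ] || [ "$cli_pw" = "$SAMPLE_CLI_PW" ]; then
        finding "cli-password is unset or still the guide's sample value"
    fi
    conf_flag "$conf" stun-only || finding "stun-only is not active: TURN relaying is not disabled"
    conf_flag "$conf" no-multicast-peers || finding "no-multicast-peers is not active"
    if conf_flag "$conf" allow-loopback-peers; then
        finding "allow-loopback-peers is active; the guide keeps it commented out"
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample: the chapter's config with its published values left in.
demo=$(mktemp)
printf '%s\n' listening-port=8443 use-auth-secret \
    "static-auth-secret=$SAMPLE_SECRET" realm=123.123.123.123 \
    stun-only no-multicast-peers "cli-password=$SAMPLE_CLI_PW" > "$demo"
# Pass a real path (e.g. /etc/turnserver.conf) as $1 to audit it instead.
audit_turnserver_conf "${1:-$demo}" || echo "Fix the findings before opening port 8443."
rm -f "$demo"
```
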

Open the necessary port in the firewall:

ufw allow 8443

Before restarting Coturn, create the log directory and set the proper ownership for it:

mkdir /var/log/coturn
chown turnserver:turnserver /var/log/coturn

Then run:

systemctl enable coturn.service
systemctl restart coturn

Check status with:

systemctl status coturn

24.1. Configure logrotate to rotate Coturn logs

Create the /etc/logrotate.d/coturn file:

nano /etc/logrotate.d/coturn

Add the following content inside this file:

/var/log/coturn/coturn.log {
     rotate 4
     weekly
     copytruncate
     notifempty
     missingok
     create 0640 turnserver root
}

24.2. Test Coturn

To test if Coturn as a STUN server works as expected, navigate to https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/ . There, in the ‘ICE Servers’ text area, select ‘stun:stun.l.google.com:19302’, then click ‘Remove Server’, then in the ‘STUN or TURN URI’ text box add:

stun:123.123.123.123:8443

where 123.123.123.123 is the public IP of your server, click ‘Add Server’, then click on the ‘Gather candidates’ button. If the last line of the output is ‘Done’, it means that the STUN server that you have just installed is working properly.

24.3. Upgrading Coturn

Since Coturn has been installed from the official Debian repository, all you need to do to upgrade it is run apt-get update && apt-get dist-upgrade with a specific frequency, as described in the Maintenance steps chapter. This command will upgrade Coturn if a new version is available. The configuration changes implemented as described above will be preserved during these upgrades.
