10-TURN-server
faycel edited this page 2026-02-26 21:12:16 +00:00

This page documents the TURN server configuration installed directly on the host system.

Snapshot date: 2026-02
Installation mode: System package (not Docker)
Service: coturn (systemd)


1. Purpose

The TURN server provides:

  • NAT traversal for WebRTC
  • Media relay fallback
  • Support for restrictive firewalls

Required for Mattermost Calls.


2. Installation

Install coturn:

sudo apt update
sudo apt install coturn

3. Enable Coturn (Ubuntu Specific Step)

On Ubuntu/Debian systems, coturn is installed but disabled by default.

Edit:

sudo nano /etc/default/coturn

Set:

TURNSERVER_ENABLED=1

Save and exit.

Enable and start service:

sudo systemctl enable coturn
sudo systemctl restart coturn

Verify:

sudo systemctl status coturn

4. Main Configuration File

Primary configuration file:

/etc/turnserver.conf

Minimal secure configuration:

listening-port=3478
# Relay ports handed out to clients; keep the range small and keep it in sync with the firewall rules
min-port=49160
max-port=49200

fingerprint
# Long-term credentials, using the shared-secret (TURN REST API) variant so every
# client receives a time-limited username/password derived from the secret below
lt-cred-mech
use-auth-secret
static-auth-secret=<SECRET>
realm=your-domain.com

# Refuse to relay to loopback or multicast peers and disable the telnet admin CLI
no-loopback-peers
no-multicast-peers
no-cli

5. Secret Generation

Generate strong secret:

openssl rand -base64 48

Insert the generated value into:

static-auth-secret=

Restart service after modification:

sudo systemctl restart coturn
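
With use-auth-secret, clients never see the static secret itself: the application that hands out ICE servers (for Mattermost Calls, the plugin configured with the same secret) derives short-lived credentials from it, and coturn recomputes the HMAC to check them. The following Python is an added illustration, not code from this wiki or from coturn; EXAMPLE_SECRET, the user name and the host name are constructed placeholders.

```python
import base64
import hashlib
import hmac
import time

# Constructed placeholder; in production this is the static-auth-secret value
# from /etc/turnserver.conf (output of `openssl rand -base64 48`).
EXAMPLE_SECRET = "replace-with-output-of-openssl-rand-base64-48"


def make_credentials(secret, user="mmcalls", ttl=3600, now=None):
    """Build TURN REST API credentials as coturn expects them with use-auth-secret:
    username = "<expiry unix time>:<user>", password = base64(HMAC-SHA1(secret, username))."""
    now = int(time.time()) if now is None else int(now)
    username = f"{now + ttl}:{user}"
    digest = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return username, base64.b64encode(digest).decode()


def verify_credentials(secret, username, password, now=None):
    """Server-side check mirroring coturn: recompute the HMAC over the username and
    reject credentials whose embedded expiry has passed or whose MAC does not match."""
    now = int(time.time()) if now is None else int(now)
    try:
        expiry = int(username.split(":", 1)[0])
    except ValueError:
        return False  # username is not in "<timestamp>:<user>" form
    if expiry <= now:
        return False  # credential has expired; a leaked one is useless after ttl
    expected = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    try:
        given = base64.b64decode(password, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return hmac.compare_digest(expected, given)


def ice_server_entry(secret, turn_host, user="mmcalls", ttl=3600, now=None):
    """Return the iceServers entry a WebRTC client would be given (UDP on 3478,
    matching listening-port in the configuration above)."""
    username, password = make_credentials(secret, user, ttl, now)
    return {
        "urls": [f"turn:{turn_host}:3478?transport=udp"],
        "username": username,
        "credential": password,
    }
```

Because the password is bound to the expiry in the username, an intercepted credential stops working once the ttl elapses, which is why a shared secret is preferable to a long-lived user entry.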

6. Firewall Configuration

Required ports:

sudo ufw allow 3478/udp
sudo ufw allow 49160:49200/udp

Verify:

sudo ufw status

7. Verification

Check listening ports:

sudo ss -ulpn | grep 3478

Check relay range (a relay port is bound only while an allocation is active, so this shows output only during a call):

sudo ss -ulpn | grep 49160

Check logs:

sudo journalctl -u coturn -f

8. Security Notes

  • Never allow anonymous relay
  • Always use static-auth-secret
  • Restrict relay port range
  • Disable CLI (no-cli)
  • Monitor bandwidth usage (an abused relay shows up as unexpected outbound traffic)
  • Keep coturn updated
  • Verify that only UDP port 3478 and the relay port range are exposed

A misconfigured server (for example one accepting unauthenticated allocations) becomes an open relay that anyone able to reach the port can use to proxy traffic through this host.