
Step-by-Step Setup Guide Coturn - TURN Server


This step-by-step article will guide you through setting up Coturn, a TURN server, using Docker Swarm and Traefik as a reverse proxy. You will configure Coturn to help WebRTC function by handling NAT traversal issues in peer-to-peer connections.

Prerequisites

  • Linux server with Docker Swarm and Traefik installed. -> Check this Article
  • A domain name for the TURN server (optional but recommended).
  • GlusterFS or similar shared storage system (optional for Docker Swarm). -> Check this Article
  • Knowledge of setting up Docker, Docker Compose, and basic networking. -> Check this Article

Step 1: Set Up Data Directory in GlusterFS

If you use Docker Swarm and want data shared across all nodes, create a directory in GlusterFS for persistent data.

mkdir -p /mnt/glustermount/data/coturn_data

Step 2: Create and Customize turnserver.conf

Create a configuration file for Coturn (turnserver.conf) that defines essential settings like server realm, authentication, ports, and SSL certificates.

sudo nano /mnt/glustermount/data/coturn_data/turnserver.conf

Also create the log file so that the log is persisted in GlusterFS:

sudo nano /mnt/glustermount/data/coturn_data/turnserver.log

Individual configuration steps
  1. Add the following content to define your Coturn server realm and server name. Replace the placeholder values according to your needs.
    # TURN server name and realm
    realm=<DOMAIN>
    server-name=<SERVER_NAME>

  2. After that, add the external-ip key to define your server's public IP address and the listening-ip key to specify which IP addresses the Coturn server should listen on (0.0.0.0 tells the server to listen on all IPv4 addresses).
    # IPs the TURN server listens to
    listening-ip=0.0.0.0
    
    # External IP-Address of the TURN server
    external-ip=IP_ADDRESS

  3. Next, define the port your server listens on and the port range it allocates for relayed traffic.
    # Main listening port
    listening-port=3478
    
    # Further ports that are open for communication
    min-port=10000
    max-port=20000

  4. Then enable fingerprints in TURN messages, define the path of your log file (the file you created in GlusterFS above) and enable verbose logging.
    # Use fingerprint in TURN message
    fingerprint
    
    # Log file path
    log-file=/mnt/glustermount/data/coturn_data/turnserver.log
    
    # Enable verbose logging
    verbose

  5. Lastly, enable authentication for your TURN server using the user and lt-cred-mech keys. Replace test:test123 with your own username and a strong password: anyone holding these credentials can relay traffic through your server.
    # Specify the user for the TURN authentication
    user=test:test123
    
    # Enable long-term credential mechanism
    lt-cred-mech

These configuration blocks will result in the following file:

# TURN server name and realm
realm=DOMAIN
server-name=turnserver

# Use fingerprint in TURN message
fingerprint

# IPs the TURN server listens to
listening-ip=0.0.0.0

# External IP-Address of the TURN server
external-ip=IP_ADDRESS

# Main listening port
listening-port=3478

# Further ports that are open for communication
min-port=10000
max-port=20000

# Log file path
log-file=/mnt/glustermount/data/coturn_data/turnserver.log

# Enable verbose logging
verbose

# Specify the user for the TURN authentication
user=test:test123

# Enable long-term credential mechanism
lt-cred-mech

# If running coturn version older than 4.5.2, uncomment these rules and ensure
# that you have listening-ip set to ipv4 addresses only.
# Prevent Loopback bypass https://github.com/coturn/coturn/security/advisories/GHSA-6g6j-r9rf-cm7p
#denied-peer-ip=0.0.0.0-0.255.255.255
#denied-peer-ip=127.0.0.0-127.255.255.255
#denied-peer-ip=::1

Once you’re done, save and exit your file.

You can further customize your configuration for your own needs by changing the given keys' values or by adding new ones. You can reference coturn's original example configuration, which documents the most important options.

 

Step 3: Create the PID Folder and the Coturn User

1. Create a System User for Coturn: This command creates a system user for Coturn with no login shell, so the account cannot be used interactively. Also create the pid directory (/mnt/glustermount/data/coturn_data/pid) that the Docker Compose file in Step 4 mounts:

sudo useradd -r -s /bin/false coturn

2. Set Ownership: Change the ownership of the Coturn data directory to the newly created Coturn user:

sudo chown -R coturn:coturn /mnt/glustermount/data/coturn_data

3. Set Correct Permissions: Ensure that only the Coturn user has access to this directory by setting the proper permissions:

sudo chmod -R 700 /mnt/glustermount/data/coturn_data

These steps will ensure that Coturn has the correct permissions to access and write files in its data directory.

 

Step 4: Set Up Docker Compose for Coturn

Now, set up a docker-compose.yaml file to run Coturn inside Docker Swarm.

nano /mnt/glustermount/data/coturn_data/docker-compose.yaml

Add the following Docker Compose configuration:

services:
  coturn:
    image: coturn/coturn:4.5.2
    environment:
      - TURN_REALM=<DOMAIN>
      - TURN_LISTEN_PORT=3478
    volumes:
      - /mnt/glustermount/data/coturn_data/turnserver.conf:/etc/coturn/turnserver.conf:ro
      # Mount the log file at the same path used by log-file= in turnserver.conf
      - /mnt/glustermount/data/coturn_data/turnserver.log:/mnt/glustermount/data/coturn_data/turnserver.log
      - /mnt/glustermount/data/coturn_data/pid:/var/run
    # Publish the TURN port in host mode so the service is reachable on the node's own port 3478.
    # The relay range (min-port to max-port) must be reachable as well; publishing thousands of
    # ports is slow in Docker, which is why many deployments run coturn with host networking.
    ports:
      - target: 3478
        published: 3478
        protocol: tcp
        mode: host
      - target: 3478
        published: 3478
        protocol: udp
        mode: host
    networks:
      - management_net
    deploy:
      mode: replicated
      replicas: 1

networks:
  management_net:
    external: true

Step 5: Port Forwarding

For external access, you need to set up port forwarding on your router or firewall. Forward the following ports:

  • 3478 TCP/UDP: TURN Port.
  • 49152–65535 UDP: coturn's default relay range. If you set min-port and max-port in turnserver.conf as above, forward that configured range instead. Ensure this range (or at least part of it) is open for relayed media traffic.

These ports allow external clients to reach your TURN server and to send and receive relayed media.

If you don't know how to do that, see this guide from NordVPN.
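The following added example (not from the original article) parses a turnserver.conf in the format built in Step 2 and reports what a reviewer would check: user= passwords stored in plaintext, loopback peers not covered by denied-peer-ip, and a relay range that differs from the UDP range forwarded in Step 5. It also shows the user=name:0x<key> form, where the key is MD5(user:realm:password) as printed by turnadmin -k, which keeps the password itself out of a file on shared storage; the sample configuration inside is constructed from the page's values.

```python
import hashlib
import ipaddress

# Constructed sample: the security-relevant lines of the turnserver.conf
# assembled above, with the page's placeholder credentials left in place.
SAMPLE_CONF = """\
listening-port=3478
min-port=10000
max-port=20000
user=test:test123
lt-cred-mech
#denied-peer-ip=127.0.0.0-127.255.255.255
"""

def parse_turnserver_conf(text):
    """Map each option to its list of values; bare flags map to [None]."""
    opts = {}
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if line:  # '#' starts a comment, blank lines carry nothing
            key, sep, val = line.partition("=")
            opts.setdefault(key.strip(), []).append(val.strip() if sep else None)
    return opts

def hashed_user_line(username, realm, password):
    """user= entry storing the long-term credential key, MD5(user:realm:password)
    as printed by turnadmin -k, instead of the plaintext password."""
    key = hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()
    return f"user={username}:0x{key}"

def _denies(entry, ip):
    """True if a denied-peer-ip value (single address or a-b range) covers ip."""
    lo, _, hi = entry.partition("-")
    lo, hi, ip = (ipaddress.ip_address(x) for x in (lo, hi or lo, ip))
    return lo.version == ip.version and lo <= ip <= hi

def lint(opts, forwarded_udp=(49152, 65535)):
    """Findings a reviewer would raise; forwarded_udp is the range the router forwards."""
    findings = []
    if "lt-cred-mech" not in opts and "use-auth-secret" not in opts:
        findings.append("no authentication mechanism enabled: open relay")
    for entry in opts.get("user", []):
        name, _, secret = entry.partition(":")
        if not secret.startswith("0x"):
            findings.append(f"user {name}: password stored in plaintext")
    if not any(_denies(e, "127.0.0.1") for e in opts.get("denied-peer-ip", [])):
        findings.append("loopback not in denied-peer-ip (needed on coturn < 4.5.2)")
    lo, hi = (int(opts.get(k, [d])[0]) for k, d in (("min-port", 49152), ("max-port", 65535)))
    if (lo, hi) != forwarded_udp:
        findings.append(f"relay range {lo}-{hi} is not the forwarded range {forwarded_udp}")
    return findings
```

Run lint(parse_turnserver_conf(open("turnserver.conf").read()), forwarded_udp=(10000, 20000)) against your own file with the range you actually forwarded; an empty list means none of the checks fired.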


Conclusion

Setting up a TURN server with Coturn in Docker Swarm can simplify peer-to-peer communication in WebRTC applications, especially in networks where NAT traversal is required. With Traefik as a reverse proxy, you can easily manage your server through HTTPS and make it accessible from the internet. By following this guide, you’ve built a robust, scalable, and secure TURN server setup.