Choosing and using CoTurn as a STUN and TURN server for ICE
Internet Protocol (IP) based voice and messaging are very popular and increasingly so. SIP phone systems such as Lynx and Asterisk and XMPP based instant messengers (IM) from Facebook and Google are gradually replacing traditional phone systems and older IM clients. I have written previously on the good client Jitsi that handles both protocols. Another development is the rise of WebRTC for in-browser conferencing.
However, to enable systems to communicate, they have to see each other. Many devices have “hidden” private IP addresses because we don’t have enough IPv4 addresses and therefore use Network Address Translation (NAT). NAT makes it difficult for devices to transmit files, video and voice. A method to bypass NAT is ICE. ICE makes use of other protocols, notably STUN and TURN. In order to use ICE (and make those nice phone calls), you want a server that implements both protocols. Actually, there are quite a few that do.
But what is the best STUN and TURN server for your ICE based NAT traversals? (The rest of the article is rather technical.)
Lots of choices
I prefer C/C++ implementations over Java ones because of their better CPU and memory usage — not unimportant on your server or maybe your small Raspberry Pi! So I will leave out most of the Java implementations. This is one of the well-known Java implementations:
These are C/C++ servers but they lack some features:
apt-get install turnserver
apt-get install resiprocate-turn-server
not in the Debian repos AFAIK
A C/C++ server with many features is CoTurn:
abandoned, use coturn instead
fork by the same author with more features
From the INSTALL file for v220.127.116.11:
Debian “jessie” (and the recent version of Ubuntu and Mint) have the predecessor of this project packaged as “rfc5766-turn-server”, see the link: http://packages.qa.debian.org/r/rfc5766-turn-server.html
So we need to install a newer version.
If you are using the Debian package from the project download site, then follow these instructions:
Unpack the archive:
$ tar xvfz turnserver-<...>.tar.gz
Read the INSTALL file:
$ cat INSTALL
Install the *.deb file:
$ sudo apt-get update
$ sudo apt-get install gdebi-core
$ sudo gdebi coturn*.deb
(to install the bare package without any dependencies, type:
$ sudo dpkg -i coturn_*_*.deb)
And enable coturn:
$ vim /etc/default/coturn
After the install, read the documentation in
All binaries will be installed in
The turn*.conf config files are in /etc directory.
The service start-up control scripts will be in /etc/init.d/coturn and in /etc/defaults/coturn files.
Building your own is needed if you have a Raspberry Pi or whatever.
apt-get install gcc build-essential
apt-get install libssl-dev libevent-dev libpq-dev mysql-client libmysqlclient-dev libhiredis-dev
wget URL-TO-SOURCES
tar xzf SOURCES.tgz
cd SOURCES
make
make install
ArchLinux has this TURN server package:
1) If your system supports automatic start-up system daemon services, then, to enable the turnserver as an automatically started system service, you have to:
   a) Create and edit /etc/turnserver.conf or /usr/local/etc/turnserver.conf. Use /usr/local/etc/turnserver.conf.default as an example.
   b) For user accounts settings, if using the turnserver with authentication: create and edit /etc/turnuserdb.conf file, or set up PostgreSQL or MySQL or MongoDB or Redis database for user accounts. Use /usr/local/etc/turnuserdb.conf.default as example for flat file DB, or use /usr/local/share/turnserver/schema.sql as SQL database schema, or use /usr/local/share/turnserver/schema.userdb.redis as Redis database schema description and/or /usr/local/share/turnserver/schema.stats.redis as Redis status & statistics database schema description.
   c) Add whatever is necessary to enable start-up daemon for the /usr/local/bin/turnserver.
2) If you do not want the turnserver to be a system service, then you can start/stop it "manually", using the "turnserver" executable with appropriate options (see the documentation).
3) To create database schema, use schema in file /usr/local/share/turnserver/schema.sql
4) For additional information, run:
$ man turnserver
$ man turnadmin
$ man turnutils
Create a self-signed certificate
openssl req -x509 -newkey rsa:4096 -keyout turnserver.key -out turnserver.crt -days 9999 -nodes
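The command above uses -nodes, so the private key is written to disk unencrypted and file permissions are its only protection. The following script is an added example, not part of the original post or the coturn project: it generates the same kind of certificate non-interactively and checks the result. The target directory, the CN turn.example.org, the 365-day default lifetime and the function names are assumptions.

```shell
#!/bin/sh
# Added example: create and check the TURN server's self-signed certificate.
# Directory, CN, lifetime and key size are assumptions passed in by the caller.
set -eu

# make_turn_cert DIR CN [DAYS] [BITS]
make_turn_cert() {
    dir=$1 cn=$2 days=${3:-365} bits=${4:-4096}
    mkdir -p "$dir"
    # -nodes leaves the private key unencrypted on disk, so create it under
    # umask 077: it is never group/world readable, not even briefly.
    (
        umask 077
        openssl req -x509 -newkey "rsa:$bits" -nodes -sha256 \
            -subj "/CN=$cn" -days "$days" \
            -keyout "$dir/turnserver.key" -out "$dir/turnserver.crt"
    )
    chmod 600 "$dir/turnserver.key"
    chmod 644 "$dir/turnserver.crt"
}

# cert_matches_key DIR: succeeds only if the certificate carries the public
# key of turnserver.key (catches mixed-up files after a renewal).
cert_matches_key() {
    c=$(openssl x509 -in "$1/turnserver.crt" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$1/turnserver.key" -pubout | openssl sha256)
    [ "$c" = "$k" ]
}

# cert_valid_for DIR SECONDS: succeeds if the certificate has not expired
# SECONDS from now.
cert_valid_for() {
    openssl x509 -in "$1/turnserver.crt" -noout -checkend "$2" >/dev/null
}

# key_mode DIR: prints the key's permission bits, e.g. 600 (GNU stat).
key_mode() {
    stat -c '%a' "$1/turnserver.key"
}

# Run as: sh turn-cert.sh /etc/coturn-certs turn.example.org
if [ "$#" -ge 2 ]; then
    make_turn_cert "$1" "$2"
    cert_matches_key "$1" && cert_valid_for "$1" 2592000 &&
        echo "key mode $(key_mode "$1"), cert matches key, valid > 30 days"
fi
```

The key file must still be readable by the account the TURN server runs as, so adjust its ownership rather than loosening the mode.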
Ports needed on your firewall
(UDP & TCP)
This blog post was migrated in December 2022 from WordPress to a Markdown-based method; errors or changes relative to the original blog post may have arisen in the process.