MeetrixIO team is well experienced with WebRTC related technologies. We provide commercial support for Jitsi Meet, Kurento, OpenVidu, BigBlue Button, Coturn Server and other webRTC related opensource projects.
Coturn is an opensource turn server. This guide has been tested on Ubuntu 18.04.
First Make sure that you have opened up following ports in your firewall. You can always change the ports you want to use for the setup.
80 : TCP # if you need to setup coturn with SSL 443 : TCP # if you need to setup coturn with SSL 3478 : UDP 10000–20000 : UDP
Login to Ubuntu shell and enter following command to install Coturn
sudo apt-get -y update sudo apt-get -y install coturn
Start the Coturn Daemon at Startup
To setup coturn start at system startup
sudo vim /etc/default/coturn
Uncomment the following line by removing the
# at the beginning to run Coturn as an automatic system service daemon
For any application or to user use the turn server, they need to have a username and a password. Depending on how the username and passoword are created there are two main methods that we can configure the turn server.
Long Term Credentials Mechanism
The Long Term Credentials Mechanism is simple. A pair of username and password is shared between the Turn Server and the application/user. This credentials will not expire. Anyone who has these credentials can use the turn server. This mechanism is suitable for applications where the turn server credentials are not exposed to end users but used only by the servers.
Time-Limited Credentials Mechanism
In Time-Limited Credentials Mechanism (described here), a static key is shared between the turn server and the appliaction. This shared secred then will be used to generate dynamic usernames and passwords by the application which can be . These dynamic usernames and passwords then can be used by the applications and they will expire within a predefined time period. This mechanism is more suitable for the applications where the turn server credentials should be exposed to the end users. Jitsi, SimpleWebRTC, SpreedWebRTC supports Time-limited Credentials Mechanism.
More information can be found in Coturn Wiki.
With Long Term Credential Mechanism
This method should work with most of the versions of Coturn.
Open (or create)
/etc/turnserver.conf file and past the following content. Replace
<YOUR_PUBLIC_IP_ADDRESS> values with your own ones.
realm=coturn.meetrix.io fingerprint listening-ip=0.0.0.0 external-ip=<EXTERNAL_IP>/<INTERNAL_IP> #or just the external ip listening-port=3478 min-port=10000 max-port=20000 log-file=/var/log/turnserver.log verbose user=<YOUR_USERNAME>:<YOUR_PASSWORD> lt-cred-mech
Now restart the coturn service
sudo service coturn restart
With Time-Limited Credentials Mechanism
When a turn server is installed, we can start the turn server with Time-limited Credentials Mechanism using
static-auth-secret flag and we can pass the shared secret.
realm=coturn.meetrix.io fingerprint listening-ip=0.0.0.0 external-ip=<EXTERNAL_IP>/<INTERNAL_IP> #or just the external ip listening-port=3478 min-port=10000 max-port=20000 log-file=/var/log/turnserver.log verbose static-auth-secret=<YOUR_SECRET>
Now restart the coturn service
sudo service coturn restart
Pro TIP : Setting up Coturn with SSL
Some firewalls do not allow traffic from ports other than 80 or 443. And some rules might enforce TLS or SSL security over the transport. To support these usecases we can run turn server on port 443 with letsencrypt certificates.
For this you need a domain which is pointed to the server that you are going to install the turn srever
And your port 80 and 443 should be open to the public (both inbound and outbount).
First you have to install
Certbot certificate client from certbot.eff.org. On an
Ubuntu 18.04 box, copy and past following commands. Otherwise, follow the official guide.
sudo apt-get -y update &&\ sudo apt-get -y install software-properties-common &&\ sudo add-apt-repository -y universe &&\ sudo add-apt-repository -y ppa:certbot/certbot &&\ sudo apt-get -y update &&\ sudo apt-get -y install certbot
Then you have to request the certificates using certbot.
sudo certbot certonly --standalone
You will be prompted to provide your domain name. If everything goes well, your certificates will be installed in
directory. Once you are done with installing the certificates, you have to add following additional lines to the config.
server-name=<YOUR_COTURN_DOMAIN> cert=/etc/letsencrypt/live/<YOUR_COTURN_DOMAIN>/cert.pem pkey=/etc/letsencrypt/live/<YOUR_COTURN_DOMAIN>/privkey.pem
Then you can change the port to
443 as well.
For example, config for the long term crendetials mechanism will look like this.
server-name=coturn.meetrix.io cert=/etc/letsencrypt/live/coturn.meetrix.io/cert.pem pkey=/etc/letsencrypt/live/coturn.meetrix.io/privkey.pem realm=coturn.meetrix.io fingerprint listening-ip=0.0.0.0 external-ip=<EXTERNAL_IP>/<INTERNAL_IP> #or just the external ip listening-port=443 min-port=10000 max-port=20000 log-file=/var/log/turnserver.log verbose user=<YOUR_USERNAME>:<YOUR_PASSWORD> lt-cred-mech
For testing we can use Trickle-Ice testing tool. Go to trickle-ice page and enter following details.
STUN or TURN URI : turn:<YOUR_PUBLIC_IP_ADDRESS>:3478 TURN username: <YOUR_USERNAME> TURN password: <YOUR_PASSWORD>
If you have configured the turn server in Long-Term Credentials Mechanism, you can directly use the credentials.
But if you are using Time-Limited Credentials Mechanism, you can use following script to generate a username and a password
secret=mysecret && \ time=$(date +%s) && \ expiry=8400 && \ username=$(( $time + $expiry )) &&\ echo username:$username && \ echo password : $(echo -n $username | openssl dgst -binary -sha1 -hmac $secret | openssl base64)
output of this script would be some thing like following
username:1525325424 password : YuzkH/Th9BBaRj4ivR03PiCfr+E=
Add Server and then
Gather candidates button. If you have done everything correctly, you should see
Done as the final result. If you do not get any response or if you see any error messages, please double check if you have followed this guide as it is.
That's it !
Looking for commercial support ? Please contact us via firstname.lastname@example.org