# Setting up a TURN server for a self-hosted Nextcloud installation

- **Document Author:** Ze'ev Schurmann
- **Document Version:** v1.0.2
- **Document License:** CC-4.0-BY-NC-ND

This document is one of a series I intend to compile for various open source projects that I use, support and believe in.

For more info visit https://git.zaks.web.za/thisiszeev/documentation

If you have any questions or need 1 on 1 support/training then please send me a chat request on Reddit (https://reddit.com/u/thisiszeev)

Feel free to visit my Git Repo on https://git.zaks.web.za/thisiszeev

If you find this document useful, please let me know via Reddit, share it with others, and if you can afford it, please consider a small donation at https://paypal.me/thisiszeev

The contents of this repo are licensed under the Creative Commons 4.0 Attribution, Non-Commercial, No-Derivative-Works license. You are free to share the document in an unaltered state. If you do wish to publish this guide or any of my other guides on your website or in your print publication, then please contact me via Reddit to discuss licensing.

## Contents

- Before you start (requirements, disclaimer and warnings)
- What is a TURN Server
- What is coTURN
- Installing coTURN
- Configuring coTURN
- Activating coTURN
- Configuring Nextcloud Community Edition (Self-Install)

## Before you start (requirements, disclaimer and warnings)

**REQUIREMENTS:** A publicly accessible dedicated or virtualized server running Nextcloud. This guide is written for Debian and Debian based operating systems. If you are running a different version of Linux, then please substitute the relevant steps to fit your installation.

**DISCLAIMER:** I am in no way affiliated with Nextcloud GmbH or any of their associated companies or brands. This guide is created as a labor of love and is in no way intended to represent the views and/or opinions of Nextcloud GmbH or any of the other community members.

**WARNING:** You use this guide at your own risk.
I assume no responsibility for any damages, loss of data, loss of revenue, or any other outcome of any nature, either implied or not.

It is assumed that you have a basic understanding of the Linux command-line, that you have a working Self-Hosted Installation of Nextcloud, along with root/sudo access to the server that your installation is hosted on.

## What is a TURN Server

A **TURN server** (Traversal Using Relays around NAT) is a type of server used in **real-time communication** (like video calls, voice chats, or online gaming) when **direct peer-to-peer connections** between users fail due to **strict firewalls or NATs (Network Address Translators)**.

### What it does:

- It **relays traffic** between two clients who cannot establish a direct connection.
- Unlike **STUN** (Session Traversal Utilities for NAT), which just helps discover public IPs and ports, **TURN actually passes the media (audio/video/data)** through the server.

### Why it's needed:

- Some networks (corporate, mobile, or public WiFi) block incoming peer connections.
- When direct peer-to-peer via STUN isn't possible, TURN is a fallback that ensures communication still works.

### Common in:

- **WebRTC applications** (e.g., video conferencing in browsers)
- **VoIP apps**, online games, remote desktop tools, etc.

### Downsides:

- It’s **more resource-intensive** than STUN, since the TURN server handles all the data.
- **Latency** may increase a bit because the server is relaying everything.

### Example use case:

Imagine two users trying to video call using a WebRTC app:

- If they’re both behind NATs/firewalls that allow STUN, they can talk directly (P2P).
- If not, a TURN server relays their video and audio between them, acting as a middleman.

## What is coTURN

**coTURN** is a **free, open-source TURN and STUN server** implementation. It’s one of the most popular and reliable choices for adding NAT traversal support to real-time communication apps, especially **WebRTC**.
### What coTURN does:

- Provides both **TURN** and **STUN** services.
- Helps devices behind NAT/firewalls communicate over the internet.
- Acts as a **relay server** when direct peer-to-peer (P2P) connections can’t be established.

### Key features of coTURN:

- Supports **UDP, TCP, TLS, and DTLS**.
- **Authentication** (static or dynamic via REST API).
- **IPv4 and IPv6** support.
- Can be used in **high-load** environments.
- Works great for **WebRTC**, **VoIP**, **SIP**, **video conferencing**, etc.

### Typical usage:

- You install it on a VPS or server with a **public IP**.
- Configure it via `turnserver.conf`.
- Apps like Jitsi, Nextcloud Talk, BigBlueButton, and custom WebRTC apps use it when clients can't connect directly.

### Tip:

Even if you’re just using STUN most of the time, having TURN via coTURN ensures your app **always works**, even in the strictest networks.

## Installing coTURN

### With root access

First make sure that Linux is fully updated.

```
apt update && apt -y upgrade
```

If updates complete without error, you can install coTURN.

```
apt -y install coturn
```

### With sudo access

First make sure that Linux is fully updated.

```
sudo apt update && sudo apt -y upgrade
```

If updates complete without error, you can install coTURN.

```
sudo apt -y install coturn
```

## Configuring coTURN

### With root access

Open the file `/etc/turnserver.conf`

```
nano /etc/turnserver.conf
```

### With sudo access

Open the file `/etc/turnserver.conf`

```
sudo nano /etc/turnserver.conf
```

### Editing /etc/turnserver.conf

Press CTRL+W and type `#listening-port` followed by ENTER. You will be taken to a line that looks like this:

```
#listening-port=3478
```

Remove the comment `#` so that it looks like this:

```
listening-port=3478
```

---

Press CTRL+W and type `#tls-listening-port` followed by ENTER.
You will be taken to a line that looks like this:

```
#tls-listening-port=5349
```

Remove the comment `#` so that it looks like this:

```
tls-listening-port=5349
```

---

Press CTRL+W and type `#alt-listening-port` followed by ENTER. You will be taken to a line that looks like this:

```
#alt-listening-port=0
```

Remove the comment `#` so that it looks like this:

```
alt-listening-port=0
```

---

Press CTRL+W and type `#alt-tls-listening-port` followed by ENTER. You will be taken to a line that looks like this:

```
#alt-tls-listening-port=0
```

Remove the comment `#` so that it looks like this:

```
alt-tls-listening-port=0
```

---

Press CTRL+W and type `#min-port` followed by ENTER. You will be taken to a line that looks like this:

```
#min-port=49152
```

Remove the comment `#` and change the number to `60000` so that it looks like this:

```
min-port=60000
```

---

The line below `min-port` looks like this:

```
#max-port=65535
```

Remove the comment `#` and change the number to `61999` so that it looks like this:

```
max-port=61999
```

---

Press CTRL+W and type `#fingerprint` followed by ENTER. You will be taken to a line that looks like this:

```
#fingerprint
```

Remove the comment `#` so that it looks like this:

```
fingerprint
```

---

Press CTRL+W and type `#use-auth-secret` followed by ENTER. You will be taken to a line that looks like this:

```
#use-auth-secret
```

Remove the comment `#` so that it looks like this:

```
use-auth-secret
```

---

Press CTRL+W and type `#static-auth-secret` followed by ENTER.
You will be taken to a line that looks like this:

```
#static-auth-secret=north
```

Remove the comment `#` and change the string after the equals sign to a nice long string of about 32 characters, so that it looks something like this but with your own secret string in place of `SuperStrongSecretGoesHere`:

```
static-auth-secret=SuperStrongSecretGoesHere
```

*Save your chosen secret as you will need it when you configure Nextcloud.*

---

Press CTRL+W and type `#realm` followed by ENTER. You will be taken to a line that looks like this:

```
#realm=mycompany.org
```

Remove the comment `#` and change the domain to the domain you use to access the server that coTURN is installed on, so that it looks like this:

```
realm=nextcloud.mydomain.tld
```

*If you are installing coTURN on a separate server then the domain will be different to the domain used for Nextcloud.*

---

Press CTRL+W and type `#total-quota` followed by ENTER. You will be taken to a line that looks like this:

```
#total-quota=0
```

Remove the comment `#` so that it looks like this:

```
total-quota=0
```

---

Press CTRL+W and type `# bps-capacity` followed by ENTER. You will be taken to a line that looks like this:

```
# bps-capacity=0
```

Remove the comment `#` so that it looks like this:

```
bps-capacity=0
```

*If you want to limit the total network usage for coTURN at any one time, you can replace the `0` with a real limit in bits per second. 1 Kbps is 1024 bps, 1 Mbps is 1024 Kbps, and so on.*

---

Press CTRL+W and type `#no-multicast-peers` followed by ENTER. You will be taken to a line that looks like this:

```
#no-multicast-peers
```

Remove the comment `#` so that it looks like this:

```
no-multicast-peers
```

## Activating coTURN

coTURN should already be active. You should only need to restart the service.

### With root access

```
systemctl restart coturn.service
```

If you got an error, you will have to start and enable it.
```
systemctl start coturn.service
systemctl enable coturn.service
```

### With sudo access

```
sudo systemctl restart coturn.service
```

If you got an error, you will have to start and enable it.

```
sudo systemctl start coturn.service
sudo systemctl enable coturn.service
```

## Configuring Nextcloud Community Edition (Self-Install)

1. Log into your Nextcloud Install as the admin user.
2. Click on the user icon in the top right.
3. Click `Administration settings`.
4. Scroll down the settings menu on the left and click on `Talk`.
5. On the right of the screen scroll down to find `TURN servers`.
6. Add a new TURN server and use the following settings:
   - turn: and turns:
   - TURN server URL - use the domain name you assigned to the setting `realm=`
   - TURN server secret - use the long string you assigned to `static-auth-secret=`
   - UDP and TCP
7. Click the wavy icon on the right. If all is done correctly, it should change to a green checkmark.
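Why the same string goes into both `static-auth-secret=` and the Nextcloud `TURN server secret` field: with `use-auth-secret` enabled, coTURN accepts time-limited credentials where the username is an expiry timestamp and the password is the Base64 HMAC-SHA1 of that username under the shared secret. The sketch below is an added example, not part of the original guide and not coTURN or Nextcloud code; the function names are hypothetical and `verify_credentials` is a simplified model of the server-side check.

```python
import base64
import hashlib
import hmac
import secrets
import time


def generate_secret(nbytes=32):
    """Random hex string for static-auth-secret (two characters per byte)."""
    return secrets.token_hex(nbytes)


def _mac(secret, username):
    digest = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def make_credentials(secret, ttl=86400, user="", now=None):
    """Client side: the username is the expiry time, the password is its HMAC."""
    expiry = int(time.time() if now is None else now) + ttl
    username = f"{expiry}:{user}" if user else str(expiry)
    return username, _mac(secret, username)


def verify_credentials(secret, username, password, now=None):
    """Server side (simplified model): reject expired or forged credentials."""
    stamp = username.split(":", 1)[0]
    if not (stamp.isascii() and stamp.isdigit()):
        return False
    if int(stamp) < int(time.time() if now is None else now):
        return False
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(_mac(secret, username).encode(), password.encode())


if __name__ == "__main__":
    secret = generate_secret()  # constructed here; never reuse a printed secret
    name, pw = make_credentials(secret, ttl=3600, user="alice")
    print("username:", name)
    print("password:", pw)
    print("valid with right secret:", verify_credentials(secret, name, pw))
    print("valid with stock 'north':", verify_credentials("north", name, pw))
```

Anyone who learns the secret can mint valid relay credentials, which is why the stock value `north` and short strings must not stay in place.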
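A check for the `/etc/turnserver.conf` edits made under "Configuring coTURN": it reports directives that are still commented out and secrets or realms left at the stock or guide placeholder values. This is an added example, not part of the original guide or of coTURN; the function names and the sample file contents are constructed for illustration, and the 32-character threshold is the guide's own "about 32 characters".

```python
# Directives the guide uncomments in /etc/turnserver.conf.
FLAGS = {"fingerprint", "use-auth-secret", "no-multicast-peers"}
KEYS = {"listening-port", "tls-listening-port", "min-port", "max-port",
        "static-auth-secret", "realm"}
# Values from the stock file and from this guide that must not stay in place.
PLACEHOLDER_SECRETS = {"north", "SuperStrongSecretGoesHere"}
PLACEHOLDER_REALMS = {"mycompany.org", "nextcloud.mydomain.tld"}
MIN_SECRET_LEN = 32  # the guide's "about 32 characters"


def parse_conf(text):
    """Map each active (uncommented) directive to its value; flags map to ''."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    conf = parse_conf(text)
    findings = [f"{name}: missing or still commented out"
                for name in sorted((FLAGS | KEYS) - set(conf))]
    secret = conf.get("static-auth-secret", "")
    if secret in PLACEHOLDER_SECRETS:
        findings.append("static-auth-secret: placeholder value, replace it")
    elif secret and len(secret) < MIN_SECRET_LEN:
        findings.append(f"static-auth-secret: shorter than {MIN_SECRET_LEN} characters")
    if conf.get("realm") in PLACEHOLDER_REALMS:
        findings.append("realm: placeholder domain, set your own")
    lo, hi = conf.get("min-port", ""), conf.get("max-port", "")
    if lo.isdigit() and hi.isdigit() and int(lo) > int(hi):
        findings.append("min-port is greater than max-port")
    return findings


# Constructed sample: secret left at the stock value, realm never uncommented.
SAMPLE = ("listening-port=3478\ntls-listening-port=5349\nmin-port=60000\n"
          "max-port=61999\nfingerprint\nuse-auth-secret\n"
          "static-auth-secret=north\n#realm=mycompany.org\nno-multicast-peers\n")

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING", finding)
```

To run it against a real installation, pass the contents of `/etc/turnserver.conf` to `audit()` instead of `SAMPLE`.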