TURN Server
Freedom Messenger includes a built-in TURN server for voice calls. TURN relays audio traffic when a direct peer-to-peer WebRTC connection is not possible.
When Is TURN Needed?
WebRTC tries to establish a direct connection between callers. This works when both users have simple network setups. TURN is needed when:
- One or both users are behind a strict NAT (common in corporate networks)
- One or both users are behind a symmetric firewall
- Direct UDP traffic is blocked between the users
In practice, about 10-20% of WebRTC connections require TURN relay.
Configuration
The TURN server is configured in config.toml:
public_ip = "203.0.113.10"
turn_port = 3478
public_ip
Your server's public IP address. The TURN server announces this IP to WebRTC clients so they know where to send relay traffic. If not set, the server attempts to auto-detect it.
turn_port
The UDP port for TURN. Default is 3478. Make sure this port is open in your firewall for UDP traffic.
Firewall Rules
# Allow TURN UDP traffic
sudo ufw allow 3478/udp
# Or with iptables
sudo iptables -A INPUT -p udp --dport 3478 -j ACCEPT
Authentication
TURN credentials are derived from the master secret using HKDF with a dedicated "turn" context. Credentials are temporary and rotate automatically. Users do not need to configure anything — the messenger client receives TURN credentials from the server when initiating a call.
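The derivation described above, as an added example (not Freedom Messenger's own code): HKDF-SHA256 with the "turn" context turns one master secret into a TURN-only key, which then signs short-lived credentials. The empty salt, the 32-byte key length, the expiry:user username layout and the HMAC-SHA256 password are assumptions; the page does not specify them.

```python
import base64
import hashlib
import hmac
import time


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract a PRK, then expand it."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def turn_key(master_secret: bytes) -> bytes:
    # "turn" is the context named on the page; empty salt and 32 bytes are assumptions.
    return hkdf_sha256(master_secret, b"", b"turn", 32)


def _mac(key: bytes, username: str) -> bytes:
    return base64.b64encode(hmac.new(key, username.encode(), hashlib.sha256).digest())


def issue_credentials(key: bytes, user_id: str, ttl: int = 600, now=None):
    """Return (username, password). The username carries the expiry time (assumed layout)."""
    expiry = int(time.time() if now is None else now) + ttl
    username = f"{expiry}:{user_id}"
    return username, _mac(key, username).decode()


def verify_credentials(key: bytes, username: str, password: str, now=None) -> bool:
    """Reject expired or malformed usernames, then compare MACs in constant time."""
    try:
        expiry = int(username.split(":", 1)[0])
    except ValueError:
        return False
    if expiry < (time.time() if now is None else now):
        return False
    return hmac.compare_digest(_mac(key, username), password.encode())


if __name__ == "__main__":
    key = turn_key(b"constructed-master-secret")  # constructed sample secret
    user, pw = issue_credentials(key, "alice")
    print(user, pw, verify_credentials(key, user, pw))
```

Because the TURN key is derived under its own context, a leaked TURN key or credential does not reveal the master secret or keys derived from it under other contexts.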
Troubleshooting
- Calls do not connect: Check that UDP port 3478 is open. Some cloud providers block UDP by default.
- One-way audio: Verify public_ip is correct. If your server is behind a NAT, use the public IP, not the internal IP.
- All calls fail: Check server logs for TURN-related errors. Verify the server has started the TURN listener.