TURN servers
TURN stands for Traversal Using Relays around NAT. TURN is a protocol used in network communications to relay data between devices or clients that are located behind different NATs (Network Address Translators) or firewalls.
TURN servers are very important in situations like video calling and file sharing over the internet, where direct communication between devices is not possible because of NAT or firewalls.
Technical Background of TURN
NAT and Communication Challenges:
Network Address Translation, or NAT, is a method through which multiple private IP addresses (assigned to clients in a private network) are mapped through a single public IP address.
NAT helps conserve IP addresses, as all the devices in the private network access the internet through a single public IP address. NATs also help increase security.
But NATs also create a challenge for P2P communication, as devices behind a NAT are not directly reachable from the internet.
IP address depletion problem
This is done because there is a limited number of IPv4 addresses in the world, and until the advent of IPv6 IP addresses needed to be conserved. The number of devices on the internet was increasing at a faster rate than addresses could be supplied, and there was a real risk that there would not be enough IP addresses to give one to every device.
How TURN server works
When a client device wants to communicate with another client device on the internet, it first tries to establish a direct connection using STUN (Session Traversal Utilities for NAT). If this fails because of stricter NAT or firewall rules, it falls back to a TURN server.
The TURN server receives the data from one client and forwards it to the other client, so the two can communicate even though the NAT or firewall does not allow a direct path between them.
The data that passes through the TURN server is encrypted by the endpoints (in WebRTC, via DTLS-SRTP), so no one in the path, not even the TURN server relaying it, can read what it is forwarding.
STUN servers vs TURN servers
STUN and TURN are both protocols used to enable network communications in situations where NATs and firewalls are present.
While there are some similarities between these two protocols, their purpose and how they operate are different.
STUN server
Primary Purpose: The primary purpose of STUN is to allow a device that is behind a NAT to learn what its public IP address is.
Clients that are behind NATs do not know what their public IP address is; they only know their private IP address (the public IP address is only known to the NAT device, usually a router).
This information is very important in enabling P2P communications: once the client device knows what its public IP is, it can forward this information to the other client device on the internet and thus establish P2P communication through the public IP.
Usage: STUN is used in various applications like video conferencing, audio conferencing, file sharing, VoIP communications, etc.
Working mechanism:
When a client needs to establish a direct connection with another client on the internet, it first needs to find out what its public IP address is.
The client sends a request to the STUN server, and the STUN server responds with the public IP address and port number it saw the request come from (usually it is port 80 and 443).
The client now knows its public IP and port number, and it informs the other client on the internet about them.
This helps establish direct communication between two client devices that are on the internet behind different NATs and firewalls.
Limitations:
STUN works in many scenarios but fails with symmetric NAT, where the NAT assigns a different public endpoint for each external connection.
STUN also fails where strong firewall rules block the connections.
TURN server
TURN servers are a fallback for STUN: when STUN fails, TURN relays data between the clients, working through symmetric NATs and deep packet inspection firewall rules.
Working Mechanism
In scenarios where STUN fails to establish a connection, the client falls back to a TURN server.
The TURN server relays data from one client to another.
Unlike STUN, which only helps in discovering the public IP address for direct communication, the TURN server handles the traffic itself, forwarding the data from one client to the other.
Usage
TURN servers are resource intensive in terms of CPU and bandwidth, because all the relayed traffic flows through the TURN server itself.
Setting Up the TURN server
Considerations for TURN server deployment
When considering a TURN server there are many options:
You can set up your own TURN server using open source software like COTURN.
You can use a third party TURN server provider like Metered TURN servers.
Choosing the Right TURN Server Solution
Depending on your needs and technical know-how you can choose either of these solutions.
Let us consider the pros and cons of both. First, let us look at using a TURN server provider; here we will consider Metered TURN servers.
Metered TURN servers
Global Geo-Location targeting: Automatically directs traffic to the nearest servers, for lowest possible latency and highest quality performance. less than 50 ms latency anywhere around the world
Servers in 12 Regions of the world: Toronto, Miami, San Francisco, Amsterdam, London, Frankfurt, Bangalore, Singapore, Sydney (Coming Soon: South Korea, Japan and Oman)
Low Latency: less than 50 ms latency, anywhere across the world.
Cost-Effective: pay-as-you-go pricing with bandwidth and volume discounts available.
Easy Administration: Get usage logs, emails when accounts reach threshold limits, billing records and email and phone support.
Standards Compliant: Conforms to RFCs 5389, 5769, 5780, 5766, 6062, 6156, 5245, 5768, 6336, 6544, 5928 over UDP, TCP, TLS, and DTLS.
Multi‑Tenancy: Create multiple credentials and separate the usage by customer, or different apps. Get Usage logs, billing records and threshold alerts.
Enterprise Reliability: 99.999% Uptime with SLA.
Enterprise Scale: With no limit on concurrent traffic or total traffic. Metered TURN Servers provide Enterprise Scalability
50 GB/mo Free: Get 50 GB every month free TURN server usage with the Free Plan
Runs on port 80 and 443
Supports TURNS + SSL to allow connections through deep packet inspection firewalls.
Supports STUN
Supports both TCP and UDP
Setting up your own TURN server
You can also set up your own TURN server using open source software like COTURN.
To do this it is a simple matter of creating an instance on any cloud provider like AWS or Google Cloud. Here is the link to the tutorial on how to set up a TURN server on a cloud provider:
How to setup a TURN server on AWS
Costs associated with setting up your own TURN server
Instance cost: Depending on how much TURN server bandwidth you need, you will need to set up a large enough instance, because TURN servers are resource intensive and require CPU, RAM and bandwidth.
Bandwidth costs: All the cloud providers also charge for bandwidth, so you need to factor in the bandwidth costs as well.
Maintenance: You also need to maintain your TURN server, for security and version updates etc. This creates downtime, as the TURN server needs to be restarted for updates to take effect.
Reliability: Cloud instances can go into a state of limbo; if this happens the TURN server needs to be restarted, which also creates reliability problems.
Scalability: The TURN server that you created has a limited capacity for CPU, RAM and bandwidth; if your TURN server usage increases over time you will have problems with the scalability of the TURN server.
Latency: If you have customers from all over the world using the TURN server you need TURN servers in every region of the world; with a single TURN server, customers in other parts of the world might experience latency issues.
How to use Metered TURN server
Once you have created an account on the Metered.ca website, select the TURN server on the Dashboard.
Select the plan: a. Free Trial or b. Free Plan.
The Free Trial gives you access to TURN servers all over the world plus detailed access to the API, so for this tutorial we are going to select the Free Trial.
Select the TURN server region: a. Global is the best option, but if you want to select a country (for example Canada) or a region (for example the E.U.) you can do that as well.
You can use the API to fetch the credentials, or
You can manually select the credentials and add them to your application.
Here are some of the important API calls to integrate the TURN server in your application
Add/remove credentials using REST API
Fetch per credential usage metrics via API
Enable/Disable Credential via the API
Step-by-Step Guide to Setting Up a TURN Server
This is a short guide; if you wish to learn more, refer to the detailed guide to setting up and configuring a TURN server using COTURN.
You can also set up your own TURN server using the COTURN open source TURN server software.
Prerequisites for setting up the COTURN
A cloud server with any of the cloud providers such as AWS, Google Cloud
Public IP address
Step 1 Installing Coturn
Spin up an Ubuntu (or any other Linux distro) instance on AWS or Google Cloud and update the package repositories with these commands
sudo apt update
sudo apt upgrade
Then install coturn
sudo apt-get install coturn
Step 2 Configuring Coturn
Now let us set up some basic configuration settings:
add the external IP address
add basic auth
Before modifying the configuration file it is important to keep a copy of the original configuration file in case we need it in the future
sudo mv /etc/turnserver.conf /etc/turnserver.conf.original
This renames the original configuration file from turnserver.conf to turnserver.conf.original; we then create a new /etc/turnserver.conf containing the settings below
Next, set the coturn server realm and server name
# TURN server name and realm
realm=<DOMAIN>
server-name=<SERVER_NAME>
Next let us set up the IP addresses and ports our TURN server listens on
If you want the TURN server to listen on all IP addresses, set the listening IP to 0.0.0.0. If you want it to listen on specific IP addresses only, list those with listening-ip instead
# IPs the TURN server will listen to
listening-ip=0.0.0.0
Then set the external IP address of your TURN server. On a cloud instance the public IP is usually not assigned to a network interface, so coturn has to be told about it explicitly
# External IP-Address of your TURN server
external-ip=IP_ADDRESS
Lastly we need the ports our COTURN will listen to
# Main listening port
listening-port=3478
# and for TLS (secure)
tls-listening-port=5349
# Further ports open for relayed communication
min-port=10000
max-port=20000
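The "add basic auth" step above configures static long-term credentials. As an added example (not from the original article or the coturn project), here is how an application server can instead hand out short-lived credentials in the format coturn's use-auth-secret / static-auth-secret mechanism accepts (username "expiry-unix-time:user", password base64(HMAC-SHA1(secret, username))), plus the server-side check that mirrors it. It assumes turnserver.conf contains use-auth-secret and static-auth-secret set to the same value as SHARED_SECRET; the hostnames and secret are placeholders.

```python
import base64
import hashlib
import hmac
import time

# Same value that would go into turnserver.conf as static-auth-secret=...
# (constructed placeholder, not a real secret)
SHARED_SECRET = "replace-with-a-long-random-secret"
# Placeholder hostname; use your own TURN server's DNS name
TURN_URIS = ["turn:turn.example.com:3478?transport=udp",
             "turns:turn.example.com:5349?transport=tcp"]

def make_turn_credential(user, secret=SHARED_SECRET, ttl=3600, now=None):
    """Ephemeral credential in the form coturn's use-auth-secret expects:
    username = "<expiry-unix-time>:<user>", password = base64(HMAC-SHA1(secret, username))."""
    expiry = int(time.time() if now is None else now) + ttl
    username = f"{expiry}:{user}"
    digest = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return {"username": username, "credential": base64.b64encode(digest).decode()}

def verify_turn_credential(username, credential, secret=SHARED_SECRET, now=None):
    """What the TURN server does with the shared secret: recompute the HMAC,
    compare it in constant time, and reject usernames whose expiry has passed."""
    try:
        expiry = int(username.split(":", 1)[0])
    except ValueError:
        return False
    digest = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    expected = base64.b64encode(digest).decode()
    if not hmac.compare_digest(expected, credential):
        return False
    return expiry > int(time.time() if now is None else now)

def ice_servers_config(user, ttl=3600):
    """iceServers entry to hand to a WebRTC client instead of a static password."""
    cred = make_turn_credential(user, ttl=ttl)
    return [{"urls": TURN_URIS, "username": cred["username"], "credential": cred["credential"]}]
```

Because the client only ever receives a credential that stops working after ttl seconds, a leaked credential cannot be reused to relay traffic through your server indefinitely.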
Running COTURN on privileged ports
Some Linux distributions, for example Ubuntu, run the TURN server as an unprivileged user such as turnserver.
For this reason coturn cannot bind privileged ports like 443.
You can allow the turnserver binary to bind privileged ports by granting it the CAP_NET_BIND_SERVICE capability:
sudo setcap cap_net_bind_service=+ep /usr/bin/turnserver
Alternatively you can run the coturn service as root, but that is out of the scope of this article; you can read more about it in the detailed guide on how to configure and run your own TURN server.
Conclusion
In this article we learned what a TURN server is and how TURN servers function.
We also learned about TURN server providers and how to set up your own TURN server on any cloud provider.