What is TURN?
TURN stands for "Traversal Using Relay NAT" and is a framework that can be used as an alternative to STUN in order to establish a connection between two servers, or endpoints, that are behind Network Address Translators (NATs) such as a NAT firewall. TURN differs from STUN in that once STUN has helped establish the connection between the two endpoints, its job is done, but a TURN server will continue to be involved in communications between the two endpoints after the connection is established.
The TURN server will continue to act as a relay, buffering all content that is passed from one of the endpoints to the other. This relay functionality implies that the minimum resource requirement for a TURN server is higher than that of a STUN server.
In short, STUN acts as a matchmaking service that allows Orchid Core VMS and web browsers to communicate with each directly. TURN, on the other hand, is more like a traditional proxy--it acts as a middle man by taking data from Orchid Core VMS and then forwarding it to the web browser (and vice versa).
Why use TURN?
STUN is almost always preferable to TURN, but in certain circumstances, such as when using a symmetric NAT firewall, only TURN will work.
In a symmetric NAT, both the public IP address and port of an incoming request are translated to a different local IP address and port. This prevents STUN from working because STUN is only capable of providing the correct IP address for the endpoints and has no knowledge of what the correct port should be. TURN, in contrast, is able to facilitate connections using the translated port information as well.
There are several open-source options available to implement a TURN server, such as coturn. Please see the "Example coturn Configuration File" section below for a sample file.
Additionally, it is typically possible and often advantageous to implement TURN on the same server on which Orchid Fusion is running (if applicable). The feasibility of this option will depend on your network configuration and the hardware resources of the server itself.
Additionally, please note that Orchid currently only supports UDP for WebRTC connections, so you should ensure that UDP is enabled in your TURN server configuration.
Please be advised that IPConfigure does not maintain and is not associated with coturn. Additionally, IPConfigure does not support the configuration or implementation of a STUN or TURN server as part of the standard Orchid Support Agreement.
The general process for integrating a TURN server is as follows:
- install coturn
- configure coturn (see section below)
- configure Orchid to use TURN (see section below)
Orchid Core Configuration
You will need to configure Orchid Core to work with the TURN server using the following entries in the properties file, then restarting Orchid after the changes have been saved:
- webrtc.turn.host - IP Address of the TURN server. (Note: If the host is set, the port, username, password, and type must also be set.)
- webrtc.turn.port - Port of the TURN server.
- webrtc.turn.username - User name of the TURN server.
- webrtc.turn.password - Password of the TURN server.
- webrtc.turn.type - Relay type of the TURN server, set this as follows: udp
You can find more information on editing the Orchid Core properties file in the Orchid Core VMS Installation Guide in the sections "How to Edit a Configuration File in..." for each supported operating system.
Below is a sample coturn configuration file. The default file location on a Linux server is /etc/turnserver.conf
You may also need to modify /etc/default/coturn to set TURNSERVER_ENABLED=1. Be sure to restart coturn after making these changes.
# Required for WebRTC connections
# This should match what you used in your Orchid Core configuration file
# Disable this if you want to enable STUN behavior when possible
# Total bytes-per-second bandwidth the TURN server is allowed to allocate
# log file location
# Additional security settings
# stale-nonce: session timeout measured in seconds
# no-loopback-peers: disallow peers on loopback addresses
# no-multicast-peers: disallow peers on well-known broadcast addresses (126.96.36.199 and above)
Please be advised that if your TURN server is open to the internet, you might consider using a firewall to limit access so that the TURN server will only be used to proxy video streams from an Orchid Core server. You can also accomplish this through the coturn configuration file instead of, or in addition to, using a firewall by blocking IP addresses using a "denied-peer-ip=" line and then whitelisting the IP addresses of the Orchid Core servers by adding a line similar to the following:
If your turn server is behind a NAT, you will need to use some additional configuration options to map the internal and external IP addresses:
# Security settings
Click here for the official coturn documentation for further guidance on additional configuration options.