
Turnserver (stun/turn)

For one-to-one communication with a peer, there are three possibilities:

  • Direct P2P
  • P2P over a turn server
  • Jitsi VideoBridge

If you and your peer can't connect directly, a proxy is necessary. In that case, the best option is to go through a TURN server: it uses few resources and is far more efficient than going through the Jitsi VideoBridge service.

To let your system know that a TURN server exists, you need to call a STUN server. It returns the list of all P2P possibilities, including the TURN server.

When you do a peer-to-peer videoconference and the peers can't connect directly to each other, you can use a turnserver as a proxy between them.


cp /usr/share/doc/jitsi-meet-turnserver/turnserver.conf /etc/turnserver/turnserver.conf


# Do not remove any line
# Replace this line
# Change the path to a fixed one (we will use it below)
# Add this line at the end (it forces turnserver to listen only on these IPs)
# If you are behind NAT, don't use relay-ip and use listening-ip that way


You need to copy the certificates for turnserver. The process runs as the user "turnserver", which needs to be able to read the certificates.


mkdir /etc/turnserver/certs
cp /etc/prosody/certs/YOUR_DOMAIN.crt /etc/turnserver/certs/cert.pem
cp /etc/prosody/certs/YOUR_DOMAIN.key /etc/turnserver/certs/pkey.pem
chown -R turnserver: /etc/turnserver/certs



### turnserver
/usr/bin/install -d -m770 -o turnserver -g turnserver /etc/turnserver/certs
/usr/bin/install    -m640 -o turnserver -g turnserver /etc/letsencrypt/live/YOUR_DOMAIN/fullchain.pem /etc/turnserver/certs/cert.pem
/usr/bin/install    -m600 -o turnserver -g turnserver /etc/letsencrypt/live/YOUR_DOMAIN/privkey.pem /etc/turnserver/certs/pkey.pem
/bin/systemctl restart turnserver.service

Then set the execution flag on the file and run it once:

chmod +x /etc/letsencrypt/renewal-hooks/deploy/

Jitsi meet


    p2p: {
        enabled: true,
        stunServers: [
            { urls: 'stun:YOUR_DOMAIN:3478' }
        ],
        // activate this option to force the usage of the relay
        // it will force the usage of turnserver or jvb and avoid direct connection
        // it is nice for testing, it seems to improve the stability of the connection,
        // remove it if you want to allow direct connection without your server as a relay
        iceTransportPolicy: 'relay',
        // take care to avoid an extra comma, or the json will become invalid
        backToP2PDelay: 5
    },



external_service_secret = "turnSecretPassword";
external_services = {
     { type = "stun", host = "YOUR_DOMAIN", port = 3478 },
     { type = "turn", host = "YOUR_DOMAIN", port = 3478, transport = "udp", secret = true, ttl = 86400, algorithm = "turn" },
     { type = "turns", host = "YOUR_DOMAIN", port = 5349, transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" }
};
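
With `secret = true`, `ttl` and `algorithm = "turn"`, clients receive time-limited TURN credentials derived from `external_service_secret` instead of a fixed password. The sketch below is an added example, not code from this page, Prosody or the turnserver; it assumes the usual TURN REST scheme (username is the expiry timestamp, password is the base64 HMAC-SHA1 of the username under the shared secret), and its function names are hypothetical.

```python
import base64
import hashlib
import hmac
import time

# Values from the Prosody config above; the secret is the page's placeholder.
SHARED_SECRET = "turnSecretPassword"
TTL = 86400


def _derive_password(secret, username):
    """base64(HMAC-SHA1(shared secret, username)), returned as bytes."""
    mac = hmac.new(secret.encode(), username.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest())


def issue_credentials(secret, ttl, now=None):
    """Signalling side: the username is the expiry time, the password its HMAC."""
    expires = int(time.time() if now is None else now) + ttl
    username = str(expires)
    return username, _derive_password(secret, username).decode()


def verify_credentials(secret, username, password, now=None):
    """TURN side, simplified to a direct comparison: a real server derives the
    same password and uses it to check the integrity of the TURN messages."""
    now = int(time.time() if now is None else now)
    try:
        # The scheme also allows "expiry:userid"; the expiry always comes first.
        expires = int(username.split(":", 1)[0])
    except ValueError:
        return False
    if expires < now:
        return False  # credential outlived its ttl
    expected = _derive_password(secret, username)
    return hmac.compare_digest(expected, password.encode())


if __name__ == "__main__":
    issued_at = 1_700_000_000  # constructed timestamp for a repeatable run
    user, pwd = issue_credentials(SHARED_SECRET, TTL, now=issued_at)
    print("username:", user, "password:", pwd)
    print("within ttl:", verify_credentials(SHARED_SECRET, user, pwd, now=issued_at + 60))
    print("after ttl:", verify_credentials(SHARED_SECRET, user, pwd, now=issued_at + TTL + 1))
    print("other secret:", verify_credentials("other", user, pwd, now=issued_at + 60))
```

Both services must hold the same secret for this to validate, so replace the placeholder with a long random value and keep both configuration files unreadable to other users.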

Start services

# restart prosody
systemctl restart prosody
# start turnserver
systemctl start turnserver
# check turnserver
systemctl status turnserver
# activate at boot
systemctl enable turnserver