We're running coturn in the following environment:
- EC2 on a public subnet with a public and private interface
- coturn running in Docker, via AWS ECS
Notably, we do not have a load balancer or NAT gateway in front of this instance. We have opened the security groups to allow all ports from all IPs.
When I test our instance via Trickle ICE, I get the following:
0.072 srflx 3 udp x.x.x.x 52931 100 | 32287 | 255
0.077 relay 5 udp 10.53.34.156 65525 5 | 32285 | 255
0.089 srflx 3 udp x.x.x.x 65047 100 | 32287 | 254
0.097 relay 5 udp 10.53.34.156 65501 5 | 32285 | 254
Where x.x.x.x is correctly my public IP. However, the relay endpoint is the private IP from within our Docker container. My understanding of ICE is that this should be a public interface so that clients can use it for TURN sessions.
Here are our launch configs and startup commands:
0: (1): INFO: log file opened: /var/log/turn_1_2024-04-22.log
0: (1): INFO: System cpu num is 2
0: (1): INFO: System enable num is 1
0: (1): INFO: Listener address to use: 0.0.0.0
0: (1): INFO: Relay address to use: 0.0.0.0
0: (1): INFO: Coturn Version Coturn-4.6.2 'Gorst'
0: (1): INFO: Max number of open files/sockets allowed for this process: 1048576
0: (1): INFO: Due to the open files/sockets limitation, max supported number of TURN Sessions possible is: 524000 (approximately)
0: (1): INFO:
==== Show him the instruments, Practical Frost: ====
0: (1): INFO: OpenSSL compile-time version: OpenSSL 3.1.4 24 Oct 2023 (0x30100040)
0: (1): INFO: TLS 1.3 supported
0: (1): INFO: DTLS 1.2 supported
0: (1): INFO: TURN/STUN ALPN supported
0: (1): INFO: Third-party authorization (oAuth) supported
0: (1): INFO: GCM (AEAD) supported
0: (1): INFO: SQLite supported, default database location is /var/lib/coturn/turndb
0: (1): INFO: Redis supported
0: (1): INFO: PostgreSQL supported
0: (1): INFO: MySQL supported
0: (1): INFO: MongoDB supported
0: (1): INFO: Default Net Engine version: 3 (UDP thread per CPU core)
0: (1): INFO: Domain name:
0: (1): INFO: Default realm: gearbox.com
0: (1): ERROR: CONFIG: Empty cli-password, and so telnet cli interface is disabled! Please set a non empty cli-password!
0: (1): INFO: Certificate file found: /etc/coturn/cert.pem
0: (1): INFO: Private key file found: /etc/coturn/private-key.pem
0: (1): INFO: TLS cipher suite: ALL:!COMPLEMENTOFDEFAULT:!eNULL:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
0: (1): INFO: DTLS cipher suite: ALL:!COMPLEMENTOFDEFAULT:!eNULL:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
0: (1): INFO: pid file created: /var/run/turnserver.pid
0: (1): INFO: IO method: epoll (with changelist)
0: (1): INFO: RFC5780 disabled! /NAT behavior discovery/
0: (1): INFO: Wait for relay ports initialization...
0: (1): INFO: relay 0.0.0.0 initialization...
0: (1): INFO: relay 0.0.0.0 initialization done
0: (1): INFO: Relay ports initialization done
0: (1): INFO: Total General servers: 2
0: (14): DEBUG: turn server id=1 created
0: (13): DEBUG: turn server id=0 created
0: (1): INFO: Total auth threads: 3
0: (15): INFO: SQLite DB connection success: /var/lib/turn/turndb
0: (1): INFO: prometheus collector disabled, not started
Our startup command:
sudo docker run -d -v /root/config/turnserver.conf:/etc/coturn/turnserver.conf \
-v /root/ssl/private-key.pem:/etc/coturn/private-key.pem \
-v /root/ssl/cert.pem:/etc/coturn/cert.pem \
--mount type=tmpfs,destination=/var/lib/coturn \
--network=host \
-p 3478-3479:3478-3479 -p 3478-3479:3478-3479/udp \
-p 443:443 -p 443:443/udp \
-p 65500-65535:65500-65535/udp \
-e DETECT_EXTERNAL_IP=yes \
-e DETECT_RELAY_IP=yes \
coturn-gbx \
--min-port=65500 \
--max-port=65535 \
--no-multicast-peers \
--no-tlsv1 --no-tlsv1_1 \
--realm=company.com
Question: Should our relay endpoint be public? If so, what are we doing wrong here?
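An added example to go with the question above (it is not part of the original post and not coturn's own code): a small Python check that parses the Trickle ICE table quoted in the question and flags any relay candidate whose address is RFC 1918, CGNAT, link-local or loopback, since a peer on the internet can never reach such an address; plus a helper that builds the value coturn accepts as `--external-ip=<public-ip>/<private-ip>` for a host behind a 1:1 NAT such as an EC2 instance. The column order assumed for the table, the sample lines (copied from the output above, with the redacted `x.x.x.x` kept as-is), and the `203.0.113.10` placeholder public address are assumptions, not facts from the post.

```python
"""Flag ICE relay candidates that advertise a non-routable address, and build
coturn's --external-ip mapping for a 1:1-NAT host. Added example; assumptions
are marked in comments."""
import ipaddress
from dataclasses import dataclass

# Constructed sample: the four candidate lines from the question, including the
# redacted public address "x.x.x.x" so the check shows how it treats it.
SAMPLE_CANDIDATES = """\
0.072 srflx 3 udp x.x.x.x 52931 100 | 32287 | 255
0.077 relay 5 udp 10.53.34.156 65525 5 | 32285 | 255
0.089 srflx 3 udp x.x.x.x 65047 100 | 32287 | 254
0.097 relay 5 udp 10.53.34.156 65501 5 | 32285 | 254
"""

# Address space that is never reachable from an arbitrary internet peer.
# Listed explicitly (rather than relying on ipaddress.is_global) so the result
# does not depend on the Python version and so documentation ranges such as
# 203.0.113.0/24 can stand in for a real public address in examples.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                    # CGNAT, RFC 6598
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",       # loopback, link-local, "this" net
    "fc00::/7", "fe80::/10", "::1/128",                 # IPv6 ULA, link-local, loopback
)]


@dataclass
class Candidate:
    ctype: str     # host / srflx / prflx / relay
    proto: str     # udp / tcp
    address: str   # as printed; may be redacted
    port: int


def parse_trickle_ice(text):
    """Parse the whitespace-separated candidate table as printed by Trickle ICE.
    Assumed column order (matches the question's output): time, type,
    foundation, protocol, address, port, then the priority breakdown."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        out.append(Candidate(parts[1], parts[3], parts[4], int(parts[5])))
    return out


def is_reachable(address):
    """True if a remote peer could plausibly route to this address, False if it
    is in a non-routable range, None if it cannot be parsed (e.g. redacted)."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return None
    return not any(ip in net for net in NON_ROUTABLE)


def find_private_relays(candidates):
    """Relay candidates a remote peer could never use: the failure mode the
    question describes (relay pointing at the container's private address)."""
    return [c for c in candidates if c.ctype == "relay" and is_reachable(c.address) is False]


def external_ip_arg(public_ip, private_ip):
    """Build coturn's --external-ip=<public>/<private> value for a host behind
    1:1 NAT, validating that the halves are on the right side of the NAT."""
    pub = ipaddress.ip_address(public_ip)
    priv = ipaddress.ip_address(private_ip)
    if not is_reachable(str(pub)):
        raise ValueError(f"{public_ip} is not a routable public address")
    if is_reachable(str(priv)):
        raise ValueError(f"{private_ip} should be the host's local (private) address")
    return f"--external-ip={pub}/{priv}"


if __name__ == "__main__":
    cands = parse_trickle_ice(SAMPLE_CANDIDATES)
    for c in find_private_relays(cands):
        print(f"relay candidate {c.address}:{c.port} is not reachable from the internet")
    # 203.0.113.10 is a documentation-range placeholder standing in for the
    # instance's real public IP (an assumption, not a value from the post).
    print(external_ip_arg("203.0.113.10", "10.53.34.156"))
```

Run it as-is and it reports both relay candidates from the question as unreachable; feed it the table from a fresh Trickle ICE run to re-check after changing the coturn configuration. The `srflx` lines with the redacted address come back as `None` rather than as a finding, so redaction does not hide or invent a problem.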