Coturn TURN Server Overview

Relevant source files

• ChangeLog
• README.md
• README.turnadmin
• README.turnserver
• README.turnutils
• STATUS.md
• docs/netarch.md
• man/man1/turnadmin.1
• man/man1/turnserver.1
• man/man1/turnutils.1
• rpm/build.settings.sh
• rpm/turnserver.spec
• src/ns_turn_defs.h

Purpose and Scope

This document provides a comprehensive introduction to the Coturn TURN server project. It covers the server's purpose, key features, protocol support, RFC compliance, and high-level architecture. For detailed information about specific subsystems, see:

• Server architecture and threading model: Server Architecture
• Configuration and deployment: Configuration and Deployment
• Authentication mechanisms: Authentication and Security
• Administration and monitoring: Administration and Monitoring
• Testing utilities: Client Tools and Testing
• Building from source: Building and Development

---

What is Coturn?

Coturn is a free, open-source implementation of a TURN (Traversal Using Relays around NAT) and STUN (Session Traversal Utilities for NAT) server. It provides NAT traversal capabilities for VoIP, WebRTC, and other real-time communication applications by relaying media traffic between peers that cannot establish direct connections due to firewall or NAT restrictions.

Current Version: 4.11.0 "Gorst" (src/ns_turn_defs.h38-39)

Software Identifier: Coturn-4.11.0 'Gorst' (src/ns_turn_defs.h43)

Sources: src/ns_turn_defs.h38-43 ChangeLog1-3 README.md9-13

---

Key Features

Core Functionality

Feature Category	Description	Key Benefits
TURN Relay	Full RFC 5766/6062/6156 TURN server with UDP and TCP relay support	Enables peer-to-peer connectivity through restrictive NATs
STUN Binding	RFC 5389/3489 STUN server for NAT behavior discovery	Helps clients determine their public IP/port mappings
Multi-Protocol	Supports UDP, TCP, TLS, DTLS, SCTP transports	Flexible deployment for various network environments
Authentication	Long-term credentials, REST API, OAuth support	Secure access control with multiple integration options
Scalability	Multi-threaded architecture with optimized I/O engine	Handles thousands of concurrent sessions per CPU
Database Support	SQLite, PostgreSQL, MySQL, MongoDB, Redis backends	Flexible user management and statistics storage

Additional Features

• Load Balancing: Built-in ALTERNATE-SERVER mechanism (300 response) and DNS-based balancing (README.turnserver234-241)
• Mobility: ICE Mobility support per RFC 8016 (README.md71)
• IPv4/IPv6: Dual-stack support with RFC 6156 compliance (rpm/turnserver.spec35)
• Monitoring: Prometheus metrics exporter and Redis-based status storage (README.md113-116)
• Administration: CLI (telnet) and Web-based HTTPS admin interfaces (README.md108-110)
• Security: TLS 1.3 support, certificate-based authentication, and constant-time HMAC comparison (ChangeLog28 README.md90)

Sources: README.turnserver1-73 rpm/turnserver.spec26-73 README.md53-136 STATUS.md1-110

---

Supported Protocols

Client-to-Server Protocols

Protocol Details

• UDP/TCP: Base transports for STUN and TURN (README.md88-89)
• TLS: Supports modern TLS 1.3 with ECDHE (README.md90)
• DTLS: Implements DTLS 1.0 and 1.2 (README.md91)
• SCTP: Experimental implementation for specific use cases (README.md92)
• Relay: Supports both UDP (RFC 5766) and TCP (RFC 6062) relaying (README.md96-97)

Sources: README.md86-98 rpm/turnserver.spec44-53 STATUS.md14-20

---

RFC Compliance

Coturn implements a wide range of IETF specifications for NAT traversal:

TURN Specifications

RFC	Title	Implementation Status
RFC 5766	Traversal Using Relays around NAT (TURN)	✓ Complete (Base)
RFC 6062	TURN Extensions for TCP Allocations	✓ Complete
RFC 6156	TURN Extension for IPv6	✓ Complete
RFC 8016	Mobility with TURN (MICE)	✓ Complete
RFC 8656	TURNbis (Dual Allocation/SSODA)	✓ Supported (Draft-based)

STUN Specifications

RFC	Title	Implementation Status
RFC 3489	STUN (Classic)	✓ Backward compatibility (ChangeLog53)
RFC 5389	Session Traversal Utilities for NAT	✓ Complete (Base)
RFC 5769	Test Vectors for STUN	✓ Complete (Verified via turnutils_rfc5769check)
RFC 5780	NAT Behavior Discovery Using STUN	✓ Complete
RFC 7443	ALPN support for STUN & TURN	✓ Complete

Security and Authentication

RFC	Title	Implementation Status
RFC 7635	OAuth 2.0 Third-Party Authorization	✓ Complete
Draft-uberti	TURN REST API	✓ Complete

Sources: README.md55-85 rpm/turnserver.spec30-48 STATUS.md1-55

---

System Architecture Overview

High-Level Component Diagram

Architecture Characteristics

• Multi-threaded: Configurable number of relay threads to utilize all CPU resources (README.md153)
• Event-driven: Built on libevent2 for high-performance asynchronous I/O (README.md152)
• Socket Optimization: Uses NEV_UDP_SOCKET_PER_THREAD for modern kernels (STATUS.md76)
• Zero-Copy: Package memory copy eliminated in traffic routing path (STATUS.md93)

Sources: README.md148-158 STATUS.md58-95 man/man1/turnserver.115-36

---

Core Components

Component Responsibility Matrix

Component	Code Entity	Responsibility
Relay Server	turnserver	The main relay daemon handling all STUN/TURN traffic (man/man1/turnserver.115)
Admin Tool	turnadmin	User account management, realm configuration, and key generation (README.turnadmin3-9)
I/O Engine	ioa_engine	Abstraction for socket I/O, timers, and buffer management (STATUS.md61)
Protocol Logic	ns_turn_msg.c	Parsing and construction of STUN/TURN messages and attributes (ChangeLog81)
Database Abstraction	turn_dbdriver_t	Unified interface for SQLite, MySQL, PostgreSQL, Redis, and MongoDB (rpm/turnserver.spec54-60)

Threading Model

Coturn uses a multi-threaded design where threads communicate via bufferevent_pair:

1. Listener Thread: Responsible for accepting new connections and initial packet demuxing.
2. Relay Threads: Handle the actual data relaying and session state. The number of threads is configurable via -m (README.turnutils172).
3. Auth Thread: Offloads database lookups and credential validation to avoid blocking the relay path.
4. Admin Thread: Manages the telnet CLI and HTTPS admin interfaces.

Sources: README.md150-155 STATUS.md58-62 README.turnutils138-149

---

Testing and Diagnostic Utilities

Coturn includes a suite of tools for verification and performance testing:

Tool	Purpose	Key Features
turnutils_uclient	Client Emulation	Simulates multiple clients; supports load-generation and DOS attack modes (man/man1/turnutils.16-13 ChangeLog5)
turnutils_peer	Echo Server	Simple UDP echo server used as a "peer" in relay testing (man/man1/turnutils.117-23)
turnutils_stunclient	STUN Test	Simple client to test STUN binding requests (man/man1/turnutils.129-32)
turnutils_natdiscovery	NAT Analysis	Discovers NAT mapping and filtering behavior per RFC 5780 (man/man1/turnutils.147-50)
turnutils_oauth	OAuth Utility	Generates and validates OAuth access tokens (RFC 7635) (man/man1/turnutils.154-59)
turnutils_rfc5769check	Compliance	Validates protocol implementation against RFC 5769 test vectors (man/man1/turnutils.134-36)

Sources: README.turnutils1-48 man/man1/turnutils.11-63

---

Administration and Management

Configuration Management

The server can be configured via command-line flags or a configuration file (default turnserver.conf). If a config file is modified, the server must be restarted (README.turnserver40 man/man1/turnserver.1102-128).

User Management

turnadmin provides commands for:

• Adding/Updating long-term users (-a)
• Managing admin users (-A, -D)
• Setting REST API shared secrets (-s)
• Managing origin-to-realm relations (-O)
• Setting realm-specific quotas and bandwidth limits (-g)

Sources: README.turnadmin48-91 man/man1/turnadmin.163-112