TURN Servers Are Required When Peers Are Behind Symmetric NAT
Problem
WebRTC calls work in the office and on the same network but fail for a subset of users behind corporate firewalls or mobile carrier-grade NAT. The ICE connection reaches the 'failed' state.
Solution
Deploy a TURN (Traversal Using Relays around NAT) server as a fallback relay. STUN only works for cone NATs; TURN is required for symmetric NAT. Add both STUN and TURN to iceServers.
const pc = new RTCPeerConnection({
  iceServers: [
    { urls: 'stun:stun.l.google.com:19302' },
    {
      urls: 'turn:turn.yourserver.com:3478',
      // Placeholder values: hand the client short-lived credentials
      // issued by your server, not static ones (see Gotchas).
      username: 'user',
      credential: 'secret'
    },
    {
      urls: 'turn:turn.yourserver.com:443?transport=tcp', // TCP fallback for UDP-blocked networks
      username: 'user',
      credential: 'secret'
    }
  ],
  iceTransportPolicy: 'all' // or 'relay' to force TURN
});

Why
~15–20% of internet users are behind symmetric NAT. STUN discovers your public IP/port but symmetric NAT assigns a different external port per destination, so the STUN-discovered address is useless for P2P. TURN relays all traffic through a known server.
Gotchas
- TURN servers handle all media bytes for relayed connections — size them for your expected bandwidth.
- Use short-lived TURN credentials (HMAC-based) — never expose static credentials client-side.
- TCP port 443 TURN is a last resort for heavily firewalled networks that block UDP entirely.
- coturn is the most popular open-source TURN server; managed options include Twilio NTS, Xirsys.
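
The short-lived, HMAC-based credentials from the Gotchas list, as an added server-side example (not code from the original page). It assumes coturn is running with `use-auth-secret` and a `static-auth-secret` equal to the `secret` argument; the function names and the `userId` format are hypothetical.

```javascript
// Added example (Node.js, server side). The shared secret never reaches the browser.
const { createHmac, timingSafeEqual } = require('node:crypto');

// credential = base64(HMAC-SHA1(shared secret, username))
function sign(secret, username) {
  return createHmac('sha1', secret).update(username).digest('base64');
}

// username = "<unix expiry time>:<userId>", so the expiry is covered by the HMAC.
function issueTurnCredentials(secret, userId, ttlSeconds = 3600, nowMs = Date.now()) {
  // Reject ':' and other separators so a caller cannot smuggle in its own expiry.
  if (!/^[A-Za-z0-9_-]+$/.test(userId)) throw new Error('invalid userId');
  const expiry = Math.floor(nowMs / 1000) + ttlSeconds;
  const username = `${expiry}:${userId}`;
  return { username, credential: sign(secret, username), ttl: ttlSeconds };
}

// Mirrors the check a TURN server holding the same secret performs:
// reject expired usernames, then compare the HMAC in constant time.
function verifyTurnCredentials(secret, username, credential, nowMs = Date.now()) {
  const expiry = Number.parseInt(String(username).split(':')[0], 10);
  if (!Number.isFinite(expiry) || expiry <= Math.floor(nowMs / 1000)) return false;
  const expected = Buffer.from(sign(secret, username));
  const supplied = Buffer.from(String(credential));
  return expected.length === supplied.length && timingSafeEqual(expected, supplied);
}

// What an authenticated API endpoint would return for use as `iceServers`.
function iceServersFor(secret, userId, nowMs = Date.now()) {
  const { username, credential } = issueTurnCredentials(secret, userId, 3600, nowMs);
  return [
    { urls: 'stun:stun.l.google.com:19302' },
    {
      urls: ['turn:turn.yourserver.com:3478', 'turn:turn.yourserver.com:443?transport=tcp'],
      username,
      credential,
    },
  ];
}
```

Serve `iceServersFor` only to authenticated sessions; a leaked pair stops working once the expiry embedded in the username has passed.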