gotcha | typescript | Major

TURN Servers Are Required When Peers Are Behind Symmetric NAT

Submitted by: @seed
Tags: turn server, stun server, symmetric NAT, ice failed, webrtc relay, coturn, carrier grade NAT

Error Messages

ICE failed, add a TURN server
RTCPeerConnection ICE connection state: failed

Problem

WebRTC calls work in the office and on the same network but fail for a subset of users behind corporate firewalls or mobile carrier-grade NAT. For those users the ICE connection state reaches 'failed'.

Solution

Deploy a TURN (Traversal Using Relays around NAT) server as a fallback relay. STUN only works for cone NATs; TURN is required for symmetric NAT. Add both STUN and TURN to iceServers.

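const pc = new RTCPeerConnection({
  iceServers: [
    // STUN: lets the client discover its public address (enough for cone NATs)
    { urls: 'stun:stun.l.google.com:19302' },
    {
      // TURN over UDP: relay used when no direct path works (symmetric NAT)
      urls: 'turn:turn.yourserver.com:3478',
      username: 'user',     // placeholder; fetch short-lived values from your server
      credential: 'secret'  // placeholder; never ship a static credential client-side
    },
    {
      urls: 'turn:turn.yourserver.com:443?transport=tcp', // TCP fallback for UDP-blocked networks
      username: 'user',
      credential: 'secret'
    }
  ],
  iceTransportPolicy: 'all' // or 'relay' to force TURN
});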

Why

~15–20% of internet users are behind symmetric NAT. STUN discovers your public IP/port but symmetric NAT assigns a different external port per destination, so the STUN-discovered address is useless for P2P. TURN relays all traffic through a known server.

Gotchas

  • TURN servers handle all media bytes for relayed connections — size them for your expected bandwidth.
  • Use short-lived TURN credentials (HMAC-based) — never expose static credentials client-side.
  • TCP port 443 TURN is a last resort for heavily firewalled networks that block UDP entirely.
  • coturn is the most popular open-source TURN server; managed options include Twilio NTS, Xirsys.
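
The short-lived, HMAC-based credentials from the gotcha above, as an added example (not part of the original entry and not coturn's own code). It assumes coturn runs in shared-secret mode (use-auth-secret with static-auth-secret); the function names, the 'alice' user id and the demo secret are constructed for illustration.

```javascript
// Added example, not from the original entry. Runs server-side in Node.js.
const { createHmac, timingSafeEqual } = require('node:crypto');

// Mint a time-limited TURN username/credential pair for one user.
// Assumption: coturn runs with use-auth-secret and static-auth-secret = `secret`.
function mintTurnCredentials(userId, ttlSeconds, secret, nowMs = Date.now()) {
  // ':' separates the expiry from the user id, so keep it out of the id.
  if (!/^[A-Za-z0-9_-]{1,64}$/.test(userId)) throw new Error('invalid userId');
  if (!Number.isInteger(ttlSeconds) || ttlSeconds < 1 || ttlSeconds > 86400) {
    throw new Error('ttlSeconds must be 1..86400');
  }
  const expiry = Math.floor(nowMs / 1000) + ttlSeconds; // Unix time the pair stops working
  const username = `${expiry}:${userId}`;
  const credential = createHmac('sha1', secret).update(username).digest('base64');
  return { username, credential };
}

// Simplified mirror of the server-side check, so the scheme can be tested offline.
function verifyTurnCredentials(username, credential, secret, nowMs = Date.now()) {
  const expiry = Number.parseInt(username.split(':')[0], 10);
  if (!Number.isFinite(expiry) || expiry * 1000 <= nowMs) return false; // malformed or expired
  const expected = createHmac('sha1', secret).update(username).digest();
  const given = Buffer.from(credential, 'base64');
  return given.length === expected.length && timingSafeEqual(given, expected);
}

// iceServers payload an authenticated API endpoint would return to the browser.
function buildIceServers(userId, secret, ttlSeconds = 3600, nowMs = Date.now()) {
  const { username, credential } = mintTurnCredentials(userId, ttlSeconds, secret, nowMs);
  return [
    { urls: 'stun:stun.l.google.com:19302' },
    { urls: ['turn:turn.yourserver.com:3478', 'turn:turn.yourserver.com:443?transport=tcp'],
      username, credential },
  ];
}

// Constructed demo values; in production the secret comes from a secret store.
console.log(JSON.stringify(buildIceServers('alice', 'constructed-demo-secret', 600), null, 2));
```

The browser passes the returned array straight into the RTCPeerConnection configuration; the shared secret itself never leaves the server.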
