News Product Updates Events Webinars Success Stories Knowledge Base Press Releases Reviews Terminology

Follow us on social networks

WhatsApp Youtube Linkedin
Back to Terminology

TURN (Traversal Using Relays around NAT) Servers

TURN (Traversal Using Relays around NAT) represents a technical protocol enabling reliable cooperation whenever ordinary peer-to-peer paths become obstructed through NAT gateways or filtering mechanisms. This standard operates as the cornerstone supporting TURN infrastructure, which functions as bridging components by transmitting flows across endpoints, permitting participants to share content even under demanding connectivity limitations.

From another operational standpoint, TURN nodes maintain continuity for online platforms (for instance, audio plus video interaction over WebRTC) by directing messages using a separate relay station whenever straightforward peer linkage cannot be maintained. The TURN specification was formalized within IETF (RFC 8656) and frequently appears alongside the STUN method as part of NAT traversal solutions implemented in WebRTC.

STUN (Session Traversal Utilities for NAT) functions as a lightweight protocol assisting each endpoint to reveal its visible Internet identifier and communication port as recognized from external infrastructure (designated through NAT). The essential intention behind STUN remains to deliver sufficient parameters necessary for building straightforward peer-to-peer sessions among entities hidden behind NAT.

In contrast to TURN, one STUN element never transfers multimedia streams. Rather, it only returns toward the requesting endpoint its outward addressing information. That dataset later integrates into the ICE (Interactive Connectivity Establishment) model to construct server-reflexive alternatives and coordinate connectivity paths between communicating peers in WebRTC.

Role of TURN in WebRTC and Real-Time Communications

WebRTC (Web Real-Time Communication) relies upon the ICE framework to identify the most efficient pathway for content delivery across endpoints. ICE verifies if endpoints remain accessible to each counterpart and, whenever required, builds connections through STUN or TURN.

Typically, WebRTC initially tries to create a reliable channel (using host identifiers or public mappings revealed through STUN). Whenever STUN proves inadequate (for instance, when users operate behind symmetric NAT), TURN becomes applied.

Although TURN supports NAT traversal under such conditions, it also generates extra delay and raises processing overhead, because every packet must be forwarded rather than transmitted directly across peers. Therefore, the essential function of TURN is guaranteeing stable connectivity for sessions or meetings, even in cases where direct links through host or external addresses remain unattainable.

STUN vs. TURN: What’s the Difference?

Both STUN plus TURN function as cooperative NAT traversal mechanisms, though they resolve separate objectives:

  • STUN Protocol

    • STUN identifies the external IP address and network port of a device (its server-reflexive candidate) by sending a request to a STUN server. This allows two endpoints to establish an efficient peer-to-peer connection. After the addressing information is exchanged, media traffic flows directly between participants without the need for intermediaries.

    Limitations: STUN cannot manage every NAT category (for example, symmetric NAT). Although preferred whenever feasible because of minimal delay (no relay overhead), it remains not universally applicable.

  • TURN Protocol

    • TURN provides packet forwarding when a direct peer-to-peer connection cannot be established. Both participants connect to the same TURN server, which relays traffic between them. This approach is especially useful when STUN fails, although it introduces additional latency and increases server load, since all data must pass through the relay.

    In practice: STUN together with TURN are nearly always deployed in combination. ICE initially tests STUN-based communication and then resorts to TURN only as a fallback, ensuring the most efficient route while employing TURN solely when essential.

Typical Use Cases for TURN Servers

TURN becomes utilized in environments where conventional peer-to-peer channels are limited through network restrictions, maintaining dependable communication among users even within symmetric NAT. Owing to TURN, interactive applications including video meetings and voice exchanges continue functioning consistently.

Common scenarios:

  • WebRTC video meetings and conferences

    • When several attendees participate in a session, their systems create ICE candidates. If connectivity cannot succeed via host identifiers or STUN (because of NAT barriers), TURN forwards media streams. This guarantees session stability and reduces unexpected call interruptions.

  • Corporate environments

    • Enterprise firewalls frequently restrict unfamiliar UDP packets or limit outbound connectivity using port values. A TURN service operating over port 443 with TLS disguises itself as HTTPS flow, efficiently circumventing those controls.

  • NAT traversal for VoIP

    • TURN delivers consistent peer-to-peer communication in strongly NATed contexts, which remains essential for VoIP deployments. Unstable links or elevated latency reduce audio clarity, producing disruptions and echo artifacts.

How TURN Works (Traversal and Relaying Mechanism)

TURN functionality may be divided across multiple steps:

  • Allocation

    • When one endpoint fails to form a direct pathway, it transmits an Allocate request toward the TURN instance. The service replies by distributing a distinct external IP identifier and port (relay transport location) for subsequent forwarding.

  • Candidate Sharing

    • The endpoint communicates the assigned relay coordinate with its partner through ICE. Both participants thereby understand that if direct access collapses, traffic may traverse using TURN.

  • Data Relaying

    • Endpoints deliver streaming segments into the TURN system, which transmits them onward to the remote counterpart. For either side, the apparent packet origin corresponds to the TURN server’s address, ensuring that forwarding remains seamless.

  • Permission Enforcement

    • TURN instances exclusively process traffic involving approved endpoints, blocking unauthorized activity or potential open-relay exploitation.

This procedure remains reliable even under symmetric NAT, because clients consistently transmit outgoing data toward a recognized public server. Notably, TURN never decodes WebRTC transmissions: it merely forwards encrypted information, preserving both privacy and integrity.

TURN Server Configuration and Protocol Details

Prior to activating TURN, multiple deployment factors must be reviewed:

  • Server Infrastructure

    • A TURN instance may operate either on a standalone hardware system or within a hosted virtual platform, provided it maintains a public IP endpoint available for all users. When the instance resides behind NAT, the outside IP must be explicitly configured so that users obtain accurate relay endpoints.

  • Ports and Transports
    • UDP (3478): the standard delivery option for media offering very low delay.
    • TCP (3478): applied as an alternative whenever UDP becomes restricted.
    • TLS across TCP (5349): guarantees encryption and firewall traversal though it introduces extra delay.
    • DTLS upon UDP: supplies TLS-level protection while sustaining UDP efficiency.
  • Authentication

    • To reduce unauthorized relaying, TURN enforces verification. Typically, either persistent login details or temporary tokens (distributed via REST interface) are implemented.

  • Configuration Options

    • Essential values consist of active port ranges, TLS certificate files, authentication secret material, and pools of relay transport identifiers.