HN Reader

Archil (YC F24) Is Hiring a Distributed Systems Engineer (In-Person, SF)

1 points by huntaub 4h ago 0 comments

Modern Realty (YC S24) Is Hiring (workatastartup.com)

1 points by greenfish6 1d ago 0 comments

Hestus, Inc. (YC S24) Is Hiring an ML Engineer to Revolutionize CAD (ycombinator.com)

1 points by sohrabhaghighat 1d ago 0 comments

Activeloop (YC S18) is hiring a VP of Engineering in Mountain View (on-site) (careers.activeloop.ai)

1 points by davidbuniat 2d ago 0 comments

Optery (YC W22) – Engineering Team Lead and Engineers with Node.js (U.S., Latam) (jobs.ashbyhq.com)

1 points by beyondd 2d ago 0 comments

Extend (YC W23) is hiring engineers to build LLM document processing (jobs.ashbyhq.com)

1 points by kbyatnal 3d ago 0 comments

Parity (YC S24) is hiring founding engineers to build an AI SRE (in-person, SF) (ycombinator.com)

1 points by wilson090 3d ago 0 comments

Freshpaint (YC S19) is hiring back end and front end engineers (Remote, US only)

1 points by malisper 4d ago 0 comments

MobileBoost (YC S21) Is Hiring a Founding Back End/Platform Engineer (Remote) (ycombinator.com)

1 points by chrtng 4d ago 0 comments

Gym Class (YC W22) Is Hiring Character Animation Engineering Lead (ycombinator.com)

1 points by hackerews 5d ago 0 comments

Foundry (YC F24) is hiring – Come build a world model for the web

1 points by lakabimanil 5d ago 0 comments

Bild AI (YC W25) is hiring a founding engineer in SF (ycombinator.com)

1 points by rooppal 6d ago 0 comments

Tenjin (YC S14) Is Hiring a Senior Ad Attribution Engineer (Ruby, Go) (ycombinator.com)

1 points by amirmanji 6d ago 0 comments

Onyx (YC W24) Is Hiring for ML Engineer (ycombinator.com)

1 points by yuhongsun 8d ago 0 comments

Recover (YC W21) Is Hiring (ycombinator.com)

1 points by nickgulino1 8d ago 0 comments

GiveCampus (YC S15) Is Hiring Sr engineers passionate about education (givecampus.breezy.hr)

1 points by mkong1 8d ago 0 comments

Cekura (Formerly Vocera) (YC F24) Is Hiring (ycombinator.com)

1 points by atarus 9d ago 0 comments

Spark AI (YC W24) is hiring a full-stack engineer in San Francisco (ycombinator.com)

1 points by tk90 9d ago 0 comments

FurtherAI (YC W24) Is Hiring Software and AI Engineers (ycombinator.com)

1 points by sgondala_ycapp 10d ago 0 comments

Weave (YC W25) is hiring a founding engineer (ycombinator.com)

1 points by adchurch 10d ago 0 comments

Infisical (YC W23) Is Hiring Design Engineer in San Francisco (ycombinator.com)

1 points by dangtony98 11d ago 0 comments

Dot (YC S21) is hiring a sales engineer to automate analytics (fully remote) (ycombinator.com)

1 points by zurfer 12d ago 0 comments

Mux (YC W16) is hiring engineering managers for video at scale (mux.com)

1 points by Heff 13d ago 0 comments

EasyPost (YC S13) Is Hiring (easypost.com)

1 points by jstreebin 13d ago 0 comments

Tesorio (YC S15) Is Hiring a Senior Back End Engineer in Latam (100% Remote) (tesorio.com)

1 points by FabioFleitas 13d ago 0 comments

Formance (YC S21) Is Hiring Engineers to Build OSS Financial Infrastructure (ycombinator.com)

1 points by superzamp 13d ago 0 comments

OneSignal (YC S11) Is Hiring Engineers (onesignal.com)

1 points by gdeglin 14d ago 0 comments

Hive.co (YC S14) Is Hiring a Head of Engineering (jobs.ashbyhq.com)

1 points by patman_h 14d ago 0 comments

Streak (YC W22) is hiring Staff Engineers for local first, high perf front ends (streak.com)

1 points by alooPotato 14d ago 0 comments

Flexport (YC W14) is hiring software engineers (flexport.com)

1 points by thedogeye 14d ago 0 comments

Typewise (YC S22) Is Hiring an ML Engineer (Zurich, Switzerland) (ycombinator.com)

1 points by janisberneker 15d ago 0 comments

Show HN: An Almost Free, Open Source TURN Server

122 cookie_monsta 52 3/28/2025, 10:46:43 PM github.com ↗
Hi HN,

I have been messing around with WebRTC for a few years now but when it comes to the TURN server I never quite got to my gold standard of free, self-hosted and open source. I decided to give it a go using Oracle Cloud Infrastructure's free tier, meaning that my total spend got down to domain name hosting. I know plenty of people have been burnt by Oracle in the past, but I have had servers running on the free tier for 5 years now without so much as a hiccup. Regardless, the concepts will be the same using any cloud based server.

This is the first time I've written up an end-to-end technical how-to like this and the audience I am writing for is really myself - I know just enough about networks and web dev and Linux, etc to get all this running and there are plenty of snippets out there on the web that tell you how to do one thing or another, but nowhere that puts it all together in one place so if I'm explaining what is obvious to you, my apologies - like I say, I'm writing to myself here.

I don't know that this even is a Show HN - @dang, if it isn't, please feel free to recategorise/edit the title.

@Everybody else, I am happy to answer questions if I can but please bear in mind that I am not claiming to be an expert on any of the tech gathered together to make this work.

Comments (52)

markisus · 32d ago
This has got me reading about TURN and it just seems like a huge ugly hack. Two computers want to send UDP to each other. They are electrically connected by sets of physical cables. They could even be down the street from each other. But they don’t know how to get their routers to set the right bits in their translation tables. Instead it’s just easier to send all their traffic through a third computer in another city thousands of miles away or maybe into outer space and back. Have I got it right?
cookie_monsta · 32d ago
From what I understand the real ugly hack is NAT tables thanks to the shortsightedness of IPv4.Everything else flows from there.

Mostly, though, what you are describing is the internet

Sean-Der · 32d ago
For me something only qualifies as a 'huge ugly hack' if a better way exists. I think TURN does the best it can in the constraints that exist!

* TURN handles protocol bridging (TCP <-> UDP)

* TURN is useful for privacy preservation.

* TURN handles NAT Traversal (unfortunate when it comes to this)

* TURN is used for security in some cases. It sits at the edge and clients create allocations

markisus · 32d ago
Oh I thought TURN was mainly about the NAT traversal. Can you elaborate on the other points? Especially security and privacy?
mtud · 32d ago
Without TURN, two clients that want to do streaming communication connect directly to each other, letting both ends know things like IP addresses, supported protocols, and other fingerprintable features. This was the norm for a long time - “I got your IP, I know where you live”
markisus · 32d ago
I’m not sure what you mean by fingerprinting and supported protocols. None of that would be present inherently in a UDP stream unless the application included it. As for hiding IP address, that is a valid use case for a TURN server but I’m guessing 99% of TURN server usage occurs only because the NAT hole punch failed.
VWWHFSfQ · 32d ago
> by fingerprinting and supported protocols. None of that would be present inherently in a UDP stream unless the application included it.

Much like TLS, both clients offer all the protocols, versions, and media encodings that they support so that they can find a common set that they can use together.

This is standard negotiation when establishing connections in WebRTC and it's obviously fingerprintable information.

markisus · 31d ago
You’re talking about WebRTC which may or may not make use of a TURN server. And I assume there are other uses of TURN which are completely unrelated to WebRTC.

Use of a TURN server does not imply hiding of negotiation details. The TURN RFC [1] does not mention anything related to media encodings or WebRTC negotiations at all.

[1] https://datatracker.ietf.org/doc/html/rfc5766

dartos · 32d ago
Even if it is mainly about NAT, how else would you do NAT traversal?
zamalek · 32d ago
Hole punching: https://en.wikipedia.org/wiki/Hole_punching_(networking)
dartos · 32d ago
Oh I guess that’s STUN that does the hole punching.

I’m so used to seeing both STUN and TURN together.

zamalek · 32d ago
STUN is merely a well-thought out signaling protocol. The simplest, and most common, route is for each party to reach out to the rendezvous (STUN server), which then responds with the port and IP in the other peer. Each party then uses the same address and port it received, because remember that a typical NAT merely maps a port to a port on one of its managed/internal endpoints. The mapping that was created for the STUN server is just as good for use by the other peer.

You could do all of that with your own protocol, but...

Some NATs will include the remote IP in the "key" of the mapping, or even more restrictive approaches, meaning that STUN will have to fall back to other strategies and eventually give up and use TURN.

These days you'll also find that mDNS and other local broadcasts play a role, so that the internet can be avoided entirely for LAN peers.

dartos · 32d ago
Right, so hole punching alone doesn’t solve the problem of NAT traversal, which is why TURN and things like it are needed.

when I wrote my other comment in my head TURN and STUN were practically synonymous, since I’ve never seen one without the other.

markisus · 32d ago
You aren’t completely wrong apparently.

> TURN is considered an extension to the STUN. So, a typical TURN server would include a STUN server implementation by default.

https://www.100ms.live/blog/webrtc-turn-server

koolala · 32d ago
Isn't STUN hole punching? TURN is what you do when STUN fails.
1oooqooq · 32d ago
by not having nat?

...only if ipv6 wasn't written by the very people profiting from NAT.

spease · 32d ago
Basically. I guess part of the issue is that NAT is also used as a security measure, so there are competing interests in making the ports chosen by outgoing UDP packets deterministic to make STUN easy, versus randomizing and restricting return traffic to the original recipient to make attacking harder and STUN impossible.
thebruce87m · 32d ago
> They are electrically connected by sets of physical cables.

Pedantic: Fibre and wireless do not fit this criteria, but I still agree with the spirit.

mystified5016 · 32d ago
Extra pedantic: Ethernet cables are galvanically isolated at both ends. There is no electrical connection at all.
0xFF0123 · 32d ago
I guess we can say both instances are electromagnetically attached. But then, basically everything is.
SahAssar · 32d ago
That isolation is within the devices, so the devices are still electrically connected, right?
XorNot · 32d ago
Yep. But this is what IPv6 was supposed to solve.
alwayslikethis · 32d ago
NAT may go away, but stateful firewalls won't. There will still be many environments where you can't easily get a point to point connection even though the IP is addressable and there is a route.
markisus · 32d ago
Won’t the firewall know to let return traffic through if my computer explicitly sends a request first?
markisus · 32d ago
I don’t know much about IPv6 but it seems like even if we are stuck with IPv4 we could still make some sort of protocol where my computer could manipulate the NAT table entries allocated to it. Maybe something like DHCP but it deals with ports.
mindcrime · 32d ago
Isn't something like that what UPnP / zeroconf is supposed to do[1][2]?

[1]: https://en.wikipedia.org/wiki/Universal_Plug_and_Play

[2]: https://en.wikipedia.org/wiki/Zero-configuration_networking

markisus · 32d ago
Very interesting. I even found some protocols that exactly implement the functionality I was thinking of!

https://en.wikipedia.org/wiki/Internet_Gateway_Device_Protoc...

https://en.wikipedia.org/wiki/Port_Control_Protocol

ggm · 32d ago
99% of this does not depend on Oracle, you can do this on any vm hosting platform you can get. The only point of using Oracle is the price point which will vanish as soon as they can cease using it to build market share. Good to show btw. Nice instructions. They're mostly platform neutral. It might be a different interface to manage on another host of course but the outcome would be much the same.
cookie_monsta · 32d ago
Thanks, and you're exactly right - the Oracle bit is probably the most basic, interchangeable part of the whole stack. The tricky bit there for me was all the ports/firewall configuration which like you say will be the same/very similar anywhere.

For hobby projects like this I have had no complaints with OCI but yeah, you would have to be crazy to use it in production.

Uptrenda · 32d ago
Respect++ for what you said about Peerjs. I used those servers myself for testing when I wrote my own TURN client and always felt a little bad about it. But it saved me tons of time before setting up my own. Now I have my own server (though not as well setup as yours -- your guide is good.)

This is a valuable contribution. IMO, the Internet needs more STUN, TURN, and MQTT servers. It's even more valuable if they support as many protocols as possible and have IPv4 / IPv6. For STUN -- running it with two IPs means it can support bind requests which is necessary for testing NAT types.

cookie_monsta · 32d ago
Oh, thanks that's very kind of you to say. PeerJS is great - it takes a lot of the complexity out of WebRTC and replaces it with a nice, clean API. I think it was an OK decision for them to use Google for their TURN server - really, the best use case for their cloud server is exactly as you described - get your PoC working, and then if you're serious, implement your own
keepamovin · 32d ago
This how to is extremely comprehensive and well written. You have a knack for writing technical tutorials and documentation that are accessible, clear and simple. Well done!

Good prose, clearly not written by AI - respect!

cookie_monsta · 32d ago
Cheers :) I trained and worked as a writer in my previous career, so it's nice to know that at least some of those chops remain. Like every other writer on the planet, I've tried AI for generating some base text that I could then tweak, but I find myself spending so much time rewriting that it's quicker just to do it from scratch...
miki123211 · 32d ago
> Additionally, some people have privacy concerns about running their data through anything associated with the big G.

It's important to point out that Web RTC is E2E encrypted, so Google never actually sees your data.

As long as the server you use for signaling is secure, your TURN server may as well be run by the NSA. Since initial signaling is extremely low-bandwidth compared to the actual call, it's usually fine to handle it in your application directly.

THe actual problem with WebRTC is that, in its default setup, every call participant leaks their IP address to everybody else, and you need to upload your data n-1 times for n call participants, making it almost unusable on slow connections. You can mitigate both of these problems with an SFU, essentially a central server that takes in streams from all clients and distributes them further, but then you lose the E2E.

Sean-Der · 32d ago
Great write up! It isn’t free, but the price/what it offers is really great with Hetzner. I switched from digital ocean.

Did you evaluate any other TURN servers? I’m curious about your thoughts of the Elixir and Go ones. Maybe even more exist, I haven’t looked recently

cookie_monsta · 32d ago
oh, no - I am far too lazy to "shop around" for TURN servers and coturn just works and ticks all the open source boxes for me - lots of contributors, recent commits, lots of stars and forks (although these last two aren't as important as the first)
import · 32d ago
How to doc recommends using Oracle Free Tier but they recently had a breach and leaked login server data https://www.bleepingcomputer.com/news/security/oracle-custom...
telesilla · 32d ago
Look at Stunner as a Kubernetes friendly alternative to coturn.

https://github.com/l7mp/stunner

For those of you needing turn services without wanting to host, I can highly recommended Xirsys. Excellent service and while pricing is more than Cloudflare you get better network quality.

If you prefer Cloudflare, unless you are using GBs a day you'll most likely have a $0 monthly bill which makes it an excellent choice for small projects and testing.

nubinetwork · 32d ago
I'm not paying oracle for cloud services, I learned my lesson the hard way, they're still emailing me about random cloud stuff despite me telling them to stop contacting me.
j45 · 30d ago
This codebase seems to be a little old - does anyone have it running as is, or close to as is?
nurettin · 32d ago
If I was tasked to get this up and running, I would probably start with porting the entire thing to postgres.
BiteCode_dev · 32d ago
Can't we have TURN over something like bittorrent or ifps so that it's decentralized ?
deeth_starr_v · 32d ago
Doesn't bittorrent have the tracker that is acting as the glue to connect to peers?
ranger_danger · 32d ago
The problem I see with TURN is there's basically no way to prevent people from abusing it publicly for relaying any traffic they want, without any of your own web sites or WebRTC apps involved.
cookie_monsta · 32d ago
Basic authentication is covered in Section 11[0]

There are more thoughts on tightening up authentication in the last section "Tightening and tidying"

Apologies if I have misunderstood your comment

[0]https://github.com/lvidgen/WebRTC/blob/master/FOSS_TURN_Serv...

ranger_danger · 32d ago
Authentication still requires the client to have access to the password, where you can just take it and use it for any other purpose.

Unless you're asking every user to manually input a TURN password and they promise not to give it out, you're basically forced to reveal it to every visitor of your site.

cookie_monsta · 32d ago
yes, but you can block cross origin requests to both the credentials server and the PeerJS server which I understand prevents this: "relaying any traffic they want, without any of your own web sites or WebRTC apps involved"

Again, not an expert. This problem only really exists for "ad-hoc" connections where you don't want people to have to set up accounts. coturn has the ability to do standard authentication by checking credentials stored in databases

mtud · 32d ago
You can generate short-lived and single-use credentials for users.
ranger_danger · 32d ago
Yes, but, if this is a public website that anyone can use, then an abuser using your TURN server for other purposes can also grab a single-use credential from the site, making it a bit pointless.
Sean-Der · 32d ago
I see a couple ways to combat that.

* Your TURN server should provide APIs that allow you to verify that allocations/permissions are only created for your users.

* Use an auth mechanism that has an expiry time. Like [0]

[0] https://github.com/pion/turn/tree/master/examples/lt-cred-ge...

cookie_monsta · 32d ago
> * Your TURN server should provide APIs that allow you to verify that allocations/permissions are only created for your users.

coturn provides these APIs, they're not covered in the writeup, though

> * Use an auth mechanism that has an expiry time. Like [0]

This is how the credentials server in the write up works

fenesiistvan · 32d ago
Yes, usually some more intelligent auth is needed, depending on your app logic. For example the MRTC SIP-WebRTC gateway will do the usual SIP digest auth first, then will send a temporary TURN password to the WebRTC client + it will allow only the current source IP to use the TURN service (with an extra auth message exchane if the IP changes during the call).