HN Reader

Reversible computing with mechanical links and pivots (tennysontbardwell.com)

64 points by tennysont 2h ago 18 comments

NotebookLM Audio Overviews are now available in over 50 languages (blog.google)

156 points by saikatsg 3h ago 41 comments

Xiaomi MiMo Reasoning Model (github.com)

363 points by thm 11h ago 141 comments

DeepSeek-Prover-V2 (github.com)

223 points by meetpateltech 4h ago 46 comments

Someone at YouTube needs glasses (jayd.ml)

751 points by jaydenmilne 5h ago 441 comments

Show HN: Create your own finetuned AI model using Google Sheets (promptrepo.com)

47 points by QueensGambit 4h ago 22 comments

Google Play sees 47% decline in apps since start of last year (techcrunch.com)

59 points by GeekyBear 1h ago 24 comments

I created Perfect Wiki and reached $250k in annual revenue without investors (habr.com)

489 points by sochix 12h ago 281 comments

Show HN: ART – a new open-source RL framework for training agents (github.com)

43 points by kcorbitt 4h ago 6 comments

Linux Kernel Exploitation: CVE-2025-21756 (hoefler.dev)

4 points by todsacerdoti 1h ago 0 comments

Sycophancy in GPT-4o (openai.com)

444 points by dsr12 17h ago 352 comments

OCaml's Wings for Machine Learning (github.com)

92 points by musha68k 8h ago 43 comments

Archil (YC F24) Is Hiring a Distributed Systems Engineer (In-Person, SF)

1 points by huntaub 3h ago 0 comments

Joining Sun Microsystems – 40 years ago (2022) (akapugs.blog)

139 points by TMWNN 5h ago 97 comments

Jepsen: Amazon RDS for PostgreSQL 17.4 (jepsen.io)

552 points by aphyr 1d ago 131 comments

You Wouldn't Download a Hacker News (jasonthorsness.com)

330 points by jasonthorsness 19h ago 177 comments

The Leaderboard Illusion (arxiv.org)

129 points by pongogogo 12h ago 41 comments

Show HN: Kexa.io – Open-Source IT Security and Compliance Verification

50 points by patrick4urcloud 7h ago 12 comments

Retailers will soon have only about 7 weeks of full inventories left (fortune.com)

325 points by andrewfromx 8h ago 488 comments

Port of Los Angeles says shipping volume will plummet 35% next week (cnbc.com)

553 points by perihelions 7h ago 495 comments

The True Size Of (thetruesize.com)

184 points by thunderbong 4d ago 78 comments

New atomic fountain clock joins group that keeps the world on time (nist.gov)

78 points by austinallegro 1d ago 30 comments

What Is "Induced Atmospheric Vibration"? (physics.stackexchange.com)

114 points by belter 1d ago 65 comments

NYC home prices rise 10% in early 2025 (qns.com)

9 points by geox 47m ago 1 comments

The Mira Pro Color is Boox's first color E Ink monitor (theverge.com)

42 points by tortilla 2h ago 23 comments

"AI-first" is the new Return To Office (anildash.com)

251 points by LorenDB 6h ago 149 comments

What It Takes to Defend a Cybersecurity Company from Today's Adversaries (sentinelone.com)

149 points by gnabgib 17h ago 70 comments

Researchers are studying how to minimize human impact on public lands (undark.org)

58 points by droptext 1d ago 7 comments

Linux in Excel (github.com)

161 points by radeeyate 17h ago 60 comments

The missteps that led to a fatal plane crash at Reagan National Airport (nytimes.com)

118 points by keepamovin 2d ago 128 comments

Why can't Ivies cope with losing a few hundred million? (economist.com)

66 points by sneakerblack 5h ago 205 comments

My sourdough starter has twins (brainbaking.com)

188 points by Tomte 1d ago 74 comments

Finland Bans Smartphones in Schools (yle.fi)

691 points by freetonik 11h ago 423 comments

Elon Musk Just Doesn't Understand the Sci-Fi Visions of Iain M. Banks (lithub.com)

21 points by mitchbob 2h ago 3 comments

Show HN: Beatsync – perfect audio sync across multiple devices (github.com)

388 points by freemanjiang 1d ago 113 comments

Doom GPU Flame Graphs (brendangregg.com)

7 points by LorenDB 5h ago 0 comments

Bamba: An open-source LLM that crosses a transformer with an SSM (research.ibm.com)

192 points by shallow-mind 1d ago 65 comments

An illustrated guide to automatic sparse differentiation (iclr-blogposts.github.io)

124 points by mariuz 1d ago 22 comments

WorldGen: Open-source 3D scene generator for Game/VR/XR (worldgen.github.io)

122 points by ziyangxie 2d ago 19 comments

Lessons from the Lebanese Space Program – Kasurian (kasurian.com)

28 points by rbanffy 8h ago 14 comments

It's School time: Adventures in hacking an old Kindle (samkhawase.com)

157 points by FlyingSnake 2d ago 46 comments

Everything we announced at our first LlamaCon (ai.meta.com)

202 points by meetpateltech 1d ago 107 comments

How the Internet Left 4chan Behind (newyorker.com)

20 points by FinnLobsien 9h ago 15 comments

I use zip bombs to protect my server (idiallo.com)

933 points by foxfired 1d ago 414 comments

Mission Impossible: Managing AI Agents in the Real World (medium.com)

54 points by dtagames 1d ago 3 comments

Chain of Recursive Thoughts: Make AI think harder by making it argue with itself (github.com)

521 points by miles 1d ago 232 comments

We need more optimistic science fiction (craig-russell.co.uk)

113 points by craig552uk 3d ago 172 comments

Show HN: An MCP server for understanding AWS costs

105 points by StratusBen 5d ago 22 comments

Janet Jackson's cursed bassline was the scourge of notebook makers for years (pcgamer.com)

9 points by stalfosknight 2h ago 2 comments

Shoes on at home or shoes off? If you care about your health, it's a no-brainer (theguardian.com)

4 points by n1b0m 1h ago 1 comments

Show HN: An Almost Free, Open Source TURN Server

122 cookie_monsta 52 3/28/2025, 10:46:43 PM github.com ↗
Hi HN,

I have been messing around with WebRTC for a few years now but when it comes to the TURN server I never quite got to my gold standard of free, self-hosted and open source. I decided to give it a go using Oracle Cloud Infrastructure's free tier, meaning that my total spend got down to domain name hosting. I know plenty of people have been burnt by Oracle in the past, but I have had servers running on the free tier for 5 years now without so much as a hiccup. Regardless, the concepts will be the same using any cloud based server.

This is the first time I've written up an end-to-end technical how-to like this and the audience I am writing for is really myself - I know just enough about networks and web dev and Linux, etc to get all this running and there are plenty of snippets out there on the web that tell you how to do one thing or another, but nowhere that puts it all together in one place so if I'm explaining what is obvious to you, my apologies - like I say, I'm writing to myself here.

I don't know that this even is a Show HN - @dang, if it isn't, please feel free to recategorise/edit the title.

@Everybody else, I am happy to answer questions if I can but please bear in mind that I am not claiming to be an expert on any of the tech gathered together to make this work.

Comments (52)

markisus · 32d ago
This has got me reading about TURN and it just seems like a huge ugly hack. Two computers want to send UDP to each other. They are electrically connected by sets of physical cables. They could even be down the street from each other. But they don’t know how to get their routers to set the right bits in their translation tables. Instead it’s just easier to send all their traffic through a third computer in another city thousands of miles away or maybe into outer space and back. Have I got it right?
cookie_monsta · 32d ago
From what I understand the real ugly hack is NAT tables thanks to the shortsightedness of IPv4.Everything else flows from there.

Mostly, though, what you are describing is the internet

Sean-Der · 32d ago
For me something only qualifies as a 'huge ugly hack' if a better way exists. I think TURN does the best it can in the constraints that exist!

* TURN handles protocol bridging (TCP <-> UDP)

* TURN is useful for privacy preservation.

* TURN handles NAT Traversal (unfortunate when it comes to this)

* TURN is used for security in some cases. It sits at the edge and clients create allocations

markisus · 32d ago
Oh I thought TURN was mainly about the NAT traversal. Can you elaborate on the other points? Especially security and privacy?
mtud · 32d ago
Without TURN, two clients that want to do streaming communication connect directly to each other, letting both ends know things like IP addresses, supported protocols, and other fingerprintable features. This was the norm for a long time - “I got your IP, I know where you live”
markisus · 32d ago
I’m not sure what you mean by fingerprinting and supported protocols. None of that would be present inherently in a UDP stream unless the application included it. As for hiding IP address, that is a valid use case for a TURN server but I’m guessing 99% of TURN server usage occurs only because the NAT hole punch failed.
VWWHFSfQ · 32d ago
> by fingerprinting and supported protocols. None of that would be present inherently in a UDP stream unless the application included it.

Much like TLS, both clients offer all the protocols, versions, and media encodings that they support so that they can find a common set that they can use together.

This is standard negotiation when establishing connections in WebRTC and it's obviously fingerprintable information.

markisus · 31d ago
You’re talking about WebRTC which may or may not make use of a TURN server. And I assume there are other uses of TURN which are completely unrelated to WebRTC.

Use of a TURN server does not imply hiding of negotiation details. The TURN RFC [1] does not mention anything related to media encodings or WebRTC negotiations at all.

[1] https://datatracker.ietf.org/doc/html/rfc5766

dartos · 32d ago
Even if it is mainly about NAT, how else would you do NAT traversal?
zamalek · 32d ago
Hole punching: https://en.wikipedia.org/wiki/Hole_punching_(networking)
dartos · 32d ago
Oh I guess that’s STUN that does the hole punching.

I’m so used to seeing both STUN and TURN together.

zamalek · 32d ago
STUN is merely a well-thought out signaling protocol. The simplest, and most common, route is for each party to reach out to the rendezvous (STUN server), which then responds with the port and IP in the other peer. Each party then uses the same address and port it received, because remember that a typical NAT merely maps a port to a port on one of its managed/internal endpoints. The mapping that was created for the STUN server is just as good for use by the other peer.

You could do all of that with your own protocol, but...

Some NATs will include the remote IP in the "key" of the mapping, or even more restrictive approaches, meaning that STUN will have to fall back to other strategies and eventually give up and use TURN.

These days you'll also find that mDNS and other local broadcasts play a role, so that the internet can be avoided entirely for LAN peers.

dartos · 32d ago
Right, so hole punching alone doesn’t solve the problem of NAT traversal, which is why TURN and things like it are needed.

when I wrote my other comment in my head TURN and STUN were practically synonymous, since I’ve never seen one without the other.

markisus · 32d ago
You aren’t completely wrong apparently.

> TURN is considered an extension to the STUN. So, a typical TURN server would include a STUN server implementation by default.

https://www.100ms.live/blog/webrtc-turn-server

koolala · 32d ago
Isn't STUN hole punching? TURN is what you do when STUN fails.
1oooqooq · 32d ago
by not having nat?

...only if ipv6 wasn't written by the very people profiting from NAT.

spease · 32d ago
Basically. I guess part of the issue is that NAT is also used as a security measure, so there are competing interests in making the ports chosen by outgoing UDP packets deterministic to make STUN easy, versus randomizing and restricting return traffic to the original recipient to make attacking harder and STUN impossible.
thebruce87m · 32d ago
> They are electrically connected by sets of physical cables.

Pedantic: Fibre and wireless do not fit this criteria, but I still agree with the spirit.

mystified5016 · 32d ago
Extra pedantic: Ethernet cables are galvanically isolated at both ends. There is no electrical connection at all.
0xFF0123 · 32d ago
I guess we can say both instances are electromagnetically attached. But then, basically everything is.
SahAssar · 32d ago
That isolation is within the devices, so the devices are still electrically connected, right?
XorNot · 32d ago
Yep. But this is what IPv6 was supposed to solve.
alwayslikethis · 32d ago
NAT may go away, but stateful firewalls won't. There will still be many environments where you can't easily get a point to point connection even though the IP is addressable and there is a route.
markisus · 32d ago
Won’t the firewall know to let return traffic through if my computer explicitly sends a request first?
markisus · 32d ago
I don’t know much about IPv6 but it seems like even if we are stuck with IPv4 we could still make some sort of protocol where my computer could manipulate the NAT table entries allocated to it. Maybe something like DHCP but it deals with ports.
mindcrime · 32d ago
Isn't something like that what UPnP / zeroconf is supposed to do[1][2]?

[1]: https://en.wikipedia.org/wiki/Universal_Plug_and_Play

[2]: https://en.wikipedia.org/wiki/Zero-configuration_networking

markisus · 32d ago
Very interesting. I even found some protocols that exactly implement the functionality I was thinking of!

https://en.wikipedia.org/wiki/Internet_Gateway_Device_Protoc...

https://en.wikipedia.org/wiki/Port_Control_Protocol

ggm · 32d ago
99% of this does not depend on Oracle, you can do this on any vm hosting platform you can get. The only point of using Oracle is the price point which will vanish as soon as they can cease using it to build market share. Good to show btw. Nice instructions. They're mostly platform neutral. It might be a different interface to manage on another host of course but the outcome would be much the same.
cookie_monsta · 32d ago
Thanks, and you're exactly right - the Oracle bit is probably the most basic, interchangeable part of the whole stack. The tricky bit there for me was all the ports/firewall configuration which like you say will be the same/very similar anywhere.

For hobby projects like this I have had no complaints with OCI but yeah, you would have to be crazy to use it in production.

Uptrenda · 32d ago
Respect++ for what you said about Peerjs. I used those servers myself for testing when I wrote my own TURN client and always felt a little bad about it. But it saved me tons of time before setting up my own. Now I have my own server (though not as well setup as yours -- your guide is good.)

This is a valuable contribution. IMO, the Internet needs more STUN, TURN, and MQTT servers. It's even more valuable if they support as many protocols as possible and have IPv4 / IPv6. For STUN -- running it with two IPs means it can support bind requests which is necessary for testing NAT types.

cookie_monsta · 32d ago
Oh, thanks that's very kind of you to say. PeerJS is great - it takes a lot of the complexity out of WebRTC and replaces it with a nice, clean API. I think it was an OK decision for them to use Google for their TURN server - really, the best use case for their cloud server is exactly as you described - get your PoC working, and then if you're serious, implement your own
keepamovin · 32d ago
This how to is extremely comprehensive and well written. You have a knack for writing technical tutorials and documentation that are accessible, clear and simple. Well done!

Good prose, clearly not written by AI - respect!

cookie_monsta · 32d ago
Cheers :) I trained and worked as a writer in my previous career, so it's nice to know that at least some of those chops remain. Like every other writer on the planet, I've tried AI for generating some base text that I could then tweak, but I find myself spending so much time rewriting that it's quicker just to do it from scratch...
miki123211 · 32d ago
> Additionally, some people have privacy concerns about running their data through anything associated with the big G.

It's important to point out that Web RTC is E2E encrypted, so Google never actually sees your data.

As long as the server you use for signaling is secure, your TURN server may as well be run by the NSA. Since initial signaling is extremely low-bandwidth compared to the actual call, it's usually fine to handle it in your application directly.

THe actual problem with WebRTC is that, in its default setup, every call participant leaks their IP address to everybody else, and you need to upload your data n-1 times for n call participants, making it almost unusable on slow connections. You can mitigate both of these problems with an SFU, essentially a central server that takes in streams from all clients and distributes them further, but then you lose the E2E.

Sean-Der · 32d ago
Great write up! It isn’t free, but the price/what it offers is really great with Hetzner. I switched from digital ocean.

Did you evaluate any other TURN servers? I’m curious about your thoughts of the Elixir and Go ones. Maybe even more exist, I haven’t looked recently

cookie_monsta · 32d ago
oh, no - I am far too lazy to "shop around" for TURN servers and coturn just works and ticks all the open source boxes for me - lots of contributors, recent commits, lots of stars and forks (although these last two aren't as important as the first)
import · 32d ago
How to doc recommends using Oracle Free Tier but they recently had a breach and leaked login server data https://www.bleepingcomputer.com/news/security/oracle-custom...
telesilla · 32d ago
Look at Stunner as a Kubernetes friendly alternative to coturn.

https://github.com/l7mp/stunner

For those of you needing turn services without wanting to host, I can highly recommended Xirsys. Excellent service and while pricing is more than Cloudflare you get better network quality.

If you prefer Cloudflare, unless you are using GBs a day you'll most likely have a $0 monthly bill which makes it an excellent choice for small projects and testing.

nubinetwork · 32d ago
I'm not paying oracle for cloud services, I learned my lesson the hard way, they're still emailing me about random cloud stuff despite me telling them to stop contacting me.
j45 · 30d ago
This codebase seems to be a little old - does anyone have it running as is, or close to as is?
nurettin · 32d ago
If I was tasked to get this up and running, I would probably start with porting the entire thing to postgres.
BiteCode_dev · 32d ago
Can't we have TURN over something like bittorrent or ifps so that it's decentralized ?
deeth_starr_v · 32d ago
Doesn't bittorrent have the tracker that is acting as the glue to connect to peers?
ranger_danger · 32d ago
The problem I see with TURN is there's basically no way to prevent people from abusing it publicly for relaying any traffic they want, without any of your own web sites or WebRTC apps involved.
cookie_monsta · 32d ago
Basic authentication is covered in Section 11[0]

There are more thoughts on tightening up authentication in the last section "Tightening and tidying"

Apologies if I have misunderstood your comment

[0]https://github.com/lvidgen/WebRTC/blob/master/FOSS_TURN_Serv...

ranger_danger · 32d ago
Authentication still requires the client to have access to the password, where you can just take it and use it for any other purpose.

Unless you're asking every user to manually input a TURN password and they promise not to give it out, you're basically forced to reveal it to every visitor of your site.

cookie_monsta · 32d ago
yes, but you can block cross origin requests to both the credentials server and the PeerJS server which I understand prevents this: "relaying any traffic they want, without any of your own web sites or WebRTC apps involved"

Again, not an expert. This problem only really exists for "ad-hoc" connections where you don't want people to have to set up accounts. coturn has the ability to do standard authentication by checking credentials stored in databases

mtud · 32d ago
You can generate short-lived and single-use credentials for users.
ranger_danger · 32d ago
Yes, but, if this is a public website that anyone can use, then an abuser using your TURN server for other purposes can also grab a single-use credential from the site, making it a bit pointless.
Sean-Der · 32d ago
I see a couple ways to combat that.

* Your TURN server should provide APIs that allow you to verify that allocations/permissions are only created for your users.

* Use an auth mechanism that has an expiry time. Like [0]

[0] https://github.com/pion/turn/tree/master/examples/lt-cred-ge...

cookie_monsta · 32d ago
> * Your TURN server should provide APIs that allow you to verify that allocations/permissions are only created for your users.

coturn provides these APIs, they're not covered in the writeup, though

> * Use an auth mechanism that has an expiry time. Like [0]

This is how the credentials server in the write up works

fenesiistvan · 32d ago
Yes, usually some more intelligent auth is needed, depending on your app logic. For example the MRTC SIP-WebRTC gateway will do the usual SIP digest auth first, then will send a temporary TURN password to the WebRTC client + it will allow only the current source IP to use the TURN service (with an extra auth message exchane if the IP changes during the call).