It’s really nice when something I thought would take a few hours to fix takes just 5 minutes. It recently happened when I was ‘forced’ to look for an alternative to the STUN/TURN server I run at Hetzner. If you just care about the tech details, jump down a bit to the next headline.
Yes, I was sort of ‘forced’ to install a new STUN/TURN server by several ‘external factors’. One was an automated email I got from Hetzner saying that a port scanning attack was originating from my server and that they would block the server if it didn’t stop. After having a look, it turned out to be a false alarm. The ‘port scanning attack’ consisted of answer packets to incoming STUN requests on consecutive ports from the same IP address. I have no idea whether the source IP address was spoofed or not, but I’m pretty sure it was some sort of attack against me or against Hetzner. But the email sounded serious, and as I couldn’t do anything about these incoming requests nor about the answers, I needed an urgent plan B and C in case Hetzner really blocked access to the server. This is because my STUN/TURN server is a central element of my cloud services, as all my XMPP voice and video calls run over it. If the server got blocked, this essential service would instantly fail.
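To make the ‘answer packets on consecutive ports’ pattern concrete, here is an added example of the STUN Binding exchange in Python. It is my illustration, not code from Hetzner’s report, Coturn or Eturnal; the IP addresses and ports are constructed sample values. A client sends a 20-byte Binding Request, the server answers with the source address and port it saw (XOR-MAPPED-ADDRESS, RFC 5389), and because Binding carries no credentials, the reply goes to whatever source address the datagram claimed.

```python
import os
import socket
import struct

# RFC 5389 constants
MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(transaction_id=None):
    """Client side: the 20-byte STUN Binding Request (no attributes)."""
    tid = transaction_id or os.urandom(12)
    # message type, message length, magic cookie, 96-bit transaction id
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC_COOKIE, tid)


def parse_header(msg):
    """Validate the fixed STUN header; return (type, transaction id, attribute bytes)."""
    if len(msg) < 20:
        raise ValueError("short STUN message")
    mtype, length, cookie, tid = struct.unpack("!HHI12s", msg[:20])
    if cookie != MAGIC_COOKIE or mtype & 0xC000:
        raise ValueError("not a STUN message")
    if len(msg) != 20 + length:
        raise ValueError("length mismatch")
    return mtype, tid, msg[20:]


def xor_mapped_address(ip, port, tid):
    """Encode an IPv4 XOR-MAPPED-ADDRESS attribute (port and address XORed with the cookie)."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = int.from_bytes(socket.inet_aton(ip), "big") ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, 0x01, xport, xaddr)  # reserved, family=IPv4
    return struct.pack("!HH", XOR_MAPPED_ADDRESS, len(value)) + value


def handle_datagram(datagram, src_ip, src_port):
    """Server side: answer a Binding Request with a Binding Success Response.

    The reply is addressed to whatever source the datagram carried. Binding is
    unauthenticated, so a spoofed source address simply redirects the reply.
    Returns (response_bytes, destination) or None for anything that is not a request.
    (Real servers usually append SOFTWARE/FINGERPRINT attributes; omitted here.)
    """
    try:
        mtype, tid, _ = parse_header(datagram)
    except ValueError:
        return None
    if mtype != BINDING_REQUEST:
        return None
    attrs = xor_mapped_address(src_ip, src_port, tid)
    header = struct.pack("!HHI12s", BINDING_SUCCESS, len(attrs), MAGIC_COOKIE, tid)
    return header + attrs, (src_ip, src_port)


def decode_mapped_address(response):
    """Client side: pull the reflexive (public) address out of a success response."""
    mtype, _, body = parse_header(response)
    if mtype != BINDING_SUCCESS:
        raise ValueError("not a success response")
    while body:
        atype, alen = struct.unpack("!HH", body[:4])
        value, body = body[4:4 + alen], body[4 + ((alen + 3) & ~3):]  # attrs are 4-byte padded
        if atype == XOR_MAPPED_ADDRESS:
            _, family, xport, xaddr = struct.unpack("!BBHI", value[:8])
            if family != 0x01:
                raise ValueError("only IPv4 handled in this example")
            ip = socket.inet_ntoa((xaddr ^ MAGIC_COOKIE).to_bytes(4, "big"))
            return ip, xport ^ (MAGIC_COOKIE >> 16)
    raise ValueError("no XOR-MAPPED-ADDRESS")


def reply_targets(datagrams):
    """Where the replies to a list of (datagram, src_ip, src_port) tuples are sent."""
    targets = []
    for datagram, ip, port in datagrams:
        answer = handle_datagram(datagram, ip, port)
        if answer:
            targets.append(answer[1])
    return targets


if __name__ == "__main__":
    # Constructed burst: one (possibly spoofed) address, consecutive source ports.
    burst = [(build_binding_request(), "198.51.100.7", 40000 + i) for i in range(5)]
    for dst in reply_targets(burst):
        print("reply to", dst)
```

Fed a burst of requests from one address over consecutive source ports, the replies fan out to those same consecutive ports, which is exactly what a flow-based scan detector at the hosting provider sees as a port sweep originating from the server. The 20-byte request earns a 32-byte reply, so the amplification is small, but the packet count is 1:1 and the server has no way to tell a real client from a spoofed source.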
The second reason I needed to install a new server was that my current STUN/TURN solution, based on Coturn, was still running on Ubuntu 20.04, and LTS support ended at the end of May 2025. I tried to update the server to Ubuntu 22.04 some time ago, but that broke Coturn. As there was still some support time left, I decided not to bother for the moment. Well, time has run out. Sure, I could activate extended support from Canonical, but I think that is called ‘massive technical debt’. Not acceptable for a central service. So let’s fix this from the bottom up, I thought, even if I have to spend a couple of hours on it.
Eturnal – As Easy As it Gets
Some time ago, I had already looked at alternatives to Coturn, and as Coturn wouldn’t install without spending some quality time on it, I decided to see if Eturnal would be easier to handle. And indeed it is. The only things that are required are:
- Spawn an Ubuntu 24.04 VM connected to a public IP address
- Install Eturnal from an apt repository
- Un-comment the ‘secret’ password configuration line
- Enter a good password in the ‘secret’ parameter
- Reload the configuration from the shell: ‘eturnalctl reload’
Done!
No TLS certificates, no other fancy and strange configuration options, it just works out of the box. If you point the old domain name at the new server and re-use the same secret as on the old STUN/TURN server, you don’t even have to modify the XMPP server configuration.
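Why re-using the secret from the steps above is all it takes: the XMPP server and the TURN server never talk to each other. Both hold the same secret; the XMPP server mints time-limited credentials from it for every call (TURN REST API scheme, draft-uberti-behave-turn-rest) and the TURN server recomputes them. The following is an added example of that derivation in Python, my illustration rather than Eturnal’s or any XMPP server’s code; the host name, user name, secret and timestamps are made up.

```python
import base64
import hashlib
import hmac
import time


def turn_credentials(secret, user, ttl=86400, now=None):
    """Mint time-limited TURN credentials from the shared secret.

    username = "<expiry unix time>:<user>", password = base64(HMAC-SHA1(secret, username)).
    The XMPP server does this per call; the TURN server is never contacted.
    """
    base = int(time.time() if now is None else now)
    username = f"{base + ttl}:{user}"
    mac = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return username, base64.b64encode(mac).decode()


def verify_credentials(secret, username, password, now=None):
    """Accept or reject credentials the way a TURN server holding the same secret does.

    A real server never receives the password itself: the client proves it via
    the MESSAGE-INTEGRITY HMAC keyed with long_term_key(). This models the same
    decision without the STUN framing.
    """
    try:
        expiry = int(username.split(":", 1)[0])
    except ValueError:
        return False
    if expiry <= int(time.time() if now is None else now):
        return False  # expired credentials are rejected, whatever the MAC says
    mac = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(base64.b64encode(mac).decode(), password)


def long_term_key(username, realm, password):
    """RFC 5389 long-term credential key, the key of the MESSAGE-INTEGRITY HMAC."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()


def xep0215_services(host, secret, user, ttl=86400, now=None):
    """Records an XMPP server advertises to a client (XEP-0215 External Service
    Discovery shape): STUN needs no credentials, TURN gets the minted pair."""
    username, password = turn_credentials(secret, user, ttl, now)
    return [
        {"type": "stun", "host": host, "port": 3478, "transport": "udp"},
        {"type": "turn", "host": host, "port": 3478, "transport": "udp",
         "username": username, "password": password},
    ]


if __name__ == "__main__":
    # Constructed values: the secret is the one line that must match on both servers.
    old_server_secret = new_server_secret = "correct-horse-battery-staple"
    for record in xep0215_services("turn.example.org", old_server_secret, "alice", ttl=3600):
        print(record)
    u, p = turn_credentials(old_server_secret, "alice", ttl=3600)
    print("accepted by new server:", verify_credentials(new_server_secret, u, p))
```

Two practical consequences follow. First, the `secret` line in eturnal’s configuration is the only credential the whole setup depends on, so it deserves a long random value and the same file permissions as a private key. Second, the password never crosses the wire, and a rejected or expired credential is decided locally by the TURN server, which is why the TLS question in the next section is about firewall traversal rather than credential secrecy.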
Why No TLS Certificate?
On my old STUN/TURN server I did have a TLS certificate installed that was automatically renewed by Let’s Encrypt. Why? Because the installation instructions at the time said it was required. But I wondered why this would be the case, as my XMPP server, Conversations and WebRTC combination is end-to-end encrypted anyway. So why would I need a TLS certificate on a STUN/TURN server that is only used as a relay? The answer: I don’t, it’s not applicable for my purposes, it’s only required for unencrypted services that use TCP for relaying. I quote from here:
‘UDP vs TCP vs TLS – STUN and TURN can operate over three different protocols: UDP, TCP and TCP/TLS. The latter is indicated by the stuns and turns URI scheme. Using TLS does not increase security as calls are always end-to-end encrypted with DTLS-SRTP. On the down side, using TCP or TLS instead of UDP might negatively impact latency and performance. The only benefit of using TURN over TLS on port 443 is that you have a higher chance of passing through restrictive firewalls. However, this should only be a fallback and not the default connection mechanism.’
Perfect, one Let’s Encrypt certificate less to automatically update!
Summary
After running my voice and video calls over my new STUN/TURN relay for some time, I’m confident it can do the job, and my old setup, which is no longer maintainable, can be retired. Excellent.