
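# ============================================================
# coturn.conf — Coturn TURN/STUN Server Configuration
# Mount this at /etc/coturn/turnserver.conf in the container.
#
# Generate a secret with: pwgen -s 64 1
# The secret here MUST match turn_secret in continuwuity.toml.
#
# Comments must be on their own line. Whether coturn strips a
# trailing "# ..." after a value is parser-version dependent, so
# nothing is placed after a value on the same line here.
# ============================================================

# Use time-limited shared-secret auth (more secure than static credentials)
use-auth-secret

# EDIT THIS — must match turn_secret in continuwuity.toml.
# This file holds the shared secret in the clear: keep it readable
# only by the coturn user and out of version control.
static-auth-secret=YOUR_COTURN_SECRET

# EDIT THIS — realm should match your Matrix domain
realm=matrix.example.com

# ------------------------------------------------------------
# Port ranges
# Default coturn range is 49152-65535.
# We start at 50201 so it doesn't overlap with LiveKit (50100-50200).
# ------------------------------------------------------------
min-port=50201
max-port=65535

# ------------------------------------------------------------
# Optional: TLS support (recommended for production)
# You'll need to provide certificates. One approach is to copy
# them from your Let's Encrypt store (requires a cron/hook).
# Leave these commented out if you're not setting up TLS on coturn.
# ------------------------------------------------------------
# tls-listening-port=5349
# cert=/etc/coturn/certs/fullchain.pem
# pkey=/etc/coturn/certs/privkey.pem

# ------------------------------------------------------------
# Security hardening
# Prevents coturn from being used as an open relay/proxy into
# networks the TURN server can reach but clients should not.
# ------------------------------------------------------------
# Deny relaying to private, loopback, link-local and other
# non-routable ranges (prevents SSRF via the relay).
# denied-peer-ip is a multi-value option: one range per line.
# IPv4
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
# Link-local; this range also covers cloud instance metadata endpoints.
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=240.0.0.0-255.255.255.255
# IPv6 (loopback, IPv4-mapped, unique-local, link-local)
denied-peer-ip=::1
denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
# If this host also runs other services on its public address, deny
# that address too so the relay cannot be used to reach them:
# denied-peer-ip=<PUBLIC_IP_OF_THIS_HOST>

# Disallow peers on multicast addresses (224.0.0.0 and above, and ffXX::/8).
# Note: this does not restrict relaying to unicast public IPs.
no-multicast-peers

# Turn off the telnet-style management CLI (listens on 127.0.0.1:5766
# by default). Not needed here; reduces attack surface. The separate
# web admin UI is only enabled if web-admin is set, which it is not.
no-cli

# Log to stdout so Docker captures it
log-file=stdout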