To generate a self-signed TLS certificate for Coturn using openssl, you can follow this step-by-step process.
🛠️ 1. Generate the cert & key using OpenSSL
Run the following command:
openssl req -x509 -nodes -newkey rsa:2048 \
-keyout /usr/local/etc/turn_server_pkey.pem \
-out /usr/local/etc/turn_server_cert.pem \
-days 365
🔍 What this does:
-x509: Creates a self-signed certificate.
-nodes: Skips password protection on the key (Coturn can’t prompt for passwords).
-newkey rsa:2048: Generates a new 2048-bit RSA key.
-keyout: Where to save the private key.
-out: Where to save the cert.
-days 365: Valid for 1 year.
📝 During the process, you’ll be asked for:
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
...
Common Name (e.g. server FQDN or YOUR name) []: xxx.duckdns.org
👉 Use your domain (like mzh1203.duckdns.org) as the Common Name (CN).
📦 2. Check file permissions
Make sure only root or the turnserver user can read the key:
sudo chown turnserver:turnserver /usr/local/etc/turn_server_*.pem
sudo chmod 600 /usr/local/etc/turn_server_pkey.pem
sudo chmod 644 /usr/local/etc/turn_server_cert.pem
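As an added example (not part of the original post), the shell functions below perform steps 1 and 2 in one place and then verify the result before turnserver loads it: the cert also carries a subjectAltName (modern TLS clients check the SAN rather than the CN; -addext needs OpenSSL 1.1.1 or newer), and the check confirms the key is mode 600, that the key actually matches the cert, and that the cert is not about to expire. The domain turn.example.com and the output directory are placeholders.

```shell
# gen_turn_cert DOMAIN OUTDIR: self-signed cert + unencrypted key, valid 365 days,
# with the domain in both CN and subjectAltName. Paths are assumptions.
gen_turn_cert() {
    domain="$1"; outdir="$2"
    openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
        -subj "/CN=$domain" \
        -addext "subjectAltName=DNS:$domain" \
        -keyout "$outdir/turn_server_pkey.pem" \
        -out "$outdir/turn_server_cert.pem" 2>/dev/null || return 1
    # Same permissions as in step 2: key private, cert world-readable.
    chmod 600 "$outdir/turn_server_pkey.pem"
    chmod 644 "$outdir/turn_server_cert.pem"
}

# check_turn_cert CERT KEY: returns 0 only if the key is mode 600, the public
# key inside the cert equals the one derived from the private key, the cert is
# still valid for at least 30 days, and it carries a DNS subjectAltName.
check_turn_cert() {
    cert="$1"; key="$2"
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    [ "$mode" = "600" ] || { echo "key $key is mode $mode, expected 600"; return 1; }
    certpub=$(openssl x509 -in "$cert" -noout -pubkey)
    keypub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ "$certpub" = "$keypub" ] || { echo "cert and key do not match"; return 1; }
    openssl x509 -in "$cert" -noout -checkend $((30 * 86400)) >/dev/null \
        || { echo "cert expires within 30 days"; return 1; }
    openssl x509 -in "$cert" -noout -text | grep -q 'DNS:' \
        || { echo "cert has no DNS subjectAltName"; return 1; }
    return 0
}
```

Run check_turn_cert again after every renewal; a mismatched or world-readable key is the usual reason a freshly rotated cert fails to come up on 5349.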
🧾 3. Update your turnserver.conf
Ensure these lines are set (uncommented):
cert=/usr/local/etc/turn_server_cert.pem
pkey=/usr/local/etc/turn_server_pkey.pem
tls-listening-port=5349
🔁 4. Restart the service
sudo systemctl restart turnserver
Then confirm it’s listening on port 5349:
sudo netstat -tulnp | grep 5349
To run turnserver as a system service on Linux (like CentOS, Ubuntu, or Kylin), you’ll want to create a systemd service unit for it. Here’s how to do it properly:
🛠️ 1. Create a systemd service file
Run this as root (or use sudo) to create the file:
sudo useradd --system --no-create-home --shell /usr/sbin/nologin turnserver
sudo vim /etc/systemd/system/turnserver.service
Paste the following content inside:
[Unit]
Description=Coturn TURN Server
After=network.target
[Service]
Type=simple
ExecStart=/usr/local/bin/turnserver -c /usr/local/etc/turnserver.conf
User=turnserver
Group=turnserver
Restart=on-failure
LimitNOFILE=4096
[Install]
WantedBy=multi-user.target
📦 2. Reload systemd and enable the service
sudo systemctl daemon-reexec
sudo systemctl daemon-reload
sudo systemctl enable turnserver
▶️ 3. Start and check the status
sudo systemctl start turnserver
sudo systemctl status turnserver
🔢 What’s UDP port 5349 for?
That’s the port for TURN over TLS. On TCP it carries TLS; on UDP the same port carries TURN over DTLS (TLS adapted to UDP):
- 3478/UDP = Standard TURN traffic (unencrypted)
- 5349/UDP or TCP = TURN traffic over TLS encryption
- Similar to how HTTPS is HTTP over TLS (port 443), 5349 is TURN-over-TLS.
- WebRTC or other clients may use this for secure NAT traversal.
If you want to support secure TURN connections (which is highly recommended in production), open 5349 as well. The two listing commands show the current rule order; the insert positions (7 for INPUT, 5 for OUTPUT) match the author’s chains, so read the listing and adjust them to yours. Note that these are ip6tables rules for UDP only; add the matching iptables rules for IPv4 and TCP rules if you also serve TURN over TLS on TCP:
sudo /sbin/ip6tables -L INPUT -v --line-numbers
sudo /sbin/ip6tables -L OUTPUT -v --line-numbers
sudo /sbin/ip6tables -I INPUT 7 -p udp --dport 5349 -j ACCEPT
sudo /sbin/ip6tables -I OUTPUT 5 -p udp --sport 5349 -j ACCEPT
sudo netfilter-persistent save
And make sure your /usr/local/etc/turnserver.conf has the corresponding config:
tls-listening-port=5349
cert=/usr/local/etc/turn_server_cert.pem
pkey=/usr/local/etc/turn_server_pkey.pem