For this guide, we'll be using the most featureful and battle-tested STUN/TURN server implementation – [`coturn`](https://github.com/coturn/coturn) – and the [`Ubuntu 20.04 LTS`](https://ubuntu.com/download/server) Linux distribution.
0. Obtain `stun.$YOUR_DOMAIN` and `turn.$YOUR_DOMAIN` certificates.
We're using [Let's Encrypt](https://letsencrypt.org/getting-started/).
1. Install the `coturn` package from the main repository.
```sh
apt update && apt install coturn
```
2. Uncomment `TURNSERVER_ENABLED=1` in `/etc/default/coturn`:
```sh
sed -i '/TURN/s/^#//g' /etc/default/coturn
```
3. Configure `coturn` in `/etc/turnserver.conf`:
See the comments for each individual option.
```sh
# Also listen on port 443 for TLS
alt-tls-listening-port=443
# Use fingerprints in the TURN messages
fingerprint
# Use long-term credentials mechanism
lt-cred-mech
# Your credentials
user=$YOUR_LOGIN:$YOUR_PASSWORD
# Your server domain
server-name=$YOUR_DOMAIN
# The default realm to be used for the users when no explicit origin/realm relationship was found
realm=$YOUR_DOMAIN
# Path to your certificates. Make sure they're readable by the coturn process user/group
cert=/var/lib/turn/cert.pem
pkey=/var/lib/turn/key.pem
# Use 2066 bits predefined DH TLS key
dh2066
# Log to journalctl
syslog
# User/group which will be running coturn service
proc-user=turnserver
proc-group=turnserver
# Disable weak encryption (turns off TLS 1.0, 1.1 and 1.2)
no-tlsv1
no-tlsv1_1
no-tlsv1_2
```
4. Start and enable the `coturn` service:
```sh
systemctl enable coturn && systemctl start coturn
```
5. Optionally, if using the `ufw` firewall, open the relevant ports:
- **3478** – "plain" TURN/STUN;
- **5349** – TURN/STUN over TLS;
- **443** – TURN/STUN over TLS, which can bypass firewalls;
- **49152:65535** – port range that Coturn will use by default for TURN relay.
That's it: you can now make audio and video calls via your own server, without sharing any data with our servers (other than the key exchange with your contact in E2E encrypted messages).
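
A pre-flight check for the `/etc/turnserver.conf` from step 3, worth running before the service is started in step 4. This is an added example, not part of the original guide or of coturn; the function names (`check_turn_conf`, `conf_value`, `conf_flag`) are made up here, and it only checks the options this guide sets.

```sh
#!/bin/sh
# Added example (not part of coturn): pre-flight check for the guide's turnserver.conf.
# Prints one line per problem; the return status is the number of problems.

# conf_value FILE KEY: print the value of the last uncommented "KEY=value" line
conf_value() {
    sed -n "s/^[[:space:]]*${2}=//p" "$1" | tail -n 1
}

# conf_flag FILE KEY: succeed if the bare option KEY is present and uncommented
conf_flag() {
    grep -Eq "^[[:space:]]*${2}[[:space:]]*\$" "$1"
}

check_turn_conf() {
    conf=$1
    problems=0
    fail() { echo "PROBLEM: $*"; problems=$((problems + 1)); }

    [ -r "$conf" ] || { echo "PROBLEM: cannot read $conf"; return 1; }

    # Bare options set in step 3
    for flag in fingerprint lt-cred-mech no-tlsv1 no-tlsv1_1 no-tlsv1_2; do
        conf_flag "$conf" "$flag" || fail "option '$flag' is missing"
    done

    # Values that must no longer hold the guide's $YOUR_... placeholders
    for key in user server-name realm; do
        value=$(conf_value "$conf" "$key")
        case $value in
            '')         fail "'$key' is not set" ;;
            *'$YOUR_'*) fail "'$key' still contains a placeholder" ;;
        esac
    done

    # Certificate and private key must exist at the configured paths
    for key in cert pkey; do
        path=$(conf_value "$conf" "$key")
        if [ -z "$path" ]; then
            fail "'$key' is not set"
        elif [ ! -f "$path" ]; then
            fail "'$key' points to a missing file: $path"
        fi
    done

    return "$problems"
}

# Usage: check_turn_conf /etc/turnserver.conf && systemctl start coturn
```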