STUN / TURN
The STUN / TURN checker probes STUN and TURN servers end-to-end. STUN and TURN are the NAT-traversal servers that real-time applications (WebRTC, voice and video) rely on to establish peer-to-peer media: STUN lets a host discover its public reflexive address, while TURN relays media when a direct path cannot be opened.
This is a service-level checker. It runs SRV discovery (or uses an explicit URI), checks TCP/UDP reachability and the TLS/DTLS handshake, issues a STUN binding request, verifies that the TURN server requires authentication, performs an authenticated TURN Allocate, and finally exercises the relay path with a CreatePermission + Send round-trip.
What it checks
| Rule | What it verifies | Severity |
|---|---|---|
stun_turn.discovery |
At least one STUN/TURN endpoint could be discovered (explicit URI or SRV lookup). | Critical |
stun_turn.srv_stun |
At least one STUN endpoint is available via SRV (_stun / _stuns) or explicit URI. |
Warning |
stun_turn.srv_turn |
At least one TURN endpoint is available via SRV (_turn / _turns) or explicit URI. |
Critical |
stun_turn.dial |
Every discovered endpoint accepts a connection (TCP/TLS handshake or UDP socket). | Critical |
stun_turn.tls_transport |
At least one TLS/DTLS transport (stuns / turns) succeeds when present. |
Critical |
stun_turn.ipv6_coverage |
At least one STUN/TURN hostname resolves to an IPv6 address. | Warning |
stun_turn.stun_binding |
The STUN Binding request receives a XOR-MAPPED-ADDRESS reply. | Critical |
stun_turn.reflexive_public |
Flags endpoints returning a private/loopback reflexive address (server unaware of its public IP). | Critical |
stun_turn.stun_latency |
Compares the STUN Binding RTT against the warning/critical thresholds. | Critical |
stun_turn.turn_open_relay |
The TURN server requires authentication (challenges an unauthenticated Allocate with 401). |
Critical |
stun_turn.turn_auth |
The supplied TURN credentials (or REST shared secret) yield a successful Allocate. |
Critical |
stun_turn.relay_public |
Flags TURN servers whose allocated relay address is private/loopback (missing public relay IP). | Critical |
stun_turn.relay_echo |
The TURN relay path can carry traffic to the configured probe peer (CreatePermission + Send). |
Warning |
Options
| Option | Meaning | Default |
|---|---|---|
| Zone | Zone used for SRV-based discovery (_stun._udp / _turn._udp / _turns._tcp) when no explicit URI is given. Filled in automatically. |
(auto-filled) |
| Server URI | Explicit STUN/TURN URI (RFC 7064/7065). Overrides SRV-based discovery. | — |
| Mode | auto probes both STUN and TURN; stun skips TURN allocation tests; turn requires TURN allocation. |
auto |
| TURN username | Username for long-term TURN credentials. | — |
| TURN password | Password for long-term TURN credentials (secret). | — |
| REST API shared secret | Shared secret to derive ephemeral credentials (draft-uberti-rtcweb-turn-rest); takes precedence over username/password (secret). | — |
| Realm | Optional explicit TURN realm. | — |
| Transports | Comma-separated transports to test among udp, tcp, tls, dtls. |
udp,tcp,tls |
| Relay echo target | host:port used to validate the relay path; a CreatePermission + Send is issued, no payload data is exchanged. |
1.1.1.1:53 |
| Also test ChannelBind | Additionally exercise ChannelBind through the relay connection. | false |
| RTT warning threshold (ms) | STUN Binding round-trip time above which a warning is raised. | 200 |
| RTT critical threshold (ms) | STUN Binding round-trip time above which a critical alert is raised. | 1000 |
| Per-probe timeout (s) | Time budget for each individual probe. | 5 |
Credentials are needed for the TURN tests
The authentication, relay-public and relay-echo rules only run when valid TURN credentials are provided — either a username/password pair or a REST API shared secret. Without them, the checker still validates discovery, reachability, TLS and STUN binding, but cannot exercise the TURN relay path.
In happyDomain
Enable this checker from the Checks tab of the relevant service; see /en/pages/checks/ for how to configure and schedule checks. The zone is filled in automatically; supply a server URI and TURN credentials as needed for your deployment.