Deploying a STUN Server with Coturn on UDP Port 443 with DTLS Encryption

In this tutorial, we will guide you through deploying a STUN server using Coturn on UDP port 443 with DTLS encryption.


Introduction

A STUN (Session Traversal Utilities for NAT) server helps establish direct communication between peers in situations where they are behind NAT (Network Address Translation) devices.

Coturn is an open-source STUN/TURN server that supports DTLS (Datagram Transport Layer Security) encryption. In this tutorial, we will guide you through deploying a STUN server using Coturn on UDP port 443 with DTLS encryption.

Note: This tutorial assumes you have a Linux server available and basic knowledge of working with the Linux command line.

Prerequisites:

  • A Linux server (Ubuntu 20.04 is used in this tutorial).
  • Root or superuser access to the server.
  • A domain name with a DNS record pointing to your server's IP address (e.g., stun.example.com).

Step 1: Update the System and Install Coturn

Ensure your server is up to date by running the following commands:

sudo apt update
sudo apt upgrade -y

Install Coturn using the package manager:

sudo apt install coturn

Enable Coturn to start on boot:

sudo systemctl enable coturn

Step 2: Configure Coturn for DTLS on Port 443

Open the Coturn configuration file for editing:

sudo nano /etc/turnserver.conf

Add or modify the following settings to enable DTLS on port 443 and bind the server to your IP address:

# Listen on port 443 for DTLS (the same port also serves TLS over TCP)
tls-listening-port=443

# Bind to your server's IP address (replace your_server_ip_address)
listening-ip=your_server_ip_address
external-ip=your_server_ip_address
relay-ip=your_server_ip_address

# DTLS listeners are enabled by default on tls-listening-port, so make sure
# no-dtls is not set anywhere in this file. Disable the obsolete TLSv1.0:
no-tlsv1

Make sure to replace your_server_ip_address with your server's actual IP address.

Save the configuration file and exit the text editor.

Step 3: Generate Let's Encrypt Certificates

First, update your DNS records: create an A or CNAME record for your STUN server's name (e.g., stun.example.com) pointing to your server's IP address.

To use Let's Encrypt certificates with Coturn, you'll need to install Certbot, which is a tool for obtaining and renewing Let's Encrypt SSL/TLS certificates.
Install Certbot using the following command:

sudo apt install certbot

Next, request a Let's Encrypt certificate for your domain:

sudo certbot certonly --standalone -d stun.example.com

Replace stun.example.com with your STUN server's domain name. Certbot will obtain the certificate and store it under /etc/letsencrypt/live/stun.example.com/. The --standalone plugin answers the validation challenge on port 80, so that port must be reachable from the internet and not in use while the request runs.

Open the Coturn configuration file again:

sudo nano /etc/turnserver.conf

Add or modify the following settings to specify the paths to your Let's Encrypt certificates:

# Specify the paths to your SSL/TLS certificates
cert=/etc/letsencrypt/live/stun.example.com/fullchain.pem
pkey=/etc/letsencrypt/live/stun.example.com/privkey.pem

Replace stun.example.com with your STUN server's domain name. Save the configuration file and exit the text editor.

Now, make sure that the user the Coturn service runs as has enough permissions on the Let's Encrypt directory. Check the User= line of the coturn systemd unit first: on Debian and Ubuntu packages this is typically turnserver rather than coturn, so adjust the owner below accordingly. Note that the files under live/ are symlinks into /etc/letsencrypt/archive/, which must be readable by the same user as well.

sudo chown -R coturn:coturn /etc/letsencrypt/live/stun.example.com/

Now that you've configured Coturn for DTLS on port 443, restart the service to apply the changes:

sudo systemctl restart coturn

Step 4: Test the STUN Server

You can test your STUN server's DTLS functionality using a STUN client or tool. There are many STUN test tools available online.

One popular option is "stunclient" from the STUNTMAN project (packaged as stuntman-client on Debian and Ubuntu), which you can install and run as follows:

sudo apt install stuntman-client
stunclient --protocol udp --verbosity 2 stun.example.com 443

Replace stun.example.com with your STUN server's domain name.

If the test is successful, you should see information about the server and its DTLS support.

You should see something like this (x.x.x.x = public IP of the STUN server, y.y.y.y = public IP of the client, while 172.20.10.3 is the private IP of the stun server):

{23-09-08 17:55}192:~/Desktop soufiane% stunclient --protocol udp --verbosity 2 stun.soufianebouchaara.com 443
Resolved stun.soufianebouchaara.com to x.x.x.x:0
config.fBehaviorTest = false
config.fFilteringTest = false
config.timeoutSeconds = 0
config.uMaxAttempts = 0
config.addrServer = x.x.x.x:443
socketconfig.addrLocal = 0.0.0.0:0
Sending message to x.x.x.x:443
Got response (84 bytes) from x.x.x.x:443 on interface 172.20.10.3:52895
Binding test: success
Local address: 172.20.10.3:52895
Mapped address: y.y.y.y:59128
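As an added example that is not part of the original post or the Coturn project, the following Python script does what stunclient does in the test above: it sends a STUN Binding Request (RFC 5389) over plain UDP to port 443 and decodes the XOR-MAPPED-ADDRESS from the reply, with a constructed sample response so the parsing can be checked offline. Like stunclient, it exercises the plain STUN path only and does not negotiate DTLS, so a successful binding proves the listener is reachable, not that the DTLS layer works; the hostname stun.example.com is this tutorial's placeholder.

```python
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442          # RFC 5389 fixed cookie
BINDING_REQUEST, BINDING_SUCCESS = 0x0001, 0x0101
MAPPED_ADDRESS, XOR_MAPPED_ADDRESS = 0x0001, 0x0020

def build_binding_request(txid):
    """20-byte STUN header: type, body length (0), magic cookie, 96-bit transaction id."""
    assert len(txid) == 12
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid

def parse_mapped_address(response, txid):
    """Return the (ip, port) the server saw, or None if the reply is not a valid match."""
    if len(response) < 20:
        return None
    msg_type, msg_len, cookie = struct.unpack("!HHI", response[:8])
    if msg_type != BINDING_SUCCESS or cookie != MAGIC_COOKIE or response[8:20] != txid:
        return None                      # wrong type, not STUN, or not our transaction
    body, pos, found = response[20:20 + msg_len], 0, {}
    while pos + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + attr_len]
        pos += 4 + ((attr_len + 3) & ~3)  # attribute values are padded to 4 bytes
        if attr_type in (MAPPED_ADDRESS, XOR_MAPPED_ADDRESS) and len(value) == 8 and value[1] == 1:
            port = struct.unpack("!H", value[2:4])[0]
            ip = value[4:8]
            if attr_type == XOR_MAPPED_ADDRESS:  # undo the XOR with the magic cookie (IPv4)
                port ^= MAGIC_COOKIE >> 16
                ip = bytes(a ^ b for a, b in zip(ip, struct.pack("!I", MAGIC_COOKIE)))
            found[attr_type] = (socket.inet_ntoa(ip), port)
    return found.get(XOR_MAPPED_ADDRESS) or found.get(MAPPED_ADDRESS)

def make_binding_response(txid, ip, port):
    """Build the Binding Success Response a server would send (constructed sample for offline use)."""
    xip = bytes(a ^ b for a, b in zip(socket.inet_aton(ip), struct.pack("!I", MAGIC_COOKIE)))
    attr = struct.pack("!HHBBH", XOR_MAPPED_ADDRESS, 8, 0, 1, port ^ (MAGIC_COOKIE >> 16)) + xip
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txid + attr

def stun_binding(host="stun.example.com", port=443, timeout=3.0):
    """Send one plain-UDP Binding Request (no DTLS) and return the reflexive (ip, port)."""
    txid = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_binding_request(txid), (host, port))
        data, _ = sock.recvfrom(1500)
    return parse_mapped_address(data, txid)
```

Against a live server, `stun_binding("stun.example.com")` returns the same mapped address that stunclient prints; to confirm the DTLS layer itself, a DTLS-capable client handshake is still required.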

Conclusion

Congratulations! You've successfully deployed a STUN server with Coturn on UDP port 443 with DTLS encryption.

This server can now be used to facilitate direct peer-to-peer communication for VoIP or other real-time communication applications behind NAT devices.