Is it feasible to run a TURN server behind NAT?
from hackysphere@lemmy.ca to selfhosted@lemmy.world on 15 Feb 06:37
https://lemmy.ca/post/60460741

I am running a defederated local Matrix server, and I need to set up calls. From what I can tell, the “legacy” calls require a STUN and TURN server, and the new MatrixRTC standard seems to require them as well for Livekit to work. However, I do not want to expose anything out to the public internet, as I want everything to be behind NAT for local access only (all of the clients for the server will also be behind the NATted network). I also have Tailscale running on my servers, and it would be useful if I would be able to connect to the TURN server even when not in the network. Is there a way to get STUN/TURN to work in this situation? It seems that all the servers expect to have public network access.

#selfhosted


LodeMike@lemmy.today on 15 Feb 06:39

The turn server must be able to access other nodes on the Internet and vice versa unless operating exclusively within your local matrix server.

hackysphere@lemmy.ca on 15 Feb 07:01

Oops, autocorrect seems to have messed up some of my words. All of the clients that connect to the servers are behind the same NATted network, and some are behind an additional level of NAT.

undrwater@lemmy.world on 15 Feb 07:14

This looks like a really good explanation of how all the pieces work: What Are STUN, TURN, and ICE? | LiveSwitch Server Documentation share.google/PV7BKE7Q56vOE9lHl

Based on what you wrote, it looks like you’ll need ICE hosts, but no STUN / TURN.

thelittleblackbird@lemmy.world on 15 Feb 08:09

IPv6, get an IPv6. There is no NAT in IPv6.

Aganim@lemmy.world on 15 Feb 08:29

Have I got news for you. ☹️

Edit: I’ll just add an ‘/s’ for good measure, as apparently I was too subtle. Be sensible, don’t do NAT66.

thelittleblackbird@lemmy.world on 15 Feb 08:41

What a lot of nonsense. Of course the technology exists and of course it can be done. But in reality it is not done because it simply doesn’t bring any benefit.

And in addition, an address translation is not NAT™ because the server can be hit from the outside.

Today in IPv4 we likely have 2 NATs, one at your router and the other at the carrier (CGNAT), and in IPv6 those are non-existent.

Aganim@lemmy.world on 15 Feb 09:48

It was meant tongue-in-cheek, you seem to be taking it much more seriously than I intended it to be. 🙂

But in reality it is not done because it simply doesn’t bring any benefit.

Fully agree that there is absolutely no benefit to NAT66, it only causes enormous headaches. I sincerely hope nobody uses it these days, this poor bastard however did manage to find a VPS provider that used NAT66 back in 2018: blog.apnic.net/2018/02/02/nat66-good-bad-ugly/ 🤢

thelittleblackbird@lemmy.world on 15 Feb 14:25

Fuck, there is a law on the internet (whose name I cannot recall) about the impossibility of distinguishing an ironic message.

I fell into that trap completely!!

Aganim@lemmy.world on 15 Feb 14:33

Haha, don’t worry, no harm done. Maybe I was a bit too subtle in hindsight.

That’s Poe’s Law by the way.

possiblylinux127@lemmy.zip on 15 Feb 19:22

Don’t NAT IPv6. It is bad in so many ways.

hackysphere@lemmy.ca on 15 Feb 17:04

Unfortunately my ISP doesn’t support IPv6 yet, both for the public internet and for my local network.

thelittleblackbird@lemmy.world on 15 Feb 18:39

Seems like a very reasonable reason to switch to another ISP that is well established in the 21st century.

hackysphere@lemmy.ca on 15 Feb 19:20

I live in a rural area, so my only options are dealing with a mobile hotspot for everything or getting satellite internet for more than double the price.

It’s also not worth it for me to switch internet providers just to have calls on my Matrix server work.

possiblylinux127@lemmy.zip on 15 Feb 19:21

Have you asked? It might be worth sending an email at least.

hackysphere@lemmy.ca on 15 Feb 19:35

They only seem to support it for business customers for now, not for consumer usage.

stratself@lemdro.id on 15 Feb 16:02

If you want a non-federating LAN-only Matrix server, then STUN/TURN can be behind the NAT. Since you have Tailscale, STUN/TURN can also be exposed on the Tailscale VPN. Just configure proper DNS records per interface and you should be fine.

Since calls are p2p, the purpose of STUN is to determine a client’s (usually public) IP address, and TURN is to relay the connection if they can’t connect directly (i.e. behind NAT). If your clients are on the same LAN/VPN with unrestrictive firewalls then you might not even need any STUN/TURN altogether.
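As an added example (not code from anyone in this thread): a minimal RFC 5389 STUN Binding client in Python that lets you verify the point above. It sends a Binding Request to a STUN server you run on the LAN or on the Tailscale interface (the server address and port 3478 are assumptions) and compares the XOR-MAPPED-ADDRESS the server reflects back with the socket's own local address; if they match, there is no NAT between that client and the server, so ICE host candidates suffice and a TURN relay is not needed for that path. The response encoder is a test helper so the parser can be exercised offline.

```python
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST, BINDING_RESPONSE = 0x0001, 0x0101
XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(txid: bytes = b"") -> tuple[bytes, bytes]:
    """Encode a Binding Request: 20-byte header, no attributes. Returns (message, txid)."""
    txid = txid or os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid, txid

def build_binding_response(txid: bytes, ip: str, port: int) -> bytes:
    """Encode a Binding Success Response with one IPv4 XOR-MAPPED-ADDRESS (offline test helper)."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    attr = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, 0x01, xport, xaddr)
    return struct.pack("!HHI", BINDING_RESPONSE, len(attr), MAGIC_COOKIE) + txid + attr

def parse_binding_response(data: bytes, txid: bytes) -> tuple[str, int]:
    """Return (ip, port) from the IPv4 XOR-MAPPED-ADDRESS of a response matching txid."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    mtype, length, cookie = struct.unpack("!HHI", data[:8])
    if mtype != BINDING_RESPONSE or cookie != MAGIC_COOKIE or data[8:20] != txid:
        raise ValueError("not a Binding Success Response for our transaction")
    body, pos = data[20:20 + length], 0
    while pos + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + alen]
        pos += 4 + ((alen + 3) & ~3)          # attribute values are padded to 4 bytes
        if atype == XOR_MAPPED_ADDRESS and len(value) >= 8 and value[1] == 0x01:
            xport, xaddr = struct.unpack("!HI", value[2:8])
            ip = socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE))
            return ip, xport ^ (MAGIC_COOKIE >> 16)
    raise ValueError("no IPv4 XOR-MAPPED-ADDRESS in response")

def check_nat(server: str, port: int = 3478, timeout: float = 2.0) -> dict:
    """Ask the STUN server what it sees; a mismatch with our local address means NAT in the path."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.connect((server, port))            # UDP connect only fixes the local address/port
        local = sock.getsockname()[:2]
        msg, txid = build_binding_request()
        sock.send(msg)
        reflexive = parse_binding_response(sock.recv(2048), txid)
    return {"local": local, "reflexive": reflexive, "nat": local != reflexive}
```

Run `check_nat("<stun-host>")` once from a LAN client and once over Tailscale; a `nat: False` result on both paths is the condition under which the relay can be skipped.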

Decronym@lemmy.decronym.xyz on 15 Feb 16:10

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

Fewer Letters | More Letters
DNS           | Domain Name Service/System
IP            | Internet Protocol
NAT           | Network Address Translation
VPN           | Virtual Private Network
VPS           | Virtual Private Server (opposed to shared hosting)

5 acronyms in this thread; the most compressed thread commented on today has 7 acronyms.

[Thread #96 for this comm, first seen 15th Feb 2026, 16:10]

Lyra_Lycan@lemmy.blahaj.zone on 15 Feb 16:57

I’m not qualified enough to answer that, but…

I tried setting up calls, and while STUN/TURN works on WAN but not LAN, Element is supposed to be making a replacement that makes voice and video calls entirely E2EE, aka Livekit, which I’ve completely failed to get working. So far I’ve given up on improving my instance’s features and stick to Element Classic. I hope you get it running well!

hackysphere@lemmy.ca on 15 Feb 17:04

I’m in the same situation: I can do “legacy” calls almost without issues, but Livekit has constant issues connecting to TURN.

possiblylinux127@lemmy.zip on 15 Feb 19:21

What do you need STUN for? If anything you might want TURN, but that is probably not needed if everything is on the same network.

hackysphere@lemmy.ca on 15 Feb 19:36

It’s apparently needed for “legacy” and the new MatrixRTC calls on Matrix.