How to secure a TURN server for WebRTC?

Question

I've just installed rfc5766-turn-server (https://code.google.com/p/rfc5766-turn-server/) on an Amazon server in order to relay my WebRTC calls.

Since authentication username and password will be distributed to every client in WebRTC iceServers, how can I ensure that only my clients use my TURN to relay their call?

Answer 1

You can use this instead https://code.google.com/p/coturn/. It's evolved from rfc5766-turn-server project.

Supported TURN authentication mechanisms:

• 'classic' long-term credentials mechanism;
• TURN REST API (a modification of the long-term mechanism, for time-limited secret-based authentication, for WebRTC applications: https://datatracker.ietf.org/doc/html/draft-uberti-behave-turn-rest-00)
• experimental third-party oAuth-based client authorization option