The configuration of Nextcloud Talk mainly depends on your desired usage:
If it is to be used only within one local network, nothing besides the app should be required. Just verify that all browsers support the underlying WebRTC protocol (all major ones do in their current versions) and you should be good to go. Browser support can be tested e.g. here: https://test.webrtc.org/
Talk tries to establish a direct peer-to-peer (P2P) connection. For connections beyond the local network (behind a NAT or router), clients therefore need to know not only each other's public IP but the participants' local IPs as well. Handling this is the job of a STUN server. As one is preconfigured for Nextcloud Talk, still nothing else needs to be done.
But in many cases, e.g. in combination with firewalls or symmetric NAT, a STUN server will not work either, and a so-called TURN server is required. In that case no direct P2P connection is established; all traffic is relayed through the TURN server, so additional (at least internal) traffic and resources are used.
Nextcloud Talk tries direct P2P first, uses STUN if needed and TURN as a last-resort fallback. To be most flexible and guarantee that your Nextcloud Talk instance works in all possible connection cases, you most probably want to set up a TURN server.
Install and set up coTURN as TURN server
1. Download and install
- On Debian and Ubuntu there are official repository packages available:
sudo apt install coturn
- For many other Linux distributions and UNIX-like systems, packages can be found on https://pkgs.org/download/coturn
- For all other cases check out the Downloads in the wiki of coTURN
2. Make coturn run as daemon on startup
On Debian and Ubuntu you just need to enable the deployed sysvinit service by adjusting the related environment variable:
sudo sed -i '/TURNSERVER_ENABLED/c\TURNSERVER_ENABLED=1' /etc/default/coturn
Since Debian Buster and Ubuntu disco the package ships a systemd unit, which does not use /etc/default/coturn but is enabled automatically on install. To check whether a systemd unit is available:
ls -l /lib/systemd/system/coturn.service
If you installed coTURN manually, you may want to create a sysvinit service or systemd unit, or use another method to run the following during boot:
/path/to/turnserver -c /path/to/turnserver.conf -o
-o starts the server in daemon mode,
-c defines the path to the config file.
- There is also an official example available at https://github.com/coturn/coturn/blob/master/examples/etc/coturn.service
3. Configure turnserver.conf for usage with Nextcloud Talk
- Next you need to adjust the coTURN configuration file to work with Nextcloud Talk.
Choose the listening port (default is 3478) and an authentication secret, for which a random hex string is recommended:
openssl rand -hex 32
Then uncomment/edit the following settings accordingly:
    listening-port=<yourChosenPortNumber>
    fingerprint
    lt-cred-mech # Only on coTURN below v22.214.171.124!
    use-auth-secret
    static-auth-secret=<yourChosen/GeneratedSecret>
    realm=your.domain.org
    total-quota=100
    bps-capacity=0
    stale-nonce
    no-loopback-peers # Only on coTURN below v126.96.36.199!
    no-multicast-peers
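A quick way to check an edited turnserver.conf against the settings listed above, as an added example (not part of the original guide or of coTURN). The function names, the finding strings and both sample files are constructed for illustration.

```python
import re

# Flags the guide's turnserver.conf snippet enables for Nextcloud Talk.
REQUIRED_FLAGS = ("fingerprint", "use-auth-secret", "stale-nonce", "no-multicast-peers")

def parse_turnserver_conf(text):
    """Return {directive: value or True}; blank lines and # comments are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # also drops trailing comments
        if not line:
            continue
        key, sep, value = line.partition("=")
        settings[key.strip()] = value.strip() if sep else True
    return settings

def audit(settings):
    """Return a list of findings; an empty list means every check passed."""
    findings = [f"missing: {flag}" for flag in REQUIRED_FLAGS if flag not in settings]
    secret = settings.get("static-auth-secret")
    if not isinstance(secret, str) or not secret:
        findings.append("missing: static-auth-secret")
    elif not re.fullmatch(r"[0-9a-f]{64}", secret):
        findings.append("check: static-auth-secret is not `openssl rand -hex 32` output")
    port = settings.get("listening-port")
    if not (isinstance(port, str) and port.isdigit() and 0 < int(port) < 65536):
        findings.append("invalid: listening-port")
    if settings.get("realm") in (None, True, "", "your.domain.org"):
        findings.append("placeholder: realm")
    return findings

# Constructed sample files (the secret is a dummy value, not a real one).
GOOD_CONF = """\
listening-port=3478
fingerprint
use-auth-secret
static-auth-secret=""" + "0123456789abcdef" * 4 + """
realm=talk.example.org
stale-nonce
no-multicast-peers  # trailing comment
"""
BAD_CONF = """\
listening-port=3478
fingerprint
use-auth-secret
static-auth-secret=<yourChosen/GeneratedSecret>
realm=your.domain.org
"""

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, audit(parse_turnserver_conf(conf)))
```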
(D)TLS is currently not supported by Nextcloud Talk and does not have any real security benefit anyway. See the following discussions why (D)TLS for TURN has no real security benefit and why Nextcloud Talk is not supporting it:
If your TURN server is not running behind a NAT, but has a direct internet connection and a static public IP, then you can limit the IPs it listens at and answers with, by setting those as relay-ip. On larger deployments it is recommended to run your TURN server on a dedicated machine that is directly accessible from the internet.
The following settings can be used to adjust the logging behaviour. On SBCs with SD cards you may want to adjust this, as by default coTURN logs very verbosely. The config file explains everything very well:
    no-stdout-log
    log-file=...
    syslog
    simple-log
Finally, restart coTURN: sudo systemctl restart coturn (or the corresponding restart method for your system)
4. Configure Nextcloud Talk to use your TURN server
Go to Nextcloud admin panel > Talk settings. Btw. if you already have your own TURN server, you can and may want to use it as STUN server as well:
- STUN servers: your.domain.org:<yourChosenPortNumber>
- TURN server: your.domain.org:<yourChosenPortNumber>
- TURN secret: <yourChosen/GeneratedSecret>
- Protocol: UDP and TCP
Do not add the turn(s):// protocol prefix here, just enter the bare domain:port. Nextcloud Talk adds the required turn:// protocol internally to the request.
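How the TURN secret entered here relates to use-auth-secret and static-auth-secret in turnserver.conf, as an added example (not code from Nextcloud Talk or coTURN): with use-auth-secret, coTURN accepts time-limited credentials whose username starts with an expiry timestamp and whose password is the base64 HMAC-SHA1 of that username, keyed with the shared secret. The user label, TTL and sample secret are constructed, and the server-side check is simplified to a direct comparison.

```python
import base64
import hashlib
import hmac
import time

def derive_password(secret, username):
    # The secret string itself (not its hex-decoded bytes) is the HMAC key.
    mac = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def make_turn_credentials(secret, user="talk-user", ttl=86400, now=None):
    """Issuer side: what an application server hands to a WebRTC client."""
    now = int(time.time()) if now is None else now
    username = f"{now + ttl}:{user}"  # expiry timestamp, then a label
    return username, derive_password(secret, username)

def verify_turn_credentials(secret, username, password, now=None):
    """TURN server side, simplified: re-derive the password and check expiry."""
    now = int(time.time()) if now is None else now
    try:
        expiry = int(username.split(":", 1)[0])
    except ValueError:
        return False  # username does not start with a timestamp
    if expiry < now:
        return False  # credential lifetime is over
    expected = derive_password(secret, username)
    return hmac.compare_digest(expected.encode(), password.encode())

# Constructed secret in the format produced by `openssl rand -hex 32`.
SAMPLE_SECRET = "0123456789abcdef" * 4

if __name__ == "__main__":
    name, pw = make_turn_credentials(SAMPLE_SECRET, ttl=60)
    print(name, pw, verify_turn_credentials(SAMPLE_SECRET, name, pw))
```

Anyone who holds the secret can mint valid relay credentials, so it should be random and known only to coTURN and the Nextcloud server.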
5. Port opening/forwarding
- The TURN server on <yourChosenPortNumber> needs to be accessible for all Talk participants, so you need to open it to the web and, if your TURN server is running behind a NAT, forward it to the related machine.
Nextcloud Talk's WebRTC handling is still mostly based on the one from the Spreed.ME WebRTC solution. For this reason, all guides about how to configure coTURN for it apply to Nextcloud Talk too.
If you need to use Talk with more than 5-10 users, you will need the Spreed High Performance Back-end from Nextcloud GmbH. Check the website for details.