Install coturn on your server and open UDP/TCP port 3478 (STUN/TURN), port 5349 (TLS), and the relay port range 49152-65535 in your firewall.
Edit /etc/turnserver.conf: set listening-ip to your server's private IP, external-ip to its public IP, set min-port and max-port to your relay range, and configure realm and the TURN credential (set the shared secret or static username/credential from your dashboard).
Enable TLS by pointing tls-cert and tls-pkey at your certificate and key files, then restart the coturn service.
In your WebRTC client, supply the ICE server list with both a stun: URL and a turn: URL referencing your server; generate per-user short-lived TURN credentials using HMAC-SHA1 over the username and your shared secret rather than storing static credentials.
Test connectivity with a WebRTC ICE candidate trickle test or the Trickle ICE tool at https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/ and confirm relay candidates appear.
Monitor relay usage via coturn's built-in STUN/TURN statistics REST endpoint (enable it in config) and set per-user bandwidth quotas to prevent abuse.
Known gotchas
If external-ip is not set to the correct public IP, relay candidates will be unreachable from the internet even if STUN candidates succeed.
The relay port range (default 49152-65535) must be fully open in both the OS firewall and any cloud security group; partially open ranges cause intermittent connection failures.
Short-lived TURN credentials derived from HMAC-SHA1 expire after the TTL you set; clients must re-fetch credentials before expiry or calls will drop on reconnect.
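The short-lived credential step and the expiry gotcha above, as an added example (not code from the original page or from coturn). It assumes coturn runs with use-auth-secret and static-auth-secret, where the username is "<unix expiry>:<user id>" and the credential is base64(HMAC-SHA1(secret, username)); the hostname and secret are constructed placeholders.

```python
import base64
import hashlib
import hmac
import time

# Constructed sample values (assumptions, not from the page).
SHARED_SECRET = "example-shared-secret"  # must equal static-auth-secret on the server
TURN_HOST = "turn.example.org"           # hypothetical hostname


def _mac(secret, username):
    digest = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def make_turn_credentials(user_id, secret, ttl=3600, now=None):
    """Username is '<unix expiry>:<user id>'; credential is base64(HMAC-SHA1)."""
    expiry = int(time.time() if now is None else now) + ttl
    username = f"{expiry}:{user_id}"
    return username, _mac(secret, username)


def verify_turn_credentials(username, credential, secret, now=None):
    """Server-side view: MAC must match and the expiry must be in the future."""
    expiry, sep, _user = username.partition(":")
    if not sep or not (expiry.isascii() and expiry.isdigit()):
        return False
    if not hmac.compare_digest(_mac(secret, username).encode(), credential.encode()):
        return False
    return int(expiry) > int(time.time() if now is None else now)


def ice_servers(user_id, secret, host=TURN_HOST, ttl=3600, now=None):
    """iceServers list for the client's RTCPeerConnection configuration."""
    username, credential = make_turn_credentials(user_id, secret, ttl, now)
    return [
        {"urls": f"stun:{host}:3478"},
        {"urls": [f"turn:{host}:3478", f"turns:{host}:5349"],
         "username": username, "credential": credential},
    ]


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed clock value
    user, cred = make_turn_credentials("alice", SHARED_SECRET, ttl=600, now=t0)
    print(user, cred)
    print(verify_turn_credentials(user, cred, SHARED_SECRET, now=t0 + 599))  # still valid
    print(verify_turn_credentials(user, cred, SHARED_SECRET, now=t0 + 600))  # expired
    print(ice_servers("alice", SHARED_SECRET, now=t0))
```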