ICE vs STUN vs TURN — Complete WebRTC Networking Guide for Developers

Quick links (MYLINEHUB series format)

• Why WebRTC calls fail behind NAT (TURN fix)
• Janus WebRTC gateway install (production)
• Website voice button → Janus → Asterisk → AI bot (architecture)

This article is foundational. It explains “why” first, then gives practical setups and debugging.

ICE is the plan

ICE is like saying: “Let’s try every possible way to exchange notes: through the front door, through the back door, through the mail room, and if all fails we will meet at a café.”

ICE tries multiple candidate routes and picks the first one that works reliably.

STUN is the “public door address” lookup

STUN is like asking a receptionist outside your building: “When people from outside send mail to me, what address do they actually use?”

Many buildings rewrite internal room numbers into a public mailbox number. STUN reveals that.

TURN is the fallback meeting place

If the buildings are too strict and won’t allow direct note passing, TURN says: “Okay, both of you send your notes to the same café (relay), and the café staff will forward them.”

TURN costs money because every note goes through the café (server bandwidth).

Why do we need all this?

Because the internet is not one simple open road. Most users are behind NAT, carrier NAT, or corporate firewalls that block inbound traffic by default.

WebRTC must succeed across real-world networks—ICE/STUN/TURN are how it does that.

ICE step A: Gather candidates

• Host candidates: local IPs (e.g., 192.168.x.x, 10.x.x.x)
• Server-reflexive candidates: public mapped address learned via STUN (srflx)
• Relay candidates: addresses allocated on TURN (relay)

Candidates are simply “possible addresses where I might receive media”.

ICE step B: Exchange candidates

Browsers exchange candidates through signaling (your app’s WebSocket/HTTP flow). ICE does not define signaling; your product does.

Signaling is just “how the two peers share their candidate lists”.

ICE step C: Connectivity checks

ICE then tests candidate pairs: “If I send to your candidate, do you receive it and respond?” This is why ICE can automatically pick the working path.

Think of it like trying multiple phone numbers until someone answers.

ICE chooses the best working path

• Direct path is preferred (lower latency, no relay cost)
• If direct fails, TURN relay is used
• The chosen path can be observed in WebRTC stats (srflx/relay)

Many teams discover TURN is needed only after checking how many calls end up using relay in real traffic.

STUN in plain steps

1. Your browser sends a STUN request to a STUN server on the internet.
2. The STUN server sees the public source IP:port it came from.
3. The STUN server replies: “I saw you as 203.0.113.9:52344”.
4. Your browser uses that as a server-reflexive (srflx) candidate.

“Reflexive” here means: “I learned it by looking in a mirror (the STUN server).”

When STUN is enough

• Home routers with “friendly NAT” behavior
• Networks that allow UDP for WebRTC
• No strict inbound policies blocking the mapped ports

Many casual WebRTC demos succeed with STUN-only because they’re tested on friendly networks.

TURN in plain steps

1. Your browser asks the TURN server: “Please allocate me a relay address.”
2. TURN replies with a relay IP:port that is reachable from the internet.
3. Your browser sends media to that relay address.
4. The TURN server forwards media to the other side (and vice versa).

TURN is like a mail forwarding office.

Why TURN costs money

• All media passes through TURN (bandwidth usage)
• More concurrent calls = more relay traffic
• TURN must be close to users/edge servers to reduce latency

If your “Talk to Bot” button is important, TURN is not optional—it’s the cost of reliability.

TURN is often required when

• Users are on corporate networks with strict firewall policies
• Users are on mobile networks with carrier-grade NAT
• UDP is blocked or shaped badly
• Symmetric NAT prevents stable mappings
• Hotel Wi-Fi or public Wi-Fi blocks peer connectivity

Common myths (and the reality)

• Myth: “STUN is enough for everyone.”
  Reality: STUN improves success, doesn’t guarantee it.
• Myth: “TURN is only for video calls.”
  Reality: audio calls can also need TURN.
• Myth: “If ICE connects, audio always works.”
  Reality: ICE can connect but codec/media routing issues can still cause no-audio.

Using public STUN: when it’s okay

• Prototyping and development
• Low traffic applications
• You accept that the service is not “yours” (no business SLA)

STUN traffic is small. It’s mostly “discovery”, not media relay.

Why public STUN is not your reliability plan

• It does not provide relaying (TURN does)
• Policies, rate limits, availability can change
• You have limited observability when users fail

For production reliability, run TURN (and optionally your own STUN as part of TURN).

Browser ICE config (what you actually pass to WebRTC)

The browser needs a list of ICE servers. That list includes STUN and TURN. ICE will decide which candidates win.

// Browser-side (example)
const iceServers = [
  // STUN helps discover srflx candidates
  { urls: ["stun:stun.l.google.com:19302"] },

  // TURN provides relay candidates (reliability)
  {
    urls: [
      "turn:turn.example.com:3478?transport=udp",
      "turn:turn.example.com:3478?transport=tcp",
      "turns:turn.example.com:5349?transport=tcp"
    ],
    username: "<short-lived-username>",
    credential: "<short-lived-password>"
  }
];

const pc = new RTCPeerConnection({
  iceServers,
  // optional:
  // iceTransportPolicy: "all",   // try direct + relay
  // iceTransportPolicy: "relay"  // force TURN only (useful for strict environments)
});

TURN deployment pattern (simple architecture)

• Run coturn (TURN server) on a public IP in the same region as your WebRTC edge (e.g., Janus).
• Expose 3478 UDP/TCP and 5349 TCP (if using TLS).
• Expose a defined relay port range (so firewall rules are clear).
• Generate ephemeral credentials from your backend per call session.

If the call never connects

• Check browser console for iceConnectionState = failed
• Verify TURN credentials are valid and not expired
• Verify TURN ports are open (3478/5349 + relay range)
• Try forcing TURN only (iceTransportPolicy: "relay")

If TURN-only fails, it’s almost always firewall/ports/DNS/TLS issues on TURN.

If it connects but audio/video is missing

• Check selected candidate type (relay vs srflx) in stats
• Check if media is muted / track not added
• Check codecs negotiation (Opus vs something else)
• Check server-side gateway bridging (Janus ↔ SIP ↔ PBX) if using SIP

ICE “connected” only means a path exists. Media can still fail due to codec or routing mistakes.

Protocol references (authoritative)

• TURN (Traversal Using Relays around NAT) — RFC 5766: https://www.rfc-editor.org/info/rfc5766
• ICE (Interactive Connectivity Establishment) — RFC 5245 (historical baseline): https://www.rfc-editor.org/info/rfc5245

The RFCs are technical, but they’re the source of truth when debugging edge cases.

MYLINEHUB related articles (same URL format)

• https://mylinehub.com/articles/why-webrtc-calls-fail-behind-nat-turn-fix
• https://mylinehub.com/articles/janus-webrtc-gateway-installation-ubuntu-production
• https://mylinehub.com/articles/webrtc-website-voice-button-ai-bot-architecture