Preparing Openfire for Audio/Video calls with Conversations

Hi Jan,

Thanks for taking the time to write this guide. You’re right: we need better documentation for this. I’ve created a new ticket for this to be added.

If you (or anyone else) is interested in helping to create that: it is easily added to Openfire’s source code. Specifically, a new HTML page should be created (and linked to) in this folder: Openfire/documentation at main · igniterealtime/Openfire · GitHub

Actually, the “* Set the local IP on which the server should listen (optional)” is wrong.
Without setting the correct external IP, your TURN server will not work.
Your calls are all probably connecting via STUN (always works, even with the wrong password) or via IPv6 (P2P) with no server in the middle whatsoever.
Also, TCP is not needed.
Also, you don't need separate entries for TURN and STUN (in Eturnal, 100% sure). You just set it as “TURN”, and if the connection is possible via STUN the server will automatically only use STUN.

Thanks for pointing out the ambiguity.

As mentioned in my text I have two NICs in my server, one of them exposed / in my DMZ → I configured Eturnal to listen to this exposed interface only. That’s what I intended to communicate here.

The external server IP is another configuration point. You can let Eturnal detect it automatically (default setting) or manually add your public IP (which I did).

Thanks also for the info concerning the configuration of the “External Service Discovery” only requiring the UDP / TURN setting. I’ll give that a try.

Yes, I didn't mean to rain on your parade. It is just that if we are leaving documentation for other people to follow, it is better to be as accurate as possible :grinning:.
Also, the next ones are not mistakes on your part, just a couple of improvements based on my experience running TURN servers.
First: if I were you I would not use “3478”; this port is like a light in the deep dark ocean. And as I said before, people will always be able to use your STUN with or without a password, meaning it is best to pick something else randomly (probably higher) so you don't suffer too many automated attacks.
Second: you don't have to actually DMZ the whole machine. As long as you port-forward 3478 (or substitute)/UDP and the range Eturnal default: 49152:65535/UDP, it will work normally.

Hmm, I would have liked to update my original post to keep all the info in one place but alas it seems I can no longer update that.

Thanks zoidberg, I can confirm that the whole thing still works with only a single entry in the “External Service Discovery Plugin”.

I also followed zoidberg's advice and set a non-standard port for the STUN server. I set 50000 instead of the default 3478. I set the 50000 port in the Eturnal config file (eturnal.yml), changed my firewall settings accordingly, and also adapted the “External Service Discovery” plugin.

So the only entry in my “External Service Discovery” plugin is now:

1.) Host IP; 50000; Description; UDP; TURN; Shared secret (as configured in eturnal.yml)

Calls are still connecting fine.

Since you used 50000, I recommend you adjust your min port range too. Since the Eturnal default is 49152:65535, your 50000 might, you know, conflict with the range. Or, you know, just set it to lower than 49152 :grinning:

Yes of course, I did adjust the relay port range. So I set the STUN port to 50000 and the relay ports to 50001-51000.

That actually leads me to a question I have: How many relay ports are actually necessary for a small “family size” installation?

It depends. First we need to take into consideration that not all calls require TURN; most calls will do fine with STUN only (only 1 port used in this case). But if, let's say, TURN is really needed for certain calls, TURN uses several ports per call. It will depend on how big a family you have, how many of them will be using calls at the same time, and which ones will really need TURN. If not too many, I think you will be fine with your range.

Does anyone know if it's possible to install coturn on the same server as Openfire? Or should it be a dedicated server?

As long as your machine is not under heavy load this is not a problem.

Note that the positioning of a TURN server in your network is quite important. For the best performance, all intended users have direct access to it (meaning: without having to go through things like NAT). This may make it impractical to install the server on the same host as the one that is running Openfire.
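
The settings this thread arrives at, collected into one eturnal.yml fragment as an added example (not any poster's actual file): the listener moved from the default 3478 to 50000/UDP, and the relay range narrowed to 50001-51000 so the two cannot overlap. Both IP addresses and the secret are placeholders.

```yaml
# eturnal.yml: constructed example; addresses and secret are placeholders.
eturnal:
  # Shared secret. The same value goes into the "Shared secret" field of
  # the single TURN/UDP entry in Openfire's External Service Discovery.
  secret: "REPLACE-WITH-LONG-RANDOM-SECRET"

  # Public (external) IPv4 address of the server. eturnal autodetects it
  # when this is unset; set it manually if detection picks the wrong one.
  relay_ipv4_addr: "203.0.113.4"    # placeholder (documentation range)

  listen:
    - ip: "192.0.2.10"    # placeholder: bind to the exposed interface only
      port: 50000         # non-standard port; the default is 3478
      transport: udp      # UDP only, no TCP listener

  # Relay port range. The default 49152-65535 would contain the listener
  # port 50000, so the range starts directly above it.
  relay_min_port: 50001
  relay_max_port: 51000

# Matching firewall / port-forward rules (UDP only):
#   50000/udp          STUN/TURN listener
#   50001-51000/udp    relay ports
```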