From e01998815e64660ea41535cb57b9dbab3c44f83b Mon Sep 17 00:00:00 2001
From: Misha Bragin <bangvalo@gmail.com>
Date: Tue, 20 Jan 2026 19:01:34 +0100
Subject: [PATCH] [infra] add embedded STUN to getting started (#5141)

---
 infrastructure_files/getting-started.sh | 139 ++++++------------------
 1 file changed, 34 insertions(+), 105 deletions(-)

diff --git a/infrastructure_files/getting-started.sh b/infrastructure_files/getting-started.sh
index 8676840a6..25599997c 100755
--- a/infrastructure_files/getting-started.sh
+++ b/infrastructure_files/getting-started.sh
@@ -82,16 +82,6 @@ read_nb_domain() {
   return 0
 }
 
-get_turn_external_ip() {
-  TURN_EXTERNAL_IP_CONFIG="#external-ip="
-  IP=$(curl -s -4 https://jsonip.com | jq -r '.ip')
-  if [[ "x-$IP" != "x-" ]]; then
-    TURN_EXTERNAL_IP_CONFIG="external-ip=$IP"
-  fi
-  echo "$TURN_EXTERNAL_IP_CONFIG"
-  return 0
-}
-
 read_reverse_proxy_type() {
   echo "" > /dev/stderr
   echo "Which reverse proxy will you use?" > /dev/stderr
@@ -249,14 +239,17 @@ initialize_default_values() {
   NETBIRD_PORT=80
   NETBIRD_HTTP_PROTOCOL="http"
   NETBIRD_RELAY_PROTO="rel"
-  TURN_USER="self"
-  TURN_PASSWORD=$(openssl rand -base64 32 | sed "$SED_STRIP_PADDING")
   NETBIRD_RELAY_AUTH_SECRET=$(openssl rand -base64 32 | sed "$SED_STRIP_PADDING")
   # Note: DataStoreEncryptionKey must keep base64 padding (=) for Go's base64.StdEncoding
   DATASTORE_ENCRYPTION_KEY=$(openssl rand -base64 32)
-  TURN_MIN_PORT=49152
-  TURN_MAX_PORT=65535
-  TURN_EXTERNAL_IP_CONFIG=$(get_turn_external_ip)
+  NETBIRD_STUN_PORT=3478
+
+  # Docker images
+  CADDY_IMAGE="caddy"
+  DASHBOARD_IMAGE="netbirdio/dashboard:latest"
+  SIGNAL_IMAGE="netbirdio/signal:latest"
+  RELAY_IMAGE="netbirdio/relay:latest"
+  MANAGEMENT_IMAGE="netbirdio/management:latest"
 
   # Reverse proxy configuration
   REVERSE_PROXY_TYPE="0"
@@ -320,7 +313,7 @@ check_existing_installation() {
     echo "Generated files already exist, if you want to reinitialize the environment, please remove them first."
     echo "You can use the following commands:"
     echo "  $DOCKER_COMPOSE_COMMAND down --volumes # to remove all containers and volumes"
-    echo "  rm -f docker-compose.yml Caddyfile dashboard.env turnserver.conf management.json relay.env nginx-netbird.conf caddyfile-netbird.txt npm-advanced-config.txt"
+    echo "  rm -f docker-compose.yml Caddyfile dashboard.env management.json relay.env nginx-netbird.conf caddyfile-netbird.txt npm-advanced-config.txt"
     echo "Be aware that this will remove all data from the database, and you will have to reconfigure the dashboard."
     exit 1
   fi
@@ -363,7 +356,6 @@ generate_configuration_files() {
   # Common files for all configurations
   render_dashboard_env > dashboard.env
   render_management_json > management.json
-  render_turn_server_conf > turnserver.conf
   render_relay_env > relay.env
   return 0
 }
@@ -487,34 +479,13 @@ EOF
   return 0
 }
 
-render_turn_server_conf() {
-  cat <<EOF
-listening-port=3478
-$TURN_EXTERNAL_IP_CONFIG
-tls-listening-port=5349
-min-port=$TURN_MIN_PORT
-max-port=$TURN_MAX_PORT
-fingerprint
-lt-cred-mech
-user=$TURN_USER:$TURN_PASSWORD
-realm=wiretrustee.com
-cert=/etc/coturn/certs/cert.pem
-pkey=/etc/coturn/private/privkey.pem
-log-file=stdout
-no-software-attribute
-pidfile="/var/tmp/turnserver.pid"
-no-cli
-EOF
-  return 0
-}
-
 render_management_json() {
   cat <<EOF
 {
     "Stuns": [
         {
             "Proto": "udp",
-            "URI": "stun:$NETBIRD_DOMAIN:3478"
+            "URI": "stun:$NETBIRD_DOMAIN:$NETBIRD_STUN_PORT"
         }
     ],
     "Relay": {
@@ -569,6 +540,9 @@ NB_LOG_LEVEL=info
 NB_LISTEN_ADDRESS=:80
 NB_EXPOSED_ADDRESS=$NETBIRD_RELAY_PROTO://$NETBIRD_DOMAIN:$NETBIRD_PORT
 NB_AUTH_SECRET=$NETBIRD_RELAY_AUTH_SECRET
+NB_ENABLE_STUN=true
+NB_STUN_LOG_LEVEL=info
+NB_STUN_PORTS=$NETBIRD_STUN_PORT
 EOF
   return 0
 }
@@ -578,7 +552,7 @@ render_docker_compose() {
 services:
   # Caddy reverse proxy
   caddy:
-    image: caddy
+    image: $CADDY_IMAGE
     container_name: netbird-caddy
     restart: unless-stopped
     networks: [netbird]
@@ -597,7 +571,7 @@ services:
 
   # UI dashboard
   dashboard:
-    image: netbirdio/dashboard:latest
+    image: $DASHBOARD_IMAGE
     container_name: netbird-dashboard
     restart: unless-stopped
     networks: [netbird]
@@ -611,7 +585,7 @@ services:
 
   # Signal
   signal:
-    image: netbirdio/signal:latest
+    image: $SIGNAL_IMAGE
     container_name: netbird-signal
     restart: unless-stopped
     networks: [netbird]
@@ -621,12 +595,14 @@ services:
         max-size: "500m"
         max-file: "2"
 
-  # Relay
+  # Relay (includes embedded STUN server)
   relay:
-    image: netbirdio/relay:latest
+    image: $RELAY_IMAGE
     container_name: netbird-relay
     restart: unless-stopped
     networks: [netbird]
+    ports:
+      - '$NETBIRD_STUN_PORT:$NETBIRD_STUN_PORT/udp'
     env_file:
       - ./relay.env
     logging:
@@ -637,7 +613,7 @@ services:
 
   # Management (includes embedded IdP)
   management:
-    image: netbirdio/management:latest
+    image: $MANAGEMENT_IMAGE
     container_name: netbird-management
     restart: unless-stopped
     networks: [netbird]
@@ -659,22 +635,6 @@ services:
         max-size: "500m"
         max-file: "2"
 
-  # Coturn, AKA TURN server
-  coturn:
-    image: coturn/coturn
-    container_name: netbird-coturn
-    restart: unless-stopped
-    volumes:
-      - ./turnserver.conf:/etc/turnserver.conf:ro
-    network_mode: host
-    command:
-      - -c /etc/turnserver.conf
-    logging:
-      driver: "json-file"
-      options:
-        max-size: "500m"
-        max-file: "2"
-
 volumes:
   netbird_caddy_data:
   netbird_management:
@@ -702,7 +662,7 @@ render_docker_compose_traefik() {
 services:
   # UI dashboard
   dashboard:
-    image: netbirdio/dashboard:latest
+    image: $DASHBOARD_IMAGE
     container_name: netbird-dashboard
     restart: unless-stopped
     networks: [$network_name]
@@ -724,7 +684,7 @@ $(if [[ -n "$tls_labels" ]]; then echo "      - traefik.http.routers.netbird-das
 
   # Signal
   signal:
-    image: netbirdio/signal:latest
+    image: $SIGNAL_IMAGE
     container_name: netbird-signal
     restart: unless-stopped
     networks: [$network_name]
@@ -751,12 +711,14 @@ $(if [[ -n "$tls_labels" ]]; then echo "      - traefik.http.routers.netbird-sig
         max-size: "500m"
         max-file: "2"
 
-  # Relay
+  # Relay (includes embedded STUN server)
   relay:
-    image: netbirdio/relay:latest
+    image: $RELAY_IMAGE
     container_name: netbird-relay
     restart: unless-stopped
     networks: [$network_name]
+    ports:
+      - '$NETBIRD_STUN_PORT:$NETBIRD_STUN_PORT/udp'
     env_file:
       - ./relay.env
     labels:
@@ -774,7 +736,7 @@ $(if [[ -n "$tls_labels" ]]; then echo "      - traefik.http.routers.netbird-rel
 
   # Management (includes embedded IdP)
   management:
-    image: netbirdio/management:latest
+    image: $MANAGEMENT_IMAGE
     container_name: netbird-management
     restart: unless-stopped
     networks: [$network_name]
@@ -827,24 +789,6 @@ $(if [[ -n "$tls_labels" ]]; then echo "      - traefik.http.routers.netbird-oau
         max-size: "500m"
         max-file: "2"
 
-  # Coturn, AKA TURN server
-  coturn:
-    image: coturn/coturn
-    container_name: netbird-coturn
-    restart: unless-stopped
-    volumes:
-      - ./turnserver.conf:/etc/turnserver.conf:ro
-    network_mode: host
-    labels:
-      - traefik.enable=false
-    command:
-      - -c /etc/turnserver.conf
-    logging:
-      driver: "json-file"
-      options:
-        max-size: "500m"
-        max-file: "2"
-
 volumes:
   netbird_management:
 
@@ -874,7 +818,7 @@ render_docker_compose_exposed_ports() {
 services:
   # UI dashboard
   dashboard:
-    image: netbirdio/dashboard:latest
+    image: $DASHBOARD_IMAGE
     container_name: netbird-dashboard
     restart: unless-stopped
     networks: ${networks}
@@ -890,7 +834,7 @@ services:
 
   # Signal
   signal:
-    image: netbirdio/signal:latest
+    image: $SIGNAL_IMAGE
     container_name: netbird-signal
     restart: unless-stopped
     networks: ${networks}
@@ -903,14 +847,15 @@ services:
         max-size: "500m"
         max-file: "2"
 
-  # Relay
+  # Relay (includes embedded STUN server)
   relay:
-    image: netbirdio/relay:latest
+    image: $RELAY_IMAGE
     container_name: netbird-relay
     restart: unless-stopped
     networks: ${networks}
     ports:
       - '${bind_addr}:${RELAY_HOST_PORT}:80'
+      - '$NETBIRD_STUN_PORT:$NETBIRD_STUN_PORT/udp'
     env_file:
       - ./relay.env
     logging:
@@ -921,7 +866,7 @@ services:
 
   # Management (includes embedded IdP)
   management:
-    image: netbirdio/management:latest
+    image: $MANAGEMENT_IMAGE
     container_name: netbird-management
     restart: unless-stopped
     networks: ${networks}
@@ -945,22 +890,6 @@ services:
         max-size: "500m"
         max-file: "2"
 
-  # Coturn, AKA TURN server
-  coturn:
-    image: coturn/coturn
-    container_name: netbird-coturn
-    restart: unless-stopped
-    volumes:
-      - ./turnserver.conf:/etc/turnserver.conf:ro
-    network_mode: host
-    command:
-      - -c /etc/turnserver.conf
-    logging:
-      driver: "json-file"
-      options:
-        max-size: "500m"
-        max-file: "2"
-
 volumes:
   netbird_management: