Server Configuration
Tests run 100% client-side. Addresses and credentials are sent only to the servers you test — never to us. See the privacy policy.
Test Results
History
No History
How to Use This Tool
-
Add a server. Pick the type (STUN, TURN, or TURNS) and enter the address as
host:port— for examplestun.l.google.com:19302orturn.example.com:3478. TURN and TURNS servers also need the username and credential your application would use. -
Add more servers if you like. Batch testing is useful for comparing a primary and a
backup, or checking every entry in your production
iceServersarray at once. - Click "Start Batch Test". Each server is tested in parallel with a 10-second timeout. Results show the candidate obtained and the time it took.
How to Read Your Results
The tester inspects the ICE candidates your browser gathers. What counts as success depends on the server type:
| Candidate type | What it means | Which server produces it |
|---|---|---|
host |
Your device's local address (often hidden behind an mDNS .local name) |
Always present — no server needed |
srflx |
Your public IP/port as seen from outside your NAT — proof the STUN server answered | STUN (success criterion) |
relay |
An address allocated on the relay server — proof authentication and allocation worked | TURN / TURNS (success criterion) |
Response time: under ~100 ms is typical for a same-region server; 100–300 ms suggests cross-region distance; consistently above 500 ms (or timeouts) is worth investigating. For TURN servers, distance matters double — every media packet will take that detour. See our TURN cost & placement guide for regional deployment strategy.
Why a Test Might Fail
| Result | Most likely causes | First thing to try |
|---|---|---|
| STUN: "No srflx candidate found" | Outbound UDP blocked, VPN tunneling traffic, server down, wrong port | Test stun.l.google.com:19302 — if that fails too, it's your network |
| TURN: "No relay candidate found" | Wrong/expired credentials, turn: vs turns: mismatch, relay ports blocked |
Re-check credentials; if they're time-limited, generate fresh ones |
| Timeout (10000ms) | Host unreachable, firewall silently dropping packets, DNS failure | Verify the hostname resolves and the port is correct |
| Works here, fails in your app | Different network, stale credentials in app config, SDP/negotiation issues | Follow our debugging walkthrough |
For a deeper error-by-error reference, see Common WebRTC Errors and How to Fix Them.
Public STUN Servers for Quick Checks
These publicly operated STUN servers are handy as a baseline: if they pass but your own server fails, the problem is on your server's side, not your network.
stun.l.google.com:19302— Google (also stun1 through stun4.l.google.com)stun.cloudflare.com:3478— Cloudflare
Public servers come with no uptime guarantee and shouldn't be your production dependency — for production, run your own or use a managed service. More on choosing STUN servers. There are no public no-auth TURN servers — TURN always requires credentials because relaying costs the operator real bandwidth. To run your own, see our coturn setup guide.
Frequently Asked Questions
What does this tool actually check?
For each server you add, your browser creates a real RTCPeerConnection and gathers ICE
candidates. A STUN server passes if it returns a server-reflexive (srflx) candidate containing your
public IP. A TURN or TURNS server passes if it allocates a relay candidate, which proves your credentials
were accepted and the server will relay traffic.
Is it safe to enter my TURN username and credential?
The test runs entirely in your browser. Credentials are sent only to the TURN server you are testing — exactly as your own WebRTC application would send them — and are never transmitted to icetester.org. They are optionally cached in your browser's local storage so the form is pre-filled next visit; use Clear History or your browser's site-data settings to remove them.
Why does my STUN test pass but my TURN test fail?
STUN and TURN are different protocols with different failure modes. The most common TURN-specific causes
are wrong or expired credentials (especially time-limited REST credentials), using turn:
when the server only listens for turns: (or the reverse), the relay port range (often UDP
49152–65535) blocked by a firewall, or the TURN server's quota limits. A passing STUN test only proves
basic UDP reachability.
What is the difference between turn: and turns:?
turn: uses plain UDP or TCP transport (default port 3478), while turns: wraps
the TURN control connection in TLS (default port 5349). turns: is useful on networks that
only allow outbound TLS traffic, but adds handshake latency and server CPU cost. Note that media relayed
through the server is already encrypted by WebRTC (SRTP/DTLS) in both cases.
What response time should I expect?
Under roughly 100 ms is typical for a server in your region. 100–300 ms usually indicates a cross-region or intercontinental server, which still works but adds call setup latency. Consistently above 500 ms, or timeouts, deserve investigation: distance, packet loss, or an overloaded server.
Why do I only see host candidates or .local addresses?
Modern browsers hide host candidate IPs behind mDNS .local names for privacy — that part is
normal. But if a STUN test produces no srflx candidate at all, your network is likely blocking outbound
UDP to port 3478/19302, a VPN is forcing traffic through a tunnel, or the STUN server is down. Try a
known-good public server like stun.l.google.com:19302 to tell the two apart.
Can I run tests from behind a corporate firewall or VPN?
Yes — and you should. Because the test uses your real browser and network path, the results show exactly
what your users on that network would experience: which servers are reachable, whether UDP is blocked,
and whether only TLS relay (turns:) gets through.
If STUN works, do I still need a TURN server?
For production applications, almost always yes. STUN is sufficient when both peers are behind well-behaved NATs, but symmetric NATs, strict corporate firewalls, and carrier-grade NAT on mobile networks defeat it. Typically a minority of connections — often cited around 10–20%, varying by audience — cannot connect without a TURN relay. Background: NAT traversal challenges in WebRTC.
Learn More About WebRTC Infrastructure
New to ICE? The blog walks through the whole stack, from first principles to production operations:
- What is WebRTC and How Does It Work? — the architecture behind browser-to-browser communication
- ICE Framework Explained — how candidates, connectivity checks, and pair selection actually work
- Complete Guide to TURN Servers — relay transports, authentication, and bandwidth planning
- Debugging WebRTC Connections — a practical triage workflow when calls won't connect
- SFU vs MCU vs Mesh — choosing an architecture before you scale
- Browse all 16 articles →