By Sagar Shankaran, Founder of CallSphere
About 8–10% of users will need TURN. Get it wrong and a healthy chunk of your AI calls fail with a black hole and no error. Here is the production checklist.
Key takeaways
"It works on my Wi-Fi" is the most expensive sentence in WebRTC. Symmetric NATs, corporate firewalls, and IPv6-only mobile carriers will silently break voice agents unless you ship a real TURN strategy.
flowchart TD
Client[Browser] --> Sig[Signaling /ws]
Sig --> Peer[RTCPeerConnection]
Peer --> SRTP[(SRTP audio)]
SRTP --> Edge[Edge node]
Edge --> LLM[Voice LLM]
LLM --> Edge
Edge --> SRTPICE (Interactive Connectivity Establishment) is the algorithm that finds a working path between two WebRTC peers. STUN tells you your public IP. TURN relays your packets when STUN fails. In 2026 most production voice-agent failures we have seen on customer accounts trace back to a missing or broken TURN configuration — not the AI, not the SFU.
Two production realities that bite:
Industry data in 2026: roughly 8–10% of consumer connections need a TURN relay; 60–70% of corporate enterprise users do.
Inside a peer connection, ICE walks through:
Hear it before you finish reading
Talk to a live CallSphere AI voice agent in your browser — 60 seconds, no signup.
ICE pairs candidates and probes; the first pair to succeed wins. If only relay pairs work, every audio packet flows through your TURN server, doubling your egress bill.
We run coturn on three regions (us-east, us-west, eu-central) with public IPs and TLS on 443. Every CallSphere voice client receives both the public Google STUN servers and our coturn cluster. About 11% of our minutes traverse TURN; the rest stay peer-to-peer or peer-to-SFU on UDP.
Across 37 agents we keep TURN bandwidth under control by terminating WebRTC at our Pion-based Go gateway 1.23 in regions close to the user — short relay legs, low cost. The 6-container pod (CRM writer, calendar, MLS lookup, SMS, audit, transcript) lives next to each gateway region so post-call writes never cross oceans.
```ts const pc = new RTCPeerConnection({ iceServers: [ { urls: "stun:stun.l.google.com:19302" }, { urls: "stun:stun.cloudflare.com:3478" }, { urls: ["turn:turn.callsphere.ai:3478?transport=udp", "turns:turn.callsphere.ai:443?transport=tcp"], username: tempUser, credential: tempPass, }, ], iceTransportPolicy: "all", bundlePolicy: "max-bundle", rtcpMuxPolicy: "require", }); pc.oniceconnectionstatechange = () => console.log("ice", pc.iceConnectionState); pc.onicecandidateerror = (e) => console.warn("ice error", e.errorCode, e.errorText); ```
Is Google's free STUN okay in production? Yes — billions of calls use it; just include a backup. Why TURN on 443? It punches through corporate firewalls that block everything else. How much does TURN bandwidth cost? A 16 kbps Opus call relayed both ways = ~4 GB/month at 1k concurrent. Budget egress at $0.05–0.09/GB. Can I dynamically pick a TURN region? Yes — geo-DNS or LiveKit/Cloudflare Calls handle it automatically. Why do I see `failed` ICE state randomly? Usually a TURN credential expired mid-call; rotate and re-negotiate.
Connect from anywhere on /demo. Pricing tiers and TURN-included bundles on /pricing.
WebRTC ICE and TURN at Scale: The 2026 Gotchas Nobody Mentions in the Docs is also a cost-per-conversation problem hiding in plain sight. Once you instrument tokens-in, tokens-out, tool calls, ASR seconds, and TTS seconds against booked-revenue per call, the right tradeoff between Realtime API and an async ASR + LLM + TTS pipeline becomes obvious — and it's almost never the same answer for healthcare as it is for salons.
Still reading? Stop comparing — try CallSphere live.
CallSphere ships complete AI voice agents per industry — 14 tools for healthcare, 10 agents for real estate, 4 specialists for salons. See how it actually handles a call before you book a demo.
The big fork is managed (OpenAI Realtime, ElevenLabs Conversational AI) versus self-hosted on GPUs you operate. Managed wins on cold-start, model freshness, and zero-ops; self-hosted wins on unit economics past a certain conversation volume and on data residency for regulated verticals. CallSphere runs hybrid: Realtime for live calls, self-hosted Whisper + a hosted LLM for async, both routed through a Go gateway that enforces per-tenant rate limits.
Latency budgets are non-negotiable on voice. End-to-end target is sub-800ms ASR-to-first-token and sub-1.4s first-audio-out; anything beyond that and turn-taking feels stilted. GPU residency in the same region as your TURN servers matters more than choosing a slightly bigger model.
Observability is the unglamorous backbone — every conversation produces logs, traces, sentiment scoring, and cost attribution piped to a per-tenant dashboard. HIPAA + SOC 2 aligned isolation keeps healthcare traffic separated from salon traffic at the storage layer, not just the API.
What's the right way to scope the proof-of-concept? Setup runs 3–5 business days, the trial is 14 days with no credit card, and pricing tiers are $149, $499, and $1,499 — so a vertical-specific pilot is a same-week decision, not a quarterly project. For a topic like "WebRTC ICE and TURN at Scale: The 2026 Gotchas Nobody Mentions in the Docs", that means you're not starting from scratch — you're configuring an agent template that's already been hardened across thousands of conversations.
How do you handle compliance and data isolation? Day one is integration mapping (scheduler, CRM, messaging) and prompt tuning against your top 20 real call transcripts. Day two through five is shadow-mode running, where the agent transcribes and recommends but a human still answers, so you can compare side-by-side. Go-live is the moment your eval pass-rate clears your internal bar.
When does it make sense to switch from a managed model to a self-hosted one? The honest answer: it scales until your tool catalog gets stale. The agent is only as good as the integrations it can actually call, so the operational discipline is keeping schemas, webhooks, and fallback paths green. The platform handles the rest — observability, retries, multi-region routing — without your team owning the GPU layer.
Want to see how this maps to your stack? Book a live walkthrough at calendly.com/sagar-callsphere/new-meeting, or try the vertical-specific demo at escalation.callsphere.tech. 14-day trial, no credit card, pilot live in 3–5 business days.
Written by
Sagar Shankaran· Founder, CallSphere
Sagar Shankaran is the founder of CallSphere, where he builds production AI voice and chat agents deployed across healthcare, hospitality, real estate, and home services. He writes about agentic AI, LLM engineering, and shipping voice agents that handle real calls in production.
See how AI voice agents work for your industry. Live demo available -- no signup required.
A founder's guide to texto a voz (text-to-speech in Spanish): LATAM vs Castilian voices, free options, and how CallSphere ships Spanish agents.
A founder's guide to the female voice generator landscape: AI female voices, Japanese voices, robot voices, and how CallSphere ships 57+ voices live.
A founder's guide to the Siri voice generator landscape: how AI voice cloning works, what is legal, and how CallSphere uses 57+ voices in production.
A founder's guide to AI voice assistants for ecommerce: customer service, order lookup, and how CallSphere fits in versus virtual receptionists.
Robot text to speech in 2026: how I pick TTS APIs, when robotic voices help, and how CallSphere ships 57+ language voice agents. Hands-on guide.
The customer support specialist role in 2026 is half human, half AI. Here is what the job looks like, the AI tools that pair with it, and how we ship it.
© 2026 CallSphere LLC. All rights reserved.
Watch how CallSphere handles real customer calls, schedules appointments, and processes payments — live.