WebRTC TURN Server Scaling: Coturn vs Cloudflare TURN in 2026

The TURN question for AI voice is not which is better — it is where the break-even point sits in 2026. Below ~5M minutes per month, managed TURN wins. Above that, Coturn on dedicated boxes wins on cost. The shape changes by region and codec.

Why TURN is the most operationally expensive WebRTC layer

A TURN server relays both directions of media for a session. For a single Opus voice agent call that is roughly 60–100 kbps each way, or ~45 MB of egress per 10-minute relayed call. Multiply by your relay rate (15–25% — see the NAT post) and TURN egress is usually the largest single bandwidth line item in a voice deployment.

Three credible options in 2026:

• Coturn — open-source C implementation, RFC 5766/5389. Mature, fast, requires you to run boxes.
• Cloudflare Realtime TURN — anycast across 250+ cities, free when used with Cloudflare's SFU, $0.05/GB outbound otherwise.
• LiveKit Cloud TURN — bundled with LiveKit's managed SFU; not sold standalone.

A fourth pattern is an emerging one: dual-track, where you run Coturn for predictable cost and use a managed service as overflow for the long tail. Several large operators run this in 2026 to hedge both directions.

Architecture: managed vs self-hosted

```mermaid flowchart LR User -->|relay| Anycast[Cloudflare anycast TURN] User2 -->|relay| Coturn[Coturn fleet - 3 regions] Anycast --> Agent Coturn --> Agent ```

The crux is the long-tail user: a Tokyo user relayed via a US-east Coturn pays the trans-Pacific RTT twice. Anycast TURN puts the relay 13 ms from the user, every time.

Cost math (2026 pricing)

Assume 1M minutes/month of relayed Opus voice, 60 kbps each way = 90 GB/mo egress.

• Cloudflare TURN: 90 GB × $0.05 = $4.50/mo. Effectively free at this scale.
• Coturn on AWS: 3 m6i.large in 3 regions = ~$210/mo VM + $0.09/GB egress = $8.10. Total ~$218/mo. Plus engineer time.
• Coturn on bare metal: 3 dedicated boxes (Hetzner/OVH) = ~$180/mo. Egress is included in most plans. Total ~$180/mo.

Below ~5M minutes Cloudflare wins outright. Between 5–50M minutes the answer depends on whether your team has the expertise to operate Coturn at three regions reliably. Above 50M minutes Coturn on bare metal wins. Above 500M minutes you should be talking to multiple bare-metal providers and probably running TURN on the same boxes as your SFU to amortize.

CallSphere implementation

CallSphere runs Cloudflare Realtime TURN as the primary across the six verticals (real estate, healthcare, behavioral health, legal, salon, insurance). Reasons:

• 13 ms median first-hop RTT from the anycast network beats anything we could self-host without 30+ regions.
• Zero ops overhead — credentials are minted by our Next.js API route and rotate every 5 minutes.
• For Real Estate (OneRoof, /industries/real-estate), the Pion Go gateway 1.23 still terminates the server side; Cloudflare TURN sits between the user and the gateway.

We keep a Coturn fallback in two regions for the cases where customers require dedicated TURN under their own BAA. Across 37 agents, 90+ tools, 115+ database tables this dual-track setup keeps SOC 2 + HIPAA reviewers happy. Pricing tiers (Starter $149, Pro $499, Enterprise $1499, 14-day trial) bundle the right TURN for each segment. Affiliates earn 22% — see /affiliate.

Code snippet (TURN credential mint)

```ts // Next.js API route, server-only import crypto from "crypto";

export async function GET() { const ttl = 300; // 5 min const username = `${Math.floor(Date.now() / 1000) + ttl}:cs`; const credential = crypto .createHmac("sha1", process.env.TURN_SECRET!) .update(username) .digest("base64");

return Response.json({ iceServers: [ { urls: "stun:stun.cloudflare.com:3478" }, { urls: ["turn:turn.cloudflare.com:3478", "turns:turn.cloudflare.com:5349"], username, credential, }, ], }); } ```

Build steps

1. Pick anycast for global; Coturn 3-region for cost-controlled scale.
2. Use TURN-over-TLS on 443 for corporate firewalls — non-negotiable.
3. Mint short-lived credentials (5–10 min); never embed long-lived secrets.
4. Track `relay` candidate selection in `getStats` to size egress.
5. Budget 90–110 GB per million minutes of relayed Opus.
6. Test fall-back paths regularly; a healthy primary masks a sick secondary.
7. Audit credentials monthly; long-lived TURN credentials are a P0 finding under SOC 2.

Common pitfalls

• Long-lived TURN secrets — guarantee an audit finding. Always mint per-session.
• One TURN region — punishes users on the wrong continent.
• No TLS fallback — corporate networks block UDP and TCP/3478. Default to 443.
• Misreading the bill — Cloudflare's first GB is free with their SFU but charged with third-party SFUs. Read the fine print.
• Forgetting metrics — without `relay` candidate tracking you cannot tell why your TURN bill spiked.

FAQ

Does Cloudflare see my media? Yes — TURN by definition relays plaintext SRTP packets. Use SFrame for E2EE.

Is Coturn still viable? Yes for high-volume operators willing to run boxes.

What about Twilio TURN? Functional but priced for the Twilio bundle; rarely competitive standalone.

Does WebRTC over QUIC remove TURN? Not yet — MoQ is still draft, see the MoQ post.

Can I run TURN on the SFU host? Yes — co-locating Coturn and an SFU on the same box saves egress for relayed flows. Common at scale.

What is the bandwidth cost on cellular? A 10-minute relayed Opus call costs ~45 MB; multiply by the relay rate to size your fleet.

Can I bring my own anycast? Possible but extremely operationally heavy. Few teams do it below 100M minutes/mo.

Does TURN cost vary by region? Yes — egress out of Asia-Pacific cloud regions can be 4x US-east. Plan accordingly.

Production playbook for AI voice teams in 2026

Three rules for TURN sizing in production:

1. Mint short, rotate often. 5-minute credentials with HMAC over a server-only secret. Long-lived TURN credentials are the single most-cited audit finding we have heard from peers.
2. Saturate test the path quarterly. Generate 90 GB of synthetic Opus through your TURN; verify no packet-drop cliff. Cloudflare scales transparently; self-hosted Coturn does not.
3. Multi-vendor or single? Below 5M minutes/mo, single vendor is fine. Above, dual-vendor with active health checks is worth the complexity.

We also keep a 30-day TURN-relay-rate report broken down by ISP and country. The flat lines are boring; the spikes are the early-warning system for carrier issues.

Watch list 2026

• Cloudflare Realtime SFU keeps narrowing the gap with LiveKit; bundling SFU + free TURN may move the cost equation again.
• Hetzner egress policies are evolving; bare-metal Coturn economics depend on them.
• TURN over QUIC (RFC 9744 drafts) may eventually replace TCP/TLS-over-TURN with a single wire format.
• Anycast TURN from Twilio and Vonage is rumored for 2026; track the announcements.

Sources

• https://developers.cloudflare.com/realtime/turn/
• https://blog.cloudflare.com/webrtc-turn-using-anycast/
• https://github.com/coturn/coturn
• https://bloggeek.me/managed-webrtc-turn-speed/
• https://v100.ai/blog/fastest-webrtc-server-2026.html
• https://developers.cloudflare.com/realtime/turn/faq/

See it live on /demo, pricing in /pricing, or start a /trial.