From 3a42f74371ef50a9c9a364e8370bd85ad46557d6 Mon Sep 17 00:00:00 2001
From: Bas van den Aakster <bvdaakster@gmail.com>
Date: Sat, 6 Dec 2025 15:58:15 +0100
Subject: [PATCH] Add TURNS (secure) endpoints for upgraded TURN server
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Updated ICE configuration to use TURNS (TLS/DTLS) on port 5349
as the preferred relay method, with plain TURN on port 3478 as
fallback. WebRTC will try secure endpoints first for better
security and reliability.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
---
 CLAUDE.md   | 29 +++++++++++++++++++++++++++--
 src/App.jsx | 13 +++++++------
 2 files changed, 34 insertions(+), 8 deletions(-)

diff --git a/CLAUDE.md b/CLAUDE.md
index 43de69c..5e9661e 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -6,12 +6,37 @@
 
 When configuring TURN servers:
 
-- ✅ **DO** include the port number in TURN URLs: `turn:server.com:3478`
+- ✅ **DO** use TURNS (secure) on port 5349 when available: `turns:server.com:5349`
+- ✅ **DO** include TURN fallback on port 3478: `turn:server.com:3478`
+- ✅ **DO** include the port number in TURN URLs (even if default)
 - ✅ **DO** test TURN connectivity before deploying: `turnutils_uclient -u user -w pass server.com 3478 -y`
 - ✅ **DO** provide both TCP and UDP transports for maximum compatibility
-- ❌ **DON'T** omit the port number (even if it's the default 3478)
+- ❌ **DON'T** omit the port number
 - ❌ **DON'T** assume TURN works without testing
 
+**Current Configuration:**
+```javascript
+const RTC_CONFIG = {
+  iceServers: [
+    { urls: ["stun:stun.share.fish:3478"] },
+    {
+      urls: [
+        // TURNS (secure) - TLS/DTLS on port 5349 (preferred)
+        "turns:turn.share.fish:5349?transport=tcp",
+        "turns:turn.share.fish:5349?transport=udp",
+        // TURN (fallback) - plain on port 3478
+        "turn:turn.share.fish:3478?transport=tcp",
+        "turn:turn.share.fish:3478?transport=udp",
+      ],
+      username: "webrtcuser",
+      credential: "supersecretpassword"
+    }
+  ]
+};
+```
+
+WebRTC will try TURNS (secure) endpoints first, falling back to plain TURN if needed.
+
 ### ICE Configuration
 
 **Force Relay Mode for Testing:**
diff --git a/src/App.jsx b/src/App.jsx
index fc6fb6c..876bf17 100644
--- a/src/App.jsx
+++ b/src/App.jsx
@@ -6,19 +6,20 @@ const API_URL = 'https://api.ronde.vu';
 
 const RTC_CONFIG = {
   iceServers: [
-    { urls: ["stun:stun.ronde.vu:3478"] },
+    { urls: ["stun:stun.share.fish:3478"] },
     {
       urls: [
-        "turn:turn.ronde.vu:3478?transport=tcp",
-        "turn:turn.ronde.vu:3478?transport=udp",
+        // TURNS (secure) - TLS/DTLS on port 5349
+        "turns:turn.share.fish:5349?transport=tcp",
+        "turns:turn.share.fish:5349?transport=udp",
+        // TURN (fallback) - plain on port 3478
+        "turn:turn.share.fish:3478?transport=tcp",
+        "turn:turn.share.fish:3478?transport=udp",
       ],
       username: "webrtcuser",
       credential: "supersecretpassword"
     }
   ],
-  // Force TURN relay to bypass NAT hairpinning (when testing on same network)
-  // Comment out for production to allow direct connections when possible
-  iceTransportPolicy: 'relay'
 };
 
 export default function App() {