VK TURN Proxy sits between your WireGuard client and the TURN relay. The client side needs two changes; the server side stays untouched.
Client-side changes
Change the endpoint
In your WireGuard client config, set the Endpoint of the server peer to 127.0.0.1:9000. The proxy client listens on that address and forwards traffic through the TURN relay to your VPS.[Peer]
PublicKey = <server-public-key>
Endpoint = 127.0.0.1:9000
AllowedIPs = 0.0.0.0/0
Set MTU to 1280
Add MTU = 1280 to the [Interface] section. TURN encapsulation and DTLS 1.2 overhead reduce the effective MTU — without this setting you will see packet fragmentation and degraded performance.[Interface]
PrivateKey = <client-private-key>
Address = 10.0.0.2/24
MTU = 1280
Server-side configuration
No changes are required on the server. The WireGuard server on your VPS continues to listen on its normal UDP port (commonly 51820). The proxy server process connects to it directly using the -connect flag:
./server -listen 0.0.0.0:56000 -connect 127.0.0.1:<wg-port>
Startup order
On Linux and Windows, do not enable the WireGuard VPN tunnel before the proxy client has established its connection. Unlike Android, there is no per-app exclusion mechanism — DNS lookups and the initial TURN connection request go out over the real network interface. If the VPN is already active when you start the proxy client, that traffic will be routed through the tunnel, creating a loop.
Start the proxy client
Run the proxy client and pipe its output to the routing script. Wait until you see the Established DTLS connection! log message before proceeding../client-linux -peer <vps-ip>:56000 -vk-link <vk-link> -listen 127.0.0.1:9000 | sudo routes.sh
Enable the WireGuard tunnel
Only after the DTLS connection is established, activate the WireGuard tunnel in your WireGuard client. At this point the TURN server’s IP already has a direct host route via the physical gateway, so there is no routing loop.
On Android, you add the proxy app or Termux to the WireGuard tunnel’s exclusion list. Because excluded apps bypass the VPN entirely and always use the real network interface, you can enable the VPN at any time — before or after starting the proxy.Open the tunnel settings
In the WireGuard Android app, tap the tunnel you want to configure, then tap the edit (pencil) icon.
Add the exclusion
Scroll to the Apps section. Tap Excluded applications and add either the native proxy app (vk-turn-proxy-android) or Termux, depending on which you use to run the proxy client.
Save
Tap Save. The excluded app will now always use the physical network interface regardless of whether the VPN is active.
If you see DNS errors in Termux after enabling the VPN, the exclusion was not saved or the wrong app was excluded. Verify that Termux appears in the excluded applications list.