Skip to main content
The Linux client connects to the TURN server (VK Calls or Yandex Telemost), wraps the WireGuard traffic in DTLS 1.2, and tunnels it to your VPS. A helper script reads the TURN server IP from the client’s stdout and adds a host route via your default gateway so that TURN traffic bypasses the VPN.

Prerequisites

  • A VK Calls invite link (https://vk.com/call/join/...) or a Yandex Telemost link (https://telemost.yandex.ru/j/...)
  • The client-linux binary from the releases page
  • routes.sh from the repository, placed in the same directory and made executable (chmod +x routes.sh)

Setup

1

Edit your WireGuard client config

In your WireGuard client configuration, change the server Endpoint to point at the local proxy listener and lower the MTU:
[Peer]
Endpoint = 127.0.0.1:9000
# ... other peer settings ...

[Interface]
MTU = 1280
# ... other interface settings ...
Save the config but do not activate the VPN yet.
2

Obtain a call link

Get a VK Calls invite link by creating a call at vk.com (requires a VK account). The link is valid indefinitely unless you press “end call for everyone”. Alternatively, use a Yandex Telemost link (https://telemost.yandex.ru/j/...).
3

Run the client and pipe routes

Open a terminal and run the client. The routes.sh script reads each TURN server IP printed to stdout and installs a host route via your default gateway.Using a VK link (TCP, default):
./client-linux -peer <vps-ip>:56000 -vk-link <VK link> -listen 127.0.0.1:9000 | sudo bash routes.sh
Using a VK link with UDP transport:
./client-linux -udp -peer <vps-ip>:56000 -vk-link <VK link> -listen 127.0.0.1:9000 | sudo bash routes.sh
Using a Yandex Telemost link (specify a working TURN IP explicitly):
./client-linux -udp -turn 5.255.211.241 -peer <vps-ip>:56000 -yandex-link <Ya link> -listen 127.0.0.1:9000 | sudo bash routes.sh
Wait until you see Established DTLS connection! in the output before enabling the VPN.
4

Enable WireGuard

Once the client reports a successful DTLS connection, activate your WireGuard tunnel normally (e.g. sudo wg-quick up wg0 or through the GUI).
Do not enable the VPN before the client establishes a connection. Unlike Android, the Linux client makes some requests (DNS lookups and the initial TURN connection handshake) outside the VPN. Starting the VPN too early causes those requests to be routed through the tunnel, which prevents the proxy from connecting.

How routes.sh works

The script finds your current default gateway and then reads IP addresses line by line from stdin. For each address, it adds a host route via the gateway so the TURN server stays reachable even after the VPN is up: 
#!/bin/bash
gateway="$(ip -o -4 route show to default | awk '/via/ {print $3}' | head -1)"
while read -r remote; do
  sudo ip r add $remote via $gateway
done

macOS variant

On macOS, use routes-macos.sh instead of routes.sh. The macOS script is more sophisticated: it handles both plain host IPs and CIDR prefixes, extracts IPs from relayed-address= log lines, and exits with an error if WireGuard is already the default route (indicating the VPN is already active): 
./client-macos -peer <vps-ip>:56000 -vk-link <VK link> -listen 127.0.0.1:9000 | sudo zsh routes-macos.sh

Additional flags

FlagDescription
-turn <ip>Override the TURN server IP. Use this when automatic discovery fails.
-udpConnect to the TURN server over UDP instead of TCP. Try this if TCP does not work.
-n <count>Number of parallel TURN connections (default 16 for VK, 1 for Yandex). Use -n 1 for more stable throughput (capped at ~5 Mbit/s on VK).
-port <port>Override the TURN server port.

Build docs developers (and LLMs) love

Get started for freeTalk to us