The server binary listens for incoming DTLS 1.2-encrypted connections from clients, decrypts the packets, and forwards the plain UDP traffic to WireGuard running on the same machine. You need a VPS with WireGuard already installed and configured before proceeding.
Flags
| Flag | Default | Description |
|---|
-listen | 0.0.0.0:56000 | Address and port the server binds to |
-connect | (required) | WireGuard UDP address to forward traffic to (e.g. 127.0.0.1:51820) |
The -connect flag is required. The server panics immediately on startup if it is omitted.
Deploy the server
Download the server binary
Download the latest server binary from the releases page and upload it to your VPS.Make the binary executable: Open the firewall port
The server listens on UDP port 56000 by default. Allow inbound traffic on that port:# ufw
sudo ufw allow 56000/udp
# iptables
sudo iptables -A INPUT -p udp --dport 56000 -j ACCEPT
If you choose a different port with -listen, open that port instead.
Run the server
Start the server and point it at your WireGuard instance. Replace 51820 with your actual WireGuard port if it differs:./server -listen 0.0.0.0:56000 -connect 127.0.0.1:51820
Connection from <client-ip>:<port>
Start handshake
Handshake done
Keep the server running
Run the server under a process supervisor so it restarts automatically. Here is a minimal systemd unit:
[Unit]
Description=VK TURN Proxy server
After=network.target
[Service]
ExecStart=/opt/vk-turn-proxy/server -listen 0.0.0.0:56000 -connect 127.0.0.1:51820
Restart=on-failure
[Install]
WantedBy=multi-user.target
/etc/systemd/system/vk-turn-proxy.service, then enable and start it:
sudo systemctl daemon-reload
sudo systemctl enable --now vk-turn-proxy