TURN is the fallback when STUN-only hole punching cannot get two peers talking. The TURN server sits on the public internet with a known IP address. Both peers open conventional client-initiated UDP (or TCP, or TLS) connections to it, and each peer then sends its media to the TURN server, which forwards it to the other peer. To each peer the TURN server looks like a regular server, so any NAT and most firewalls let the traffic through.

TURN costs bandwidth — every media byte goes through the relay twice — and that means TURN bandwidth is the dominant cost line of a self-hosted WebRTC service. Roughly 10–25 % of WebRTC sessions in real-world deployments fail to establish a direct peer connection and fall back to TURN, depending on the network mix (corporate networks raise the percentage, residential broadband lowers it). Operators usually deploy TURN servers in multiple regions and route each session to the nearest one to minimise RTT.

TURN supports UDP, TCP, and TLS over TCP/443. TLS-over-443 is the workaround for the most restrictive corporate firewalls — disguised as HTTPS, it gets through almost everything. Open-source TURN implementations include coturn (the industry default) and Pion's TURN. Commercial managed TURN — Twilio, Xirsys, Cloudflare TURN — is the typical choice for teams that don't want to operate the infrastructure themselves.
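To see how often your own sessions fall back to TURN, and over which of the three transports, you can classify each session from its WebRTC stats. The code below is an added example, not code from the original page; the function names and sample data are constructed for illustration, and it assumes the browser exposes `transport` stats with `selectedCandidatePairId` and `relayProtocol` on local relay candidates.

```javascript
// Added example (not from the original page). Input: the entries of an
// RTCStatsReport, e.g. [...(await pc.getStats()).values()] in the browser.

// Classify one session: 'failed', 'direct', 'remote-relay', or the local
// relay transport reported by relayProtocol ('udp' | 'tcp' | 'tls').
function classifySession(entries) {
  const byId = new Map(entries.map((e) => [e.id, e]));
  const transport = entries.find(
    (e) => e.type === 'transport' && e.selectedCandidatePairId);
  const pair = transport && byId.get(transport.selectedCandidatePairId);
  if (!pair) return 'failed'; // ICE never selected a candidate pair
  const local = byId.get(pair.localCandidateId);
  const remote = byId.get(pair.remoteCandidateId);
  if (local && local.candidateType === 'relay') {
    return local.relayProtocol || 'unknown';
  }
  // Our side is direct, but the far side is reachable only via its relay.
  if (remote && remote.candidateType === 'relay') return 'remote-relay';
  return 'direct';
}

// Aggregate many sessions into per-class counts and the relayed share of
// the sessions that actually connected.
function relaySummary(sessions) {
  const counts = {};
  for (const entries of sessions) {
    const cls = classifySession(entries);
    counts[cls] = (counts[cls] || 0) + 1;
  }
  const connected = sessions.length - (counts.failed || 0);
  const relayed = connected - (counts.direct || 0);
  return { counts, relayShare: connected ? relayed / connected : 0 };
}

// Constructed sample stats (not captured from a real deployment).
function sampleSession(localType, relayProtocol, remoteType = 'srflx') {
  return [
    { id: 'T1', type: 'transport', selectedCandidatePairId: 'P1' },
    { id: 'P1', type: 'candidate-pair', localCandidateId: 'L1', remoteCandidateId: 'R1' },
    { id: 'L1', type: 'local-candidate', candidateType: localType, relayProtocol },
    { id: 'R1', type: 'remote-candidate', candidateType: remoteType },
  ];
}
const SAMPLE = [
  sampleSession('host'), sampleSession('srflx'), sampleSession('srflx'),
  sampleSession('relay', 'tls'), sampleSession('host', undefined, 'relay'),
  [{ id: 'T1', type: 'transport' }], // ICE failed: no selected pair
];
console.log(relaySummary(SAMPLE));
```

A rising `tls` count relative to `udp` indicates more clients sitting behind firewalls that only pass port 443, which is useful input when sizing relay capacity per region.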