diff --git a/configuration.nix b/configuration.nix
index c7350cb..fd649f8 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -39,6 +39,7 @@
 ./services/bitwarden.nix
 ./services/matrix.nix
+ ./services/coturn.nix
 ./services/monero.nix
 ./services/xmrig.nix
diff --git a/flake.nix b/flake.nix
index c23ab0c..3dff900 100644
--- a/flake.nix
+++ b/flake.nix
@@ -120,6 +120,8 @@
 minecraft = 25565;
 matrix = 6167;
 matrix_federation = 8448;
+ coturn = 3478;
+ coturn_tls = 5349;
 };
 https = {
diff --git a/secrets/coturn_static_auth_secret b/secrets/coturn_static_auth_secret
new file mode 100644
index 0000000..3685e68
Binary files /dev/null and b/secrets/coturn_static_auth_secret differ
diff --git a/services/coturn.nix b/services/coturn.nix
new file mode 100644
index 0000000..78cc40d
--- /dev/null
+++ b/services/coturn.nix
@@ -0,0 +1,59 @@
+{
+ config,
+ lib,
+ service_configs,
+ ...
+}:
+{
+ services.coturn = {
+ enable = true;
+ realm = service_configs.https.domain;
+ use-auth-secret = true;
+ static-auth-secret = lib.strings.trim (builtins.readFile ../secrets/coturn_static_auth_secret);
+ listening-port = service_configs.ports.coturn;
+ tls-listening-port = service_configs.ports.coturn_tls;
+ no-cli = true;
+
+ # recommended security settings from Synapse's coturn docs
+ extraConfig = ''
+ denied-peer-ip=10.0.0.0-10.255.255.255
+ denied-peer-ip=192.168.0.0-192.168.255.255
+ denied-peer-ip=172.16.0.0-172.31.255.255
+ denied-peer-ip=0.0.0.0-0.255.255.255
+ denied-peer-ip=100.64.0.0-100.127.255.255
+ denied-peer-ip=169.254.0.0-169.254.255.255
+ denied-peer-ip=192.0.0.0-192.0.0.255
+ denied-peer-ip=198.18.0.0-198.19.255.255
+ denied-peer-ip=198.51.100.0-198.51.100.255
+ denied-peer-ip=203.0.113.0-203.0.113.255
+ denied-peer-ip=240.0.0.0-255.255.255.255
+ denied-peer-ip=::1
+ denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
+ denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
+ denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
+ denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
+ denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+ denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+ denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+ '';
+ };
+
+ # coturn needs these ports open
+ networking.firewall = {
+ allowedTCPPorts = [
+ service_configs.ports.coturn
+ service_configs.ports.coturn_tls
+ ];
+ allowedUDPPorts = [
+ service_configs.ports.coturn
+ service_configs.ports.coturn_tls
+ ];
+ # relay port range
+ allowedUDPPortRanges = [
+ {
+ from = config.services.coturn.min-port;
+ to = config.services.coturn.max-port;
+ }
+ ];
+ };
+}
diff --git a/services/matrix.nix b/services/matrix.nix
index aa15048..b2f114e 100644
--- a/services/matrix.nix
+++ b/services/matrix.nix
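Review bot: `static-auth-secret = lib.strings.trim (builtins.readFile ../secrets/coturn_static_auth_secret)` evaluates the secret at build time, so it ends up in the world-readable Nix store twice: in the generated coturn configuration and, through `config.services.coturn.static-auth-secret` in the services/matrix.nix hunk, in the homeserver configuration as well. Since `builtins.readFile` cannot decrypt anything, the committed `secrets/coturn_static_auth_secret` blob is evidently consumed as-is, which also leaves the shared secret in the repository history. The NixOS module has `static-auth-secret-file` for exactly this case; replace the line with `static-auth-secret-file = "<PATH_TO_RUNTIME_SECRET>";` (a path outside the store, provisioned by your secrets tooling), point the homeserver at the same file through a file-based option if it offers one, and rotate the current value. Separately, the comment calls the `denied-peer-ip` block Synapse's recommended set, but it omits `denied-peer-ip=127.0.0.0-127.255.255.255` (only `::1` is denied), so relayed traffic may still reach loopback-bound services on this host; the upstream list additionally carries `no-multicast-peers`, `192.0.2.0-192.0.2.255` and `192.88.99.0-192.88.99.255`.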
@@ -32,6 +32,14 @@
 address = [ "0.0.0.0" ];
+
+ # TURN server config (coturn)
+ turn_secret = config.services.coturn.static-auth-secret;
+ turn_uris = [
+ "turn:${service_configs.https.domain}?transport=udp"
+ "turn:${service_configs.https.domain}?transport=tcp"
+ ];
+ turn_ttl = 86400;
 };
 };
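Review bot: `turn_uris` advertises only plaintext `turn:` transports, yet services/coturn.nix opens `coturn_tls` (5349) on both TCP and UDP; that new file sets no `cert`/`pkey`, so unless TLS material is configured elsewhere the port serves nothing and should be dropped from the firewall rather than left exposed. If TLS is intended, set `services.coturn.cert` and `services.coturn.pkey` and add `"turns:${service_configs.https.domain}?transport=tcp"` to the list so clients can negotiate it. The attribute set this hunk extends starts and ends outside the hunk.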