turncat: Swiss-army-knife testing tool for STUNner

turncat is a STUN/TURN client to open a connection through a TURN server to an arbitrary remote address/port. The main use is to open a local tunnel endpoint to any service running inside a Kubernetes cluster via STUNner. This is very similar in functionality to kubectl port-forward, but it uses STUN/TURN to enter the cluster. This is much faster than the TCP connection used by kubectl.


On Linux and macOS, use this script to download the latest version of the turncat binary:

curl -sL https://raw.githubusercontent.com/l7mp/stunner/main/cmd/getstunner/getstunner.sh | sh -
export PATH=$HOME/.l7mp/bin:$PATH


The script installs stunnerctl too.

Install the turncat binary using the standard Go toolchain and add it to $PATH.

go install github.com/l7mp/stunner/cmd/turncat@latest

You can also enforce a specific OS, CPU architecture, and STUNner version like below:

GOOS=windows GOARCH=amd64 go install github.com/l7mp/stunner/cmd/turncat@v0.17.5

Building from source is as easy as it usually gets with Go:

cd stunner
go build -o turncat cmd/turncat/main.go


Listen to client connections on the UDP listener and tunnel the received packets through the TURN server located at to the UDP listener located at Use the static STUN/TURN credential mechanism to authenticate with the TURN server and set the user/passwd to test/test:

./turncat --log=all:INFO,turncat:DEBUG udp:// turn://test:test@ \

TLS/DTLS should also work. Below --insecure allows turncat to accept self-signed TLS certificates and --verbose is equivalent to setting all loggers to DEBUG mode (-l all:DEBUG).

./turncat --verbose --insecure udp:// \
    turn://test:test@ udp://

Alternatively, you can specify the special TURN server meta-URI k8s://stunner/udp-gateway:udp-listener to let turncat parse the running STUNner configuration from the active Kubernetes cluster. The URI directs turncat to read the config of the STUNner Gateway called udp-gateway in the stunner namespace and connect to the TURN listener named udp-listener. The CLI flag - instructs turncat to listen on the standard input: anything you type in the terminal will be sent via STUNner to the peer udp:// (after you press Enter). The CLI flag -v will enable verbose logging.

./turncat -v - k8s://stunner/udp-gateway:udp-listener udp://

Note that the standard kubectl command line flags are available. For instance, the below will use the context prod-europe from the kubeconfig file kube-prod.conf:

./turncat --kubeconfig=kube-prod.conf --context prod-europe -v - k8s://... udp://...


Copyright 2021-2023 by its authors. Some rights reserved. See AUTHORS.

MIT License - see LICENSE for full text.


Initial code adopted from pion/stun and pion/turn.