diff --git a/.envrc.sample b/.envrc.sample
index 05162de..73feb2d 100644
--- a/.envrc.sample
+++ b/.envrc.sample
@@ -4,3 +4,5 @@ export STACK_NAME=matrix
 export LETS_ENCRYPT_ENV=production
 export ENTRYPOINT_CONF_VERSION=v1
+export TURNSERVER_CONF_VERSION=v1
+export COTURN_SHARED_SECRET_VERSION=v1
diff --git a/README.md b/README.md
index d24f149..4a9489c 100644
--- a/README.md
+++ b/README.md
@@ -9,6 +9,7 @@ image][synapse-docker].
 3. Edit `.envrc` - be sure to change `$DOMAIN` to something that resolves to your Docker swarm box
 4. `direnv allow` (or `. .envrc`)
+4. `abra secret_generate coturn_shared_secret`
 5. `abra deploy`
 6. `abra service_run synapse` to open a shell
 7. `register_new_matrix_user -c /data/homeserver.yaml http://localhost:8008`
diff --git a/compose.yml b/compose.yml
index 36a7bcc..b03bbed 100644
--- a/compose.yml
+++ b/compose.yml
@@ -12,6 +12,8 @@ services:
 - LETSENCRYPT_HOST=${DOMAIN}
 - SYNAPSE_SERVER_NAME=${DOMAIN}
 - SYNAPSE_REPORT_STATS=no
+ - TURN_SERVER=${DOMAIN}
+ - TURN_PORT=3478
 networks:
 - proxy
 deploy:
@@ -31,11 +33,18 @@ services:
 - source: entrypoint_conf
 target: /docker-entrypoint.sh
 mode: 0555
+ secrets:
+ - coturn_shared_secret
 coturn:
 image: instrumentisto/coturn:latest
 networks:
 - swarm_host
+ secrets:
+ - coturn_shared_secret
+ configs:
+ - source: turnserver_conf
+ target: /etc/coturn/turnserver.conf
 volumes:
 synapse:
@@ -57,3 +66,12 @@ configs:
 name: ${STACK_NAME}_entrypoint_${ENTRYPOINT_CONF_VERSION}
 file: entrypoint.sh.tmpl
 template_driver: golang
+ turnserver_conf:
+ name: ${STACK_NAME}_turnserver_conf_${TURNSERVER_CONF_VERSION}
+ file: turnserver.conf.tmpl
+ template_driver: golang
+
+secrets:
+ coturn_shared_secret:
+ external: true
+ name: ${STACK_NAME}_coturn_shared_secret_${COTURN_SHARED_SECRET_VERSION}
diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl
index 757c122..4efac00 100644
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
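Review bot: `TURN_PORT=3478` in the synapse environment (first compose.yml hunk) is tied to coturn only by convention: the turnserver.conf.tmpl added in this commit sets no `listening-port`, so the two agree solely through coturn's default port. A comment on that line, `# must match coturn's listening-port (turnserver.conf.tmpl leaves it at the default, 3478)`, records the dependency before someone changes one side. In the second hunk the coturn service is attached to `swarm_host` with no `ports:` visible, so I cannot tell from the hunk how UDP 3478 and the relay port range become reachable from outside the swarm; a one-line comment on the `networks:` entry saying what `swarm_host` provides (or where the ports are published) would save the next reader the same question.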
@@ -2,6 +2,17 @@
 if [[ ! -f /data/homeserver.yaml ]]; then
 /start.py generate
+
+ apt update && apt install -y wget
+ wget https://github.com/mikefarah/yq/releases/download/3.3.2/yq_linux_amd64 && \
+ chmod +x yq_linux_amd64 && \
+ mv yq_linux_amd64 /bin/yq
+
+ # turn (https://github.com/matrix-org/synapse/blob/master/docs/turn-howto.md#synapse-setup)
+ yq w -i /data/homeserver.yaml turn_uris "[]"
+ yq w -i /data/homeserver.yaml turn_uris\[0\] "turn:${TURN_SERVER}:${TURN_PORT}?transport=udp"
+ yq w -i /data/homeserver.yaml turn_uris\[1\] "turn:${TURN_SERVER}:${TURN_PORT}?transport=tcp"
+ yq w -i /data/homeserver.yaml coturn_shared_secret "$(tr -d \"\n\" < /run/secrets/coturn_shared_secret)"
 fi
 /start.py
diff --git a/turnserver.conf.tmpl b/turnserver.conf.tmpl
new file mode 100644
index 0000000..04cb7ee
--- /dev/null
+++ b/turnserver.conf.tmpl
@@ -0,0 +1,15 @@
+use-auth-secret
+static-auth-secret={{ secret "coturn_shared_secret" }}
+realm=turn.{{ env "DOMAIN" }}
+
+log-file=stdout
+pidfile=/var/tmp/turnserver.pid
+userdb=/var/tmp/turnserver.db
+
+no-cli
+
+no-tls
+no-dtls
+
+prod
+no-tcp-relay
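Review bot: On the last added yq line, `tr -d \"\n\"` does not strip the trailing newline: inside `$( )` the backslashes are ordinary shell escapes, so tr receives the set `"n"` and deletes every double quote and every letter n from the secret, leaving homeserver.yaml with a value that differs from what coturn reads out of the same secret file whenever the secret contains an n. The line should be `yq w -i /data/homeserver.yaml turn_shared_secret "$(tr -d '\n' < /run/secrets/coturn_shared_secret)"`, which also corrects the key name: the homeserver option described in the turn-howto linked from the comment is `turn_shared_secret`, so a `coturn_shared_secret` key is ignored by synapse and no TURN credentials are ever issued. The yq binary is downloaded from GitHub at first start with no integrity check and the wget/chmod/mv chain has no error handling, so a tampered or failed download either installs an unverified binary or silently leaves the TURN settings unset; pin the sha256 of the 3.3.2 release and verify it before installing, as sketched below. The script's first line (shebang and any `set -e`) is outside the hunk, so whether failures abort the entrypoint cannot be seen here.
```shell
  # … unchanged: /start.py generate …
  apt update && apt install -y wget || exit 1
  wget -O /tmp/yq https://github.com/mikefarah/yq/releases/download/3.3.2/yq_linux_amd64 || exit 1
  # <YQ_3_3_2_SHA256> is a placeholder: fill in the digest published for this release
  printf '%s  /tmp/yq\n' '<YQ_3_3_2_SHA256>' | sha256sum -c - || exit 1
  install -m 0555 /tmp/yq /bin/yq
  # … unchanged: turn_uris lines …
  yq w -i /data/homeserver.yaml turn_shared_secret "$(tr -d '\n' < /run/secrets/coturn_shared_secret)"
```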
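Review bot: The new turnserver.conf has no `denied-peer-ip` entries, so once a Matrix user holds TURN credentials the relay will forward to any peer address the coturn container can reach, including the private ranges of the Docker networks (`proxy`, `swarm_host`) this stack is attached to. The turn-howto linked from the entrypoint comment recommends denying the RFC 1918 ranges and disabling multicast peers for exactly this reason; the lines below, placed after `no-tcp-relay`, do that. If client→TURN→TURN→client flows are needed, add an `allowed-peer-ip=` for the server's own address as that guide shows, and consider `user-quota`/`total-quota` to bound the number of relayed streams per user.
```ini
no-tcp-relay
# do not relay into the private ranges used by the Docker networks this stack sits on
no-multicast-peers
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
```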