I found this thread and comments from @ibc very helpful regarding STUN/TURN:
In many of the historical posts from @ibc he pointed out that MediaSoup uses ICE-LITE, “meaning that it does not require ICE candidates from clients but, instead, will wait for RTP in its open ports to know the client’s remote IP, port and transport protocol (UDP or TCP).”
Another thing I have read that may be useful here: configuration using port 443 is a way to get around restrictive corporate firewalls, if necessary. From @ibc in this post:
“For worst network cases you should have your TURN server listening into TLS port 443 with a proper TLS certificate. Since some networks (WiFi in hotels and so on) block traffic other than 80 and 443, you’d rather have TURN listening in TLS 443 of public IP_A and your HTTP/WS signaling server in TLS 443 of public IP_B.”
One thing I am also investigating, rather than eliminating STUN/TURN entirely, is whether there is any benefit to installing Coturn alongside MediaSoup, even on the same server, and using it for normalizing and managing client connections, with MediaSoup then handling the SFU functions. This and port 443 are mentioned in a post on Medium (Google: WebRTC pro-tips @ Medium – I am limited in links in my post as a new member):
“If you’re using an SFU or MCU, consider running TURN along-side your software, and forcing everyone to relay through TURN. It’s sixes this way and can actually simplify a few things.”
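
An added example, not part of the original post and not mediasoup or coturn code: a small check that a client's ICE configuration matches the setup discussed above (everything relayed through TURN, with a TURN-over-TLS listener on port 443). The host turn.example.com, the credentials and the function names are constructed for illustration.

```javascript
// Default ports per RFC 7064 (STUN URIs) and RFC 7065 (TURN URIs).
const DEFAULT_PORTS = { stun: 3478, stuns: 5349, turn: 3478, turns: 5349 };

// Parse scheme:host[:port][?transport=udp|tcp]; returns null if malformed.
function parseIceUrl(url) {
  const m = /^(stuns?|turns?):(\[[^\]]+\]|[^:?]+)(?::(\d+))?(?:\?transport=(udp|tcp))?$/i.exec(url);
  if (!m) return null;
  const scheme = m[1].toLowerCase();
  const secure = scheme.endsWith("s");
  return {
    scheme,
    host: m[2],
    port: m[3] ? Number(m[3]) : DEFAULT_PORTS[scheme],
    transport: m[4] ? m[4].toLowerCase() : (secure ? "tcp" : "udp"),
  };
}

// Audit an RTCConfiguration-style object; returns a list of findings.
function auditIceConfig(config) {
  const findings = [];
  if (config.iceTransportPolicy !== "relay") {
    findings.push("iceTransportPolicy is not 'relay': host/srflx candidates can bypass TURN");
  }
  let tls443 = false;
  for (const server of config.iceServers || []) {
    for (const url of [].concat(server.urls)) {
      const u = parseIceUrl(url);
      if (!u) { findings.push(`unparseable ICE URL: ${url}`); continue; }
      if (u.scheme.startsWith("stun")) continue; // STUN yields no relay candidates
      if (!server.username || !server.credential) findings.push(`no credentials for ${url}`);
      if (u.scheme === "turns" && u.port === 443 && u.transport === "tcp") tls443 = true;
    }
  }
  if (!tls443) findings.push("no turns: server on TCP 443 for networks that only allow 80/443");
  return findings;
}

// Runtime check on a gathered candidate line: true only for relay candidates.
function isRelayCandidate(candidateLine) {
  const m = / typ (host|srflx|prflx|relay)\b/.exec(candidateLine);
  return m !== null && m[1] === "relay";
}

// Constructed sample configurations.
const forcedRelay = { iceTransportPolicy: "relay", iceServers: [
  { urls: ["turns:turn.example.com:443?transport=tcp"], username: "demo-user", credential: "demo-pass" }] };
const weak = { iceServers: [{ urls: "stun:turn.example.com:3478" },
  { urls: "turn:turn.example.com:3478", username: "demo-user", credential: "demo-pass" }] };
console.log(auditIceConfig(forcedRelay), auditIceConfig(weak));
```

On the client, `isRelayCandidate` can be applied to each candidate string from the `icecandidate` event to confirm that nothing other than relay candidates is being gathered.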