TURN fallback
When a direct connection fails, Floe automatically routes through a TURN server (turn.floe.one). A TURN server acts as a secure bridge. Your data travels through it on the way to the recipient, like a courier carrying a locked box it cannot open.
Encryption
Even through a relay, your files are protected by DTLS encryption built into WebRTC. The relay server sees only encrypted data packets. It cannot read, inspect, or store your files.What relay connections mean for you
- Transfer works even on networks that block direct connections.
- Files remain encrypted end-to-end in transit.
- Speeds may be slower depending on relay server load and network conditions.
- Relay transfers are capped at 2 GB per session. See The 2 GB Relay Limit.
Disabling relay fallback
If you need to ensure files never pass through a relay, you can disable it. In the browser, toggle off Network Relay Fallback before creating the link. In the CLI, pass--no-relay:
Technical details
Technical details
TURN (Traversal Using Relays around NAT): When ICE negotiation produces only
relay candidates, both peers connect to the TURN server and the server forwards packets between them. The data is still DTLS-encrypted end-to-end before it reaches the TURN server.Credentials: The signaling server issues time-limited HMAC-SHA1 credentials for coturn (username: {expiry}:floeuser, password: base64(HMAC-SHA1(secret, username))). Credentials are valid for 24 hours.Endpoints: turn:turn.floe.one:3478 (STUN/TURN over UDP and TCP) and turns:turn.floe.one:5349 (TURN over TLS).Relay detection: The browser polls RTCStatsReport every 5 seconds and examines the nominated candidate pair. If either candidate is of type relay, the connection indicator shows amber.