prosodyctl: check turn: Add check for private IP returned from STUN.
authorMatthew Wild <mwild1@gmail.com>
Sat, 05 Mar 2022 20:34:58 +0000
changeset 12388 53b4549c2209
parent 12387 a9b6ed86b573
child 12389 92b35a41bb3c
prosodyctl: check turn: Add check for private IP returned from STUN.
util/prosodyctl/check.lua
--- a/util/prosodyctl/check.lua	Sat Mar 05 20:34:24 2022 +0000
+++ b/util/prosodyctl/check.lua	Sat Mar 05 20:34:58 2022 +0000
@@ -63,6 +63,7 @@
 
 local function check_turn_service(turn_service, ping_service)
 	local stun = require "net.stun";
+	local ip = require "util.ip";
 
 	-- Create UDP socket for communication with the server
 	local sock = assert(require "socket".udp());
@@ -103,6 +104,9 @@
 		result.error = "STUN server did not return an address";
 		return result;
 	end
+	if ip.new_ip(result.external_ip.address).private then
+		table.insert(result.warnings, "STUN returned a private IP! Is the TURN server behind a NAT and misconfigured?");
+	end
 
 	-- Send a TURN "allocate" request. Expected to fail due to auth, but
 	-- necessary to obtain a valid realm/nonce from the server.
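Review bot: The added check `ip.new_ip(result.external_ip.address).private` indexes the return value of `new_ip` directly, so if `util.ip` returns nil for an address it cannot parse, the diagnostic aborts with a Lua error instead of reporting a result. The address is taken from the remote server's STUN response, so it is worth guarding: `local external = ip.new_ip(result.external_ip.address);` followed by `if external and external.private then`. The hunk also relies on `result.warnings` having been initialised earlier in `check_turn_service`, which starts in the previous hunk and continues past this one, so that is not visible here. A short comment above the check would help the next reader, e.g. `-- A private reflexive address can also mean the check was run from inside the TURN server's own network`.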