Yep, I decided to install coturn on the separate Debian VM that also has Pi-hole installed. Worked like a charm.
I activated the following options in turnserver.conf:
listening-ip
fingerprint
use-auth-secret
static-auth-secret=
realm=stun.ourdomain.tld
total-quota=100
stale-nonce
syslog
no-multicast-peers
secure-stun
no-tls
no-dtls
and opened and forwarded port tcp/udp 3478 on my OPNsense router. Works like a charm.
listening-ip was needed, as without it the coturn service does not start upon boot, but can be activated later manually. See here
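With use-auth-secret and static-auth-secret set as in the post above, clients authenticate with short-lived credentials derived from the shared secret. The sketch below is an added example, not part of the original post or of coturn's code. It shows how such a credential is built and how the server-side check rejects expired or tampered ones. It assumes coturn's default ":" separator and HMAC-SHA1; the secret and user id are constructed placeholders.

```python
import base64
import hashlib
import hmac
import time

# Constructed placeholder; the post leaves static-auth-secret= blank.
SHARED_SECRET = "example-secret-not-from-the-post"


def _sign(secret, username):
    """base64(HMAC-SHA1(secret, username)), the TURN password."""
    mac = hmac.new(secret.encode(), username.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def make_turn_credentials(secret, user_id, ttl_seconds, now=None):
    """Return (username, password) that stay valid for ttl_seconds."""
    now = int(time.time()) if now is None else int(now)
    # The username carries the expiry time, so no per-user state is stored.
    username = f"{now + ttl_seconds}:{user_id}"
    return username, _sign(secret, username)


def verify_turn_credentials(secret, username, password, now=None):
    """Mirror the server-side check: valid HMAC and unexpired timestamp."""
    now = int(time.time()) if now is None else int(now)
    expiry_text = username.split(":", 1)[0]
    if not (expiry_text.isascii() and expiry_text.isdigit()):
        return False
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(_sign(secret, username), password):
        return False
    return int(expiry_text) > now


if __name__ == "__main__":
    user, pwd = make_turn_credentials(SHARED_SECRET, "alice", 3600)
    print(user, pwd, verify_turn_credentials(SHARED_SECRET, user, pwd))
```

Anyone who holds the shared secret can mint credentials for any user id, so it belongs only on the TURN server and the backend that issues credentials, never in client code.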