diff --git a/src/api/client/voip.rs b/src/api/client/voip.rs
index c5ea96f9..9608dc88 100644
--- a/src/api/client/voip.rs
+++ b/src/api/client/voip.rs
@@ -1,12 +1,15 @@
 use std::time::{Duration, SystemTime};
 
 use base64::{engine::general_purpose, Engine as _};
+use conduit::utils;
 use hmac::{Hmac, Mac};
-use ruma::{api::client::voip::get_turn_server_info, SecondsSinceUnixEpoch};
+use ruma::{api::client::voip::get_turn_server_info, SecondsSinceUnixEpoch, UserId};
 use sha1::Sha1;
 
 use crate::{services, Result, Ruma};
 
+const RANDOM_USER_ID_LENGTH: usize = 10;
+
 type HmacSha1 = Hmac<Sha1>;
 
 /// # `GET /_matrix/client/r0/voip/turnServer`
@@ -15,8 +18,6 @@ type HmacSha1 = Hmac<Sha1>;
 pub(crate) async fn turn_server_route(
 	body: Ruma<get_turn_server_info::v3::Request>,
 ) -> Result<get_turn_server_info::v3::Response> {
-	let sender_user = body.sender_user.as_ref().expect("user is authenticated");
-
 	let turn_secret = services().globals.turn_secret().clone();
 
 	let (username, password) = if !turn_secret.is_empty() {
@@ -27,7 +28,15 @@ pub(crate) async fn turn_server_route(
 		)
 		.expect("time is valid");
 
-		let username: String = format!("{}:{}", expiry.get(), sender_user);
+		let user = body.sender_user.unwrap_or_else(|| {
+			UserId::parse_with_server_name(
+				utils::random_string(RANDOM_USER_ID_LENGTH).to_lowercase(),
+				&services().globals.config.server_name,
+			)
+			.unwrap()
+		});
+
+		let username: String = format!("{}:{}", expiry.get(), user);
 
 		let mut mac = HmacSha1::new_from_slice(turn_secret.as_bytes()).expect("HMAC can take key of any size");
 		mac.update(username.as_bytes());
diff --git a/src/api/ruma_wrapper/auth.rs b/src/api/ruma_wrapper/auth.rs
index 35fd443d..f6dcc01f 100644
--- a/src/api/ruma_wrapper/auth.rs
+++ b/src/api/ruma_wrapper/auth.rs
@@ -91,8 +91,21 @@ pub(super) async fn auth(
 				appservice_info: Some(*info),
 			})
 		},
-		(AuthScheme::AccessToken, Token::None) => {
-			Err(Error::BadRequest(ErrorKind::MissingToken, "Missing access token."))
+		(AuthScheme::AccessToken, Token::None) => match request.parts.uri.path() {
+			// TODO: can we check this better?
+			"/_matrix/client/v3/voip/turnServer" | "/_matrix/client/r0/voip/turnServer" => {
+				if services().globals.config.turn_allow_guests {
+					Ok(Auth {
+						origin: None,
+						sender_user: None,
+						sender_device: None,
+						appservice_info: None,
+					})
+				} else {
+					Err(Error::BadRequest(ErrorKind::MissingToken, "Missing access token."))
+				}
+			},
+			_ => Err(Error::BadRequest(ErrorKind::MissingToken, "Missing access token.")),
 		},
 		(
 			AuthScheme::AccessToken | AuthScheme::AccessTokenOptional | AuthScheme::None,
diff --git a/src/core/config/mod.rs b/src/core/config/mod.rs
index 6c2c9655..ae9902e1 100644
--- a/src/core/config/mod.rs
+++ b/src/core/config/mod.rs
@@ -165,6 +165,8 @@ pub struct Config {
 	#[serde(default)]
 	pub allow_public_room_directory_without_auth: bool,
 	#[serde(default)]
+	pub turn_allow_guests: bool,
+	#[serde(default)]
 	pub lockdown_public_room_directory: bool,
 	#[serde(default)]
 	pub allow_device_name_federation: bool,