diff --git a/infra/k3s/10-config.yaml b/infra/k3s/10-config.yaml
index 4514e5d..db32877 100644
--- a/infra/k3s/10-config.yaml
+++ b/infra/k3s/10-config.yaml
@@ -48,10 +48,13 @@ data:
   # learn the TURN endpoints from Prosody via mod_external_services and
   # fall back to relay when direct UDP doesn't reach JVB:10001 (typical
   # for mobile-carrier NATs). ===
-  JVB_STUN_SERVERS: "meet.it.financeflow.de:3478"
+  # 3478 is taken on this host by OpenDesk's bundled Nextcloud-Talk
+  # TURN; we shift to 3479 (same trick as JVB on 10001 vs OpenDesk on
+  # 10000). TLS port 5349 was free.
+  JVB_STUN_SERVERS: "meet.it.financeflow.de:3479"
   TURN_HOST: "meet.it.financeflow.de"
   TURNS_HOST: "meet.it.financeflow.de"
-  TURN_PORT: "3478"
+  TURN_PORT: "3479"
   TURNS_PORT: "5349"
   TURN_TRANSPORT: "udp,tcp"
 
diff --git a/infra/k3s/80-coturn.yaml b/infra/k3s/80-coturn.yaml
index bb29331..4d90ab5 100644
--- a/infra/k3s/80-coturn.yaml
+++ b/infra/k3s/80-coturn.yaml
@@ -13,8 +13,10 @@
 # Secret entry so they stay in lockstep.
 #
 # Port plan (mirrors required FritzBox forwards):
-#   UDP 3478          STUN + TURN (cleartext)
-#   TCP 3478          TURN over TCP — first cleartext fallback
+#   UDP 3479          STUN + TURN (cleartext) — 3478 is taken by an
+#                     OpenDesk-bundled Nextcloud-Talk TURN on this host,
+#                     same shift trick we used on JVB (10000 → 10001).
+#   TCP 3479          TURN over TCP — first cleartext fallback
 #   UDP 5349          TURN over DTLS
 #   TCP 5349          TURN over TLS  — works through most firewalls
 #   UDP 50000-50100   relay range — actual media flows on these
@@ -45,7 +47,7 @@ spec:
             - |
               set -eu
               cat > /tmp/turnserver.conf <<EOF
-              listening-port=3478
+              listening-port=3479
               tls-listening-port=5349
               listening-ip=0.0.0.0
               external-ip=${PUBLIC_IP}
@@ -83,8 +85,8 @@ spec:
                   name: jitsi-secrets
                   key: TURN_CREDENTIALS_SECRET
           ports:
-            - { name: stun-udp, containerPort: 3478, hostPort: 3478, protocol: UDP }
-            - { name: stun-tcp, containerPort: 3478, hostPort: 3478, protocol: TCP }
+            - { name: stun-udp, containerPort: 3479, hostPort: 3479, protocol: UDP }
+            - { name: stun-tcp, containerPort: 3479, hostPort: 3479, protocol: TCP }
             - { name: turns-udp, containerPort: 5349, hostPort: 5349, protocol: UDP }
             - { name: turns-tcp, containerPort: 5349, hostPort: 5349, protocol: TCP }
           volumeMounts: