- What is NAT Hole Punching?
- NAT hole punching is a technique used to establish direct connections between devices behind Network Address Translation (NAT) routers or firewalls.
- The goal is to allow communication between two devices (let’s call them Node A and Node B) that are both behind different NATs.
- The Problem with NATs:
- NATs map private IP addresses to a single public IP address.
- When Node A wants to communicate with Node B, their private IP addresses are not directly reachable from the public internet.
- NATs typically block unsolicited incoming traffic (for security reasons), making direct communication impossible.
- The Hole Punching Process:
- Here’s how NAT hole punching works step by step:
- Rendezvous Server (S):
- A publicly reachable server (often called a rendezvous server) acts as an intermediary.
- Both Node A and Node B connect to this server.
- Exchange Addresses:
- Node A sends a connection request to the server, indicating its desire to communicate with Node B.
- The server responds by sharing Node B’s public IP address and port with Node A, and vice versa.
- Initial Garbage Messages:
- Node A sends a “garbage” message to Node B (e.g., an empty packet).
- Node B does the same, sending a garbage message to Node A.
- These initial messages are expected to be dropped by the NAT on the receiving side, which sees them as unsolicited inbound traffic.
- NAT State Tracking:
- However, the NATs on both sides remember the address and port to which the garbage messages were sent.
- Any incoming messages from that address and port are then treated as replies to the earlier (apparently failed) attempt.
- Second Attempt:
- Now, Node A and Node B try again, sending meaningful messages (not garbage).
- The NATs recognize these messages as replies to the previous attempt and allow them through.
- Voilà! A connection is established, and the “hole” is punched.
- Direct Communication:
- Node A and Node B can now communicate directly using their public IP addresses and ports.
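The step-by-step sequence above, as an added simulation that is not part of the original notes: a toy address-restricted NAT in Python that admits inbound packets only from endpoints its host has already sent to. It assumes the two garbage messages cross in flight (each reaches the far NAT before that NAT has recorded the peer), which is why both are dropped while the retry gets through; the server and NAT addresses are constructed from documentation ranges.

```python
from dataclasses import dataclass, field

Endpoint = tuple[str, int]  # (public IP, port) as seen from the Internet

@dataclass
class Nat:
    """Toy address-restricted NAT fronting one private host: inbound packets are
    admitted only from endpoints the host has already sent to."""
    public_addr: Endpoint
    seen_outbound: set[Endpoint] = field(default_factory=set)

    def outbound(self, dst: Endpoint) -> Endpoint:
        # Record the remote endpoint; return the source address the Internet sees.
        self.seen_outbound.add(dst)
        return self.public_addr

    def inbound(self, src: Endpoint) -> bool:
        # True = delivered to the host, False = dropped as unsolicited traffic.
        return src in self.seen_outbound

# Constructed address from a documentation range; S is the rendezvous server.
SERVER: Endpoint = ("198.51.100.1", 3478)

def crossing_exchange(nat_a: Nat, nat_b: Nat) -> tuple[bool, bool]:
    """A and B send to each other at the same instant, so each packet is judged
    against the far NAT's state *before* that NAT sees its own host's packet."""
    a_delivered = nat_b.inbound(nat_a.public_addr)
    b_delivered = nat_a.inbound(nat_b.public_addr)
    nat_a.outbound(nat_b.public_addr)  # NAT A now remembers B's public endpoint
    nat_b.outbound(nat_a.public_addr)  # NAT B now remembers A's public endpoint
    return a_delivered, b_delivered

def hole_punch(nat_a: Nat, nat_b: Nat) -> dict[str, tuple[bool, bool]]:
    # Steps 1-2: both nodes register with S, which relays the public endpoints
    # it observed (read straight off the NAT objects in this toy model).
    nat_a.outbound(SERVER)
    nat_b.outbound(SERVER)
    first = crossing_exchange(nat_a, nat_b)   # garbage packets: both dropped
    second = crossing_exchange(nat_a, nat_b)  # retry: both now look like replies
    return {"first_attempt": first, "second_attempt": second}

if __name__ == "__main__":
    nat_a, nat_b = Nat(("203.0.113.10", 40001)), Nat(("192.0.2.20", 50002))
    print(hole_punch(nat_a, nat_b))  # {'first_attempt': (False, False), 'second_attempt': (True, True)}
    # A third party that never appeared in NAT A's table is still dropped.
    print("stranger admitted:", nat_a.inbound(("198.51.100.99", 9999)))  # False
```

The last line is the point behind the "Safety and Consent" notes: the punched hole is scoped to the one peer endpoint both NATs recorded, not opened to arbitrary senders.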
- Terminology:
- A: Node 1 (e.g., your computer)
- B: Node 2 (e.g., your friend’s computer)
- S: Rendezvous server
- Safety and Consent:
- Hole punching is safe because both ends must initiate the connection.
- Consent from both users is required for the process to work.