What is NAT Hole Punching?

• NAT hole punching is a technique used to establish direct connections between devices behind Network Address Translation (NAT) routers or firewalls.
• The goal is to allow communication between two devices (let’s call them Node A and Node B) that are both behind different NATs.

The Problem with NATs:

• NATs map private IP addresses to a single public IP address.
• When Node A wants to communicate with Node B, their private IP addresses are not directly reachable from the public internet.
• NATs typically block unsolicited incoming traffic (for security reasons), making direct communication impossible.

The Hole Punching Process:

• Here’s how NAT hole punching works step by step:
  1. Rendezvous Server (S):
     • A publicly reachable server (often called a rendezvous server) acts as an intermediary.
     • Both Node A and Node B connect to this server.
  2. Exchange Addresses:
     • Node A sends a connection request to the server, indicating its desire to communicate with Node B.
     • The server responds by sharing Node B’s public IP address and port with Node A, and vice versa.
  3. Initial Garbage Messages:
     • Node A sends a “garbage” message to Node B (e.g., an empty packet).
     • Node B does the same, sending a garbage message to Node A.
     • These initial messages are intentionally discarded by their respective NATs.
  4. NAT State Tracking:
     • However, the NATs on both sides remember the address and port to which the garbage messages were sent.
     • Any incoming messages from that address are considered related to the previous (failed) communication attempt.
  5. Second Attempt:
     • Now, Node A and Node B try again, sending meaningful messages (not garbage).
     • The NATs recognize these messages as replies to the previous attempt and allow them through.
     • Voilà! A connection is established, and the “hole” is punched.
  6. Direct Communication:
     • Node A and Node B can now communicate directly using their public IP addresses and ports.

Terminology:

• A: Node 1 (e.g., your computer)
• B: Node 2 (e.g., your friend’s computer)
• S: Rendezvous server

Safety and Consent:

• Hole punching is safe because both ends must initiate the connection.
• Consent from both users is required for the process to work.