NAT Hole Punching Technique

  1. What is NAT Hole Punching?

    • NAT hole punching is a technique used to establish direct connections between devices behind Network Address Translation (NAT) routers or firewalls.
    • The goal is to allow communication between two devices (let’s call them Node A and Node B) that are both behind different NATs.
  2. The Problem with NATs:

    • NATs map private IP addresses to a single public IP address.
    • When Node A wants to communicate with Node B, their private IP addresses are not directly reachable from the public internet.
    • NATs typically block unsolicited incoming traffic (for security reasons), making direct communication impossible.
  3. The Hole Punching Process:

    • Here’s how NAT hole punching works step by step:
      1. Rendezvous Server (S):
        • A publicly reachable server (often called a rendezvous server) acts as an intermediary.
        • Both Node A and Node B connect to this server.
      2. Exchange Addresses:
        • Node A sends a connection request to the server, indicating its desire to communicate with Node B.
        • The server responds by sharing Node B’s public IP address and port with Node A, and vice versa.
      3. Initial Garbage Messages:
        • Node A sends a “garbage” message to Node B (e.g., an empty packet).
        • Node B does the same, sending a garbage message to Node A.
        • These initial messages are discarded by the NAT on the receiving side, which treats them as unsolicited traffic; this is expected and intentional.
      4. NAT State Tracking:
        • However, the NATs on both sides remember the address and port to which the garbage messages were sent.
        • Any incoming messages from that address are considered related to the previous (failed) communication attempt.
      5. Second Attempt:
        • Now, Node A and Node B try again, sending meaningful messages (not garbage).
        • The NATs recognize these messages as replies to the previous attempt and allow them through.
        • Voilà! A connection is established, and the “hole” is punched.
      6. Direct Communication:
        • Node A and Node B can now communicate directly using their public IP addresses and ports.
  4. Terminology:

    • A: Node 1 (e.g., your computer)
    • B: Node 2 (e.g., your friend’s computer)
    • S: Rendezvous server
  5. Safety and Consent:

    • Hole punching is safe because both ends must initiate the connection.
    • Consent from both users is required for the process to work.
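
The state tracking in steps 3 to 5, and the point in section 5 that both ends must initiate, can be checked with a small offline model. This is an added example, not code from the original post; the `Nat` class, the fixed public port 40000, the address-and-port-restricted filtering behaviour and all addresses are assumptions made for illustration.

```python
# Added illustration: a toy model of two address-and-port-restricted NATs.
# All addresses are constructed (RFC 5737 documentation ranges).

class Nat:
    """Stateful NAT with one inside node and one fixed public port (assumption)."""

    def __init__(self, public_ip, public_port=40000):
        self.endpoint = (public_ip, public_port)  # what the rendezvous server S sees
        self.contacted = set()                    # remote endpoints the inside node sent to

    def outbound(self, dst):
        """Inside node sends to dst: remember dst, return the translated source."""
        self.contacted.add(dst)
        return self.endpoint

    def accepts(self, src, state=None):
        """Inbound packet from src passes only if the inside node contacted src first."""
        return src in (self.contacted if state is None else state)


def simultaneous_round(nat_a, nat_b):
    """A and B send at the same instant, so each packet is judged against the
    peer NAT's state from before the round. Returns (A->B passed, B->A passed)."""
    before_a, before_b = set(nat_a.contacted), set(nat_b.contacted)
    src_a = nat_a.outbound(nat_b.endpoint)
    src_b = nat_b.outbound(nat_a.endpoint)
    return nat_b.accepts(src_a, before_b), nat_a.accepts(src_b, before_a)


def run_demo():
    nat_a, nat_b = Nat("198.51.100.10"), Nat("203.0.113.20")
    stranger = ("192.0.2.99", 4444)  # never contacted by A or B

    # Steps 1-2: S has observed both public endpoints and swapped them (modelled
    # here by each side simply knowing the other's .endpoint).
    garbage = simultaneous_round(nat_a, nat_b)  # step 3: dropped by the far NAT
    real = simultaneous_round(nat_a, nat_b)     # step 5: state now exists on both sides
    return {
        "garbage_delivered": garbage,
        "real_delivered": real,
        "stranger_reaches_a": nat_a.accepts(stranger),
        "stranger_reaches_b": nat_b.accepts(stranger),
    }


if __name__ == "__main__":
    print(run_demo())
```

In this model the punched hole admits only the exact peer endpoint each node sent to, so a third party that neither node contacted is still filtered after the connection is up.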