Archives
/
wireguard-docs
mirror of https://github.com/pirate/wireguard-docs
2
0
Fork 0
Code Issues Releases Wiki Activity

fix entry about UDP hole-punching

Browse Source
pull/13/head
Nick Sweeting 5 years ago committed by GitHub
parent 236923d8a7
commit df3aed1163
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 4 additions and 2 deletions
Show Stats Download Patch File Download Diff File

6
README.md
Unescape Escape View File

@ -265,8 +265,10 @@ More complex topologies are definitely achievable, but these are the basic routi
When 1 of the 2 parties is behind a remote NAT (e.g. when laptop behind a NAT connects to `public-server2`), the connection will be opened from NAT -> public client, then traffic will route directly between them in both directions as long as the connection is kept alive.
- **Node behind local NAT to node behind remote NAT (via relay)**
In the worst case when both parties are behind remote NATs, both will open a connection to `public-server1`, and traffic will forward through the intermediary bounce server as long as the connections are kept alive.
- **Node behind local NAT to node behind remote NAT (via NAT-busting)**
I'm not sure if Wireguard supports this method yet, but it's definitely possible in theory, see: [WebRTC](https://developer.mozilla.org/en-US/docs/Web/API/WebRTC_API), [N2N](https://www.ntop.org/products/n2n/), [Pwnat](https://samy.pl/pwnat/). A readily available signaling server like`public-server1` should make connection establishment and handoff relatively easy, but ICMP packet trickery can also be used. Please let me know if WireGuard does this via [Github Issue](https://github.com/pirate/wireguard-docs/issues).
- **Node behind local NAT to node behind remote NAT (via NAT-hole-punching)**
"Hole Punching" refers to triggering automatic NAT rules of a router in order to allow inbound traffic. When you send a UDP packet out, the router (usually) creates a temporary rule mapping your source address and port to the destination address and port, and vice versa. UDP packets returning from the destination address and port (and no other) are passed through to the original source address and port (and no other). This rule will timeout after some minutes of inactivity.
Getting this to work when both end-points are behind NATs or firewalls would require that both end-points send packets to each-other at about the same time. This means that both sides need to know each-other's public IP addresses and port numbers and need to communicate this to each-other by some other means.
WireGuard punches holes through NATs natively, but only if a UDP `ListenPort` UDP is hardcoded for peers on both sides of the NAT. It does not find a port automatically for hole-punching like WebRTC/N2N. as it has no concept of a signaling server, it only works with a hardcoded port and `PersistentKeepalive` set to some non-null value.
Choosing the proper routing method is handled automatically by WireGuard as long as at least one server is acting as a public relay with `net.ipv4.ip_forward = 1` enabled, and clients have `AllowIPs = 10.0.0.1/24` set in the relay server `[peer]` (to take traffic for the whole subnet).

Write Preview
Loading…
Cancel
Save