Definition
NAT traversal is a mechanism that enables communication between devices behind network address translation (NAT) devices and devices outside the NAT network.
NAT devices allow several devices to share one public IP address. They work by rewriting the source or destination address in each packet's IP header as the packet passes through the NAT device. This rewriting can cause problems for some network traffic, such as VPN traffic.
NAT traversal techniques let VPN traffic traverse the NAT device and establish a VPN connection even when the VPN server and the VPN client sit behind different NAT devices.
VPN Traffic Traversing NAT Devices
- Encapsulation: Wrapping VPN traffic in UDP packets allows it to traverse the NAT device; the encryption inside those UDP packets continues to protect the VPN connection.
- Third-party server: The Session Traversal Utilities for NAT (STUN) protocol uses a third-party server to facilitate the VPN connection. The VPN server and the VPN client each send requests to the STUN server, which reports the public IP address and the port mapping that the NAT device assigned to them. This information is used to establish the VPN connection.
- TCP hole punching: The VPN client sends a small amount of data toward the VPN server, which opens a "hole" in the NAT device's firewall. This hole lets the VPN server and client establish a VPN connection.
How Does NAT Traversal Work?
NAT traversal establishes communication between two endpoints across NAT. It uses several techniques to let the endpoints communicate directly, which is helpful for peer-to-peer applications that need direct communication for good performance.
NAT traversal methods for working around NAT device restrictions include:
- Port mapping: NAT devices track the ports used by each device on the private network. Port mapping lets an application or service ask the NAT device to open specific ports for incoming traffic so that external hosts can reach it.
- Keep-alive messages: Periodic keep-alive messages stop the NAT device from expiring an idle mapping, keeping the connection open for longer and giving traversal more time to succeed.
- UDP hole punching: Each endpoint sends UDP packets to the other, which "punches a hole" in each NAT device and leads it to create a mapping between the two endpoints.
- Session Traversal Utilities for NAT (STUN): A third-party server is used to identify the NAT device and learn the public IP address, so that communication can be established.
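The STUN, UDP hole punching and keep-alive steps above, as an added toy simulation (not code from the original page and not a real NAT implementation). It models two address-restricted NATs with constructed RFC 5737 addresses and a hypothetical STUN server, and shows why an inbound packet is dropped before the punch, forwarded after it, and dropped again once the idle mapping times out without keep-alives.

```python
from dataclasses import dataclass, field

@dataclass
class Nat:
    """Address-restricted NAT: one public port per private endpoint; a packet
    from outside is forwarded only if the private host already sent to that IP."""
    public_ip: str
    idle_timeout: int = 30          # seconds an idle mapping survives without keep-alive
    mappings: dict = field(default_factory=dict)  # priv -> [pub_port, allowed_ips, last_used]
    next_port: int = 40000

    def outbound(self, priv, remote_ip, now):
        """Translate an outbound packet; creates or refreshes the mapping."""
        if priv not in self.mappings:
            self.mappings[priv] = [self.next_port, set(), now]
            self.next_port += 1
        entry = self.mappings[priv]
        entry[1].add(remote_ip)
        entry[2] = now
        return (self.public_ip, entry[0])

    def inbound(self, public_port, remote_ip, now):
        """Private endpoint an inbound packet is forwarded to, or None if dropped."""
        for priv, (port, allowed, last) in list(self.mappings.items()):
            if port != public_port:
                continue
            if now - last > self.idle_timeout:
                del self.mappings[priv]         # binding timed out
                return None
            return priv if remote_ip in allowed else None
        return None

STUN_IP = "203.0.113.10"     # constructed rendezvous (STUN) server address
ALICE, BOB = ("10.0.0.5", 5000), ("192.168.1.7", 6000)   # constructed private endpoints

def hole_punch():
    """Run the STUN + punch sequence and report what each stage observed."""
    nat_a, nat_b = Nat("198.51.100.1"), Nat("198.51.100.2")
    pub_a = nat_a.outbound(ALICE, STUN_IP, now=0)   # STUN request reveals pub_a
    pub_b = nat_b.outbound(BOB, STUN_IP, now=0)     # server relays both to the peers
    before = nat_a.inbound(pub_a[1], pub_b[0], now=1)   # Bob first: Alice never sent to him
    nat_a.outbound(ALICE, pub_b[0], now=1)          # the punch: each side sends to the other
    nat_b.outbound(BOB, pub_a[0], now=1)
    after = (nat_a.inbound(pub_a[1], pub_b[0], now=2),
             nat_b.inbound(pub_b[1], pub_a[0], now=2))
    expired = nat_a.inbound(pub_a[1], pub_b[0], now=60)  # no keep-alive: binding gone
    return {"pub_a": pub_a, "pub_b": pub_b, "before": before,
            "after": after, "expired": expired}
```

A real NAT may also vary the mapping per destination (symmetric NAT), in which case the port learned via STUN is not the one used toward the peer and this punch fails.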