NAT traversal allows two computers behind their respective NATs to establish secure VPN connections with each other without using a relay. It is believed you need a service (such as ourselves) to do NAT traversal. In truth, any WireGuard peer sitting behind a traditional NAT can be easily accessed using a hole-punch technique.
This technique may not be applicable for coffee house road warriors, but if you have two relatively stable external IP addresses for the machines, you can simply configure WireGuard correctly, set PersistentKeepAlive to 5, and viola, you’ve defeated the NATs. You can consider yourself a true professional the first time you do it. It does not require port forwarding. It does not require UPnP. But it does require a “traditional” NAT, and not a carrier grade NAT.
Hole Punch Technique
The hole-punch technique allows WireGuard peers with relatively stable IP addresses to connect through their respective NATs. Wireguard is a UDP-based protocol, similar to DNS. So to illustrate, we will use DNS as an example.
If one does a DNS query like this:
C:\Users\nettica>nslookup google.com 126.96.36.199 Server: dns.google Address: 188.8.131.52 Non-authoritative answer: Name: google.com Addresses: 2607:f8b0:400a:80b::XXXX 142.250.69.XXX
Programmatically what is happening with your computer and your NAT is this:
- Your UDP packet is sent from 192.168.2.2:12345 to port 184.108.40.206:53 (dns) with a query for google.com
- 220.127.116.11:53 replies with the answer you see above
In reality, the UDP packet is sent to 192.168.2.1, your default gateway. The NAT on this gateway translates the address from 192.168.2.2:12345 to 172.16.45.23:12345 and sends it to 18.104.22.168:53. The reply goes to 172.16.45.23:12345. The NAT sees it recently sent a packet to that address, so it forwards the reply to 192.168.2.2:12345. Note that the network address was translated, but not the port.
This is how and why you can defeat the NATs. By simply knowing each others IP addresses (and ports), and persistently pinging them with a keepalive will cause the request of one machine look like a reply to the other, allowing WireGuard to synchronize the connection. It is safe and secure. Only the addresses you are actively pinging can connect through the NAT. Since you’re using WireGuard, everything sent over the connection is secure.
Pro Tip: Use the same port number on both sides of the connection to simplify the process. You can use the WireGuard port 51820, or, a nice round number like 50000.
Multiple Machines Behind a NAT
To communicate with multiple machines behind the same NAT, you must use unique ports for each machine. While most NATs do use tuples to map who is talking to whom, they can get confused if two machines using the same port are talking to the same remote machine (over UDP).