A technique for getting network traffic through NAT routers.
Communication Across Network Address Translators, the definitive
paper on the matter (with good references, too)
- A post
on the VNC mailing list that mentions another technique, used by some
entity known only as 'Hamachi', which sounds like either (a) a
misunderstanding of hole-punching or (b) something that wouldn't
an internet draft seeking to formalise NAT traversal techniques,
hole-punching in particular.
It would be really useful - and fairly easy, i think - if someone
implemented a tool which holepunched through any NATs in the area to a
peer somewhere else (behind some other NATs) and then set up a VPN over
the hole. Provided the addresses on each end of the link didn't conflict
(which would require some control over the DHCP at either end), you
could essentially establish a little mini-internet between two
disconnected NATted networks, which would be cool. In fact, all you'd
need to do is holepunch a TCP connection, then you could run PPP over
that to do the IP bit - a bit like a PPP-SSH VPN. In fact, you
could probably even run SSH or SSL over the hole to get some security. I
bet someone's already done this.
A technically better solution would be to do UDP holepunching, as
layering IP over TCP leads to head-of-line blocking and other
VTun is part of the
Thinking about the protocol stack here:
- The TCP holepuncher takes a network interface and gives you a
- The UDP holepuncher takes a network interface and gives you a
- PPP takes a stream interface and gives you a packet interface.
- SSH takes a stream interface and gives you a stream interface,
but encrypted (and compressed, if you like).
- TCP takes a packet interface and gives you a stream interface,
but that's not important right now.
- There's nothing i'm aware of which takes a packet interface and
gives you a packet interface with encryption/compression. You could run
PPP over SSH over TCP over your packet interface, but that's madness.
Some IPSEC protocol? ESP? Would be easy to hand-roll something, but this
generally leads to desperately insecure protocols.
- Once you've got a packet interface, i think you can just plug it
into your IP subsystem and use it as a route; i don't think you need a
layer to turn a packet interface into a proper network interface. Well,
not much of a layer - you've just got to serialise the IP packet and put
it in your next-layer-down packet's payload field.