5

I'd like to see UDP hole punching in action. I tested it under Linux, using Ncat. Here's what I tried:

  1. Open port 1234/UDP on host A and port 12345/UDP on host B's firewall (I'm still behind NAT, but if the packet reaches me, at least kernel won't discard it)
  2. sudo ncat -u -p 1234 B 12345 on host A, then try sending a packet to punch a hole
  3. sudo ncat -u -p 12345 A 1234 on host B, then try sending another packet to punch a hole
  4. Try communicating from host A to B and the other way round and see that no packet reaches the other side.

What could I be doing wrong? I know that host A can create a hole to host B because I observed a P2P communicator doing that, but I hadn't yet checked the other way.

Improve this question

2 Answers 2

Reset to default
1

I would suggest starting by taking host B out of the firewall, or just doing one to one NAT to host B (all protocols including TCP and UDP) to completely expose it. Or at least expose port 12345/UDP on host B. Leave host A inside the firewall, no need to open any ports. Send packets from A to B, then back from B to A. If A receive UDP packets from B you have successfully experienced hole punching at host A's firewall.

So my advise is to try to hole punch one firewall first.

I don't think it's possible to hole punch between two host completely covered by NAT unless there is third host C that can be reached by both machines and trick the firewalls to forward UDP packets inside the network.

I hope this helps

Improve this answer
1

NAT rewrites both the source IP and the source port. You can ask a STUN server what your external IP and port are. Fortunately most NAT devices make the source port predictable. You can verify this by checking multiple STUN servers. Your source IP and port should be the same.

To make this work for you, have both of your hosts do STUN requests to get the external IPs and ports. NAT rewrites the source port, so you do not need to use root or set the source port.

A> ncat -u [B external IP] [B external port] punch a hole on A
B> ncat -u [A external IP] [A external port] connect through the hole on A

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .