Bypassing Firewalls and NAT in Zero Trust VPN: What is NAT traversal?

When I used to have a dial-up connection, I didn't have a public static IP assigned to my household. Instead, the ISP shared IPs within my neighborhood or region. This sparked my interest in learning about networking – it's fascinating how a request leaves your PC, travels through your router and ISP, and then across numerous servers before safely returning.

The concept of establishing P2P connections, like when configuring WireGuard, Tailscale, or Headscale (all built on top of WireGuard), is particularly intriguing. How can a PC connect to another without having to configure an open port? I recently got the chance to understand this, and I want to share what I've learned.

Understanding Firewalls

Before diving into P2P, it's essential to grasp how firewalls work. Operating systems like Windows, Linux, or Mac include firewalls (Windows Defender, firewalld, etc.). Typically, they're configured to reject incoming requests on any port while allowing outgoing requests. This means you can download files, watch videos, or do anything you want, as long as you initiated the request.

For example, if you send a request to 8.8.8.8:1234, the firewall lets it through because you started it. It also records that a reply from that IP:port is expected, so it can forward the reply to you. A few milliseconds later, the response reaches your router, which sends it to your PC. Since your PC is awaiting data from 8.8.8.8:1234, it accepts the incoming traffic.

The NAT Challenge

But what if someone else's PC wants to initiate a connection to yours? Your firewall would block any unsolicited incoming requests. This is where things get tricky, especially since you're likely behind NAT (Network Address Translation). NAT allows your router to share a single public IP address with all devices on your network, acting like a doorman in a busy building.

How P2P Works

Here's a breakdown of how P2P connections overcome these hurdles:

  • Establish a connection to a coordinator server: You log in, register yourself as available, and obtain a list of other available devices and their listening ports.

  • Attempt to connect to the client IP: Say you try to connect to 8.8.8.8:1234. This outgoing request tells your firewall (and your NAT) that traffic from that IP:port is expected, so it will now let it in.

  • Coordinator informs other clients: The coordinator notifies the other client that you are online. Now, that client can send you a request, prompting their firewall to allow incoming traffic from you. (I'm not sure whether this happens like a broadcast, or whether the client that wants to connect tells the coordinator whom it wants to connect to.)

  • Direct communication: Both firewalls now allow the two clients to communicate directly, without a middleman!
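As an added example (not part of the original post, and not Tailscale's or WireGuard's code), here is a small Python model of the sequence above, covering both the stateful-firewall behaviour from the "Understanding Firewalls" section and the hole-punch steps in this list. It models a NAT/firewall that passes an inbound packet only if a matching outbound packet went out first, a coordinator that records the public IP:port it saw each peer arrive from, and the punch itself, where both peers send to each other's public endpoint. Everything here is an assumption of the model: the IP addresses are constructed documentation-range values, the names `Nat`, `Coordinator` and `hole_punch` are mine, and the NAT is assumed to keep one public port per internal socket regardless of destination while filtering inbound traffic per remote IP:port (the "port-restricted" behaviour hole punching relies on).

```python
from dataclasses import dataclass, field

# Constructed coordinator address (documentation range), not a real server.
COORD = ("203.0.113.10", 3478)


@dataclass
class Nat:
    """Model of a home NAT/firewall (assumption: endpoint-independent mapping,
    address-and-port-dependent filtering, i.e. a port-restricted NAT)."""
    public_ip: str
    next_port: int = 40000
    # (lan_ip, lan_port) -> public port chosen for that internal socket
    mappings: dict = field(default_factory=dict)
    # (public_port, (remote_ip, remote_port)) pairs an outbound packet has opened
    allowed: set = field(default_factory=set)

    def outbound(self, lan_addr, remote):
        """A LAN host sends to `remote`; record the hole and return the
        public (ip, port) the remote side will see as the source."""
        if lan_addr not in self.mappings:
            self.mappings[lan_addr] = self.next_port
            self.next_port += 1
        pub_port = self.mappings[lan_addr]
        self.allowed.add((pub_port, remote))
        return (self.public_ip, pub_port)

    def inbound(self, pub_port, remote):
        """A packet from `remote` arrives at our public port. Deliver it to the
        LAN host only if that host previously sent to exactly this remote;
        otherwise drop it (return None), as the firewall description says."""
        if (pub_port, remote) not in self.allowed:
            return None
        for lan_addr, port in self.mappings.items():
            if port == pub_port:
                return lan_addr
        return None


class Coordinator:
    """Rendezvous server: only stores the public endpoint each peer came from."""
    def __init__(self):
        self.registry = {}

    def register(self, name, seen_from):
        self.registry[name] = seen_from

    def lookup(self, name):
        return self.registry[name]


def hole_punch(nat_a, lan_a, nat_b, lan_b):
    """Run the four steps from the post and return what each NAT delivered
    for the three peer-to-peer packets (None means 'dropped')."""
    coord = Coordinator()

    # Step 1: both peers contact the coordinator. Each NAT opens a mapping,
    # and the coordinator records the public IP:port it saw the packet come from.
    pub_a = nat_a.outbound(lan_a, COORD)
    coord.register("A", pub_a)
    pub_b = nat_b.outbound(lan_b, COORD)
    coord.register("B", pub_b)

    # Step 2/3: the coordinator hands each peer the other's public endpoint
    # (model choice: peers ask for a specific target rather than a broadcast).
    peer_of_a = coord.lookup("B")
    peer_of_b = coord.lookup("A")

    # A sends first. This opens A's NAT towards B, but B's NAT has no hole yet,
    # so the packet is dropped on B's side.
    nat_a.outbound(lan_a, peer_of_a)
    first = nat_b.inbound(pub_b[1], pub_a)

    # B sends to A. B's NAT now has a hole towards A, and A's NAT already
    # expects traffic from B, so this packet is delivered to A.
    nat_b.outbound(lan_b, peer_of_b)
    second = nat_a.inbound(pub_a[1], pub_b)

    # Step 4: A retries; both holes exist, so traffic now flows directly.
    third = nat_b.inbound(pub_b[1], pub_a)
    return first, second, third


if __name__ == "__main__":
    a = Nat("198.51.100.7")
    b = Nat("203.0.113.99")
    print(hole_punch(a, ("192.168.1.20", 51820), b, ("10.0.0.5", 51820)))
```

The first peer-to-peer packet being dropped is the normal case, which is why real implementations send several probes in both directions rather than one. The model also shows what the technique depends on: each NAT reuses the same public port for the coordinator and for the peer. A NAT that picks a fresh port per destination (a symmetric NAT) gives the coordinator a port the peer cannot use, which is why WireGuard-based tools such as Tailscale fall back to a relay when punching fails.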

It's a clever approach. The coordinator server primarily handles IP addresses, ports, and some additional information (like public keys for encryption). Once the initial connection is established, the communication becomes P2P and can be encrypted.


This article was updated on March 21, 2024