Node to Node UDP Tunnels HOWTO?

Etienne Dechamps etienne at edechamps.fr
Tue May 15 23:22:21 CEST 2018


On 15 May 2018 at 18:23, Keith Whyte <keith at rhizomatica.org> wrote:
> Also, I have two tinc nodes behind a domestic gateway and one of them is
> doing direct data to a tinc node that is behind a NAT with no explicit
> port forwarding, the other is relaying. This is just the way it is with
> NAT hole punching, I suppose.

If you want to maximize the likelihood of successful UDP hole punching
when more than one node is behind the same NAT, then these nodes need
to use different ports. Otherwise the NAT will be forced to translate
the port of at least one of them (it can't preserve both, since
they're conflicting), which can confuse the hole punching process
since the node on the other side doesn't know the actual UDP port it
should send "punches" to. (Although, if you're using 1.1, it might
still work depending on the behaviour of the NAT, thanks to the
UDP_INFO protocol message that I've added. It's really dependent on
the details of how your NAT does port translation, though.)

In my setup, I solve that port translation problem for "client" nodes
by setting "Port = 0" in tinc.conf. This makes tinc ask the OS for a
random port to use, instead of using 655. That way, multiple nodes
behind the same NAT are very likely to use different ports, and hole
punching will work (or at least is more likely to work) for all of
them.
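To make the port-collision argument concrete, here is an added example (not code from the post or from tinc itself) that models two nodes behind one port-preserving NAT, once with tinc's default Port = 655 and once with Port = 0. The NAT model, the private addresses, and the ephemeral-port range are constructed assumptions; as noted above, real NATs differ in how they translate ports, and a NAT that rewrites ports unconditionally would not be helped by this.

```python
import random

# Constructed model of the NAT behaviour discussed in the post: the NAT tries
# to keep the internal UDP source port unchanged on the outside and only
# rewrites it when another internal host already occupies that external port.
# Assumption: real NATs vary, and some rewrite ports unconditionally.
class PortPreservingNat:
    def __init__(self, seed=1):
        self.mappings = {}   # (internal_ip, internal_port) -> external port
        self.in_use = set()  # external ports already handed out
        self.rng = random.Random(seed)

    def map_outbound(self, internal_ip, internal_port):
        key = (internal_ip, internal_port)
        if key in self.mappings:
            return self.mappings[key]
        ext = internal_port
        if ext in self.in_use:
            # Conflict: the port cannot be preserved, pick a free ephemeral one.
            while ext in self.in_use:
                ext = self.rng.randint(49152, 65535)
        self.in_use.add(ext)
        self.mappings[key] = ext
        return ext


def choose_listen_port(configured_port, rng):
    """Model tinc's Port setting: 0 means 'let the OS pick a random port'."""
    if configured_port == 0:
        return rng.randint(49152, 65535)
    return configured_port


def run_scenario(configured_port, seed=1):
    """Two nodes behind one NAT, both using the same Port= setting.

    Returns {node: (listen_port, external_port, punches_reach)}; punches_reach
    is True only when a peer on the outside, which knows just the listen port
    the node advertises, would actually hit the NAT mapping for that node.
    """
    rng = random.Random(seed)
    nat = PortPreservingNat(seed)
    nodes = [("node_a", "192.168.1.10"), ("node_b", "192.168.1.11")]  # constructed
    result = {}
    for name, ip in nodes:
        listen = choose_listen_port(configured_port, rng)
        ext = nat.map_outbound(ip, listen)
        result[name] = (listen, ext, ext == listen)
    return result


def count_reachable(configured_port, seed=1):
    """How many of the two nodes keep a punchable (untranslated) port."""
    return sum(1 for _, _, ok in run_scenario(configured_port, seed).values() if ok)


if __name__ == "__main__":
    for port in (655, 0):
        print(f"Port = {port}:")
        for name, (listen, ext, ok) in run_scenario(port).items():
            print(f"  {name}: listens on {listen}, NAT maps to {ext}, punch reaches: {ok}")
```

With Port = 655 the second node loses the port-preservation race and its external port no longer matches what it advertises, so punches aimed at 655 miss; with Port = 0 the two nodes almost certainly pick different ports and both mappings survive untranslated.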

