4.3.30Computer Networks

NAT traversal, VPN, tunneling

2,058 words9 min readdifficulty · medium

1. Why does NAT break direct connections? (WHAT + WHY)

WHY NAT exists: IPv4 has only ~4 billion addresses. NAT lets a whole home/office share a single public address.

WHY NAT breaks incoming connections: the mapping is created only when the inside host sends first. An outsider has no entry in the table, so an unsolicited packet arriving at the public IP has nowhere to go and is dropped.


2. NAT Traversal — making peers reachable anyway

2.1 Types of NAT (matters for traversal)

  • Full-cone — once an inside host opens a port, anyone can reach it via that public port. Easiest.
  • Restricted-cone — only IPs the host has spoken to may reply.
  • Port-restricted-cone — only the exact IP:port spoken to may reply.
  • Symmetric — a new public port is allocated per destination → hardest, traversal often fails.

2.2 Techniques


3. Tunneling — a packet inside a packet (HOW)

TunnelPacket=Houterdelivery    [Hinnerpayload]original packet, now opaque\text{TunnelPacket} = \underbrace{H_{\text{outer}}}_{\text{delivery}} \;\Vert\; \underbrace{\big[\,H_{\text{inner}} \Vert \text{payload}\,\big]}_{\text{original packet, now opaque}}

WHY this works: routers along the path only read the outer header. They never inspect the inner packet, so they can route an IPv6 packet across an IPv4-only path, or a private 10.x packet across the public Internet.

3.1 Overhead — a real cost you must compute

Every wrapper adds bytes. If the inner packet is LL bytes and the outer header is hh bytes: overhead ratio=hL+h,effective MTUinner=MTUpathh\text{overhead ratio} = \frac{h}{L+h}, \qquad \text{effective MTU}_{\text{inner}} = \text{MTU}_{\text{path}} - h

Figure — NAT traversal, VPN, tunneling

4. VPN — a tunnel that's also encrypted

Common protocols

  • IPsec — operates at L3. Transport mode encrypts only payload; Tunnel mode encrypts the whole inner IP packet (site-to-site VPN).
  • WireGuard / OpenVPN — modern, app-layer-ish, simpler key handling.
  • TLS-based (HTTPS) VPNs — tunnel over port 443 to look like normal web traffic.

5. How it all fits


Flashcards

Why does NAT block unsolicited incoming connections?
The translation entry is only created when the inside host sends first; an outsider's packet has no matching mapping and is dropped.
What does STUN do?
Tells a host its public IP:port as seen from outside, by querying a public server, revealing its NAT mapping.
When must you fall back to TURN instead of STUN?
With symmetric NAT (new port per destination), direct hole punching fails, so a relay (TURN) forwards the traffic.
What is ICE?
A framework that gathers candidate addresses (local, STUN-reflexive, TURN-relayed) and tests pairs to choose the best working connection (used in WebRTC).
Define tunneling/encapsulation.
Wrapping a complete packet as the payload of another protocol so it can cross a network that wouldn't natively route or accept it.
Why can a router carry an inner packet it doesn't understand?
Routers only read the OUTER header; the inner packet is opaque payload to them.
Formula for effective inner MTU through a tunnel with outer header h?
MTU_inner = MTU_path − h.
What three things does a VPN add to a plain tunnel concept?
Encapsulation + Encryption + Authentication.
Difference between IPsec transport and tunnel mode?
Transport mode encrypts only the payload; tunnel mode encrypts the entire inner IP packet (used for site-to-site).
Steel-man: why is "VPN = anonymous" wrong?
Encryption only extends to the VPN server, which sees your traffic and can exit it in the clear; you just move trust to the provider.
Why does hole punching not create a general security hole?
Restricted-cone NAT only admits the specific peer IP:port you spoke to; random attackers still lack a mapping.
Recall Feynman: explain to a 12-year-old

Imagine your house has a secret door that only opens from the inside (that's NAT). A friend outside can't knock and come in. Trick 1: you call a friend at the exact same time so both doors open together (hole punching). Trick 2: a wrapping trick — you put your letter inside another envelope with the post office's address so the mailman delivers it even though he can't read your secret note inside (tunneling). A VPN is the same wrapping, but the inner letter is in a secret code only your office can read — so the mailman carries it but can't snoop.

Connections

  • NAT and Private IP addressing
  • IPsec · TLS · WireGuard
  • WebRTC (uses ICE/STUN/TURN)
  • MTU and fragmentation
  • Firewalls · Port forwarding
  • IPv4 exhaustion · IPv6 transition (6in4 tunnels)

Concept Map

motivates

uses

no inside-first entry

solved by

discovers port via

falls back to

orchestrated by

gathers candidates from

gathers candidates from

technique

reuses

defeats

forces

encrypted form is

NAT rewrites IP:port

IPv4 address shortage

Translation table

Incoming connections break

Tunneling wraps packet

VPN encrypted tunnel

NAT traversal

STUN reveals mapping

TURN relay server

ICE framework

Hole punching

Symmetric NAT

Hinglish (regional understanding)

Intuition Hinglish mein samjho

Socho tumhara laptop ek ghar ke andar hai jiska gate sirf andar se khulta hai — yahi NAT hai. Tum bahar internet pe request bhej sakte ho, par koi bahar wala seedha tumhe knock nahi kar sakta, kyunki NAT table me uska koi entry nahi hota. Isiliye peer-to-peer connections (jaise video calls, gaming) ke liye NAT traversal chahiye. STUN tumhe batata hai ki bahar duniya tumhe kis public IP:port pe dekhti hai. Phir hole punching me dono peers ek saath packet bhejte hain taaki dono ke NAT me hole bann jaye. Agar NAT symmetric hai (har destination ke liye naya port), to ye fail ho jata hai aur TURN relay server beech me baith ke traffic forward karta hai.

Tunneling ka idea bahut simple hai: ek pura packet ko utha ke uske upar ek naya outer header chipka do. Beech ke routers sirf outer header padhte hain, andar wala packet unke liye sirf "data" hai. Isi se ek private 10.x packet ya IPv6 packet public IPv4 internet ke paar ja sakta hai. Bas yaad rakho — har wrapper kuch bytes add karta hai, isliye inner MTU = path MTU − outer header size. Ye ignore karoge to badi files atak jayengi (classic VPN bug).

VPN isi tunnel ka upgraded version hai: encapsulation + encryption + authentication. Yaani packet wrap bhi hota hai aur encrypt bhi, taaki raaste me koi padh ya forge na kar sake. Office ke 10.0.0.5 tak pahunchne ke liye laptop andar wala private packet banata hai, encrypt karta hai, outer public header lagata hai jo VPN gateway tak jata hai; gateway decrypt karke LAN pe chhod deta hai. Important baat: VPN tumhe anonymous nahi banata — encryption sirf VPN server tak hota hai, server sab dekh sakta hai. Tum bas apna trust ISP se hata ke VPN provider pe daal dete ho.

Go deeper — visual, from zero

Test yourself — Computer Networks

Connections