WHY NAT exists: IPv4 has only ~4 billion addresses. NAT lets a whole home/office share a single public address.
WHY NAT breaks incoming connections: the mapping is created only when the inside host sends first. An outsider has no entry in the table, so an unsolicited packet arriving at the public IP has nowhere to go and is dropped.
TunnelPacket=deliveryHouter∥original packet, now opaque[Hinner∥payload]
WHY this works: routers along the path only read the outer header. They never inspect the inner packet, so they can route an IPv6 packet across an IPv4-only path, or a private 10.x packet across the public Internet.
Why does NAT block unsolicited incoming connections?
The translation entry is only created when the inside host sends first; an outsider's packet has no matching mapping and is dropped.
What does STUN do?
Tells a host its public IP:port as seen from outside, by querying a public server, revealing its NAT mapping.
When must you fall back to TURN instead of STUN?
With symmetric NAT (new port per destination), direct hole punching fails, so a relay (TURN) forwards the traffic.
What is ICE?
A framework that gathers candidate addresses (local, STUN-reflexive, TURN-relayed) and tests pairs to choose the best working connection (used in WebRTC).
Define tunneling/encapsulation.
Wrapping a complete packet as the payload of another protocol so it can cross a network that wouldn't natively route or accept it.
Why can a router carry an inner packet it doesn't understand?
Routers only read the OUTER header; the inner packet is opaque payload to them.
Formula for effective inner MTU through a tunnel with outer header h?
MTU_inner = MTU_path − h.
What three things does a VPN add to a plain tunnel concept?
Encapsulation + Encryption + Authentication.
Difference between IPsec transport and tunnel mode?
Transport mode encrypts only the payload; tunnel mode encrypts the entire inner IP packet (used for site-to-site).
Steel-man: why is "VPN = anonymous" wrong?
Encryption only extends to the VPN server, which sees your traffic and can exit it in the clear; you just move trust to the provider.
Why does hole punching not create a general security hole?
Restricted-cone NAT only admits the specific peer IP:port you spoke to; random attackers still lack a mapping.
Recall Feynman: explain to a 12-year-old
Imagine your house has a secret door that only opens from the inside (that's NAT). A friend outside can't knock and come in. Trick 1: you call a friend at the exact same time so both doors open together (hole punching). Trick 2: a wrapping trick — you put your letter inside another envelope with the post office's address so the mailman delivers it even though he can't read your secret note inside (tunneling). A VPN is the same wrapping, but the inner letter is in a secret code only your office can read — so the mailman carries it but can't snoop.
Socho tumhara laptop ek ghar ke andar hai jiska gate sirf andar se khulta hai — yahi NAT hai. Tum bahar internet pe request bhej sakte ho, par koi bahar wala seedha tumhe knock nahi kar sakta, kyunki NAT table me uska koi entry nahi hota. Isiliye peer-to-peer connections (jaise video calls, gaming) ke liye NAT traversal chahiye. STUN tumhe batata hai ki bahar duniya tumhe kis public IP:port pe dekhti hai. Phir hole punching me dono peers ek saath packet bhejte hain taaki dono ke NAT me hole bann jaye. Agar NAT symmetric hai (har destination ke liye naya port), to ye fail ho jata hai aur TURN relay server beech me baith ke traffic forward karta hai.
Tunneling ka idea bahut simple hai: ek pura packet ko utha ke uske upar ek naya outer header chipka do. Beech ke routers sirf outer header padhte hain, andar wala packet unke liye sirf "data" hai. Isi se ek private 10.x packet ya IPv6 packet public IPv4 internet ke paar ja sakta hai. Bas yaad rakho — har wrapper kuch bytes add karta hai, isliye inner MTU = path MTU − outer header size. Ye ignore karoge to badi files atak jayengi (classic VPN bug).
VPN isi tunnel ka upgraded version hai: encapsulation + encryption + authentication. Yaani packet wrap bhi hota hai aur encrypt bhi, taaki raaste me koi padh ya forge na kar sake. Office ke 10.0.0.5 tak pahunchne ke liye laptop andar wala private packet banata hai, encrypt karta hai, outer public header lagata hai jo VPN gateway tak jata hai; gateway decrypt karke LAN pe chhod deta hai. Important baat: VPN tumhe anonymous nahi banata — encryption sirf VPN server tak hota hai, server sab dekh sakta hai. Tum bas apna trust ISP se hata ke VPN provider pe daal dete ho.