Exercises — NAT traversal, VPN, tunneling
Return to the parent: parent topic. Prerequisites you may want open: NAT, Private IP addressing, MTU and fragmentation.
Level 1 — Recognition (do you know the words?)
Q1.1
State, in one sentence each, what NAT, a tunnel, and a VPN do.
Recall Solution
- NAT rewrites the source
IP:portof outgoing packets to the router's publicIP:port, keeping a translation table so replies map back — many private hosts share one public address. - Tunnel wraps a complete packet as the payload of an outer packet so it can cross a network that would not otherwise route it.
- VPN is a tunnel that is also encrypted and authenticated, so two endpoints behave like one private LAN.
Q1.2
Match each tool to its job: STUN, TURN, ICE, hole punching.
Recall Solution
- STUN → tells a host its public
IP:portas seen from outside. - TURN → relays traffic through a public server when direct connection fails.
- ICE → the framework that gathers all candidate addresses and picks the best working pair.
- Hole punching → both peers send simultaneously so each outgoing packet opens a NAT mapping the other's packet can use.
Level 2 — Application (plug numbers into the definitions)
Q2.1 — Effective inner MTU
A path has B. You tunnel with an outer IPv4 header ( B) plus a GRE header ( B). What is the largest inner packet that fits without fragmentation?
Recall Solution
Outer overhead B. The inner packet must fit inside the outer one, so
Figure s01 — what to look for: the cyan outline is the whole 1500 B path budget; the amber block on the left is the B outer header that is spent before any inner data; the faint cyan block is what remains — exactly B. The picture shows the header is subtracted off the front, not added on top.

Q2.2 — Overhead ratio
Using the definition , compute the overhead ratio when the inner payload is B and B. Express as a percentage to one decimal place.
Recall Solution
So for a full-sized packet the tunnel wastes about of the wire on wrapper bytes — small, but it grows sharply for tiny packets (next question).
Q2.3 — Overhead for small packets
Same B, but now the inner payload is only B (think a bare TCP ACK). Overhead ratio?
Recall Solution
The same header now costs — over 20× worse — because the wrapper is a fixed cost spread over fewer payload bytes.
Level 3 — Analysis (why does this behave this way?)
Q3.1 — Which NAT type breaks STUN?
A peer learns its reflexive address from a STUN server as 203.0.113.9:40000, advertises it, and the other peer sends there — but nothing arrives. What NAT type is most likely, and why does the STUN answer become useless?
Recall Solution
Most likely symmetric NAT. A symmetric NAT allocates a new public port per destination. The STUN server saw the mapping created for traffic to the STUN server, i.e. 203.0.113.9:40000. When the same host now sends to the peer (a different destination IP:port), the NAT opens a different public port — so the port the STUN server reported no longer describes the path to the peer. The peer sends to a stale mapping and is dropped. This is exactly why symmetric NAT forces a fall-back to TURN.
Q3.2 — Why hole punching is not a security hole
A restricted-cone NAT is in use. First clarify its two flavours, then answer: you hole-punch to peer P at 198.51.100.7:6000. An attacker at 45.10.10.10 learns your public mapping and blasts packets at it. Do they get in? Justify with the NAT table logic.
Recall Solution
Notation note: below, the double-headed arrow "" just means "is paired/associated with" — it marks the two-way link that one NAT table row records between your public mapping and the specific remote peer it was opened for. It is not a subtraction or any operation, just "these two belong together".
First, the two flavours (both are "restricted-cone", they differ in how strict the return filter is):
- Address-restricted cone — an inbound packet is admitted only if its source IP matches an IP the inside host has already sent to; any port from that IP is allowed.
- Port-restricted cone — stricter: the inbound packet's source IP and source port must both match something the inside host sent to.
Now the attack. Your outgoing punch created the pair
- Under address-restricted NAT the filter checks source IP only → it forwards inbound packets whose source IP is
198.51.100.7. The attacker's source45.10.10.10fails the IP check → dropped. - Under port-restricted NAT the filter is even tighter, checking source IP and port → the attacker fails immediately.
Either way the attacker gets in: no. The "hole" is peer-specific (down to the IP, and under port-restricted NAT down to the exact port), not a general open door.
Q3.3 — Tunnel-in-tunnel MTU (and where the 32 B ESP figure comes from)
You run a VPN whose outer overhead is B, and inside that you additionally carry a 6in4 tunnel whose IPv6-in-IPv4 header adds B. Starting from B, what MTU is available to the innermost IPv6 payload? First justify the B, then budget the MTU.
Recall Solution
Step 1 — derive the outer overhead byte-by-byte. The B is not a magic number; it is a sum of concrete header fields for a common IPsec ESP-in-tunnel-mode configuration with AES-CBC + HMAC:
| Field | Bytes | Why it is there |
|---|---|---|
| Outer IPv4 header | 20 | delivery header (gateway → gateway) |
| ESP header (SPI + sequence) | 8 | identifies the security association, replay counter |
| IV (initialisation vector) | 16 | random block that seeds AES-CBC encryption |
| Padding + Pad-Length + Next-Header (trailer) | ≈ 2–17 | rounds the plaintext up to the 16 B cipher block boundary |
| ICV (integrity check value / auth tag) | ≈ 12 | the authentication tag that detects tampering |
The variable pieces (IV, padding, ICV) are exactly why real ESP overhead fluctuates — worst-case padding can push it well past B. For this exercise we take a representative ESP contribution of B (), giving outer total B. Always state your ESP assumption; do not memorise "32" as universal.
Step 2 — budget the MTU by subtracting each wrapper, outermost first:
Overheads stack additively because each layer's header sits inside the previous layer's payload. Nested tunnels are the classic cause of "big transfers stall" bugs.
Figure s02 — what to look for: three stacked bars for the same 1500 B pipe. The top white outline is the raw path; each lower bar adds another amber (VPN 52 B) or cyan (6in4 20 B) header slice on the left, and the usable payload (faint cyan) shrinks each time — read the labels right-to-left to see .

Level 4 — Synthesis (assemble the whole picture)
Q4.1 — Design a WebRTC call
Two browsers behind unknown NATs must set up a peer-to-peer media stream. Describe, in order, how NAT, STUN, TURN and ICE cooperate, list all four ICE candidate types, and the decision ICE makes.
Recall Solution
Term reminder — "signalling channel": before any media flows, the two browsers need a way to exchange the lists of candidate addresses they discovered. That out-of-band application channel (typically a small WebSocket/HTTPS connection through your own web server, not the peer-to-peer path itself) is called the signalling channel. It carries only setup metadata, never the media.
- Each browser gathers candidates — ICE recognises four kinds:
- host candidate — its own local
192.168.x.x:port. - server-reflexive candidate — its public mapping, learned by asking a STUN server "what address do you see me as?"
- peer-reflexive candidate — a mapping discovered at runtime: when a connectivity check arrives from an address nobody advertised (often because a NAT created a fresh mapping for the peer-to-peer path), the receiver records that newly-seen source as a peer-reflexive candidate and adds it to the pool. This is the quadrant that STUN cannot pre-discover.
- relayed candidate — an address on a TURN server, reserved in advance.
- host candidate — its own local
- Candidates are exchanged over the signalling channel defined above.
- ICE pairs local×remote candidates, orders them by priority (host > peer-reflexive > server-reflexive > relayed, because relay is slowest/costliest), and sends connectivity checks (STUN pings) on each pair — these checks are what reveal peer-reflexive candidates.
- ICE picks the highest-priority pair that actually works. If both sit behind symmetric NAT and no direct pair succeeds, ICE falls back to the TURN-relayed pair — always works, but adds a relay hop. Net effect: direct when possible, relayed only when necessary.
Q4.2 — Choose transport modes
For a site-to-site office link you use IPsec. Which IPsec mode, transport or tunnel, and why? Then explain why a mobile worker's VPN might instead ride over TLS on port 443.
Recall Solution
- Tunnel mode. Site-to-site must carry whole inner IP packets addressed to private
10.xhosts across the public Internet. Tunnel mode encrypts the entire inner IP packet and prepends a new outer IP header (gateway→gateway), so the private addresses stay hidden and routable only inside. Transport mode encrypts only the payload and keeps the original IP header — no good when the original addresses are non-routable private ones. - TLS on 443 for a roaming worker because restrictive networks (hotels, cafés) often block IPsec/UDP but almost never block
443— the VPN traffic looks like ordinary HTTPS and slips through firewalls.
Level 5 — Mastery (multi-constraint, defend your reasoning)
Q5.1 — Budget the whole path
A WireGuard VPN adds a fixed 60 B outer overhead (IPv4 20 + UDP 8 + WireGuard 32). The path MTU is 1420 B (a common mobile-carrier value). A user complains large HTTPS downloads stall while browsing feels fine.
Reminder: the MSS (Maximum Segment Size) is the largest amount of TCP payload (application data) a single TCP segment may carry — it is the inner MTU minus the inner IP+TCP header.
(a) What inner MTU should you advertise? (b) Compute the correct TCP MSS to clamp to, given a standard TCP+IP header of 40 B inside the tunnel. (c) In one line, explain the "stalls but browsing is fine" symptom.
Recall Solution
First, two terms we will need:
- DF (Don't Fragment) flag — a single bit in the IPv4 header. When set, a router that finds the packet too big for the next link is forbidden to fragment it; it must instead drop the packet and send back an ICMP "Fragmentation Needed" message telling the sender the smaller MTU. This mechanism is Path MTU Discovery (PMTUD).
- ICMP black-hole — if a firewall along the way silently discards those ICMP "too big" messages, the sender never learns it must shrink. Large DF packets keep being dropped with no feedback → the transfer just hangs. This broken state is what makes tunnel MTU bugs so maddening.
(a) Inner MTU . (b) MSS is the TCP payload per segment, so subtract the inner IP+TCP header (40 B) from the inner MTU: (c) Bulk downloads use full-size packets that, once wrapped, exceed the path MTU; with the DF flag set they are dropped and — if PMTUD's ICMP feedback is black-holed — never resized, so the transfer stalls, while small browsing requests already fit and feel fine. Clamping MSS to B forces every TCP segment to be born small enough that the full wrapped packet survives.
Q5.2 — Trust-boundary reasoning
A user claims: "I use a VPN, so my bank sees my VPN's IP and my ISP and the VPN provider can't read anything — I'm fully anonymous and fully secure." Identify every false clause and give the correct trust model.
Recall Solution
- "My ISP can't read anything" — partly true: the ISP sees only encrypted VPN traffic to the gateway, so this clause is OK for content, though the ISP still sees you use a VPN and the traffic volume.
- "The VPN provider can't read anything" — false. Traffic is decrypted at the VPN server; beyond it the packets exit toward the bank in whatever form the inner protocol dictates. The provider is now the party who sees your traffic. Only end-to-end TLS (HTTPS) keeps the content hidden from the provider too.
- "Fully anonymous" — false. The bank still authenticates you (login, cookies). A VPN changes which IP appears and who you must trust, not who you are. Correct model: a VPN shifts the trust boundary from your ISP/local network to the VPN provider, and encrypts only up to the VPN server. Anonymity and end-to-end secrecy are separate properties provided by other tools.
Q5.3 — Symmetric-NAT edge case
Both peers are behind symmetric NAT and the TURN server is unreachable (blocked). Enumerate what ICE can still try, and state the honest outcome.
Recall Solution
- host × host candidate pair — only works if both are on the same LAN (not the case for two remote users).
- server-reflexive candidates — useless here: symmetric NAT gives a new port per destination, so the STUN-learned port doesn't apply to the peer path.
- peer-reflexive candidates — symmetric NAT keeps changing the mapping per destination, so even the runtime-discovered address on one check need not survive to the next; unreliable here.
- relayed candidates — the intended fallback, but TURN is blocked, so unavailable. Honest outcome: connection fails. With symmetric NAT on both ends and no working relay, ICE has exhausted its options. This is the textbook scenario where NAT traversal cannot succeed — the only fixes are outside ICE (e.g. Port forwarding / static mapping on one side, IPv6 with a global address, or a reachable relay).
Recall Feynman: the whole page in one breath
NAT hides you, so an outsider can't knock. STUN tells you the address the world sees; if that's stable, you and a friend knock at the same instant (hole punching) and both doors open. If your NAT changes its port for every friend (symmetric), you give up and route through a helper (TURN). Every wrapper you add — tunnel, VPN, nested tunnel — steals bytes from your packet, so you must shrink the packet (lower MSS) to keep it from being too fat to pass. And a VPN doesn't make you invisible; it just changes who you have to trust with your secrets.