4.3.30 · D4Computer Networks

Exercises — NAT traversal, VPN, tunneling

3,217 words15 min readBack to topic

Return to the parent: parent topic. Prerequisites you may want open: NAT, Private IP addressing, MTU and fragmentation.


Level 1 — Recognition (do you know the words?)

Q1.1

State, in one sentence each, what NAT, a tunnel, and a VPN do.

Recall Solution
  • NAT rewrites the source IP:port of outgoing packets to the router's public IP:port, keeping a translation table so replies map back — many private hosts share one public address.
  • Tunnel wraps a complete packet as the payload of an outer packet so it can cross a network that would not otherwise route it.
  • VPN is a tunnel that is also encrypted and authenticated, so two endpoints behave like one private LAN.

Q1.2

Match each tool to its job: STUN, TURN, ICE, hole punching.

Recall Solution
  • STUN → tells a host its public IP:port as seen from outside.
  • TURN → relays traffic through a public server when direct connection fails.
  • ICE → the framework that gathers all candidate addresses and picks the best working pair.
  • Hole punching → both peers send simultaneously so each outgoing packet opens a NAT mapping the other's packet can use.

Level 2 — Application (plug numbers into the definitions)

Q2.1 — Effective inner MTU

A path has B. You tunnel with an outer IPv4 header ( B) plus a GRE header ( B). What is the largest inner packet that fits without fragmentation?

Recall Solution

Outer overhead B. The inner packet must fit inside the outer one, so Figure s01 — what to look for: the cyan outline is the whole 1500 B path budget; the amber block on the left is the B outer header that is spent before any inner data; the faint cyan block is what remains — exactly B. The picture shows the header is subtracted off the front, not added on top.

Figure — NAT traversal, VPN, tunneling

Q2.2 — Overhead ratio

Using the definition , compute the overhead ratio when the inner payload is B and B. Express as a percentage to one decimal place.

Recall Solution

So for a full-sized packet the tunnel wastes about of the wire on wrapper bytes — small, but it grows sharply for tiny packets (next question).

Q2.3 — Overhead for small packets

Same B, but now the inner payload is only B (think a bare TCP ACK). Overhead ratio?

Recall Solution

The same header now costs — over 20× worse — because the wrapper is a fixed cost spread over fewer payload bytes.


Level 3 — Analysis (why does this behave this way?)

Q3.1 — Which NAT type breaks STUN?

A peer learns its reflexive address from a STUN server as 203.0.113.9:40000, advertises it, and the other peer sends there — but nothing arrives. What NAT type is most likely, and why does the STUN answer become useless?

Recall Solution

Most likely symmetric NAT. A symmetric NAT allocates a new public port per destination. The STUN server saw the mapping created for traffic to the STUN server, i.e. 203.0.113.9:40000. When the same host now sends to the peer (a different destination IP:port), the NAT opens a different public port — so the port the STUN server reported no longer describes the path to the peer. The peer sends to a stale mapping and is dropped. This is exactly why symmetric NAT forces a fall-back to TURN.

Q3.2 — Why hole punching is not a security hole

A restricted-cone NAT is in use. First clarify its two flavours, then answer: you hole-punch to peer P at 198.51.100.7:6000. An attacker at 45.10.10.10 learns your public mapping and blasts packets at it. Do they get in? Justify with the NAT table logic.

Recall Solution

Notation note: below, the double-headed arrow "" just means "is paired/associated with" — it marks the two-way link that one NAT table row records between your public mapping and the specific remote peer it was opened for. It is not a subtraction or any operation, just "these two belong together".

First, the two flavours (both are "restricted-cone", they differ in how strict the return filter is):

  • Address-restricted cone — an inbound packet is admitted only if its source IP matches an IP the inside host has already sent to; any port from that IP is allowed.
  • Port-restricted cone — stricter: the inbound packet's source IP and source port must both match something the inside host sent to.

Now the attack. Your outgoing punch created the pair

  • Under address-restricted NAT the filter checks source IP only → it forwards inbound packets whose source IP is 198.51.100.7. The attacker's source 45.10.10.10 fails the IP check → dropped.
  • Under port-restricted NAT the filter is even tighter, checking source IP and port → the attacker fails immediately.

Either way the attacker gets in: no. The "hole" is peer-specific (down to the IP, and under port-restricted NAT down to the exact port), not a general open door.

Q3.3 — Tunnel-in-tunnel MTU (and where the 32 B ESP figure comes from)

You run a VPN whose outer overhead is B, and inside that you additionally carry a 6in4 tunnel whose IPv6-in-IPv4 header adds B. Starting from B, what MTU is available to the innermost IPv6 payload? First justify the B, then budget the MTU.

Recall Solution

Step 1 — derive the outer overhead byte-by-byte. The B is not a magic number; it is a sum of concrete header fields for a common IPsec ESP-in-tunnel-mode configuration with AES-CBC + HMAC:

Field Bytes Why it is there
Outer IPv4 header 20 delivery header (gateway → gateway)
ESP header (SPI + sequence) 8 identifies the security association, replay counter
IV (initialisation vector) 16 random block that seeds AES-CBC encryption
Padding + Pad-Length + Next-Header (trailer) ≈ 2–17 rounds the plaintext up to the 16 B cipher block boundary
ICV (integrity check value / auth tag) ≈ 12 the authentication tag that detects tampering

The variable pieces (IV, padding, ICV) are exactly why real ESP overhead fluctuates — worst-case padding can push it well past B. For this exercise we take a representative ESP contribution of B (), giving outer total B. Always state your ESP assumption; do not memorise "32" as universal.

Step 2 — budget the MTU by subtracting each wrapper, outermost first: Overheads stack additively because each layer's header sits inside the previous layer's payload. Nested tunnels are the classic cause of "big transfers stall" bugs. Figure s02 — what to look for: three stacked bars for the same 1500 B pipe. The top white outline is the raw path; each lower bar adds another amber (VPN 52 B) or cyan (6in4 20 B) header slice on the left, and the usable payload (faint cyan) shrinks each time — read the labels right-to-left to see .

Figure — NAT traversal, VPN, tunneling


Level 4 — Synthesis (assemble the whole picture)

Q4.1 — Design a WebRTC call

Two browsers behind unknown NATs must set up a peer-to-peer media stream. Describe, in order, how NAT, STUN, TURN and ICE cooperate, list all four ICE candidate types, and the decision ICE makes.

Recall Solution

Term reminder — "signalling channel": before any media flows, the two browsers need a way to exchange the lists of candidate addresses they discovered. That out-of-band application channel (typically a small WebSocket/HTTPS connection through your own web server, not the peer-to-peer path itself) is called the signalling channel. It carries only setup metadata, never the media.

  1. Each browser gathers candidates — ICE recognises four kinds:
    • host candidate — its own local 192.168.x.x:port.
    • server-reflexive candidate — its public mapping, learned by asking a STUN server "what address do you see me as?"
    • peer-reflexive candidate — a mapping discovered at runtime: when a connectivity check arrives from an address nobody advertised (often because a NAT created a fresh mapping for the peer-to-peer path), the receiver records that newly-seen source as a peer-reflexive candidate and adds it to the pool. This is the quadrant that STUN cannot pre-discover.
    • relayed candidate — an address on a TURN server, reserved in advance.
  2. Candidates are exchanged over the signalling channel defined above.
  3. ICE pairs local×remote candidates, orders them by priority (host > peer-reflexive > server-reflexive > relayed, because relay is slowest/costliest), and sends connectivity checks (STUN pings) on each pair — these checks are what reveal peer-reflexive candidates.
  4. ICE picks the highest-priority pair that actually works. If both sit behind symmetric NAT and no direct pair succeeds, ICE falls back to the TURN-relayed pair — always works, but adds a relay hop. Net effect: direct when possible, relayed only when necessary.

Q4.2 — Choose transport modes

For a site-to-site office link you use IPsec. Which IPsec mode, transport or tunnel, and why? Then explain why a mobile worker's VPN might instead ride over TLS on port 443.

Recall Solution
  • Tunnel mode. Site-to-site must carry whole inner IP packets addressed to private 10.x hosts across the public Internet. Tunnel mode encrypts the entire inner IP packet and prepends a new outer IP header (gateway→gateway), so the private addresses stay hidden and routable only inside. Transport mode encrypts only the payload and keeps the original IP header — no good when the original addresses are non-routable private ones.
  • TLS on 443 for a roaming worker because restrictive networks (hotels, cafés) often block IPsec/UDP but almost never block 443 — the VPN traffic looks like ordinary HTTPS and slips through firewalls.

Level 5 — Mastery (multi-constraint, defend your reasoning)

Q5.1 — Budget the whole path

A WireGuard VPN adds a fixed 60 B outer overhead (IPv4 20 + UDP 8 + WireGuard 32). The path MTU is 1420 B (a common mobile-carrier value). A user complains large HTTPS downloads stall while browsing feels fine.

Reminder: the MSS (Maximum Segment Size) is the largest amount of TCP payload (application data) a single TCP segment may carry — it is the inner MTU minus the inner IP+TCP header.

(a) What inner MTU should you advertise? (b) Compute the correct TCP MSS to clamp to, given a standard TCP+IP header of 40 B inside the tunnel. (c) In one line, explain the "stalls but browsing is fine" symptom.

Recall Solution

First, two terms we will need:

  • DF (Don't Fragment) flag — a single bit in the IPv4 header. When set, a router that finds the packet too big for the next link is forbidden to fragment it; it must instead drop the packet and send back an ICMP "Fragmentation Needed" message telling the sender the smaller MTU. This mechanism is Path MTU Discovery (PMTUD).
  • ICMP black-hole — if a firewall along the way silently discards those ICMP "too big" messages, the sender never learns it must shrink. Large DF packets keep being dropped with no feedback → the transfer just hangs. This broken state is what makes tunnel MTU bugs so maddening.

(a) Inner MTU . (b) MSS is the TCP payload per segment, so subtract the inner IP+TCP header (40 B) from the inner MTU: (c) Bulk downloads use full-size packets that, once wrapped, exceed the path MTU; with the DF flag set they are dropped and — if PMTUD's ICMP feedback is black-holed — never resized, so the transfer stalls, while small browsing requests already fit and feel fine. Clamping MSS to B forces every TCP segment to be born small enough that the full wrapped packet survives.

Q5.2 — Trust-boundary reasoning

A user claims: "I use a VPN, so my bank sees my VPN's IP and my ISP and the VPN provider can't read anything — I'm fully anonymous and fully secure." Identify every false clause and give the correct trust model.

Recall Solution
  • "My ISP can't read anything" — partly true: the ISP sees only encrypted VPN traffic to the gateway, so this clause is OK for content, though the ISP still sees you use a VPN and the traffic volume.
  • "The VPN provider can't read anything" — false. Traffic is decrypted at the VPN server; beyond it the packets exit toward the bank in whatever form the inner protocol dictates. The provider is now the party who sees your traffic. Only end-to-end TLS (HTTPS) keeps the content hidden from the provider too.
  • "Fully anonymous" — false. The bank still authenticates you (login, cookies). A VPN changes which IP appears and who you must trust, not who you are. Correct model: a VPN shifts the trust boundary from your ISP/local network to the VPN provider, and encrypts only up to the VPN server. Anonymity and end-to-end secrecy are separate properties provided by other tools.

Q5.3 — Symmetric-NAT edge case

Both peers are behind symmetric NAT and the TURN server is unreachable (blocked). Enumerate what ICE can still try, and state the honest outcome.

Recall Solution
  • host × host candidate pair — only works if both are on the same LAN (not the case for two remote users).
  • server-reflexive candidates — useless here: symmetric NAT gives a new port per destination, so the STUN-learned port doesn't apply to the peer path.
  • peer-reflexive candidates — symmetric NAT keeps changing the mapping per destination, so even the runtime-discovered address on one check need not survive to the next; unreliable here.
  • relayed candidates — the intended fallback, but TURN is blocked, so unavailable. Honest outcome: connection fails. With symmetric NAT on both ends and no working relay, ICE has exhausted its options. This is the textbook scenario where NAT traversal cannot succeed — the only fixes are outside ICE (e.g. Port forwarding / static mapping on one side, IPv6 with a global address, or a reachable relay).

Recall Feynman: the whole page in one breath

NAT hides you, so an outsider can't knock. STUN tells you the address the world sees; if that's stable, you and a friend knock at the same instant (hole punching) and both doors open. If your NAT changes its port for every friend (symmetric), you give up and route through a helper (TURN). Every wrapper you add — tunnel, VPN, nested tunnel — steals bytes from your packet, so you must shrink the packet (lower MSS) to keep it from being too fat to pass. And a VPN doesn't make you invisible; it just changes who you have to trust with your secrets.