Cannot get NAT traversal to work

marktheman
Posts: 2
Joined: Thu Feb 03, 2022 11:49 pm

Post by marktheman » Fri Feb 04, 2022 1:42 am

If I'm understanding correctly, the only config required on the server is to enable the DDNS and point my client to that address. However I've tried it behind NAT routers on two different networks and neither one would work. I can open firewall ports but I really like the idea of not opening any firewall ports to reduce attack surface. I tried the Azure and that works but it's unusably slow because it's routing all the traffic through that service.

Am I missing something, or does the NAT traversal function just not work? Thanks.

eddiewu
Posts: 286
Joined: Wed Nov 25, 2020 9:10 am

Post by eddiewu » Fri Feb 04, 2022 2:01 am

NAT traversal works as long as both ends have a NAT type that is not symmetric. That’s something you can do nothing about.

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Post by solo » Fri Feb 04, 2022 11:31 am

Re "not opening any firewall ports to reduce attack surface", yeah wise policy in general but if an attacker intends to probe SE weakness then simulating a SE client via NAT-T is really simple with the help of the source code...

Code:

// NAT Traversal Server Information
#define	UDP_NAT_T_SERVER_TAG				"x%c.x%c.servers.nat-traversal.softether-network.net."
#define	UDP_NAT_T_SERVER_TAG_ALT			"x%c.x%c.servers.nat-traversal.uxcom.jp."
#define	UDP_NAT_T_PORT						5004

// Related to process to get the private IP address of itself with making a TCP connection to the NAT-T server
#define	UDP_NAT_T_GET_PRIVATE_IP_TCP_SERVER		"www.msftncsi.com."
#define	UDP_NAT_T_PORT_FOR_TCP_1			80
#define	UDP_NAT_T_PORT_FOR_TCP_2			443

marktheman
Posts: 2
Joined: Thu Feb 03, 2022 11:49 pm

Post by marktheman » Fri Feb 04, 2022 7:57 pm

You're not wrong, however that's also extra steps beyond what is usually done, that being a typical port scan or Shodan search for candidate targets. Conversely, it's easier to monitor a single open TCP port than to monitor a random UDP NAT tunnel.
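
On the monitoring point, an added example (not part of any post in this thread and not SoftEther code): a log check that flags internal hosts using the NAT-T rendezvous, built from the hostname format strings and UDP port quoted above. The log line formats, the sample addresses and the concrete hostnames are constructed, and it assumes you log DNS queries and outbound flows.

```python
import re
from collections import defaultdict

# Pattern derived from UDP_NAT_T_SERVER_TAG / UDP_NAT_T_SERVER_TAG_ALT as quoted
# in the thread ("x%c.x%c.servers.nat-traversal..."); each %c is one character.
NAT_T_NAME = re.compile(
    r"^x[^.]\.x[^.]\.servers\.nat-traversal\.(softether-network\.net|uxcom\.jp)\.?$",
    re.IGNORECASE)
NAT_T_PORT = 5004  # UDP_NAT_T_PORT as quoted in the thread

# Constructed sample logs in a hypothetical format.
# DNS log: "timestamp client DNS qname answer_ip"
DNS_LOG = """\
1643940001 10.0.0.15 DNS x1.x2.servers.nat-traversal.softether-network.net. 203.0.113.10
1643940002 10.0.0.22 DNS www.example.org. 198.51.100.7
1643940003 10.0.0.31 DNS xa.xb.servers.nat-traversal.uxcom.jp. 203.0.113.11
"""
# Flow log: "timestamp src proto dst dport"
FLOW_LOG = """\
1643940005 10.0.0.15 UDP 203.0.113.10 5004
1643940006 10.0.0.22 TCP 198.51.100.7 443
1643940007 10.0.0.40 UDP 192.0.2.50 5004
"""

def find_nat_t_hosts(dns_log, flow_log):
    """Return {client_ip: finding} for hosts showing NAT-T rendezvous activity."""
    resolved = defaultdict(set)  # client -> IPs answered for NAT-T server names
    for line in dns_log.splitlines():
        _ts, client, kind, qname, answer = line.split()
        if kind == "DNS" and NAT_T_NAME.match(qname):
            resolved[client].add(answer)
    findings = {client: "dns-only" for client in resolved}
    for line in flow_log.splitlines():
        _ts, src, proto, dst, dport = line.split()
        if proto != "UDP" or int(dport) != NAT_T_PORT:
            continue
        if dst in resolved.get(src, ()):
            findings[src] = "dns+udp5004"   # lookup followed by contact: strong signal
        elif src not in findings:
            findings[src] = "udp5004-only"  # weak: other software (e.g. RTP) uses 5004
    return findings

if __name__ == "__main__":
    for host, finding in sorted(find_nat_t_hosts(DNS_LOG, FLOW_LOG).items()):
        print(host, finding)
```
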

solo
Posts: 1228
Joined: Sun Feb 14, 2021 10:31 am

Post by solo » Fri Feb 04, 2022 10:35 pm

Re "I tried the Azure and that works but it's unusably slow" - there is an alternative. Cascade it to another SE server under your control which does not need to keep a low profile, while your low profile site will need no NAT-T, port-FWD, nor DDNS, and symmetric NAT or CGNAT are of no concern.

If you don't have another SE server, try a VHUB on http://www.packetix.net/en/vpn/ - perhaps it is faster than the Azure.
