If I'm understanding correctly, the only config required on the server is to enable the DDNS and point my client to that address. However, I've tried it behind NAT routers on two different networks and neither one would work. I can open firewall ports, but I really like the idea of not opening any firewall ports to reduce attack surface. I tried the Azure and that works, but it's unusably slow because it's routing all the traffic through that service.
Am I missing something, or does the NAT traversal function just not work? Thanks.
Cannot get NAT traversal to work
- Posts: 286
- Joined: Wed Nov 25, 2020 9:10 am
Re: Cannot get NAT traversal to work
NAT traversal works as long as both ends have a NAT type that is not symmetric. That's something you can do nothing with.
- Posts: 1228
- Joined: Sun Feb 14, 2021 10:31 am
Re: Cannot get NAT traversal to work
Re "not opening any firewall ports to reduce attack surface": yeah, wise policy in general, but if an attacker intends to probe SE weakness then simulating a SE client via NAT-T is really simple with the help of the source code...
// NAT Traversal Server Information
#define UDP_NAT_T_SERVER_TAG "x%c.x%c.servers.nat-traversal.softether-network.net."
#define UDP_NAT_T_SERVER_TAG_ALT "x%c.x%c.servers.nat-traversal.uxcom.jp."
#define UDP_NAT_T_PORT 5004
// Related to process to get the private IP address of itself with making a TCP connection to the NAT-T server
#define UDP_NAT_T_GET_PRIVATE_IP_TCP_SERVER "www.msftncsi.com."
#define UDP_NAT_T_PORT_FOR_TCP_1 80
#define UDP_NAT_T_PORT_FOR_TCP_2 443
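A defender-side use of the constants quoted above, as an added example that is not code from this thread or from the SoftEther project: inventory which hosts on your own network are rendezvousing with the NAT-T servers by matching the rendezvous domain suffixes and UDP port 5004 against resolver and flow logs. The log line formats and IP addresses below are constructed for the example; adapt the regexes to your own logs.

```python
import re
from collections import defaultdict

# Domain suffixes behind UDP_NAT_T_SERVER_TAG / UDP_NAT_T_SERVER_TAG_ALT
# (the "x%c.x%c." prefix varies, so match on the suffix only).
NAT_T_SUFFIXES = (
    ".servers.nat-traversal.softether-network.net",
    ".servers.nat-traversal.uxcom.jp",
)
NAT_T_UDP_PORT = 5004  # UDP_NAT_T_PORT
# www.msftncsi.com is deliberately not used as an indicator: Windows itself
# queries it for its network connectivity check, so it would produce noise.

# Constructed sample logs: "<client_ip> query <name>" for DNS,
# "<src> -> <dst>:<port>/<proto>" for flows.
DNS_LOG = """\
10.0.0.5 query x3.x7.servers.nat-traversal.softether-network.net
10.0.0.5 query www.msftncsi.com
10.0.0.9 query example.org
10.0.0.12 query x1.x2.servers.nat-traversal.uxcom.jp
"""
FLOW_LOG = """\
10.0.0.5 -> 198.51.100.20:5004/udp
10.0.0.9 -> 203.0.113.7:443/tcp
10.0.0.12 -> 198.51.100.21:5004/udp
10.0.0.20 -> 198.51.100.22:5004/udp
"""

DNS_RE = re.compile(r"^(\S+) query (\S+?)\.?$")
FLOW_RE = re.compile(r"^(\S+) -> (\S+):(\d+)/(udp|tcp)$")

def is_nat_t_name(name):
    """True if a DNS name falls under one of the NAT-T rendezvous domains."""
    return name.lower().rstrip(".").endswith(NAT_T_SUFFIXES)

def find_nat_t_hosts(dns_log, flow_log):
    """Return {host: set of evidence strings} for hosts showing NAT-T activity.
    A DNS hit is the stronger signal; a bare UDP/5004 flow alone is only a hint."""
    hits = defaultdict(set)
    for line in dns_log.splitlines():
        m = DNS_RE.match(line)
        if m and is_nat_t_name(m.group(2)):
            hits[m.group(1)].add("dns:" + m.group(2))
    for line in flow_log.splitlines():
        m = FLOW_RE.match(line)
        if m and m.group(4) == "udp" and int(m.group(3)) == NAT_T_UDP_PORT:
            hits[m.group(1)].add("udp:" + m.group(2))
    return dict(hits)

if __name__ == "__main__":
    for host, evidence in sorted(find_nat_t_hosts(DNS_LOG, FLOW_LOG).items()):
        print(host, sorted(evidence))
```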
- Posts: 2
- Joined: Thu Feb 03, 2022 11:49 pm
Re: Cannot get NAT traversal to work
You're not wrong, however that's also extra steps beyond what is usually done, that being a typical port scan or Shodan search for candidate targets. Conversely, it's easier to monitor a single open TCP port than to monitor a random UDP NAT tunnel.
- Posts: 1228
- Joined: Sun Feb 14, 2021 10:31 am
Re: Cannot get NAT traversal to work
Re "I tried the Azure and that works but it's unusably slow": there is an alternative. Cascade it to another SE server under your control which does not need to keep a low profile, while your low-profile site will need no NAT-T, port-FWD, nor DDNS, and symmetric NAT or CGNAT are of no concern.
If you don't have another SE server, try a VHUB on http://www.packetix.net/en/vpn/ - perhaps it is faster than the Azure.