* [WireGuard] NAT Hole Punching PoC/Example
@ 2016-08-24 1:12 Jason A. Donenfeld
From: Jason A. Donenfeld @ 2016-08-24 1:12 UTC (permalink / raw)
To: WireGuard mailing list

Hey folks,

Many have asked about NAT traversal and hole punching, and I've
explained that since WireGuard is just usual UDP, you can use any of
the typical techniques. Not satisfied with that, people have demanded
examples. So, I coded up a very short proof of concept of the most
basic hole punching mechanism that integrates with WireGuard. Note:
this is PoC/example code, and as such it has a number of security
problems and thus should not be used in the real world (distros: do
NOT compile and install this); however, it suffices as a nice
illustration of the underlying concepts.

Voila: https://git.zx2c4.com/WireGuard/tree/contrib/examples/nat-hole-punching

Compile with:

    $ gcc nat-punch-client.c -o client -lresolv
    $ gcc nat-punch-server.c -o server

On the server, simply run "./server" and make sure UDP:49918 is open.
Then, for each client, configure the various peers of a wireguard
interface, as you would normally, except you can omit the endpoint.
That's what the hole punching client adds for us. For each client,
simply run:

    # ./client demo.wireguard.io wg0

It will run until it's received the correct path to all of the peers
of wg0. Replace demo.wireguard.io with your own server, or use (but do
not abuse!) the demo instance running on the demo box.

Demo:

    # wg show wg0
    interface: wg0
      public key: bqodvMJALCmDU32kcjA/cG4ZMTaX/IihN2NruSGhDXo=
      private key: (hidden)
      listening port: 25586

    peer: aQoADFvA1zZmCs40G/gp1jDCEgRVyWwSWT463VIxXCQ=
      allowed ips: 192.168.88.2/32

    peer: T3TEQxBh/+4sxuIOUhc2T8VVDhD8JBoM/V3/v72NNDI=
      allowed ips: 192.168.88.3/32

    # ./client demo.wireguard.io wg0
    [+] Requesting IP and port of aQoADFvA1zZmCs40G/gp1jDCEgRVyWwSWT463VIxXCQ=: 65.182.136.126:999
    [+] Requesting IP and port of T3TEQxBh/+4sxuIOUhc2T8VVDhD8JBoM/V3/v72NNDI=: 88.190.101.12:51821

    # wg show wg0
    interface: wg0
      public key: bqodvMJALCmDU32kcjA/cG4ZMTaX/IihN2NruSGhDXo=
      private key: (hidden)
      listening port: 25586

    peer: aQoADFvA1zZmCs40G/gp1jDCEgRVyWwSWT463VIxXCQ=
      endpoint: 65.182.136.126:999
      allowed ips: 192.168.88.2/32
      latest handshake: 36 seconds ago
      bandwidth: 110 B received, 290 B sent
      persistent keepalive: every 25 seconds

    peer: T3TEQxBh/+4sxuIOUhc2T8VVDhD8JBoM/V3/v72NNDI=
      endpoint: 88.190.101.12:51821
      allowed ips: 192.168.88.3/32
      latest handshake: 36 seconds ago
      bandwidth: 110 B received, 290 B sent
      persistent keepalive: every 25 seconds

Enjoy!
Jason
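
The rendezvous bookkeeping behind an exchange like the demo above, as an added example; it is not the code from contrib/examples/nat-hole-punching and not written by the author of this message. It keeps, per public key, the source address that key's last request arrived from and returns it to whoever asks for that key. The 64-byte request layout, the table size and the names rdv_handle and rdv_ask are assumptions made for illustration, and the keys and ports are constructed.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#define KEY_LEN 32              /* a WireGuard public key is 32 raw bytes */
#define REQ_LEN (2 * KEY_LEN)   /* assumed layout: sender key, then wanted key */
#define MAX_PEERS 64
static struct { unsigned char key[KEY_LEN]; struct sockaddr_in seen; int used; } tbl[MAX_PEERS];

/* Index of the entry for key, or, with key == NULL, of the first free slot. */
static int find(const unsigned char *key)
{
    for (int i = 0; i < MAX_PEERS; ++i)
        if (key ? tbl[i].used && !memcmp(tbl[i].key, key, KEY_LEN) : !tbl[i].used)
            return i;
    return -1;
}

/* One request at the rendezvous server; src is what recvfrom() reported, i.e. the
 * sender's address after NAT. Returns 1 (*out filled), 0 (peer unknown), -1 (error). */
int rdv_handle(const unsigned char *pkt, size_t len,
               const struct sockaddr_in *src, struct sockaddr_in *out)
{
    int i;
    if (len != REQ_LEN || ((i = find(pkt)) < 0 && (i = find(NULL)) < 0))
        return -1;              /* malformed packet or table full */
    memcpy(tbl[i].key, pkt, KEY_LEN);
    tbl[i].seen = *src;         /* newest mapping wins */
    tbl[i].used = 1;
    if ((i = find(pkt + KEY_LEN)) < 0)
        return 0;
    *out = tbl[i].seen;
    return 1;
}

/* Constructed client (key = one byte repeated); returns the wanted peer's port, 0 or -1. */
int rdv_ask(unsigned char me, unsigned char want, unsigned short port)
{
    unsigned char req[REQ_LEN];
    struct sockaddr_in got, src = { .sin_family = AF_INET, .sin_port = htons(port) };
    memset(req, me, KEY_LEN);
    memset(req + KEY_LEN, want, KEY_LEN);
    int r = rdv_handle(req, sizeof req, &src, &got);
    return r == 1 ? ntohs(got.sin_port) : r;
}

int main(void)
{
    int r1 = rdv_ask(0xAA, 0xBB, 40001), r2 = rdv_ask(0xBB, 0xAA, 51821);
    return printf("%d %d %d\n", r1, r2, rdv_ask(0xAA, 0xBB, 40001)) < 0;   /* 0 40001 51821 */
}
```

The first request returns 0 because the wanted peer has not contacted the server yet, which is why a client has to keep asking until every peer has an answer.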