On Mon, Apr 17, 2017 at 12:55 PM, Jason A. Donenfeld wrote:
> On Mon, Apr 17, 2017 at 7:45 PM, Jason E. Aten wrote:
> > 1. If it uses UDP only, how does NAT traversal (firewall punch through)
> > work?
>
> The same way UDP punching works every place else.

Thanks, Jason, for the quick reply.

If I read through the Wikipedia article on UDP hole punching, it
(https://en.wikipedia.org/wiki/UDP_hole_punching) suggests that a public
3rd party is needed.

> S is a public server with a well-known, globally reachable IP address.

...which makes total sense.

Conversely, I don't see described anywhere a public 3rd party protocol for
WireGuard clients to rendezvous. I found this post:
https://lists.zx2c4.com/pipermail/wireguard/2016-August/000372.html, which
makes rendezvous seem like an afterthought.

Should I conclude that addressing NAT-ed clients is not something that
WireGuard itself plans to address?

The "number of security problems" with the approach mentioned in passing in
the 2016-August message would need enumeration and addressing. Is anybody
thinking about those? Is this on the roadmap for future plans?

Regards,
Jason