On Mon, Apr 17, 2017 at 12:55 PM, Jason A. Donenfeld <Jason@zx2c4.com> wrote:

On Mon, Apr 17, 2017 at 7:45 PM, Jason E. Aten <j.e.aten@gmail.com> wrote:
> 1. If it uses UDP only, how does NAT traversal (firewall punch through)
> work?

The same way UDP punching works every place else.

Thanks, Jason, for the quick reply.

If I read through the wikipedia article on UDP hole punching, it (https://en.wikipedia.org/wiki/UDP_hole_punching) suggests that a public 3rd party is needed.

> S is a public server with a well-known, globally reachable IP address.

...which makes total sense. Conversely, I don't see described anywhere a public 3rd party protocol for wireguard clients to rendezvous.

I found this post: https://lists.zx2c4.com/pipermail/wireguard/2016-August/000372.html, which makes rendezvous seem like an after thought.

Should I conclude that addressing NAT-ed clients is not something that WireGuard itself plans to address?

The "number of security problems" with the approach mentioned in passing in the 2016-August message would need enumeration and addressing. Is anybody thinking about those? Is this on the roadmap for future plans?

Regards,

Jason