From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Jason E. Aten" <j.e.aten@gmail.com>
Date: Mon, 17 Apr 2017 16:28:47 -0500
Subject: Re: nat traversal / userspace impl
To: "Jason A. Donenfeld", WireGuard mailing list
List-Id: Development discussion of WireGuard

On Mon, Apr 17, 2017 at 12:55 PM, Jason A. Donenfeld wrote:
> On Mon, Apr 17, 2017 at 7:45 PM, Jason E. Aten wrote:
> > 1. If it uses UDP only, how does NAT traversal (firewall punch through)
> > work?
>
> The same way UDP punching works every place else.

Thanks, Jason, for the quick reply.

If I read through the Wikipedia article on UDP hole punching, it (https://en.wikipedia.org/wiki/UDP_hole_punching) suggests that a public 3rd party is needed.

> S is a public server with a well-known, globally reachable IP address.

...which makes total sense. Conversely, I don't see described anywhere a public 3rd party protocol for wireguard clients to rendezvous.

I found this post: https://lists.zx2c4.com/pipermail/wireguard/2016-August/000372.html, which makes rendezvous seem like an afterthought.

Should I conclude that addressing NAT-ed clients is not something that WireGuard itself plans to address?

The "number of security problems" with the approach mentioned in passing in the 2016-August message would need enumeration and addressing. Is anybody thinking about those? Is this on the roadmap for future plans?

Regards,
Jason
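As an added illustration of the rendezvous exchange the quoted Wikipedia line describes (example code written for this page, not WireGuard's code and not from this thread): a minimal stand-in for the public server S, assuming a made-up one-line `register <session>` datagram format.

```python
import socket
from typing import Dict, List, Tuple

Addr = Tuple[str, int]

class Rendezvous:
    """Introducer S: session name -> endpoints observed for that session."""
    def __init__(self) -> None:
        self.sessions: Dict[str, List[Addr]] = {}

    def handle(self, data: bytes, observed: Addr) -> List[Tuple[bytes, Addr]]:
        """Process one datagram. `observed` is the source address S actually
        saw, i.e. the NAT's public mapping, not what the client thinks it has.
        Returns (payload, destination) replies: none until both peers of the
        session are known, then one to each peer with the other's 'ip:port'."""
        if not data.startswith(b"register "):
            return []  # not a registration: ignore
        session = data[9:].decode(errors="replace").strip()
        peers = self.sessions.setdefault(session, [])
        if observed not in peers and len(peers) < 2:
            peers.append(observed)
        if len(peers) != 2:
            return []
        a, b = peers
        return [(f"{b[0]}:{b[1]}".encode(), a), (f"{a[0]}:{a[1]}".encode(), b)]


def demo_over_loopback() -> Tuple[bytes, bytes]:
    """Run S and two clients on 127.0.0.1. There is no NAT on loopback, so the
    observed endpoints equal the bind addresses, but the exchange is the one
    NAT-ed clients would perform. Returns what each client got directly from its peer."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))
    clients = [socket.socket(socket.AF_INET, socket.SOCK_DGRAM) for _ in range(2)]
    for c in clients:
        c.bind(("127.0.0.1", 0))
        c.settimeout(2)
    rv = Rendezvous()
    for c in clients:  # step 1: both peers register with S
        c.sendto(b"register demo-session", server.getsockname())
        data, addr = server.recvfrom(64)
        for payload, dest in rv.handle(data, addr):
            server.sendto(payload, dest)
    for i, c in enumerate(clients):  # step 2: learn the peer's endpoint, send directly
        host, port = c.recv(64).decode().rsplit(":", 1)
        c.sendto(f"hello from client {i}".encode(), (host, int(port)))
    got = tuple(c.recv(64) for c in clients)  # step 3: direct peer-to-peer traffic
    for s in clients + [server]:
        s.close()
    return got
```

This sample S accepts any registration without authentication, so anyone who knows the session name gets introduced; a real rendezvous service would have to settle that before anything else.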