Sunday, 28 June 2569 BE (2026)

Techniques for public access to servers on private IP addresses

1. Peer-to-peer overlay network services

ZeroTier and Tailscale are not SSL VPNs. They build a peer-to-peer overlay network and use UDP hole punching so that two peers behind NAT can exchange traffic directly instead of through a central VPN gateway.

UDP hole punching is a technique that allows two devices behind NAT routers (such as home routers) to establish a direct peer-to-peer connection without requiring manual port forwarding.

Here’s how it works:

  1. Both devices contact a public coordination server
    • Suppose Device A is at your home and Device B is in another organization.
    • Both devices first communicate with a publicly reachable server operated by the VPN service (e.g., ZeroTier).
  2. The coordination server learns their public addresses
    • The server observes the public IP address and UDP port assigned by each device’s NAT router.
  3. The server tells each device how to reach the other
    • Device A learns Device B’s public IP and port, and vice versa.
  4. Both devices simultaneously send UDP packets to each other
    • When Device A sends a packet to Device B, its NAT router creates a temporary mapping (a “hole”) allowing return traffic.
    • Device B does the same.
    • Because both sides have opened these temporary holes, the packets can pass through the NATs, establishing a direct connection.

Device A ── NAT A ── Internet ── NAT B ── Device B
     ↑                                        ↑
     └───── simultaneous UDP packets ─────────┘

Why is it called “hole punching”?

Normally, NAT routers block unsolicited incoming packets. By sending outgoing UDP packets first, each device creates a temporary opening (“hole”) in its NAT table that allows packets from the other device to enter.

Advantages

  • No need to configure port forwarding on routers.
  • Enables direct peer-to-peer communication.
  • Lower latency than relaying traffic through a central server.

Limitations

UDP hole punching does not work with all NAT types. It usually succeeds when the NAT gives an inside socket the same public port no matter which destination it talks to (an endpoint-independent mapping), which is the case for:

  • Full-cone NAT
  • Restricted-cone NAT
  • Port-restricted cone NAT

It may fail with:

  • Symmetric NAT (common in some enterprise networks and cellular networks): a fresh public port is allocated for every destination, so the port the coordination server observed is not the port the NAT uses toward the peer, and the peer's packets arrive at a hole that was never opened.
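The four steps above and the NAT-type limitation, played out in code. This is an added example written for this page, not code from ZeroTier, Tailscale or the original post. Each NAT is modelled as a table of public-port mappings with a mapping policy (one public port per inside socket for the three cone types, one per destination for symmetric NAT) and a filtering policy, and the one-shot exchange from the steps is run for every pair of NAT types. All addresses (the private hosts, the coordination server, the NATs' public IPs) are constructed for the example, and timing is idealised: both peers send before either packet arrives.

```python
"""Simulation of UDP hole punching through two NATs (added example, constructed addresses)."""
from dataclasses import dataclass, field
from itertools import count
from typing import Optional

Endpoint = tuple[str, int]  # (IP address, UDP port)

CONE_TYPES = ("full_cone", "restricted_cone", "port_restricted")
NAT_TYPES = CONE_TYPES + ("symmetric",)


@dataclass
class NAT:
    """Toy NAT: allocates public ports for outbound flows, filters unsolicited inbound packets."""
    public_ip: str
    nat_type: str
    mappings: dict = field(default_factory=dict)   # (inside, dest-or-None) -> public port
    sent_to: dict = field(default_factory=dict)    # inside endpoint -> set of destinations contacted
    _ports: count = field(default_factory=lambda: count(40000))

    def _key(self, inside: Endpoint, dest: Endpoint):
        # Cone NATs reuse one public port per inside socket whatever the destination
        # (endpoint-independent mapping); a symmetric NAT allocates a port per destination.
        return (inside, dest) if self.nat_type == "symmetric" else (inside, None)

    def outbound(self, inside: Endpoint, dest: Endpoint) -> Endpoint:
        """Inside host sends a UDP packet to dest; returns the public source endpoint the world sees."""
        key = self._key(inside, dest)
        if key not in self.mappings:
            self.mappings[key] = next(self._ports)   # this new mapping is the "hole"
        self.sent_to.setdefault(inside, set()).add(dest)
        return (self.public_ip, self.mappings[key])

    def inbound(self, src: Endpoint, dst: Endpoint) -> Optional[Endpoint]:
        """Packet from src arrives at our public endpoint dst; returns the inside endpoint it
        is delivered to, or None if the NAT drops it as unsolicited."""
        for (inside, mapped_dest), port in self.mappings.items():
            if (self.public_ip, port) != dst:
                continue
            seen = self.sent_to.get(inside, set())
            if self.nat_type == "symmetric":
                ok = src == mapped_dest                 # mapping is valid for one destination only
            elif self.nat_type == "port_restricted":
                ok = src in seen                        # inside must have sent to this exact ip:port
            elif self.nat_type == "restricted_cone":
                ok = src[0] in {d[0] for d in seen}     # inside must have sent to this IP
            else:
                ok = True                               # full cone: anyone may use the hole
            return inside if ok else None
        return None                                     # no mapping at all: dropped


def hole_punch(nat_a: NAT, nat_b: NAT) -> bool:
    """Run the four steps from the text once; True if both directions got through."""
    a_inside: Endpoint = ("192.168.1.10", 51000)   # constructed private addresses
    b_inside: Endpoint = ("10.0.0.20", 51000)
    server: Endpoint = ("198.51.100.7", 3478)      # constructed coordination (STUN-like) server

    # Steps 1-2: each peer sends to the server, which observes the mapped public endpoint.
    a_public = nat_a.outbound(a_inside, server)
    b_public = nat_b.outbound(b_inside, server)

    # Step 3: the server hands each peer the other's observed endpoint.
    # Step 4: both peers send to the learned endpoint at the same time; each send opens a
    # hole in the sender's own NAT. Timing is idealised: both sends happen before either lands.
    a_src = nat_a.outbound(a_inside, b_public)
    b_src = nat_b.outbound(b_inside, a_public)

    # Each packet now hits the far NAT from the outside.
    a_delivered = nat_b.inbound(a_src, b_public) == b_inside
    b_delivered = nat_a.inbound(b_src, a_public) == a_inside
    return a_delivered and b_delivered


def punch_matrix() -> dict[tuple[str, str], bool]:
    """Try every pair of NAT types; public IPs are constructed TEST-NET-3 addresses."""
    return {
        (ta, tb): hole_punch(NAT("203.0.113.1", ta), NAT("203.0.113.2", tb))
        for ta in NAT_TYPES for tb in NAT_TYPES
    }


if __name__ == "__main__":
    for (ta, tb), ok in punch_matrix().items():
        print(f"{ta:16} <-> {tb:16} {'direct' if ok else 'needs relay'}")
```

Running it prints the matrix: every pair of cone NATs connects directly, and every pair that includes a symmetric NAT fails, which is where the relay fallback takes over. Real implementations improve on this one-shot model by retrying and by learning the peer's actual source port from whatever packet does arrive, so symmetric-to-full-cone can sometimes still succeed in practice.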

When hole punching fails, ZeroTier, Tailscale and WebRTC applications fall back to relaying traffic through intermediary servers (ZeroTier's root servers, Tailscale's DERP relays, TURN servers for WebRTC). The connection still works, at the cost of higher latency and dependence on the relay's capacity.

The protocol used to discover a device's public address and port (step 2 above) is STUN; the relay fallback in WebRTC uses TURN, which is an extension of STUN.
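The address-discovery step in STUN terms, as an added example that is not code from ZeroTier, Tailscale or the original post. It encodes a Binding Request, builds the Binding Success Response a STUN server would return for the source endpoint it observed, and parses the XOR-MAPPED-ADDRESS attribute back out, checking the magic cookie and transaction ID so that a stale or spoofed reply is rejected. The public address and port used in the demo are constructed; `query_stun_server` sends a real request only if you call it with a server of your choosing.

```python
"""Minimal STUN (RFC 5389 / RFC 8489) Binding message encoder and parser, IPv4 only (added example)."""
import os
import socket
import struct
from typing import Optional

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020
HEADER = "!HHI12s"   # message type, attribute length, magic cookie, 96-bit transaction ID


def build_binding_request(txid: Optional[bytes] = None) -> bytes:
    """Step 1/2: the client sends this to the coordination (STUN) server."""
    txid = txid if txid is not None else os.urandom(12)   # random ID ties reply to request
    return struct.pack(HEADER, BINDING_REQUEST, 0, MAGIC_COOKIE, txid)


def _xor_mapped_address(ip: str, port: int) -> bytes:
    # The server XORs the address with the magic cookie so a NAT ALG that rewrites
    # IP literals in payloads cannot "helpfully" undo the translation.
    x_port = port ^ (MAGIC_COOKIE >> 16)
    x_addr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, 0x01, x_port, x_addr)   # reserved, family=IPv4
    return struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value


def build_binding_success(txid: bytes, public_ip: str, public_port: int) -> bytes:
    """What the server sends back: the request's transaction ID plus the observed source endpoint."""
    attrs = _xor_mapped_address(public_ip, public_port)
    return struct.pack(HEADER, BINDING_SUCCESS, len(attrs), MAGIC_COOKIE, txid) + attrs


def parse_binding_response(data: bytes, expected_txid: bytes) -> tuple[str, int]:
    """Return (public_ip, public_port) from a Binding Success Response after validating the header."""
    if len(data) < 20:
        raise ValueError("short STUN header")
    mtype, length, cookie, txid = struct.unpack(HEADER, data[:20])
    if cookie != MAGIC_COOKIE:
        raise ValueError("bad magic cookie: not RFC 5389 STUN")
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch: stale or spoofed reply")
    if mtype != BINDING_SUCCESS:
        raise ValueError(f"unexpected message type 0x{mtype:04x}")
    body = data[20:20 + length]
    if len(body) != length:
        raise ValueError("truncated message body")
    pos = 0
    while pos + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        pos += 4 + ((alen + 3) & ~3)          # attribute values are padded to 4 bytes
        if atype == ATTR_XOR_MAPPED_ADDRESS and alen == 8 and value[1] == 0x01:
            _, _, x_port, x_addr = struct.unpack("!BBHI", value)
            port = x_port ^ (MAGIC_COOKIE >> 16)
            ip = socket.inet_ntoa(struct.pack("!I", x_addr ^ MAGIC_COOKIE))
            return ip, port
    raise ValueError("no IPv4 XOR-MAPPED-ADDRESS attribute")


def query_stun_server(host: str, port: int = 3478, timeout: float = 2.0) -> tuple[str, int]:
    """Ask a real STUN server what public ip:port it sees; needs network access and a server you pick."""
    txid = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_binding_request(txid), (host, port))
        data, _ = sock.recvfrom(2048)
    return parse_binding_response(data, txid)


if __name__ == "__main__":
    # Offline demo: pretend the server saw our packet arrive from a constructed NAT endpoint.
    txid = os.urandom(12)
    request = build_binding_request(txid)
    observed_ip, observed_port = "203.0.113.9", 40001    # constructed, as a NAT might map it
    response = build_binding_success(txid, observed_ip, observed_port)
    print("request :", request.hex())
    print("response:", response.hex())
    print("parsed  :", parse_binding_response(response, txid))
```

The transaction-ID check matters more than it looks: the reply arrives over UDP from whoever wants to send it, and a forged response that claims a different public endpoint would make the client punch toward the wrong address.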

2. Cloudflare Tunnel

Cloudflare Tunnel is a free service that requires a registered domain whose DNS is hosted on Cloudflare, because the public hostname is a record in that zone. It does not use hole punching. Instead, the private server runs a connector that maintains a long-lived outbound connection to Cloudflare's edge servers, and Cloudflare forwards requests for the public hostname down that connection. No inbound port is opened on the private network.