A most elegant TCP hole punching algorithm(robertsdotpm.github.io)

73 pointsby Uptrenda6 hours ago7 comments

athrowaway3z3 hours ago
- you know each others IP's (or have a way to signal it)
- can't decide on a port in the same message
- don't suffer from NAT port randomization
I'm not saying it will never happen, but the Venn diagram of this being the minimum complexity solution just doesn't seem very large?
lxgran hour ago
Does TCP hole punching actually work with common CPEs and CG-NATs?
I don’t think I’ve ever seen it done successfully and have often wondered if it’s for a lack of use cases or due to its bad success rate and complexity compared to UDP hole punching.
That said, I really wish there was a standardized way to do it. Some sort of explicit (or at least implicit but unambiguous) indicator to all firewalls that a connection from a given host/port pair is desired for the next few seconds. Basically a lightweight, in-band port mapping protocol.
It could have well been an official recommendation to facilitate TCP hole punching, but I guess it’s too late now, as firewall behaviors have had decades to evolve into different directions.
EnigmaCurry4 hours ago
> Many home routers try to preserve the source port in external mappings. This is a property called “equal delta mapping” – it won’t work on all routers but for our algorithm we’re sacrificing coverage for simplicity.
It is precisely this point that has flummoxed me when connecting my p2p wireguard config[1] with a friend that uses a pfsense router, no matter what we tried, pfsense always chooses a random source port.
But in the simple case this blog outlines, if both ends use the same source port, this method punches through 2 firewalls effortlessly:
[1] https://blog.rymcg.tech/blog/linux/wireguard_p2p/
- jonathanlydall3 hours ago
  Does your friend setting up port forwarding on their pfSense not help in your scenario?
  - EnigmaCurry3 hours ago
    Yes, that solves it completely. But the exercise we were trying to do was to do it without that.
- getcrunkan hour ago
  AI ANSWER: (lightly edited)
  The Solution (Static Port)
  To fix this without a permanent port forward, you must enable Static Port in pfSense's Outbound NAT. This doesn't open a hole to the world; it simply tells pfSense: "When this internal IP sends UDP traffic, do not rewrite the source port."
  Navigate to Firewall > NAT > Outbound.
  Switch to Hybrid Outbound NAT (if not already).
  Add a rule at the top:
  Interface: WAN
  Protocol: UDP
  Source: [Friend's WireGuard Internal IP/Port]
  Destination: [Your Public IP]
  Translation: Check Static Port.
  - lxgran hour ago
    Did you validate this solution yourself?
    getcrunkan hour ago
    No, hence the all caps ai disclaimer. But seems plausible
    nneonneo33 minutes ago
    Lord, we're how many years into using LLMs, and people still don't understand that their whole shtick is to produce the most plausible output - not the most correct output?
    The most plausible output might be correct, or it might be utter bullshit hallucinations that only sound correct; the only way to tell is to actually try it or cross-reference primary sources. Unless you do, the AI answer is worthless.
    The reason why they're getting so good at code now is that they can check their output by running and testing it; if you're just prompting questions into a chatbot and then copying their output verbatim to a comment, you're not adding any meaningful value.
    anovikov8 minutes ago
    Exactly! This is what LLMs do: they bullshit you by coming across as extremely knowledgeable, but as soon as you understand 5% of the topic you realise you've been blatantly lied to.
sholladay3 hours ago
This is a great algorithm!
In this era where AI is eating away at how deterministic computers are, I really appreciate reading about an elegant solution to a real problem using deterministic logic.
- CamelCaseCondo32 minutes ago
  We still live in an age of deterministic computers. It’s the software that’s become fuzzy. (And since we’re on the subject: there’s no AI)
jcalvinowens4 hours ago
If you're asking "where is the listener", you don't need one: https://datatracker.ietf.org/doc/html/rfc9293#simul_connect
- cperciva2 hours ago
  RFCs may say that simultaneous connect must be allowed, but that doesn't mean that firewalls can't block it. Plenty of setups block incoming SYN,!ACK packets, and if both sides do that, the connection is never getting established.
elophanto_agent32 minutes ago
[flagged]
- mudkipdev14 minutes ago
  This is an AI slop bot
Veserv2 hours ago
Needing to punch holes in NAT is one of the most idiotic own-goals in the entire field of networking.
NAT is effectively your router doing DHCP with a 17-bit suffix (16-bit port + 1 bit for UDP vs TCP) to each of your applications and then not telling you the address it gave you or how long it is good for (which is what a regular DHCP lease does). This is in addition to it, most likely, already doing regular DHCP and allocating you a IP address that it does tell you about, but which is basically worthless since routing to just that prefix without the hidden suffix goes into a black hole.
If you could just ask your router for a lease on a chunk of IP+NAT addresses that you could allocate to your applications and rotate them as they expire, you would not need this horrifying mess.
The router would just need to maintain the last-leg routing table (what a concept, a router doing routing with routing tables) just like it already does DHCP.
The applications would have short-term stable addresses that they could just tell their peers and just directly tell the router/firewall to block anybody except the desired peer short-term address.
- lxgran hour ago
  > If you could just ask your router for a lease on a chunk of IP+NAT addresses
  The “just” is doing a lot of lifting there. I’m glad the various port mapping protocols didn’t really take off and it looks like IPv6 is going to actually make it instead. Much less complexity in most parts of the stack and network.
  - Veserv30 minutes ago
    It is always a mystery how people just randomly misinterpret what I write. At literally no point did I mention port mapping.
    I am pointing out how the problem NAT “solves” is just dynamic address configuration. They have implemented a N+K bit address where the N-bit prefix is routed and allocated using IP and the low K-bits are routed and allocated like a custom fever dream.
    You can just do it all the same way instead of doing it differently and worse for the low bits.
    To be clear, the router should rewrite zero bits in the packet under the scheme I am describing just like how routers have no need to rewrite any bits when routing to a specific globally-routable IP address.
    You get a lease for a /N+K address. /N routes to your router which routes the last K bits just like normal as if it had a /N-M to a /N route. This is a generic description of homogenous hierarchical routing.
- eptcyka2 hours ago
  Why not use plain IPv6 instead?
  - cbdevidalan hour ago
    V6 adoption has reached 46.82%[1]. So it is increasingly viable for this.
    [1] https://www.google.com/intl/en/ipv6/statistics.html
- takipsizad2 hours ago
  it's been already done ISPs just don't properly implement it (NAT-PMP and it's relatives)
- littlestymaar36 minutes ago
  Hole punching is doing exactly what you describe, just in a non-standardized way.
  We could have a standard for doing that directly at the NAT box level instead of relying on a third party STUN server, it simply didn't happen (and in fairness, the benefits would be quite minimal).