NAT Translation

[Colorfingers]

What are your thoughts on NAT? I see you thought about it in the code a bit yet I am wondering how to connect two computers behind a NAT... There is no real discussion in your Wiki of this.

[kareldonk]

Automatic management of router settings and connecting two computers behind a NAT is planned for the future. Right now if you want to connect two computers behind a NAT there are two options, as far as I can quickly come up with:

1. You can manually configure at least one of your routers if possible to do port forwarding. For example, if you have computers A and B behind a NAT, if you have access to at least one of the routers in front of one of these two computers, say computer A, you could open the listener port for TCP, say 999, on the router and forward it to computer A. That way, when QuantumGate is configured on computer A to listen for incoming TCP connections on port 999, computer B should be able to connect to it.
2. You could also set up a third computer C in the cloud with a public IP address, which could act as a bridge between computers A and B. Computer A could then connect to computer B via computer C in a 2 hop relay connection. If QuantumGate is running on computer C, what you need to do is connect the QuantumGate instance on computer A to computer C, and then also connect the QuantumGate instance on computer B to computer C. And then on computer A, you could create a relayed connection through computer C to computer B. There is actually a tutorial that could help you with this here: How to create a two hop relay.

If you need more assistance let me know.

[Colorfingers]

OK... that's what I was thinking would be an initial solution... How many connections can a single node relay comfortably, otherwise what are your thoughts of using a STURN sever? MongoICE looks like it might fit the bill... https://github.com/esl/MongooseICE We can role our own or there are a number of public ones including Google.

Thank you...

[kareldonk]

I haven't yet had the time to look into how STUN/TURN works in dept. At the very minimum I was thinking of adding automatic port forwarding configuration like https://github.com/miniupnp/miniupnp. However for anything we use, we would need to check how it might increase the attack surface for QuantumGate, for example, by adding to the traffic signature in some way so that traffic analyzers can more easily detect QuantumGate being used. One of the fundamental goals for QuantumGate is to try and make traffic analysis and probing attacks impossible or very difficult.
Since we are also more quickly transitioning to IPv6 it's also the question if it's worth investing much time into these solutions.
In the end it also depends on what kind of apps developers build using QuantumGate and what their threat model is. Right now it's certainly possible to use something like miniupnp together with QuantumGate for example.

[Colorfingers]

Well, is that something I can resolve with an extension? In my application which is an open world MMO, I envision private connections between computers. Then I would like people to also connect to public experiences at the same time... I admit the details of this have not been fleshed out.

[kareldonk]

Yes you can certainly add those features with an extender on QuantumGate. Since you mention that your application is an open world MMO you might also want to check out https://github.com/ValveSoftware/GameNetworkingSockets.

[Colorfingers]

Thanks... I'm sure I'll be back to ask more questions once we dig into it. I appreciate all your work here. It's a great project.

[0x4v0c4d0]

NAT traversal is so important for real-world use cases of this project, so you should prioritise this in you TODO list.

Let this be your starting point:

NAT bypass options:

1.Rape of NATs:

• UDP pounching
• TCP pounching

you need a server behind nat to establish a connection, and probably also to maintain it, but after the connection is established, p2p will go

2.IPv6:

Can be tunneled over IPv4 using Teredo (build-in on Windows) or Miredo (on Linux). But these two protocols can only carry ipv6 traffic over IPv4 networks. They need something else to bypass NAT (Teredo can bypass nat out of the box using UPnP. Doesn't work in symmetric nat.) (I don't know anything about Miredo)

3.Special protocols. Google:

IGD (UPnP), NAT-PMP (within Bonjour), STUN/TURN/ICE , NAT-T (IKE), RSIP, MIDCOM, SBC, ALG, ICM (STUN/TURN extension).

please add if i missed something