Summary
NAT traversal is a collection of techniques that allow two endpoints sitting behind Network Address Translation (NAT) devices to establish a direct connection, even though neither is directly reachable at a public address.
What is NAT Traversal?
Most devices today live behind NAT: home routers, mobile networks, and cloud instances translate private addresses to a shared public IP. This is fine for outbound traffic, but it breaks any protocol where two hosts behind separate NATs want to talk to each other directly.
NAT traversal solves this problem with a combination of public discovery servers and hole punching. A typical flow uses STUN to let each peer learn the public IP and port its NAT has assigned to a given outbound connection, then exchanges that information over a coordination channel. Both peers then send packets toward each other's mapped address simultaneously, "punching" matching state into both NATs so that traffic can flow.
When the NATs are too restrictive (symmetric NATs, carrier-grade NAT, strict firewalls), direct hole punching fails. In that case a TURN relay forwards traffic through a public server that both peers can reach. Modern peer-to-peer overlays and mesh VPNs combine all of these mechanisms automatically.
Why is NAT Traversal relevant?
- Direct connections: Avoids routing all traffic through a central concentrator
- Mesh VPN feasibility: Enables WireGuard-based and similar overlays to scale across roaming clients
- Performance: Direct peer paths cut latency compared to relayed traffic
- Real-time protocols: Required for WebRTC, voice/video, and many gaming protocols
Related Terms
- STUN: Protocol used to discover the public mapping of a NATed endpoint
- TURN: Relay protocol used when direct traversal cannot succeed
- Peer-to-Peer: Network model that depends on NAT traversal to reach peers
- Mesh VPN: VPN topology that uses NAT traversal between clients
- WireGuard: VPN protocol typically paired with NAT traversal mechanisms