Wireguard does not provide builtin hole punching for NAT-to-NAT connections

[webstrand]

A separate application must open the ports for wireguard in a NAT-to-NAT situation. For example, from wireguard's own set of examples: https://github.com/WireGuard/WireGuard/tree/master/contrib/examples/nat-hole-punching But this example shouldn't be used anywhere in production, as it's not necessarily secure.

wireguard-p2p is the only application that I know of that can traverse NATs and open wireguard connections. But it doesn't work with phones.

[pirate]

Cool, thanks for the info. Do you know if it's possible to run WireGuard over something like https://www.ntop.org/products/n2n/ or https://samy.pl/pwnat/ ?

[webstrand]

Wireguard can be run over any layer 3, so it should be able to run on top of n2n. It may not have the performance that using IP directly can provide, though. (I myself run wireguard on top of itself, so you'll likely have no problems)

pwnat is a nifty piece of software, but it doesn't provide a layer 3 or lower transport. All it does it punch holes through NAT's. You could use pwnat as part of a solution for connecting NATed peers, but there's a whole bunch of other orchestration that needs to happen first, before hole punching can even begin.

[pirate]

In hindsight you're 100% right about this. There was one setup where I had a box behind a NAT connecting to another that made me think it did UDP hole punching originally, but I've come to realize it was actually just using the relay server and never managed to form a connection directly between the peers. I did a ton of testing with netcat behind 4 different NATs over the last week to see if I could get NAT-to-NAT working, and I wasn't able to unless I acted as a human signaling server and manually updated the Wireguard ports on both peers to the NAT-randomized srcports, and even then it was flaky.

I've made major updates to these two sections to reflect what I've learned about the difficulty of NAT-to-NAT on modern networks:

• https://github.com/pirate/wireguard-docs#NAT-to-NAT-Connections
• https://github.com/pirate/wireguard-docs#how-wireguard-routes-packets

Thanks!