[WireGuard] NAT Hole Punching PoC/Example

Jason A. Donenfeld Jason at zx2c4.com
Wed Aug 24 03:12:47 CEST 2016


Hey folks,

Many have asked about NAT traversal and hole punching, and I've
explained that since WireGuard is just usual UDP, you can use any of
the typical techniques. Not satisfied with that, people have demanded
examples. So, I coded up a very short proof of concept of the most
basic hole punching mechanism that integrates with WireGuard. Note:
this is PoC/example code, and as such it has a number of security
problems and thus should not be used in the real world (distros: do
NOT compile and install this); however, it suffices as a nice
illustration of the underlying concepts.

Voila: https://git.zx2c4.com/WireGuard/tree/contrib/examples/nat-hole-punching

Compile with:
    $ gcc nat-punch-client.c -o client -lresolv
    $ gcc nat-punch-server.c -o server

On the server, simply run "./server" and make sure UDP:49918 is open.
Then, for each client, configure the various peers of a wireguard
interface, as you would normally, except you can omit the endpoint.
That's what the hole punching client adds for us. For each client,
simply run:

    # ./client demo.wireguard.io wg0

It will run until it's received the correct path to all of the peers
of wg0. Replace demo.wireguard.io with your own server, or use (but do
not abuse!) the demo instance running on the demo box.

Demo:

# wg show wg0
interface: wg0
  public key: bqodvMJALCmDU32kcjA/cG4ZMTaX/IihN2NruSGhDXo=
  private key: (hidden)
  listening port: 25586

peer: aQoADFvA1zZmCs40G/gp1jDCEgRVyWwSWT463VIxXCQ=
  allowed ips: 192.168.88.2/32

peer: T3TEQxBh/+4sxuIOUhc2T8VVDhD8JBoM/V3/v72NNDI=
  allowed ips: 192.168.88.3/32

# ./client demo.wireguard.io wg0
[+] Requesting IP and port of
aQoADFvA1zZmCs40G/gp1jDCEgRVyWwSWT463VIxXCQ=: 65.182.136.126:999
[+] Requesting IP and port of
T3TEQxBh/+4sxuIOUhc2T8VVDhD8JBoM/V3/v72NNDI=: 88.190.101.12:51821

# wg show wg0
interface: wg0
  public key: bqodvMJALCmDU32kcjA/cG4ZMTaX/IihN2NruSGhDXo=
  private key: (hidden)
  listening port: 25586

peer: aQoADFvA1zZmCs40G/gp1jDCEgRVyWwSWT463VIxXCQ=
  endpoint: 65.182.136.126:999
  allowed ips: 192.168.88.2/32
  latest handshake: 36 seconds ago
  bandwidth: 110 B received, 290 B sent
  persistent keepalive: every 25 seconds

peer: T3TEQxBh/+4sxuIOUhc2T8VVDhD8JBoM/V3/v72NNDI=
  endpoint: 88.190.101.12:51821
  allowed ips: 192.168.88.3/32
  latest handshake: 36 seconds ago
  bandwidth: 110 B received, 290 B sent
  persistent keepalive: every 25 seconds


Enjoy!
Jason
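The exchange the post describes (client tells a public server its key, server records the public IP:port the NAT gave that datagram, other clients ask for it and feed it to `wg set ... endpoint`), written out as an added toy example. This is editor-supplied code, not the PoC from the WireGuard repository: the `REGISTER`/`LOOKUP` message format, the key strings and the addresses are constructed for illustration, and the PoC's real wire format may differ. It runs entirely on loopback.

```python
"""Toy UDP rendezvous for NAT hole punching (constructed example, not the PoC).

Flow: a client sends REGISTER <pubkey> to the server, which stores the source
ip:port it observed (the NAT mapping); another client sends LOOKUP <pubkey>
and receives that ip:port, then installs it as the WireGuard endpoint with
persistent keepalives so the NAT mapping stays alive."""
import socket
import threading


class RendezvousServer:
    """UDP server keyed by an (unauthenticated) public-key string."""

    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind((host, port))        # port 0 lets the OS pick one
        self.addr = self.sock.getsockname()
        self.peers = {}                     # pubkey -> (ip, port) last seen
        self.lock = threading.Lock()
        self._stop = False
        self.thread = threading.Thread(target=self._serve, daemon=True)

    def handle(self, data, src):
        """Compute the reply for one datagram that arrived from src=(ip, port)."""
        parts = data.decode("ascii", "replace").split(" ", 1)
        if len(parts) != 2:
            return b"NONE"
        cmd, key = parts
        if cmd == "REGISTER":
            # Anyone can register any key: a spoofed entry cannot read traffic
            # (WireGuard still authenticates peers by key) but it can point
            # peers at a dead endpoint, i.e. deny service.  A real server
            # should demand proof of possession of the key before storing it.
            with self.lock:
                self.peers[key] = src
            return b"OK"
        if cmd == "LOOKUP":
            with self.lock:
                ep = self.peers.get(key)
            return f"{ep[0]}:{ep[1]}".encode() if ep else b"NONE"
        return b"NONE"

    def start(self):
        self.thread.start()

    def stop(self):
        self._stop = True
        self.thread.join(timeout=2)
        self.sock.close()

    def _serve(self):
        self.sock.settimeout(0.2)           # wake periodically to check _stop
        while not self._stop:
            try:
                data, src = self.sock.recvfrom(512)
            except socket.timeout:
                continue
            except OSError:
                return
            self.sock.sendto(self.handle(data, src), src)


def rendezvous(server_addr, own_key, peer_keys, timeout=2.0):
    """Register own_key, then resolve each peer key; returns {key: "ip:port"}.

    Caveat: for the recorded mapping to be the one WireGuard uses, the
    REGISTER datagram must leave from the interface's listening port.  This
    example sends from an arbitrary port, which is enough on loopback."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(b"REGISTER " + own_key.encode(), server_addr)
        reply, _ = sock.recvfrom(512)
        if reply != b"OK":
            raise RuntimeError(f"registration failed: {reply!r}")
        found = {}
        for key in peer_keys:
            sock.sendto(b"LOOKUP " + key.encode(), server_addr)
            reply, _ = sock.recvfrom(512)
            if reply != b"NONE":
                found[key] = reply.decode("ascii")
        return found
    finally:
        sock.close()


def wg_set_endpoint_cmd(iface, peer_key, endpoint, keepalive=25):
    """argv for wg(8) that installs a learned endpoint; the keepalive is what
    keeps the punched NAT mapping open (the demo above shows 25 seconds)."""
    return ["wg", "set", iface, "peer", peer_key, "endpoint", endpoint,
            "persistent-keepalive", str(keepalive)]


if __name__ == "__main__":
    srv = RendezvousServer()
    srv.start()
    a = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)   # "peer A" registers
    a.settimeout(2)
    a.sendto(b"REGISTER peerA", srv.addr)
    a.recvfrom(512)
    # "peer B" asks where A is and prints the command it would run as root.
    for key, ep in rendezvous(srv.addr, "peerB", ["peerA", "peerC"]).items():
        print(" ".join(wg_set_endpoint_cmd("wg0", key, ep)))
    a.close()
    srv.stop()
```

Two things the toy makes visible that the post only hints at: the server never learns anything except what NAT address a datagram came from, so the whole scheme is just a directory of observed mappings; and because that directory is unauthenticated, registering someone else's key is a trivial denial of service, which is one of the "security problems" that make the PoC unfit for production use.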