nat traversal / userspace impl

Jason E. Aten j.e.aten at
Mon Apr 17 23:28:47 CEST 2017

On Mon, Apr 17, 2017 at 12:55 PM, Jason A. Donenfeld <Jason at>

> On Mon, Apr 17, 2017 at 7:45 PM, Jason E. Aten <j.e.aten at> wrote:
> > 1. If it uses UDP only, how does NAT traversal (firewall punch through)
> > work?
> The same way UDP punching works every place else.

Thanks, Jason, for the quick reply.

If I read through the wikipedia article on UDP hole punching, it ( suggests that a public 3rd
party is needed.

> S is a public server with a well-known, globally reachable IP address.

...which makes total sense. Conversely, I don't see described anywhere a
public 3rd party protocol for wireguard clients to rendezvous.

I found this post:, which
makes rendezvous seem like an after thought.

Should I conclude that addressing NAT-ed clients is not something that
WireGuard itself plans to address?

The "number of security problems" with the approach mentioned in passing in
the 2016-August message would need enumeration and addressing. Is anybody
thinking about those? Is this on the roadmap for future plans?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the WireGuard mailing list