Networking Forums

Direct connections through NAT/firewall

 
 
Jem Berkes
07-22-2003, 09:49 PM
I'm involved with some research at the University of Manitoba (in Winnipeg,
Canada) this summer. My colleagues and I are in the process of developing a
method for reliably establishing direct connections over the Internet
between two hosts that are both behind NAT gateways.

The software we've come up with runs in userspace linux, so there is no
kernel or network stack tweaking required. It can easily be extended to
multiple operating systems.

No ports have to be explicitly opened at the firewall. And the method is
able to "break through" several kinds of NAT/firewalls - we've tried linux
2.4, as well as some netgear and linksys hardware routers.

Does anyone know if something like this already exists? The only technology
I've seen so far was a windows program that had to modify the network
stacks on both sides - clearly unacceptable for generic use.

--
Jem Berkes
http://www.pc-tools.net/
Windows, Linux & UNIX software

 

Peter
07-22-2003, 10:19 PM
> I'm involved with some research at the University of Manitoba (in Winnipeg,
> Canada) this summer. My colleagues and I are in the process of developing a
> method for reliably establishing direct connections over the Internet
> between two hosts that are both behind NAT gateways.


Wonder how you do it? Something like sending UDP on a pre-agreed port (same on both
sides)?

Peter


 

Ken Kauffman
07-22-2003, 10:33 PM

"Jem Berkes" <(E-Mail Removed)> wrote in message
news:Xns93C0AB1E2CA4Ejbuserspc9org@205.200.16.73...
| I'm involved with some research at the University of Manitoba (in Winnipeg,
| Canada) this summer. My colleagues and I are in the process of developing a
| method for reliably establishing direct connections over the Internet
| between two hosts that are both behind NAT gateways.
|
| The software we've come up with runs in userspace linux, so there is no
| kernel or network stack tweaking required. It can easily be extended to
| multiple operating systems.
|
| No ports have to be explicitly opened at the firewall. And the method is
| able to "break through" several kinds of NAT/firewalls - we've tried linux
| 2.4, as well as some netgear and linksys hardware routers.
|
| Does anyone know if something like this already exists? The only technology
| I've seen so far was a windows program that had to modify the network
| stacks on both sides - clearly unacceptable for generic use.
|
| --
| Jem Berkes
| http://www.pc-tools.net/
| Windows, Linux & UNIX software
|

Have you researched WebEx? Not sure if it's exactly the same or not.

ken k


 

/dev/rob0
07-22-2003, 11:07 PM
In article <Xns93C0AB1E2CA4Ejbuserspc9org@205.200.16.73>,
Jem Berkes wrote:
> method for reliably establishing direct connections over the Internet
> between two hosts that are both behind NAT gateways.
> [snip]
> Does anyone know if something like this already exists? The only technology


I use OpenVPN in such a manner. It relies upon kernel support in the
form of the universal tun/tap driver, which is ported to numerous
Unix-like OS's already, and [if someone interested wanted to do so]
could probably be implemented on Windows easily enough. But IIUC you're
talking about something *entirely* in userspace? Not setting up a
virtual network interface, but rather just making a peer-to-peer
connection inside your own software?
--
/dev/rob0 - preferred_email=i$((28*28+28))@softhome.net
or put "not-spam" or "/dev/rob0" in Subject header to reply
 

Carl Farrington
07-22-2003, 11:40 PM
/dev/rob0 wrote:
> In article <Xns93C0AB1E2CA4Ejbuserspc9org@205.200.16.73>,
> Jem Berkes wrote:
>> method for reliably establishing direct connections over the Internet
>> between two hosts that are both behind NAT gateways.
>> [snip]
>> Does anyone know if something like this already exists? The only
>> technology
>
> I use OpenVPN in such a manner. It relies upon kernel support in the
> form of the universal tun/tap driver, which is ported to numerous
> Unix-like OS's already, and [if someone interested wanted to do so]
> could probably be implemented on Windows easily enough. But IIUC
> you're talking about something *entirely* in userspace? Not setting
> up a virtual network interface, but rather just making a peer-to-peer
> connection inside your own software?


There must be a trigger on each end, in order to set the NAT incoming port
redirection ready... I'm intrigued - the website didn't seem to mention
anything.

Maybe machine@net1 tries to establish a connection to machine2@net2, which
doesn't work because of the NAT router/firewall getting in the way at net2,
but machine2@net2 is trying to establish a similar connection to
machine@net1, and therefore the NAT firewall at net2 is awaiting an incoming
connection from machine@net1 that it will happily direct over to
machine2@net2.

Must be some kind of packetfoolery going on..

Hey.. that's a cool name, "packetfoolery".. I'm off to register it :-)


 

/dev/rob0
07-23-2003, 12:10 AM
In article <bfki4e$ire$1$(E-Mail Removed)>,
Carl Farrington wrote:
>>> method for reliably establishing direct connections over the Internet
>>> between two hosts that are both behind NAT gateways.
>>
>> I use OpenVPN in such a manner. It relies upon kernel support in the
>
> there must be a trigger on each end.. in order to set the nat incoming port


Yes, in OpenVPN it's a pre-agreed UDP port on each end, and to keep the
connection active in /proc/net/ip_conntrack, pings are sent at a fixed
interval. If one or the other side goes offline, the connection will be
silently reestablished when it's up again. Dynamic IPs work as long as
at least one side has a means of resolving the other one's name.

> hey.. that's a cool name "packetfoolery" .. i'm off to register it :-)



--
/dev/rob0 - preferred_email=i$((28*28+28))@softhome.net
or put "not-spam" or "/dev/rob0" in Subject header to reply
 

James Knott
07-23-2003, 02:01 AM
Jem Berkes wrote:

> I'm involved with some research at the University of Manitoba (in
> Winnipeg, Canada) this summer. My colleagues and I are in the process of
> developing a method for reliably establishing direct connections over the
> Internet between two hosts that are both behind NAT gateways.
>
> The software we've come up with runs in userspace linux, so there is no
> kernel or network stack tweaking required. It can easily be extended to
> multiple operating systems.
>
> No ports have to be explicitly opened at the firewall. And the method is
> able to "break through" several kinds of NAT/firewalls - we've tried linux
> 2.4, as well as some netgear and linksys hardware routers.
>
> Does anyone know if something like this already exists? The only
> technology I've seen so far was a windows program that had to modify the
> network stacks on both sides - clearly unacceptable for generic use.
>


Well, the CIPE VPN will do most of that, except "break through" firewalls.
When you talk about breaking through in that manner, I get the impression
you don't know how firewalls work. A TCP packet includes a port number.
The firewall will allow or deny access, depending on the port number. If
it doesn't allow a port, that packet will not get through, no matter what
you do. With that CIPE VPN, you get to specify what UDP port you want to
use. You then have to configure your firewall to allow those packets in.

--

Fundamentalism is fundamentally wrong.

To reply to this message, replace everything to the left of "@" with
james.knott.
 

Jem Berkes
07-23-2003, 04:28 AM
> Well, the CIPE VPN, will do most of that, except "break through"
> firewalls. When you talk about breaking through in that manner, I
> get the impression you don't know how firewalls work. A tcp packet
> includes a port number. The firewall will allow or deny access,
> depending on the port number.


Don't worry, I have a pretty good idea of how firewalls work.

Firewalls do not necessarily allow/deny access on port number. The method
we have developed works equally well with stateful firewalls.

--
Jem Berkes
http://www.pc-tools.net/
Windows, Linux & UNIX software

 

Jem Berkes
07-23-2003, 04:30 AM
> Wonder how you do it? Smth like sending UDP on pre-agreed port (same
> on both sides)?


Our method relies heavily upon pre-agreed parameters, though note that port
numbers alone are insufficient to get through NAT routers that rewrite
port numbers according to some algorithm unknown to the user side. That's
really the crunch, but we've been able to solve it.

--
Jem Berkes
http://www.pc-tools.net/
Windows, Linux & UNIX software
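
The mechanism Carl sketches above (both machines sending first, so each NAT already holds state when the peer's packet arrives) and the port-rewriting snag Jem describes, as an added toy model that is not from the thread or from Jem's software: two stateful NATs with conntrack-style tables, one pre-agreed port, and a simultaneous send from both sides. It shows why a port-preserving ("cone") NAT admits the peer's packet, why an unsolicited inbound packet is dropped, and why a NAT that allocates a fresh public port per destination ("symmetric", the filtering mode an administrator can choose to deny pre-agreed ports) makes the pre-agreed port insufficient. The addresses, the mode names and port 4000 are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class StatefulNat:
    """Toy NAT with a conntrack-style table (constructed for illustration).
    cone: the inside port is reused as the public port.
    symmetric: a fresh public port per remote endpoint, so a peer cannot
    predict it from a pre-agreed number alone."""
    public_ip: str
    mode: str = "cone"
    next_port: int = 50000
    # (inside_ip, inside_port, remote_ip, remote_port) -> public_port
    table: dict = field(default_factory=dict)

    def outbound(self, pkt: Packet) -> Packet:
        # An inside host sends out: create state, then rewrite the source.
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.table:
            self.table[key] = pkt.src_port if self.mode == "cone" else self.next_port
            self.next_port += 1
        return Packet(self.public_ip, self.table[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet):
        """Admit only a packet matching state an inside host created; else drop."""
        for (in_ip, in_port, r_ip, r_port), pub_port in self.table.items():
            if (r_ip, r_port, pub_port) == (pkt.src_ip, pkt.src_port, pkt.dst_port):
                return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port)
        return None  # no matching state: the stateful firewall drops it

PORT = 4000  # pre-agreed port on both sides, as in the thread (constructed)
NAT_A, NAT_B = "198.51.100.1", "203.0.113.2"  # documentation-range public IPs

def unsolicited_inbound_is_dropped() -> bool:
    """Nobody inside has sent anything yet, so there is no state to match."""
    return StatefulNat(NAT_B).inbound(Packet(NAT_A, PORT, NAT_B, PORT)) is None

def simultaneous_send(mode: str) -> bool:
    """Both hosts send to the peer's public address on PORT before either
    sees a reply; True when each NAT then admits the other side's packet."""
    nat_a, nat_b = StatefulNat(NAT_A, mode), StatefulNat(NAT_B, mode)
    a_out = nat_a.outbound(Packet("192.168.1.10", PORT, NAT_B, PORT))
    b_out = nat_b.outbound(Packet("10.0.0.20", PORT, NAT_A, PORT))
    return nat_b.inbound(a_out) is not None and nat_a.inbound(b_out) is not None
```

With `mode="cone"` both packets are delivered; with `mode="symmetric"` each NAT's entry names a public port the peer never learned, so both packets are dropped, which is the case Jem says needs more than a pre-agreed port.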

 

James Knott
07-23-2003, 10:43 AM
Jem Berkes wrote:

>> Well, the CIPE VPN, will do most of that, except "break through"
>> firewalls. When you talk about breaking through in that manner, I
>> get the impression you don't know how firewalls work. A tcp packet
>> includes a port number. The firewall will allow or deny access,
>> depending on the port number.

>
> Don't worry, I have a pretty good idea of how firewalls work
>
> Firewalls do not necessarily allow/deny access on port number. The method
> we have developed works equally well with stateful firewalls as well.
>


I'm trying to understand how it's supposed to work. The originating side is
easy, in any firewall that doesn't block it. What happens at the
destination? Are you connecting directly to another computer? If so, how?
Connecting to the firewall? In the CIPE I mentioned, you have to configure
the firewall to allow the specified UDP port?

--

Fundamentalism is fundamentally wrong.

To reply to this message, replace everything to the left of "@" with
james.knott.
 