8

I'm trying to make an (Apache) server behind multi-layered NAT accessible from the Internet.

Restrictions:

  1. Avoid relays. There is a public server (we call him the OldMan) for login / STUN, but its bandwidth is too poor to carry relayed data.
  2. I have no right to configure the NATs manually.
  3. Users don't have to change their browser or device (that is, it works on Android, iOS, and any PC).

I tried UPnP, but it only works with a single layer of NAT.

I tried to search NAT traversal solutions for several months, but in vain.

I studied STUN/TURN/ICE and tried pjsip (icedemo.exe + numb); however, its STUN cannot punch through 2-layered NAT.

I tried Mist and Pwnat, but with no luck. And libjingle sounds like an API for making GTalk extensions, as far as I know...(?)

I also tried to make a VPN/N2N to solve this, but this would be a heavy load on the public server. Any VPN client requires the server (the OldMan server) to relay all the packets to the other side, doesn't it?

Are there any solutions to this problem: an HTTP server behind multi-layered NATs?

BTW, if STUN/TURN/ICE works, my idea is as follows; is it possible?

  1. The user installs an application (e.g. stun_browser_agent.exe).
  2. The user types the following address into Chrome: 127.0.0.1:9999
  3. Chrome connects to the stun_browser_agent.exe daemon.
  4. The daemon connects to the HTTP server with the STUN protocol.
  5. A daemon on the HTTP server (e.g. stun_apache_agent.exe) receives all the messages and relays them to the Apache daemon.
  6. Apache replies with all the HTTP information --> stun_apache_agent.exe --> stun_browser_agent.exe --> Chrome

Then we won't have to modify the browser or Apache.

Are there any available resources I can refer to in order to implement this?

Thank you for your patience

Mikko
Smith.Lai
  • I guess all NATs have public IP addresses and STUN uses the IP of the NAT closest to the peer. So STUN should work in a multi-layered scenario. – Prashant Borde Dec 06 '13 at 11:02
  • I'm curious whether you ever got around to a solution for this. I've got the same question (hole punching a two-layered NAT). Although I have the option to relay, I would love to do it P2P. – denniebee Aug 04 '15 at 21:26
  • Because I wanted to access the webpage from a browser through normal HTTP at that time. – Smith.Lai Dec 09 '15 at 02:01

3 Answers

0

Do you have control over all NAT devices between this server and the "outside world"?

One approach would be to set up an SSH tunnel between your internet gateway router and your server.

The SSH tunnel would be initiated from your server and connect to an sshd running on your internet gateway router. Use the port forwarding capabilities of SSH to forward port 80 on the internet gateway back to whatever port Apache is running on on your server.

Another approach would be to set up sshd (or any other tunnelling product) on any other server accessible on the public internet. Initiate your connection to it from your server and use that connection to forward traffic from port 80 on that public server to your server.

The approach is basically the same: you need to initiate the tunnel setup from your server and use that connection to forward the traffic from the public server back to yours.

Colin 't Hart
  • I beg your pardon. Does that mean I would have to get access to set up sshd on these "internet gateways" or on "any other server"? I wanted to use a VPN before, but this kind of tunneling technique requires a relay server, doesn't it? I have a computer in my lab with a public IP but poor internet bandwidth, which is used to register or log something... but it is too slow to be a relay or proxy server. – Smith.Lai Jul 26 '12 at 10:28
  • Well, you have basically 3 possible ways to get this to work: 1. a server on the internet which can function as gateway/relay/proxy (this is the approach I described). 2. Use some tools to see if you can establish NAT traversal, see http://en.wikipedia.org/wiki/NAT_traversal, but it sounds like you already tried this without success. 3. Set up port forwarding manually in the NATting devices between you and the public internet. But you've told us you don't have access to do this. So if this is the case, the only option remaining to you is 1: have a gateway/proxy/relay server on the public internet. – Colin 't Hart Jul 26 '12 at 10:44
  • "1. a server on the internet which can function as gateway/relay/proxy (this is the approach I described)." Excuse me, does that mean there is some "free resource" to use? Or do I have to build another gateway/relay/proxy server? As my "restriction 1" describes, the only public server I have is an old machine with poor bandwidth, which is too slow to be a relay server... that's why I tried to use STUN (TURN/ICE for future extension). – Smith.Lai Jul 27 '12 at 03:56
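The second approach in this answer (tunnel initiated from the server behind NAT, public host forwards port back down the tunnel), written out as an added example that is not part of the original answer. The hostname oldman.example.org, the account name, the key path and the ports are assumptions for illustration. Two practical points the answer leaves implicit: by default sshd binds a remote forward to loopback only, so GatewayPorts must be yes or clientspecified on the public host for outsiders to reach it; and binding port 80 there needs root, so an unprivileged port (or a reverse proxy on the public host) is used instead. Note that this is exactly the relay the question wants to avoid: every byte of every HTTP session crosses the OldMan's link.

```shell
#!/bin/sh
# Added example, not from the original answer: publish a dorm Apache on the
# public "OldMan" box through a reverse SSH tunnel started from the dorm PC.
# Hostname, account, key path and ports below are assumptions.
set -eu

PUBLIC_HOST=oldman.example.org        # assumed: the public login/STUN box
TUNNEL_USER=tunnel                    # assumed: unprivileged account there
KEY=${HOME:-/root}/.ssh/oldman_tunnel # assumed: dedicated key for the tunnel
REMOTE_PORT=8080   # >1024, so no root needed on OldMan to bind it
LOCAL_PORT=80      # where Apache listens on the dorm PC

# tunnel run|print
# -N: no shell, forwarding only.  -R 0.0.0.0:R:127.0.0.1:L: sshd on OldMan
# listens on R and hands each connection back down the tunnel to local L.
# ExitOnForwardFailure makes ssh exit (so a supervisor such as autossh or a
# systemd unit can restart it) if the remote port is already taken;
# ServerAlive* notices a dead NAT mapping within roughly 90 seconds.
tunnel() {
    mode=$1
    set -- ssh -N -i "$KEY" \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
        -R "0.0.0.0:$REMOTE_PORT:127.0.0.1:$LOCAL_PORT" \
        "$TUNNEL_USER@$PUBLIC_HOST"
    if [ "$mode" = run ]; then exec "$@"; else printf '%s\n' "$*"; fi
}

# Effective GatewayPorts value of an sshd_config read from stdin.  With the
# default "no", sshd ignores the 0.0.0.0 bind above and listens on loopback
# only, so nobody outside OldMan reaches the tunnel; "yes" or
# "clientspecified" is required.  Last uncommented directive wins.
gateway_ports_setting() {
    awk 'tolower($1) == "gatewayports" { v = tolower($2) }
         END { print (v == "" ? "no" : v) }'
}

# authorized_keys entry for the tunnel key on OldMan: "restrict" removes
# shell, pty, agent and X11 forwarding; "port-forwarding" re-allows only
# forwarding; permitlisten pins the one remote port this key may bind.
authorized_keys_line() {   # authorized_keys_line <port> <pubkey line>
    printf 'restrict,port-forwarding,permitlisten="%s" %s\n' "$1" "$2"
}

# Only act when invoked as "./tunnel.sh start" (or "show" to print the command).
case "${1:-}" in
    start) tunnel run ;;
    show)  tunnel print ;;
esac
```

Anyone who can reach oldman.example.org:8080 reaches the dorm Apache, so authentication has to live in Apache itself; the authorized_keys restrictions only limit what the tunnel key can do on the OldMan if the dorm PC is compromised.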
0

A free service like ngrok or remote.it can do the job, as others have reported.

The service sets up an IP tunnel to a server outside your network, which is something you could do yourself with enough time and resources.

Setup of ngrok is a matter of unzipping the executable, and feeding it the provided auth token.

ngrok config add-authtoken somethingsomethingyouwish

To set up an IP tunnel exposing the local server to the internet:

ngrok http 80
hellork
-1

Configure each NAT device, starting with the one with the Internet connection, to port forward to the next NAT device with the innermost NAT forwarding to the server.

Update: "2.I have no right to configure the NATs manually." I don't understand how you can have the right to run a server behind these NAT devices but not have the right to configure port forwarding in them. Surely the right to run a server includes the right to do what's necessary to run a server.

David Schwartz
  • Thanks for the reply... but the NAT devices cannot be modified by us; that's why I have tried everything to solve this problem with software. – Smith.Lai Jul 26 '12 at 09:06
  • If you cannot modify the NAT devices, the only solution is some device on the Internet side that accepts the connections on your behalf and proxies them to you. You cannot do it from the inside. (And, most likely, if I knew your full requirements, I'd be recommending something else entirely, such as hosting the site elsewhere.) It's hard for me to imagine how you get in a situation where you are supposed to be doing this but aren't being given the ability to do this. – David Schwartz Jul 26 '12 at 09:13
  • Yes, there's a server - OldMan, but he (and his bandwidth) is too old to carry this data. I'm trying to set up my own NAS on my desktop at the dorm (that's why I cannot configure the NAT devices), so that I can access my desktop with my iPad or Android phone anytime. – Smith.Lai Jul 26 '12 at 09:16
  • @user1553917: The right to do something necessarily includes the right to do anything necessary to do that thing. If you have the right to use my car, you have the right to put the key in the ignition because that's necessary to use the car. If you have the right to run servers and modifying the NAT is required to run servers, then you have the right to modify the NAT. If you say you have the right to run servers on the network, and I say you cannot do so without modifying the NAT, and we are both right, then you have the right to modify the NAT devices. This is simple logic. – David Schwartz Jul 26 '12 at 09:23
  • The dorm provides each tenant a local IP (192.168.x.x) behind 2 NATs. They don't expect any tenant to be an administrator who modifies the default NAT settings. Of course these servers (including FTP, HTTP...) are built only for personal usage. The landlord won't tell you the password of the devices. Sorry for my poor English that confused you. – Smith.Lai Jul 26 '12 at 09:39
  • @Smith.Lai - Unless you can deploy a server outside of the NAT'd network, you won't be able to get incoming connections. But if you can deploy a box outside of your network, then why not just put the HTTP server there? Managed web servers are very cheap, and a VM on Amazon EC2 is inexpensive too. Run your web server and site there. – selbie Jul 28 '12 at 05:37
  • Of course an Apache server is not too heavy for an old Linux PC, but the webpage is nothing more than an interface. The main purpose is to access my own PC in my room - to access the FTP, file management, or other things. – Smith.Lai Aug 01 '12 at 05:53