6

Which software libraries exist for such a task on Linux and Windows?

Is there any info in an RFC on how people should do it?

I'm interested in how I can create functionality for my C++ project like that presented in this software: https://secure.logmein.com/ru/products/hamachi/download.aspx

Konstantin Burlachenko
    A TCP connection over NAT is not different than one without NAT from a client or server perspective. The router will be the one re-writing source IPs. Also, this appears to request a software recommendation, which isn't appropriate for stackoverflow. – ThatOneDude Aug 12 '15 at 01:47
  • Mmm, "TCP connection establishment" from my point of view is a bit different when clients are behind NAT. They may not have their own public IP. When clients are behind NAT, maybe you need a third guy for the initial connection. The question is about an article, software library, RFC, or something about it... "How can clients connect if they are behind NAT?" – Konstantin Burlachenko Aug 12 '15 at 06:11
  • "request a software library recommendation" - I don't know about such a restriction – Konstantin Burlachenko Aug 12 '15 at 06:52
  • I now understand that you want to create an INBOUND TCP connection to a system behind NAT. Outbound TCP connections aren't any different, but if there isn't port forwarding in place, inbound TCP connections towards NAT clients are a pain. UltraVNC overcomes this using a "repeater" on a public IP that would be the "third guy". Since it's open source, you can look at the code for it to re-implement something similar – ThatOneDude Aug 12 '15 at 17:00
  • You can read the help center's ["on topic"](http://stackoverflow.com/help/on-topic) for more information on what restrictions there are on questions. It says for point 4: Questions asking us to recommend or find a book, tool, software library, tutorial or other off-site resource are off-topic for Stack Overflow as they tend to attract opinionated answers and spam. Instead, describe the problem and what has been done so far to solve it. – ThatOneDude Aug 12 '15 at 19:03

1 Answer

10

There is not much difference if you want to make a connection through a TURN relay server. The only difference is how TCP and UDP create connections, and nothing else.

There are some big differences if you want to make a P2P connection.

If you are in the same network (behind the same NAT): In UDP you send a STUN binding request to your peer candidate, and if you get a response back then you know you are connected. Same in TCP: you have to create one active socket on one side and one passive socket on the other. Then send SYN from the active socket and receive it on the passive socket, then send SYN-ACK to the active socket. Then the active socket sends an ACK and the connection is established.

If you are in different networks (behind different NATs): You have to employ the TCP hole punching technique to make a connection, because your NAT won't allow a TCP SYN packet through if no packet was previously sent to the address the SYN is coming from.

TCP hole punching in detail:

You have to use a TCP simultaneous open socket. This socket acts in both active and passive mode. Both ends need to know each other's private and public IP:Port. TCP simultaneous open will happen as follows:

  1. Peer A keeps sending SYN to Peer B; Peer B keeps sending SYN to Peer A.

  2. When NAT-a receives the outgoing SYN from Peer A, it creates a mapping in its state machine. When NAT-b receives the outgoing SYN from Peer B, it creates a mapping in its state machine.

  3. Both SYNs cross somewhere along the network path, then:

     SYN from Peer A reaches NAT-b, SYN from Peer B reaches NAT-a. Depending on the timing of these events (where in the network the SYNs cross), at least one of the NATs will let the incoming SYN through, and map it to the internal destination peer.

  4. Upon receipt of the SYN, the peer sends a SYN+ACK back and the connection is established.

From WIKI.

Also, to learn about TCP simultaneous open connections, read from here. To learn about NAT filtering behavior, see this answer.

Tahlil
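The procedure the answer describes, as an added example written for this page (not code from the answer or from any project mentioned in it): a hypothetical rendezvous server hands two peers each other's observed IP:port, then each peer listens on its punch port and connects out from that same port, keeping whichever direction gets through. It assumes Linux socket semantics (the connecting socket is bound before the listening one so SO_REUSEADDR lets them share the port) and runs entirely on loopback, where there is no NAT: the observed endpoint equals the bound one, and the direction that gets refused stands in for the SYN a NAT would drop.

```python
import errno, select, socket, threading, time
HOST = "127.0.0.1"   # loopback stands in for the public Internet in this demo

def bound_socket(port):
    # All of a peer's sockets share one local port (SO_REUSEADDR): the punch reuses the NAT mapping
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((HOST, port))
    return s

def rendezvous_server(port, ready):
    # Hypothetical rendezvous server: accept two peers, send each the other's observed ip:port
    srv = bound_socket(port)
    srv.listen(2); ready.set()
    peers = [srv.accept()[0] for _ in range(2)]
    for me, other in ((peers[0], peers[1]), (peers[1], peers[0])):
        me.sendall(("%s:%d\n" % other.getpeername()).encode())
    srv.close()

def punch(my_port, server_port, timeout=3.0):
    # Learn the peer's endpoint, then listen on my_port AND connect out from my_port at once
    reg = bound_socket(my_port)
    reg.connect((HOST, server_port))
    host, port = reg.makefile("r").readline().strip().split(":")
    out, listener = bound_socket(my_port), bound_socket(my_port)  # active first,
    listener.listen(1)     # then passive: in this order Linux lets them share the port
    out.setblocking(False)
    rc = out.connect_ex((host, int(port)))   # our SYN: a NAT drops it or lets it in
    pending = [out] if rc in (0, errno.EINPROGRESS, errno.EWOULDBLOCK) else []
    conn, deadline = None, time.monotonic() + timeout
    while conn is None and time.monotonic() < deadline:
        r, w, _ = select.select([listener], pending, [], max(0.0, deadline - time.monotonic()))
        if w and out.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR) == 0:
            conn = out                # our SYN got through: we are the active side
        elif w:
            pending = []              # refused (peer not listening yet): wait inbound
        if r and conn is None:
            conn = listener.accept()[0]   # the peer's SYN reached our listener
    return conn                       # reg/listener/out close via refcount on return

def run_demo(server_port=47000, port_a=47001, port_b=47002):
    # Run the server and both peers in threads; returns (sock_a, sock_b)
    ready, result = threading.Event(), {}
    threading.Thread(target=rendezvous_server, args=(server_port, ready), daemon=True).start()
    ready.wait()
    def peer(name, port): result[name] = punch(port, server_port)
    threads = [threading.Thread(target=peer, args=a) for a in (("A", port_a), ("B", port_b))]
    for t in threads: t.start()
    for t in threads: t.join()
    return result["A"], result["B"]
```

Behind real NATs the public port the server reports can differ from the private one, so a peer would try both endpoints it is told about, and the NAT's mapping and filtering behaviour decides whether the mapping made by the rendezvous connection can be reused at all.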
  • From a technical point of view: When I create a TCP/IP connection I should know a couple of things - "ip address." Then I can create an ARP request to receive the MAC address, then I should create a TCP socket and I also need the IP address to send SYN... So I really need the IP address. – Konstantin Burlachenko Aug 12 '15 at 06:29
  • To be more precise, let's assume that NAT hides a local private network with 1 public IP address. And NAT supports correct processing of "input and output packets", but such a mechanism operates in the context of outgoing connections... But the listening part is also behind the NAT – Konstantin Burlachenko Aug 12 '15 at 06:36
  • I only understand one thing - you need a third guy for initial connection establishment with a public IP and then you should correct TCP/IP packets so that the data flow will be without the third party. Is there a name for this technique? – Konstantin Burlachenko Aug 12 '15 at 06:44
  • From a practical point of view: What should I use? Are there extra POSIX libraries to do it? – Konstantin Burlachenko Aug 12 '15 at 06:46
  • P.S. I'm interested in the "If you are in different Network(behind different NAT)" case – Konstantin Burlachenko Aug 12 '15 at 06:54
  • You don't need to know the MAC address for NAT traversal purposes. Both ends need to know the private and public IP:Port of each other. You don't need a library for TCP hole punching. I have updated my answer with steps to do that. Also learn about the different kinds of NATs and their filtering and port allocation behavior. – Tahlil Aug 12 '15 at 07:16
  • Thank you very much for the info! I marked your answer with a star) – Konstantin Burlachenko Aug 12 '15 at 09:03
  • Thanks for the info about TCP hole punching. But what do you think about my question here: "You need a third guy for initial connection establishment with a public IP and then you should correct TCP/IP packets so that the data flow will be without the third party. Is there a name for this technique?" The idea is that two machines connect to a public server, without a TCP connection from their NATs... And then the magic happens during proxying of the data stream! Change source and dest address on the whole TCP/IP stack during this session. The goal - to exclude this third party as a proxy from further communication – Konstantin Burlachenko Aug 12 '15 at 09:13
  • I think that's called source faking. But your post doesn't ask this question. This should be another question because it's a totally different technique. – Tahlil Aug 12 '15 at 10:22
  • I'd like to do it... But I received a lot of minuses for this question and now I'm blocked on stackoverflow. So I will do it when it is possible – Konstantin Burlachenko Aug 18 '15 at 09:27
  • Well, in your profile I don't see you accepting any answers that people provided for your questions. Maybe after that your block will be removed. – Tahlil Aug 18 '15 at 09:48
  • I posted a question about source faking here http://stackoverflow.com/questions/32075505/how-implement-source-faking-during-tcp-session – Konstantin Burlachenko Aug 18 '15 at 14:40
  • @bruziuz Please be polite and accept the answer if you think it is good. That's what the green tick means. An example http://stackoverflow.com/a/1511632/842860 – stackoverflower Feb 10 '16 at 10:05
  • Thanks, I didn't know about it. I thought that such semantics had the "up triangle" – Konstantin Burlachenko Feb 10 '16 at 12:32