Summary
Tailscale’s deep technical walkthrough of NAT traversal: why UDP is required, how stateful firewalls can be “punched” simultaneously, how STUN reveals your public endpoint, and how easy vs hard NAT differ. Advanced techniques include birthday-paradox port probing, UPnP/NAT-PMP port mapping, ICE candidate gathering, and DERP as an encrypted relay fallback when all else fails.
Tailscale's in-depth technical walkthrough of NAT traversal: why UDP is needed, how two stateful firewalls can be "punched through" simultaneously, how STUN reveals the public endpoint, and how Easy NAT differs from Hard NAT. Advanced techniques include birthday-paradox port probing, UPnP/NAT-PMP port mapping, ICE candidate gathering, and the DERP protocol as an encrypted relay fallback when every other method fails.
Key Points
- Two requirements: UDP (not TCP) + direct socket access to send/receive out-of-band packets
- Firewall punch: both peers transmit simultaneously so each side’s packets appear as “responses” — works through arbitrary stacked stateful firewalls
- STUN: asks an external server “what does my outbound packet look like from your side?” — solves the self-discovery problem
- Easy NAT (EIM): one public port per source port regardless of destination — predictable, traversable
- Hard NAT (EDM): different public port per destination — requires birthday-paradox probing (256 sockets, ~1024 probes for 98% success); two consecutive hard NATs need ~170k probes
- Port mapping protocols (UPnP, NAT-PMP, PCP): request explicit forwarding from router — effective under single NAT, fails under CGNAT
- ICE: try all candidate paths simultaneously, transparently upgrade to the best one that works
- DERP: Tailscale’s relay fallback — doubles as signaling side-channel and last-resort data path
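The STUN point above is easiest to see on the wire. The following is an added example (not code from the Tailscale article or from Tailscale itself) that encodes a STUN Binding Request and decodes the XOR-MAPPED-ADDRESS attribute from a Binding Success Response, following RFC 5389. Because it must run offline, the server's reply is constructed locally by `build_binding_response`; the public address 203.0.113.5:54321 is a made-up value standing in for what a real STUN server would report.

```python
import os
import socket
import struct

# Constants from RFC 5389 (the STUN revision the Tailscale article describes).
MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020
HEADER_LEN = 20


def build_binding_request(txid: bytes) -> bytes:
    """Encode a Binding Request with no attributes (what a STUN client sends)."""
    assert len(txid) == 12, "transaction id is 96 bits"
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid


def build_binding_response(txid: bytes, ip: str, port: int) -> bytes:
    """Encode the server side: a Binding Success Response carrying XOR-MAPPED-ADDRESS.
    Constructed here only so the example runs without a network."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    # reserved byte, family 0x01 (IPv4), X-Port, X-Address
    value = struct.pack("!BBHI", 0, 0x01, xport, xaddr)
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txid + attr


def parse_mapped_address(response: bytes, txid: bytes) -> tuple[str, int]:
    """Decode the reflexive (public) endpoint from a Binding Success Response.
    Every length field is checked before it is trusted; the transaction id must
    match the request so a stray or spoofed datagram is not taken as our answer."""
    if len(response) < HEADER_LEN:
        raise ValueError("short STUN message")
    msg_type, length, cookie = struct.unpack("!HHI", response[:8])
    if cookie != MAGIC_COOKIE or response[8:20] != txid:
        raise ValueError("not a reply to our transaction")
    if msg_type != BINDING_SUCCESS:
        raise ValueError(f"unexpected STUN message type {msg_type:#06x}")
    body = response[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("truncated STUN message")
    off = 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        if atype == ATTR_XOR_MAPPED_ADDRESS and alen == 8 and value[1] == 0x01:
            xport, xaddr = struct.unpack("!HI", value[2:8])
            port = xport ^ (MAGIC_COOKIE >> 16)
            ip = socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE))
            return ip, port
        off += 4 + ((alen + 3) & ~3)  # attribute values are padded to 4 bytes
    raise ValueError("no IPv4 XOR-MAPPED-ADDRESS in response")


def demo() -> tuple[str, int]:
    """Round trip: build a request, fake the server's view of it, decode the answer."""
    txid = os.urandom(12)
    request = build_binding_request(txid)
    assert len(request) == HEADER_LEN
    # Stand-in for NAT + STUN server: our packet left a private address, and the
    # server saw it arrive from this (constructed) public endpoint.
    response = build_binding_response(txid, "203.0.113.5", 54321)
    return parse_mapped_address(response, txid)


if __name__ == "__main__":
    print("STUN says our public endpoint is %s:%d" % demo())
```

The XOR with the magic cookie exists because some NATs rewrite any four bytes that look like their own public address inside a payload; obscuring the address defeats that rewriting, which is why a decoder has to undo it rather than read the bytes directly.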
Insights
- The “simultaneous transmission” insight is counterintuitive but elegant: neither peer needs to know the other’s firewall state in advance — they just both transmit, and the firewalls interpret each other’s packets as valid responses to locally-initiated traffic
- The birthday paradox framing for hard NAT probing is a clean mathematical reframe: what looks like “guessing a random port” is actually a coupon-collector problem where more parallel attempts compress time dramatically
- Double hard NAT (170k probes) is why Tailscale invests in DERP relay — the math makes full traversal impractical for some topologies, so a reliable fallback is not optional
- IPv6 solves the address exhaustion that causes NAT, but stateful firewalls still exist in IPv6 networks — traversal remains a problem even with global addresses
- This article connects directly to the container networking article already in the vault: both are about the Linux primitives (iptables MASQUERADE/DNAT) that underlie these higher-level protocols — the DNAT rule in that tutorial is exactly what NAT-PMP automates
- Tailscale’s architecture (DERP as both signal and relay) is an elegant dual-purpose design: the overhead of maintaining a relay infrastructure is amortized by reusing it for connection setup signaling
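The probe figures quoted above (256 sockets, roughly 1024 probes for 98%) follow from a collision calculation that is short enough to reproduce. The block below is an added example, not code from the article, modelling the single-hard-NAT case: the hard side opens `open_ports` sockets, and the easy side sends probes to distinct random ports out of a 65535-port space. It also computes how many probes the same target would need if only one port were open, to show how much parallelism compresses the search. The 65535 port space and "without replacement" sampling are assumptions of this model.

```python
import math


def success_probability(open_ports: int, probes: int, port_space: int = 65535) -> float:
    """Probability that at least one of `probes` distinct random destination ports
    hits one of the `open_ports` the hard-NAT side opened.
    This is 1 - C(space - open, n) / C(space, n), accumulated in log space."""
    if probes > port_space - open_ports:
        return 1.0  # every non-open port has been tried, so a hit is certain
    log_miss = 0.0
    for i in range(probes):
        log_miss += math.log((port_space - open_ports - i) / (port_space - i))
    return 1.0 - math.exp(log_miss)


def probes_needed(target: float, open_ports: int, port_space: int = 65535) -> int:
    """Smallest probe count whose success probability reaches `target`."""
    log_miss = 0.0
    for n in range(1, port_space - open_ports + 1):
        i = n - 1
        log_miss += math.log((port_space - open_ports - i) / (port_space - i))
        if 1.0 - math.exp(log_miss) >= target:
            return n
    return port_space - open_ports + 1


if __name__ == "__main__":
    print(f"256 open ports, 1024 probes: {success_probability(256, 1024):.1%} success")
    print(f"256 open ports, probes for 50%: {probes_needed(0.50, 256)}")
    print(f"256 open ports, probes for 98%: {probes_needed(0.98, 256)}")
    print(f"  1 open port,  probes for 98%: {probes_needed(0.98, 1)}")
```

Opening more sockets on the hard side shrinks the search for the easy side roughly in proportion, which is the whole trick: neither side guesses a single port, they meet in the middle.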
Connections
- Container Networking From Scratch
- Networking
- Linux
- iptables
- VPN
- Tailscale
- UDP
- P2P Networking
- Kubernetes
Raw Excerpt
When two firewalled devices attempt direct connection, both must transmit simultaneously. Device A sends packets to Device B’s address; Device B’s packets arriving at Device A are treated as “responses”. Both firewalls now allow bidirectional traffic.
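The excerpt can be checked against a toy model. Below is an added example (not from the article or from Tailscale) of two stateful firewalls with the usual UDP rule: an outbound packet records a (local, remote) pair, and an inbound packet passes only if the reverse pair is on record. It deliberately models only firewall state, not address rewriting, so the endpoints are taken to be the public ones each peer already learned via STUN; the addresses and ports are constructed and timeouts are ignored.

```python
from dataclasses import dataclass, field

Endpoint = tuple[str, int]  # (ip, port)


@dataclass
class StatefulFirewall:
    """Minimal stateful UDP firewall: remembers outbound flows, admits inbound
    packets only when they look like a reply to a remembered flow."""
    name: str
    table: set[tuple[Endpoint, Endpoint]] = field(default_factory=set)
    log: list[str] = field(default_factory=list)

    def outbound(self, src: Endpoint, dst: Endpoint) -> None:
        self.table.add((src, dst))
        self.log.append(f"{self.name}: out {src}->{dst} recorded")

    def inbound(self, src: Endpoint, dst: Endpoint) -> bool:
        allowed = (dst, src) in self.table
        self.log.append(f"{self.name}: in {src}->{dst} {'ALLOW' if allowed else 'DROP'}")
        return allowed


def send(src: Endpoint, dst: Endpoint, src_fw: StatefulFirewall,
         dst_fw: StatefulFirewall) -> bool:
    """Carry one UDP packet from the host behind src_fw to the host behind dst_fw.
    Returns True if the far firewall delivered it."""
    src_fw.outbound(src, dst)
    return dst_fw.inbound(src, dst)


# Constructed public endpoints, as each peer would have learned them from STUN.
A: Endpoint = ("198.51.100.1", 40000)
B: Endpoint = ("203.0.113.2", 40001)


def one_sided_attempt() -> list[bool]:
    """Only A transmits: every packet dies at B's firewall, however many are sent."""
    fw_a, fw_b = StatefulFirewall("FW-A"), StatefulFirewall("FW-B")
    return [send(A, B, fw_a, fw_b) for _ in range(3)]


def simultaneous_attempt() -> list[bool]:
    """Both transmit. The first packet is dropped by the far firewall but leaves
    state in the near one, so the peer's packet is admitted as a 'response',
    after which both directions flow."""
    fw_a, fw_b = StatefulFirewall("FW-A"), StatefulFirewall("FW-B")
    results = [
        send(A, B, fw_a, fw_b),  # FW-B has no state yet: dropped; FW-A recorded A->B
        send(B, A, fw_b, fw_a),  # FW-A sees B->A as a reply: allowed; FW-B recorded B->A
        send(A, B, fw_a, fw_b),  # FW-B now sees A->B as a reply: allowed
    ]
    for fw in (fw_a, fw_b):
        print("\n".join(fw.log))
    return results


if __name__ == "__main__":
    print("one-sided:", one_sided_attempt())
    print("simultaneous:", simultaneous_attempt())
```

Order does not matter in the second scenario: whichever packet crosses first is dropped, and the hole is open from then on, which is why the real protocol simply has both peers keep transmitting until one packet gets through.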