I would tell everyone a UDP joke, but I'm not sure anyone would get it.
I didn't get that what was it about?
Groannnnnnnnnnnn
Well what is it then, broadcast or multicast?
"Use UDP over TCP to avoid handshakes" ? 🤔
Nice one haha
I'm STUNned that you're talking about this stuff! 😀
Relevant pun. I dig it.
Sorry, I don't get it, but I'm curious, please explain.
@@cloudtraining3816 here you go. en.m.wikipedia.org/wiki/STUN
@@cloudtraining3816 "STUN" is a technology that helps with NAT traversal, hence the "STUNned" pun :D
Informative and Straight to the point as always thanks :). I've learned so much from you!
Great job, this is the easiest way to explain hole punching to someone.
Great stuff, the title should contain "UDP hole punching".
WebRTC would be a cool example for demonstration purposes.
I may be wrong here so please correct me, but this doesn't work as explained without a 3rd server. It is not punching a hole in the NAT because his machines are not using a NAT. If they were the NAT would change the source port. To do a hole punch behind NAT you need a 3rd party server that has visibility on the ports used by each of the two NATs.
Exactly. The source port changes on an outgoing packet after it leaves your network
To the world, you may be just a teacher but to me, you are a hero! Wishing you a Happy Guru Purnima! I bow to the one who has inspired me and taught the right way of life! You are the inspiration who made me overcome every hurdle in python ❤️
I've got: nc: bind failed: Address already in use
6:39 wondering why you can reuse the port on p2p-01 machine?
I think you could have explained more about the hole punching mechanism itself; how does it work without opening ports on the firewall?
Watch between 1:40 and 3:00 again. All "inbound" traffic is firewalled. So he can still dial out. Because he's making requests on both sides the traffic gets through. If outbound traffic was blocked too, then you'd be stuck.
@@cl60cruzer I still don’t get it. Inbound traffic is still blocked, no?
@@AureliusAurelius
It's because nowadays you are almost in any case dealing with so-called stateful firewalls. Since it's a Linux machine it's probably iptables, firewalld or something similar.
So when he sends out the packet with src-port 50001 and dst-port 50002 to ip ... the stateful firewall marks/flags this packet so every return packet for it arriving with dst-port 50001 within a certain threshold time is considered the answer packet by the firewall and is therefore let through. This is often also called UDP pseudo state in firewall systems.
For the timeout I think the default is 30 seconds but could be changed in /proc/sys/net/netfilter/nf_conntrack_udp_timeout
@@funkypocorn wow, so interesting. Thank you
@@AureliusAurelius
Just a bit of info to add: if you are on a Linux system with iptables, most likely a rule like this is in place on your INPUT chain:
" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
This lets this so-called established UDP connection/flow pass, which was created from your outgoing packet with src-port 50001 dst-port 50002 that you sent earlier. Because this pseudo state, or in firewall slang "flow", got created, your INPUT chain lets it go through.
If you want to dig in deeper I recommend reading about connection tracking via the conntrack module within the Linux kernel.
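As an added illustration of the two replies above (this is not code from the video or from any commenter): a toy model of conntrack's UDP pseudo state. An outbound packet creates a flow entry, an inbound packet is accepted only if it is the reverse of a still-valid entry, and the 30-second figure is the nf_conntrack_udp_timeout default quoted above. The addresses are constructed for the simulation.

```python
from dataclasses import dataclass

UDP_TIMEOUT = 30.0  # seconds; the nf_conntrack_udp_timeout default quoted above


@dataclass(frozen=True)
class Flow:
    """One direction of a UDP exchange, keyed the way conntrack keys it."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reversed(self) -> "Flow":
        return Flow(self.dst_ip, self.dst_port, self.src_ip, self.src_port)


class StatefulUdpFirewall:
    """Default-deny inbound, plus ESTABLISHED-style UDP pseudo state."""

    def __init__(self, timeout: float = UDP_TIMEOUT) -> None:
        self.timeout = timeout
        self._expiry: dict = {}  # outbound Flow -> time the entry expires

    def outbound(self, flow: Flow, now: float) -> None:
        # Every outbound packet creates or refreshes the flow entry.
        self._expiry[flow] = now + self.timeout

    def inbound(self, flow: Flow, now: float) -> bool:
        # Drop stale entries first; conntrack does this with per-entry timers.
        self._expiry = {f: t for f, t in self._expiry.items() if t > now}
        original = flow.reversed()  # the reply has src and dst swapped
        if original not in self._expiry:
            return False  # no matching flow: the default-deny INPUT policy wins
        self._expiry[original] = now + self.timeout  # replies refresh the timer
        return True


def simulate_hole_punch(now: float = 0.0) -> tuple:
    """Two peers, each behind its own firewall (constructed addresses).
    Returns (accepted before punching, accepted after punching) at peer 1."""
    fw1, fw2 = StatefulUdpFirewall(), StatefulUdpFirewall()
    p1, p2 = ("198.51.100.1", 50001), ("198.51.100.2", 50002)
    p1_to_p2, p2_to_p1 = Flow(*p1, *p2), Flow(*p2, *p1)
    before = fw1.inbound(p2_to_p1, now)      # p2 sends first: dropped at fw1
    fw1.outbound(p1_to_p2, now)              # p1 punches toward p2:50002
    fw2.outbound(p2_to_p1, now)              # p2 punches toward p1:50001
    after = fw1.inbound(p2_to_p1, now + 1)   # now p2's packet matches p1's flow
    return before, after
```

Real conntrack additionally moves a UDP flow to a longer "stream" timeout once it has seen traffic in both directions; the toy keeps a single timer to stay readable.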
So at 6:20 you are typing the command to send from p2 to p1. I see you specified a source port. If I wanted to only do a one-way connection where I only send from p2 to p1, would this work if I didn't specify a source port like you did at 6:20?
I know someone may have mentioned something about this, but at 6:37 when you send a message from p2p1 to p2p2, there is still no message received on the p2p2 listener, and that's because on p2p2 you only punched a hole for port 50002, but p2p1 was trying to send a message to p2p1. So nothing came through. p2p1's hole punch was on port 50001, and p2p2 was sending packets to 50001.
This kinda confused me when I was trying to write my code in C#, but I eventually figured out what was going on.
So when you hole punch, you want both routers (for simplicity's sake) to punch a hole for the same port (in your case 50001); it seems like the destination port (50002) doesn't matter as much. But I could be wrong on that.
When Anycast starts interfering with this shit really hits the fan.
Great video. This is exactly why most corporate networks disable up, at least my company does.
Did not think this was possible without port forwarding or a third server. From what I understand, this only works with UDP since it's "connection-less", or is this also possible with TCP?
It's in the title, did you watch the video?
You could always encapsulate TCP over UDP, though unless you know what you are doing you are going to have a world of pain with determining appropriate MTU and TTL values.
@@Belioythe had a valid question, you just didn't understand his question.
Yes, I don't understand how he knew port 50002 was going to be the translated port. Maybe he made it open for the demo?
Something that you miss: ISPs currently use Carrier-Grade NAT, which means you have multiple NAT states inside the carrier network; too many customers navigate with one public IP.
In this case, the technique won't work?
@@grp635 It doesn't work; the ISP uses Carrier-Grade NAT and your router has to make multiple hops inside the carrier network to reach the internet. You can use traceroute to see how many hops your PC makes.
What network condition prevents the UDP hole punch technique? Or will this technique work all the time and only need both peers to be connected to the internet?
How do you know the routers will use 50002 as the translated port?
I'm surprised netcat lets you pick a source port that's already in use by the other process listening on it. I'm simply getting an 'address already in use' error when running the hole punch command.
Me too, not sure how he got around this.
YES, me too, tried everything, but always an error saying port is already being used
@@JonathanJardine
No BS straight Info. That's Engineer man for you. :)
what about traffic security? Is the transfer of data encrypted / secured by netcat?
Hello, I would like to make a server/client app where I would chat, and I was thinking of using a server somewhere over the internet, as PHP could handle the handshaking process, and the clients I would write in C. C is not a problem for me, but networking is. Could you point me in the right direction to read up on this, or is there an example somewhere for me to take a look at?
I don't really get how you can listen to port 50001 on both machines and then send data from the same port without stopping the listener... why is there no port-already-in-use error?
I get a "bind failed: Address already in use" error
Nice information! Looking forward to the next part!
this doesn't seem to work on my network, it's stuck in the 'punch hole' command on both the machines. Are there any limitations to this?
This is perfect, Love your videos 👍
First of all, it is a good explanation; it solved part of some doubt that I had. But I have a question: does what you show in this video only work because those IPs are public? What if I want to do that between two private PCs (behind a NAT)? Thanks!
Hey. I wonder how do you know that the port chosen on the computer will be the same as the port chosen on the firewall? Especially if the firewall is on an external machine like a router.
Since this is a VPS with a public IP he is the firewall, so anything he can bind to is free, so he knows if he requests source port 50001 it will go out with 50001. He's using an oversimplified setup to explain the concept; unfortunately in the real world it's a bit more complicated than this because each NAT type will handle the outgoing port differently, so you can't predict the output port without some help. That's why STUN servers exist. You both ask the STUN server which port you have used as viewed from the internet and then forward this information to your peer / other client.
This code will only work on machines with direct public IPs, not devices behind NAT.
Is it possible for two devices behind NAT to establish a peer to peer connection?
Netcat is giving me bind failed: address already in use for the second command
If you get that error, run the second command first and then start the listener.
I did this and I still get the error. The issue with me is that when issuing the hole punch command, it just hangs and doesn't return control back to the shell. What could that mean? I am using 2 raspberry pis, one is connected to my home network and the other is using my mobile phone's hotspot. The error and hanging occurs on both pis
I found the reason for me. It's because I am on symmetric NAT for both networks
@@amir3515 how did you find out?
@@martinseminsky8580 By querying a STUN server as a STUN client
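The STUN step mentioned in the reply above and in the earlier explanation of why STUN servers exist, as an added example that is not code from the video or from any commenter: it builds an RFC 5389 Binding Request, parses the XOR-MAPPED-ADDRESS attribute that carries the port the NAT picked, and compares two mappings to spot a symmetric NAT. The server response used offline is constructed; the live query function is shown but needs network.

```python
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST, BINDING_SUCCESS = 0x0001, 0x0101
XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(txn_id: bytes = b"") -> bytes:
    """20-byte STUN header, no attributes: type, length, cookie, transaction id."""
    txn_id = txn_id or os.urandom(12)
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC_COOKIE, txn_id)


def parse_mapped_address(resp: bytes, txn_id: bytes) -> tuple:
    """Return (public_ip, public_port) from XOR-MAPPED-ADDRESS (IPv4 only)."""
    msg_type, length, cookie, rid = struct.unpack("!HHI12s", resp[:20])
    if msg_type != BINDING_SUCCESS or cookie != MAGIC_COOKIE or rid != txn_id:
        raise ValueError("not a Binding Success response for our transaction")
    body, off = resp[20:20 + length], 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + alen]
        if atype == XOR_MAPPED_ADDRESS and value[1] == 0x01:  # address family IPv4
            xport, xaddr = struct.unpack("!HI", value[2:8])
            ip = socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE))
            return ip, xport ^ (MAGIC_COOKIE >> 16)
        off += 4 + ((alen + 3) & ~3)  # attribute values are padded to 4 bytes
    raise ValueError("no XOR-MAPPED-ADDRESS attribute")


def make_success_response(txn_id: bytes, ip: str, port: int) -> bytes:
    """Constructed server reply so the parser can be exercised offline."""
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    attr = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, 0x01,
                       port ^ (MAGIC_COOKIE >> 16), xaddr)
    return struct.pack("!HHI12s", BINDING_SUCCESS, len(attr), MAGIC_COOKIE, txn_id) + attr


def query_stun(server: str, port: int, local_port: int, timeout: float = 3.0) -> tuple:
    """Live query from a chosen local port (needs network; not exercised here).
    Ask two different servers from the same local port: if the mappings differ,
    the NAT is symmetric and the port learned from one server is useless to a peer."""
    txn_id = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.bind(("", local_port))
        s.sendto(build_binding_request(txn_id), (server, port))
        resp, _ = s.recvfrom(1500)
    return parse_mapped_address(resp, txn_id)


def looks_symmetric(mapping_a: tuple, mapping_b: tuple) -> bool:
    """Two mappings for the same local socket that differ mean a symmetric NAT."""
    return mapping_a != mapping_b
```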
Not working. nc -u -l 50001 outputs UDP listen needs -p arg error
Curious if this leaves either machine vulnerable for anyone to take advantage of with no passwords, encryption...
port scanners?
I would imagine it's up to the service bound to that port to properly implement security. A secure protocol can be implemented on top of an insecure one as can be done with plain text on a sheet of paper. The firewall should also have outbound traffic timeouts so that it will not accept inbound traffic indefinitely.
Are the port numbers the router's port numbers or the VM's?
Also does the first command not result in a NAT entry on either router?
Interesting stuff, great demo, but how can this be used in a practical manner? This is not a technique that can be leveraged safely in an app? How are companies using this technique currently?
Looking forward to part 2!
Very good, thank you, God bless you.
Great video!
I didn't quite get why you chose port 5002 when punching the hole. Is that arbitrary?
Yes, as long as they are used consistently. What is source port for one machine is the destination port from the standpoint of another machine.
Is there a way I could send a VPN over it ???
really appreciate the demo
This is awesome content ❤
Good job. Thanks for taking the time to explain that. These things (NAT) we use every day and often don't really know whats going on in there. :-)
Nice one... learned something... quickly... THX
this video was so sick dude
Great video. Love the how-tos!
Looking forward to the next vid
Why can't this concept work with tcp?
why not terminator/tmux ?
you earned a subscribe thanks
Nicely explained. By the way, do you do hacking? You're so smart in how you explain your videos!
Hi. great vid.
Not used DO for a while, but I remember that they issue the public IP to the interface directly. So in this case, surely it will be UPnP that is dynamically opening the port mapping through the fw and not NATting?
Excellent video
Great video... I've used a version in the past to scan ports, etc. in "zero mode"... not really new, but cloud environments make it more useful
Next do how to use remote device to steal transaction data
I successfully created hole punching...
Just a suggestion... if you make it, just use a single socket for all, with different IPEndPoints.
That’s what I did
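The "single socket" suggestion above, as an added example that is not the video's or any commenter's code: one UDP socket per peer both sends the punch and receives, so no second process has to bind the same port (the "address already in use" errors reported in this thread), and connect() on that socket makes the kernel discard datagrams from anyone but the intended peer, which answers the earlier question about leaving the port open to everyone. Loopback with OS-chosen ports stands in for the two hosts; this is a constructed setup.

```python
import socket


def make_peer() -> socket.socket:
    """One UDP socket used for both punching and receiving."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))  # in the video this would be a fixed port such as 50001
    s.settimeout(2.0)
    return s


def hole_punch(a: socket.socket, b: socket.socket) -> tuple:
    """Each side sends first (the outbound packet creates firewall state), then reads."""
    a_addr, b_addr = a.getsockname(), b.getsockname()
    a.connect(b_addr)  # from now on the kernel delivers only b_addr's datagrams to a
    b.connect(a_addr)
    a.send(b"punch from a")
    b.send(b"punch from b")
    return a.recv(1500), b.recv(1500)


def stray_is_dropped() -> bytes:
    """A third socket writes to a before the peer does; a's next recv still
    returns the peer's punch because the stray datagram never reaches a
    connected socket (Linux and BSD-derived stacks behave this way)."""
    a, b, stray = make_peer(), make_peer(), make_peer()
    try:
        a_addr = a.getsockname()
        a.connect(b.getsockname())
        stray.sendto(b"not your peer", a_addr)  # discarded by the kernel
        b.sendto(b"punch from b", a_addr)
        return a.recv(1500)
    finally:
        for s in (a, b, stray):
            s.close()
```

Application-level authentication and encryption are still the service's job, as the earlier reply notes; the connected socket only filters on source address and port.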
Cool 👍 I'm making a multiplayer python game so I'm interested in the next vid
Honestly you can get some useful info from this video, but you will, in most cases, not use p2p for video games. It can still be a cool project tho.
@@ibnbroly If it's a game where the connection between two players really matters, like a fighting game for example, then p2p would really help.
Awesome thanks
COOOOOOOOOOOOOOL ! THANKS
Just wanted to share with everyone that I shit my pants again.
information injection
Anyone else love the UDP vs TCP meme? 😂😂
Some did not get your question, you must have sent it through udp
@@abdelmalekaktir2608 😂
Please use proper social distancing and UDP signaling to reduce the spread.
UDP segmentation 🤮
This video is awesome!!
But then my heart was broken and everything went down the drain when you said you were going to use python for the second part. You should do it with bash scripting.
Why don't you make some hacking videos!!
crap