Hole punching (networking)

Hole punching (or sometimes punch-through) is a technique in computer networking for establishing a direct connection between two parties in which one or both are behind firewalls or behind routers that use network address translation (NAT). To punch a hole, each client connects to an unrestricted third-party server that temporarily stores external and internal address and port information for each client. The server then relays each client's information to the other, and using that information each client tries to establish direct connection; as a result of the connections using valid port numbers, restrictive firewalls or routers accept and forward the incoming packets on each side.

Hole punching does not require any knowledge of the network topology to function. ICMP hole punching, UDP hole punching and TCP hole punching respectively use Internet Control Message, User Datagram and Transmission Control Protocols.

Overview
Networked devices with public or globally accessible IP addresses can create connections between one another easily. Clients with private addresses may also easily connect to public servers, as long as the client behind a router or firewall initiates the connection. However, hole punching (or some other form of NAT traversal) is required to establish a direct connection between two clients that both reside behind different firewalls or routers that use network address translation (NAT).

Both clients initiate a connection to an unrestricted server, which notes endpoint and session information including public IP and port along with private IP and port. The firewalls also note the endpoints in order to allow responses from the server to pass back through. The server then sends each client's endpoint and session information to the other client, or peer. Each client tries to connect to its peer through the specified IP address and port that the peer's firewall has opened for the server. The new connection attempt punches a hole in the client's firewall as the endpoint now becomes open to receive a response from its peer. Depending on network conditions, one or both clients might receive a connection request. Successful exchange of an authentication nonce between both clients indicates the completion of a hole punching procedure.

Examples
VoIP products, online gaming applications, and P2P networking software all use hole punching.
 * Telephony software Skype uses hole punching to allow users to communicate with one or more users audibly.
 * Fast-paced online multi-player games may use a hole punching technique or require users to create a permanent firewall pinhole in order to reduce network latency.
 * VPN applications such as Hamachi, ZeroTier, and Tailscale utilize hole punching to allow users to connect directly to subscribed devices behind firewalls.
 * Decentralized peer-to-peer file sharing software relies on hole punching for file distribution.

Requirements
Reliable hole punching requires consistent endpoint translation, and for multiple levels of NATs, hairpin translation.

When an outbound connection from a private endpoint passes through a firewall, it receives a public endpoint (public IP address and port number), and the firewall translates traffic between them. Until the connection is closed, the client and server communicate through the public endpoint, and the firewall directs traffic appropriately. Consistent endpoint translation reuses the same public endpoint for a given private endpoint, instead of allocating a new public endpoint for every new connection.

Hairpin translation creates a loopback connection between two of its own private endpoints when it recognizes that the destination endpoint is itself. This functionality is necessary for hole punching only when used within a multiple-layered NAT.