NAT Traversal

Netmaker makes it easy to create secure, peer-to-peer networks over the internet — even when nodes are behind NAT (Network Address Translation). This guide walks you through making sure your VPN network takes advantage of Netmaker's NAT traversal features.

NAT (Network Address Translation) traversal is a technique that allows devices behind NAT firewalls to establish direct connections with each other or with devices on the public internet. Netmaker leverages WireGuard, STUN, and TURN servers to achieve this when direct connections aren't possible.

Assign a Failover Node

Netmaker Pro can interconnect hard-to-reach edge devices automatically by designating a publicly reachable device (for example, the Netmaker Server) as a Failover Node. When Netmaker detects peers that cannot communicate directly (for example, nodes in different private networks behind NAT), it will automatically reroute traffic through the Failover Node, enabling those peers to connect via that node. It functions similarly to a TURN server.

You can only designate one device as a Failover Node per VPN network. This feature requires machines to be running Netclient.

See this guide for instructions on how to set a device as a Failover Node.

Use [Relay] Gateways

[Relay] Gateways behave like a failover node but do not automatically reroute traffic. They let you control which nodes they relay traffic for. A [Relay] Gateway can be any public machine; [relay] clients are typically machines behind NAT (but can also be public machines).

See this guide for instructions on setting up a device as a [Relay] Gateway and assigning [Relay] Clients. You can assign as many Relay Gateways as needed.

Ensure STUN Servers are Running

As of v0.18.0, Netmaker uses a STUN server (Session Traversal Utilities for NAT). STUN helps communications protocols detect and traverse NATs that are between two endpoints. By default, Netmaker uses publicly available STUN servers. You may set up your own STUN servers to augment or replace the public ones by updating the STUN_LIST to include the STUN servers you want to use.
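The following is an added example, not code from the Netmaker project or its documentation. It walks through the STUN Binding exchange described above in pure Python, entirely offline: the client builds a Binding Request, a constructed "server" reply carries an XOR-MAPPED-ADDRESS with the reflexive (public) address it saw, and the client validates the reply (magic cookie, transaction ID, type, length) before decoding it. It also parses a STUN server list; the comma-separated "host:port" format used for that is an assumption about how STUN_LIST is written, not something this page specifies.

```python
import os
import socket
import struct

# RFC 5389 constants
MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001       # legacy, address in the clear
ATTR_XOR_MAPPED_ADDRESS = 0x0020   # preferred, survives payload-rewriting NATs
HEADER_LEN = 20


def build_binding_request(transaction_id=None):
    """Build a 20-byte STUN Binding Request with no attributes."""
    if transaction_id is None:
        transaction_id = os.urandom(12)  # random ID lets the client match replies
    if len(transaction_id) != 12:
        raise ValueError("STUN transaction ID must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + transaction_id


def build_binding_success(transaction_id, public_ip, public_port):
    """Build the server's reply: the client's address/port as seen from outside the NAT.

    The address is XORed with the magic cookie so middleboxes cannot recognise
    and rewrite it as if it were a plain IP address in the payload."""
    x_port = public_port ^ (MAGIC_COOKIE >> 16)
    x_addr = struct.unpack("!I", socket.inet_aton(public_ip))[0] ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, 0x01, x_port, x_addr)  # reserved, IPv4, X-Port, X-Address
    attrs = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    header = struct.pack("!HHI", BINDING_SUCCESS, len(attrs), MAGIC_COOKIE) + transaction_id
    return header + attrs


def parse_binding_response(data, expected_transaction_id):
    """Validate a Binding response and return (public_ip, public_port).

    Rejects a bad cookie, a mismatched transaction ID (stale or forged reply),
    an unexpected type or an inconsistent length before trusting any attribute."""
    if len(data) < HEADER_LEN:
        raise ValueError("short STUN packet")
    msg_type, msg_len, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE:
        raise ValueError("bad magic cookie")
    if data[8:HEADER_LEN] != expected_transaction_id:
        raise ValueError("transaction ID mismatch")
    if msg_type != BINDING_SUCCESS:
        raise ValueError(f"unexpected STUN message type 0x{msg_type:04x}")
    if HEADER_LEN + msg_len != len(data):
        raise ValueError("length field does not match packet size")

    mapped = None
    offset = HEADER_LEN
    while offset + 4 <= len(data):
        attr_type, attr_len = struct.unpack("!HH", data[offset:offset + 4])
        value = data[offset + 4:offset + 4 + attr_len]
        if len(value) != attr_len:
            raise ValueError("truncated attribute")
        if attr_type in (ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS) and attr_len == 8:
            _, family, port, addr = struct.unpack("!BBHI", value)
            if family == 0x01:  # IPv4 only in this example
                if attr_type == ATTR_XOR_MAPPED_ADDRESS:
                    port ^= MAGIC_COOKIE >> 16
                    addr ^= MAGIC_COOKIE
                    mapped = (socket.inet_ntoa(struct.pack("!I", addr)), port)
                    break  # XOR form is authoritative; stop here
                mapped = mapped or (socket.inet_ntoa(struct.pack("!I", addr)), port)
        offset += 4 + ((attr_len + 3) & ~3)  # values are padded to 4 bytes
    if mapped is None:
        raise ValueError("no mapped address in response")
    return mapped


def parse_stun_list(stun_list):
    """Split an assumed comma-separated "host:port" list into (host, port) tuples."""
    servers = []
    for entry in stun_list.split(","):
        entry = entry.strip()
        if not entry:
            continue
        host, _, port = entry.rpartition(":")
        if not host or not port.isdigit():
            raise ValueError(f"malformed STUN entry: {entry!r}")
        servers.append((host, int(port)))
    return servers


def demo():
    """One Binding exchange, simulated offline with a constructed server reply."""
    tid = bytes(range(12))  # constructed, fixed transaction ID for reproducibility
    request = build_binding_request(tid)
    # Constructed: the server saw our request arrive from 203.0.113.7:41641
    response = build_binding_success(tid, "203.0.113.7", 41641)
    return parse_binding_response(response, tid), len(request)


if __name__ == "__main__":
    print(demo())
```

On a real network the request goes out over UDP to each server in the list and the reply is parsed the same way; comparing the reflexive address reported by two different STUN servers is how a client tells a stable port mapping (directly reachable) from a symmetric NAT (needs a relay such as a Failover Node or Relay Gateway).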

Resources for installing your own STUN/TURN server:

  • https://github.com/coturn/coturn

  • https://ourcodeworld.com/articles/read/1175/how-to-create-and-configure-your-own-stun-turn-server-with-coturn-in-ubuntu-18-04

  • https://cloudkul.com/blog/how-to-install-turn-stun-server-on-aws-ubuntu-20-04/

References and Other Sources

  • https://docs.netmaker.io/docs/how-to-guides/integrating-non-native-devices

  • https://docs.netmaker.io/docs/how-to-guides/how-to-setup-a-full-mesh-site-to-site-vpn-with-netmaker

  • https://docs.netmaker.io/docs/how-to-guides/stabilize-netclient-connections-behind-nat

  • https://docs.netmaker.io/docs/how-to-guides/securely-interconnecting-ec2-instances-across-private-amazon-vpc-subnets-using-netmaker
