NAT traversal

(also Network address translation traversal, NAT-T)

NAT traversal definition

NAT traversal is a technique that allows devices behind a NAT (network address translation) device to communicate with devices outside the NAT network.

NAT devices allow multiple devices to share a single public IP address. NAT works by modifying the source and destination IP addresses in the IP header of packets as they pass through the NAT device, which can cause problems for certain types of network traffic, particularly VPN traffic.

NAT traversal allows VPN traffic to pass through the NAT device and establish a VPN connection even when the VPN client and server are behind different NAT devices. It relies on several techniques to get VPN traffic across NAT devices and establish a secure and private communication channel.

How does VPN traffic traverse NAT devices?

  • Encapsulating. Encapsulating VPN traffic in UDP packets makes it possible to forward it through the NAT device. The VPN traffic is encrypted inside the UDP packets, which helps to ensure the security of the VPN connection.
  • Third-party server. STUN (Session Traversal Utilities for NAT) is a protocol that uses a third-party server to help establish the VPN connection. The VPN client and server send requests to the STUN server, which helps to determine the type of NAT device and the IP address and port mapping used by the NAT device. This information is then used to establish the VPN connection.
  • TCP hole punching. This technique involves sending a small amount of data from the VPN client to the VPN server to create a “hole” in the NAT device's firewall. The VPN client and server can then use this hole to establish the VPN connection.
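
The STUN exchange from the list above, as an added example that is not part of the original page: the client builds a Binding Request, and the reply's XOR-MAPPED-ADDRESS attribute reveals the public IP address and port the NAT assigned. The wire format follows RFC 5389; the function names, the IPv4-only server stand-in, and the sample address and port are assumptions made for illustration.

```python
import ipaddress
import os
import struct

MAGIC_COOKIE = 0x2112A442  # fixed constant defined by RFC 5389
BINDING_REQUEST, BINDING_SUCCESS, XOR_MAPPED_ADDRESS = 0x0001, 0x0101, 0x0020


def build_binding_request(txn_id=None):
    """Client: attribute-less Binding Request with a random 96-bit transaction ID."""
    txn_id = txn_id or os.urandom(12)
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC_COOKIE, txn_id), txn_id


def build_binding_response(txn_id, seen_ip, seen_port):
    """Stand-in for the STUN server (IPv4 only): echo the source address it saw."""
    xaddr = int(ipaddress.IPv4Address(seen_ip)) ^ MAGIC_COOKIE
    attr = struct.pack("!HHxBHI", XOR_MAPPED_ADDRESS, 8, 1, seen_port ^ 0x2112, xaddr)
    return struct.pack("!HHI12s", BINDING_SUCCESS, len(attr), MAGIC_COOKIE, txn_id) + attr


def parse_binding_response(data, txn_id):
    """Client: return the public (ip, port) mapping the NAT created for us."""
    if len(data) < 20:
        raise ValueError("short STUN header")
    msg_type, length, cookie, rx_txn = struct.unpack("!HHI12s", data[:20])
    if msg_type != BINDING_SUCCESS or cookie != MAGIC_COOKIE or len(data) != 20 + length:
        raise ValueError("not a well-formed Binding Success Response")
    if rx_txn != txn_id:  # reject stale replies and off-path spoofing attempts
        raise ValueError("transaction ID mismatch")
    pos = 20
    while pos + 4 <= len(data):
        attr_type, attr_len = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + attr_len]
        if len(value) != attr_len:
            raise ValueError("truncated attribute")
        if attr_type == XOR_MAPPED_ADDRESS:
            if attr_len not in (8, 20) or value[1] != (1 if attr_len == 8 else 2):
                raise ValueError("bad XOR-MAPPED-ADDRESS")
            key = struct.pack("!I", MAGIC_COOKIE) + txn_id  # IPv6 also XORs the ID
            addr = bytes(a ^ b for a, b in zip(value[4:], key))
            port = int.from_bytes(value[2:4], "big") ^ (MAGIC_COOKIE >> 16)
            return str(ipaddress.ip_address(addr)), port
        pos += 4 + attr_len + (-attr_len % 4)  # attributes are padded to 32 bits
    raise ValueError("no XOR-MAPPED-ADDRESS attribute")


TXN = bytes(range(12))  # constructed sample values (documentation address, made-up port)
SAMPLE_RESPONSE = build_binding_response(TXN, "203.0.113.7", 54321)
```

The address is XOR-masked on the wire so that NAT devices which rewrite any literal copy of the client's address in a payload leave it intact.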