What is NAT Traversal?#
When we have a NAS at home and want to access it from the school/company network, we need NAT traversal to reach internal services from outside. The underlying techniques are generally P2P hole punching and relaying traffic through a server.
Preliminary Preparation#
Enable UPnP on the router
Disable the router's IPv4 and IPv6 firewalls
Using Zerotier/Tailscale for NAT Traversal#
Both work by attempting to establish a P2P connection with the peer, which requires the peer to install the client software and keep it running.
Detailed Tutorial on Using Zerotier for NAT Traversal#
Create a Zerotier Account#
If you can't create an account, just give up.
Create a New Zerotier Network Group#
Once you successfully log in to your account, you will be automatically redirected to this page. Click Create A Network. If not, please visit ZeroTier Central.
A new network group will appear in the list below; click on it.
The default network group mode for Zerotier is Private. Even if others know your Network ID, they will need your verification to join your network group.
Copy the Network ID. We will use this to join the network group later.
Install the Zerotier Application on Devices#
Windows:#
Go to Download - ZeroTier, and download the exe installation file.
After installation, check the tray in the lower right corner and follow the image instructions to join the network group.
Here you can find your device ID and your IP in this network group.
Linux (Feiniu OS):#
Connect to your Linux device via SSH.
Check the installation command: Download - ZeroTier
Execute in the terminal: curl -s https://install.zerotier.com | sudo bash
When you see this line, the installation is complete; the following string is your device ID:
Join the network: sudo zerotier-cli join your Network ID
Android#
Download the client.
- Zerotier One: ZeroTier One APK Download for Android - Latest Version
- ZerotierFix: Releases · kaaass/ZerotierFix
Follow the instructions in the images.
Authorize Devices in Zerotier#
Go to Zerotier's web console: ZeroTier Central.
Authorize the device you just joined.
Check the box and then save.
Zerotier Connectivity Test#
If you already have more than two devices in the same network group, you can try pinging to test connectivity. Please ensure that the two devices are not on the same local area network (for example, the phone using mobile data and the NAS using home Wi-Fi).
You can check the IP here.
Ping test:
Detailed Tutorial on Using Tailscale for NAT Traversal#
Create a Tailscale Account#
Go to: Tailscale. If you can't access it, try using a VPN. If you don't understand English, you can enable your browser's translation feature.
Install the Tailscale Application on Devices#
Windows:#
Go to Download · Tailscale, and download the exe installation file.
Official tutorial:
Linux (Feiniu OS):#
Connect to your Linux device via SSH.
Check the installation command: Download · Tailscale
Execute in the terminal: curl -fsSL https://tailscale.com/install.sh | sh
Wait for the installation to complete, then enter: tailscale login
Open the pop-up browser window and log in to your account.
Android#
Download the client (Google Play): Download · Tailscale
Log in to your account.
Tailscale Connectivity Test#
Go to Tailscale's web console: Machines - Tailscale. You can see the IP assigned to each device by Tailscale.
Ping test:
Using Cloudflare Tunnel for NAT Traversal#
This method allows direct access on the public network without any configuration, but is limited to web services. If you want to tunnel game servers, this method is not applicable. You need to host your domain on Cloudflare first.
Create a Cloudflare account: Homepage | Cloudflare
Enter Cloudflare One (requires linking a PayPal account).
Follow the instructions to create a Tunnel.
Docker Method#
Using 1Panel
Copy the command as shown in the image.
Paste it and copy the token that follows.
Search for cloudflared in the 1Panel app store.
Enter the token.
Check the IP of cloudflared#
If you are in Docker mode, you need to check the host IP by entering ip a in the SSH terminal. Here it is 192.168.124.34.
root@n100-debian:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether bc:24:11:33:e1:7d brd ff:ff:ff:ff:ff:ff
altname enp0s18
inet 192.168.124.34/24 brd 192.168.124.255 scope global dynamic ens18
valid_lft 46579sec preferred_lft 46579sec
inet6 2409:8a30:320:a170:be24:11ff:fe33:e17d/64 scope global dynamic mngtmpaddr
valid_lft 1902sec preferred_lft 1898sec
inet6 fe80::be24:11ff:fe33:e17d/64 scope link
valid_lft forever preferred_lft forever
Native Mode (Using Debian as an Example)#
Select Debian, then copy the command below and execute it directly in the terminal.
If your environment cannot connect to GitHub, try downloading manually: https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb
Then transfer it to Linux via SSH or other means, as shown in the terminal for MobaXterm.
Then use: dpkg -i cloudflared-linux-amd64.deb to install this package.
Then directly copy the command on the right to execute in the SSH terminal.
Android (Termux)#
Install Termux (Termux | The main termux site and help pages) on Android.
Execute in the terminal: pkg install cloudflared
Select Debian, then copy the command on the far right and execute it in the terminal.
If you cannot use the built-in cloudflared in Termux, try installing a proot container.
Enter the commands sequentially:
pkg update && pkg upgrade
pkg install proot
pkg install proot-distro
proot-distro list
proot-distro install debian
proot-distro login debian
apt install wget
wget https://github.com/cloudflare/cloudflared/releases/download/2024.10.1/cloudflared-linux-arm64.deb
dpkg -i cloudflared-linux-arm64.deb
Then directly copy the command on the right to execute in the SSH terminal.
Configure and Access Tunnel#
Configuration via Web#
This method requires running the token directly on the device where cloudflared is installed.
Enter as shown in the image to create an HTTP tunnel.
Fill in your IP and port; in non-Docker mode, you can directly fill in localhost.
Local Method#
This method only requires entering some commands on the device where cloudflared is installed and then authorizing via the web. Subsequent configuration changes also need to be done locally.
Log in and authorize: cloudflared tunnel login
Create and configure a tunnel (HTTP mode, target address 127.0.0.1, port: 8080, external domain: test.onani.cn): cloudflared tunnel --name test --url http://127.0.0.1:8080 --http2 --hostname test.onani.cn
Access Test#
Successfully accessed.
Using STUN Hole Punching#
This method allows direct access on the public network without any configuration, and all types of services can be used normally. However, the public IP and port obtained this way cannot be fixed or chosen, and will change after 3 to 7 days.
Install Lucky#
Execute: curl -o /tmp/install.sh http://6.666666.host:6/files/golucky.sh && sh /tmp/install.sh http://6.666666.host:6/files 2.13.4
Access the Lucky backend through host:16601 and set up STUN traversal. If the DMZ host is not set to the Lucky host, traversal may fail. The masked area is the public access IP and port.
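How a STUN client learns the public IP and port mentioned above, as an added example that is not part of the original post and is not Lucky's code: it builds an RFC 5389 Binding request and decodes the XOR-MAPPED-ADDRESS attribute of the reply. The function names are hypothetical and the sample reply is constructed with a documentation address.

```python
import ipaddress
import os
import struct

MAGIC_COOKIE = 0x2112A442      # fixed value defined by RFC 5389
BINDING_REQUEST, BINDING_SUCCESS, XOR_MAPPED_ADDRESS = 0x0001, 0x0101, 0x0020


def build_binding_request(txid=None):
    """Return (packet, txid): a 20-byte STUN header with no attributes."""
    txid = txid or os.urandom(12)
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC_COOKIE, txid), txid


def parse_binding_response(packet, txid):
    """Return (ip, port) as seen by the STUN server: the NAT's public mapping."""
    if len(packet) < 20:
        raise ValueError("short STUN message")
    mtype, length, cookie, rtxid = struct.unpack("!HHI12s", packet[:20])
    if mtype != BINDING_SUCCESS or cookie != MAGIC_COOKIE:
        raise ValueError("not a STUN Binding success response")
    if rtxid != txid:
        raise ValueError("transaction ID mismatch (stale or spoofed reply)")
    if length != len(packet) - 20:
        raise ValueError("length field does not match packet size")
    key = struct.pack("!I", MAGIC_COOKIE) + txid   # XOR key: cookie, then txid
    pos = 20
    while pos + 4 <= len(packet):
        atype, alen = struct.unpack("!HH", packet[pos:pos + 4])
        value = packet[pos + 4:pos + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        if atype == XOR_MAPPED_ADDRESS and alen in (8, 20):
            family, xport = struct.unpack("!xBH", value[:4])
            raw = bytes(a ^ b for a, b in zip(value[4:], key))
            port = xport ^ (MAGIC_COOKIE >> 16)
            if (family, alen) == (0x01, 8):
                return str(ipaddress.IPv4Address(raw)), port
            if (family, alen) == (0x02, 20):
                return str(ipaddress.IPv6Address(raw)), port
            raise ValueError("address family does not match attribute length")
        pos += 4 + alen + (-alen % 4)              # attributes are padded to 4 bytes
    raise ValueError("no XOR-MAPPED-ADDRESS attribute")


# Constructed sample reply reporting 203.0.113.7:40000 (documentation address).
SAMPLE_TXID = bytes(range(12))
SAMPLE_RESPONSE = bytes.fromhex("0101000c2112a442" + SAMPLE_TXID.hex() + "002000080001bd52ea12d545")
```

The pair returned by parse_binding_response is the mapping the NAT currently holds for that socket, which is why the address shown in Lucky changes whenever the mapping is recreated.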