What's a NAT?

The traditional way to reach a server on the Internet is with an IPv4 address and a port number. But because there is a limited number of IPv4 addresses, home routers implement something called Network Address Translation (NAT), which allows all of your home devices to share a single IPv4 address. The downside is that it makes it harder for a device outside your home network to communicate with a device inside it.

There are many ways to reach a computer behind a NAT. I'll first outline some options, and then go into which option we picked and why.

NAT traversal options

  1. Port forwarding: Routers let you configure static port ranges to forward to a specific device on your network. The configuration looks different for every router manufacturer and is too technical for most users to grasp. It can also break if your ISP changes your IPv4 address, which can happen from time to time.
  2. Hole-punching: Hole-punching is the most common approach used for NAT traversal today. With hole-punching, two parties that are each behind a NAT set out to connect to each other. They both start out by connecting to an intermediary server that can be accessed on the public Internet. This connection "punches a hole" by setting up a port on each router that the router knows to forward to the client. After the holes are punched, the two clients proceed to communicate with each other directly.
  3. Tunnelling: With tunnelling, direct communication between the two parties is never established. Instead, each party connects to an intermediary server that then shuttles traffic between the two parties.

Why tunnelling?

Tunnelling has two main downsides:

  1. The intermediary can read all of the communication between the two parties. If the communication is encrypted, then the intermediary can only see metadata – who is communicating, how many messages are being sent and of what size, and when the messages are being sent.
  2. It's more expensive for the intermediary, since they have to proxy all communication between the two parties.
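The following is an added example, not code from the original post or from the service it describes. It runs a minimal tunnelling relay on loopback and records what the relay operator can observe when the payload is opaque; the names `demo`, `pump` and `seen` are hypothetical, and random bytes stand in for end-to-end ciphertext.

```python
import asyncio, os, time

async def _exchange():
    seen = []      # metadata visible to the relay operator: (peer, size, time)
    waiting = []   # the first party parks here until the second one dials in

    async def pump(reader, peer, dst):
        # Shuttle bytes one way; the relay needs no key to do this.
        while data := await reader.read(4096):
            seen.append((peer, len(data), time.time()))
            dst.write(data)
            await dst.drain()
        dst.close()

    async def on_connect(reader, writer):
        if not waiting:
            waiting.append((reader, writer))
            return
        r0, w0 = waiting.pop()
        p0, p1 = (w.get_extra_info("peername") for w in (w0, writer))
        await asyncio.gather(pump(r0, p0, writer), pump(reader, p1, w0))

    relay = await asyncio.start_server(on_connect, "127.0.0.1", 0)
    port = relay.sockets[0].getsockname()[1]
    # Both parties dial OUT to the relay, so neither NAT needs an inbound rule.
    ra, wa = await asyncio.open_connection("127.0.0.1", port)
    rb, wb = await asyncio.open_connection("127.0.0.1", port)
    # Constructed payloads: random bytes stand in for encrypted messages.
    msg_a, msg_b = os.urandom(32), os.urandom(48)
    wa.write(msg_a)
    await wa.drain()
    got_b = await rb.readexactly(32)
    wb.write(msg_b)
    await wb.drain()
    got_a = await ra.readexactly(48)
    addr_a, addr_b = (w.get_extra_info("sockname") for w in (wa, wb))
    wa.close(); wb.close(); relay.close()
    return {"seen": seen, "delivered": (got_b == msg_a, got_a == msg_b),
            "clients": (addr_a, addr_b)}

def demo():
    return asyncio.run(_exchange())

if __name__ == "__main__":
    for peer, size, ts in demo()["seen"]:
        print(f"{peer} sent {size} bytes at {ts:.3f}")
```

The `seen` list holds exactly the metadata named in the first downside: who sent, how much, and when. It is filled in without the relay ever interpreting the payload.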

Access to metadata

While the intermediary can access metadata in the case of tunnelling, it's worth considering who can access this data in alternative approaches. In any scheme where two parties are talking to each other directly over IP (e.g. hole-punching), there are many more parties who can track this metadata. ISPs, tier 1 networks, and governments generally have access to IP routes.

We think it makes more sense for our customers to trust us in this role than to trust governments and ISPs. And while we will have access to the aforementioned metadata, we won't be collecting it, processing it, or storing it.

The cost of tunnelling

If tunnelling eventually ends up being too expensive, we might need to consider alternatives. We could restrict usage of our tunnelling service to paid customers and add support for cheaper alternatives. Or we could limit free users to a certain amount of traffic per week.

Ultimately we're not too worried about this now – if we get into a position where our service is too popular, that's probably a good problem to have.

Connecting without an intermediary

Some users may want to connect without any intermediary at all. This might be a more common scenario for dissidents with restricted access to the Internet. There are a couple of approaches we could imagine for these users: