UDP Hole Punching: how Skype gets through firewalls

When two machines running Skype need to communicate directly, but are both behind a NAT firewall, there’s a clever trick that’s employed to start a communication channel. It works like this:

First, both machines send a UDP packet to a non-firewalled server. The server takes note of the source address and port it sees (the port may have been rewritten by the NAT firewall) and passes this information to the other party, giving it an idea of which port future packets from that peer are likely to come from.

Client A then sends UDP packets to a range of ports on client B’s public address. All of these are dropped at client B’s firewall, of course. In the process, however, a useful side effect has occurred: by sending them, client A has told its own firewall to allow return traffic from every one of the ports it probed on client B. Now, when client B sends a packet to client A, assuming its outgoing port was among those probed (which it likely will be), the packet gets through to client A’s machine.

If all else fails, both machines can use a central server to proxy their connection, but the UDP hole punching trick will typically allow two NAT firewalled machines to communicate directly, which means less latency and a significantly lighter load on the server.
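The sequence above, as an added simulation that is not Skype’s code and not part of the original post: a toy model of a port-restricted NAT (an assumption about the NAT type; the post does not say which type Skype handles) and a rendezvous server, so the effect of the probe step can be checked without real network traffic. All addresses and ports are constructed.

```python
# Toy model of UDP hole punching through two port-restricted NATs.
# Added example; not Skype's code. Addresses/ports below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


class PortRestrictedNat:
    """Port-restricted cone NAT (assumed model).

    The first outbound datagram from an internal port allocates a public port
    for it. An inbound datagram to that public port is admitted only if the
    internal host already sent to exactly that remote ip:port through the
    same mapping; anything else is silently dropped.
    """

    def __init__(self, public_ip: str, first_public_port: int = 40000):
        self.public_ip = public_ip
        self._next_port = first_public_port
        self._mapping: dict[int, int] = {}                 # internal port -> public port
        self._allowed: set[tuple[int, Endpoint]] = set()   # (public port, remote endpoint)

    def outbound(self, internal_port: int, dst: Endpoint) -> Endpoint:
        """Forward a datagram out and record the return permission it creates."""
        if internal_port not in self._mapping:
            self._mapping[internal_port] = self._next_port
            self._next_port += 1
        public_port = self._mapping[internal_port]
        self._allowed.add((public_port, dst))
        return Endpoint(self.public_ip, public_port)

    def inbound(self, src: Endpoint, public_port: int) -> bool:
        """True if a datagram from src to our public_port reaches the host."""
        return (public_port, src) in self._allowed


class RendezvousServer:
    """Public server that reports the NAT-assigned source endpoint it observed."""

    def __init__(self, endpoint: Endpoint):
        self.endpoint = endpoint
        self.observed: dict[str, Endpoint] = {}

    def register(self, name: str, nat: PortRestrictedNat, internal_port: int) -> None:
        # The server only ever sees the post-NAT source address and port.
        self.observed[name] = nat.outbound(internal_port, self.endpoint)


def hole_punch(a_nat, b_nat, probe_offsets=range(-8, 9), a_port=5000, b_port=5000) -> dict:
    """Run the three steps from the post and report what got through."""
    server = RendezvousServer(Endpoint("203.0.113.10", 3478))  # constructed

    # Step 1: both clients contact the server, which learns their public
    # endpoints (port possibly rewritten by the NAT) and exchanges them.
    server.register("A", a_nat, a_port)
    server.register("B", b_nat, b_port)
    a_public, b_public = server.observed["A"], server.observed["B"]

    # Step 2: A probes a range of ports around B's observed port. B's NAT
    # drops every probe, but each one opens a hole in A's NAT for that port.
    probes_reaching_b = 0
    for offset in probe_offsets:
        port = b_public.port + offset
        if not 1 <= port <= 65535:
            continue
        a_nat.outbound(a_port, Endpoint(b_public.ip, port))
        if b_nat.inbound(a_public, port):
            probes_reaching_b += 1

    # Step 3: B sends to A's observed endpoint. It passes A's NAT only if B's
    # public port was among the probed ports. B's NAT now also has a hole for
    # A, so a direct reply from A gets through as well.
    b_nat.outbound(b_port, a_public)
    b_to_a = a_nat.inbound(b_public, a_public.port)
    a_to_b = b_to_a and b_nat.inbound(a_public, b_public.port)

    return {
        "a_public": a_public,
        "b_public": b_public,
        "probes_reaching_b": probes_reaching_b,
        "b_to_a_direct": b_to_a,
        "a_to_b_direct": a_to_b,
    }


if __name__ == "__main__":
    print(hole_punch(PortRestrictedNat("198.51.100.1"), PortRestrictedNat("198.51.100.2")))
    print(hole_punch(PortRestrictedNat("198.51.100.1"), PortRestrictedNat("198.51.100.2"),
                     probe_offsets=[]))
```

Run with the default probe range and both directions end up direct; run with `probe_offsets=[]` (no probing) or a range that misses B’s port and B’s packet is dropped at A’s NAT, which is exactly the case where the server-relayed fallback would be needed.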

Resources:
How Skype & Co. get round firewalls
RFC 3489: STUN – Simple Traversal of UDP through NAT

11 thoughts on “UDP Hole Punching: how Skype gets through firewalls”

  1. MePerson says:

    This is my guide to using JanusVM in qemu
    First download and extract QEMU for Windows (Google it, first result)
    Then copy JanusVM.vmdk to this directory.
    Then open Command Prompt, cd to where QEMU is installed, and type:

    qemu-img convert JanusVM.vmdk -O qcow2 JanusVM.img

    When it is done, then type:

    qemu -L . -m 80 -net nic -redir tcp:8118::8118 -boot c -hda JanusVM.img

    It should now work. Set your browser’s proxy settings to 127.0.0.1 and port 8118.

    Second script (launcher script) has not been tested, if it doesn’t work, play around with the -net settings.

  2. tangent47 says:

    anyone gotten it to work in OS X yet?

  3. pavs.ma says:

    I am using this for my final presentation in my college in 2 weeks. It’s about using a proxy to bypass the SonicWall content filtering system. This will be one of the three ways I will demonstrate in the presentation. At the end of the presentation I will show how this can also stop LAN users from sniffing packets.

    I read about it here first, so thanks. I will post a paper on the presentation after it’s over on my site http://www.linuxhaxor.net/blog

    pavs

  4. Chris Weiss says:

    Still looking for anyone who’s gotten this working with OS-X…

  5. Geeberd says:

    Can’t get it to work on XP.

  6. nickganga says:

    Anyone been able to get it working with OS X yet?
