The NAT Problem

Most devices aren't directly accessible on the internet. They sit behind NAT (Network Address Translation) routers that:

Share a single public IP among many devices
Block unsolicited incoming connections
Make direct P2P connections challenging

Understanding NAT Types

1. Full Cone NAT

Most permissive

Once a mapping is created, anyone can reach the internal host

P2P connections relatively easy

2. Restricted Cone NAT

Allows incoming packets only from addresses the internal host has sent to

Requires coordination to establish connections

3. Port Restricted Cone NAT

More restrictive: checks both IP and port

Requires precise coordination

4. Symmetric NAT

Most restrictive

Different mappings for different destinations

Direct P2P often impossible, requires relay

STUN: Session Traversal Utilities for NAT

What STUN Does

STUN helps a device discover:

Its public IP address

The type of NAT it's behind

The public port mapping

How It Works

1. Device sends request to STUN server
STUN server sees the public IP:port
STUN server responds with that information
Device now knows its public address

Limitations

STUN only works when direct connections are possible. It fails with:

Symmetric NAT

Strict firewall policies

Carrier-grade NAT

TURN: Traversal Using Relays around NAT

When TURN is Needed

When direct connections fail, TURN provides a fallback:

Relays data through a server

Works with any NAT type

Guarantees connectivity

How TURN Works

Device A → [TURN Server] → Device B
              ↑
    Data relayed, but still encrypted!

Security Consideration

Even though data passes through TURN:

It remains encrypted (DTLS)

TURN server cannot read contents

Only relays encrypted packets

ICE: Interactive Connectivity Establishment

ICE combines STUN and TURN intelligently:

The ICE Process

Gather Candidates

Connectivity Checks

Select Best Path

Priority Order

Direct connection (best)
STUN-assisted connection (good)
TURN relay (fallback)

In Practice: ZeroSend

ZeroSend uses Cloudflare's TURN service:

Connection Attempt:
Try direct P2P connection
If blocked, try STUN-assisted
If still blocked, use TURN relay
All paths encrypted end-to-end

Why This Matters

~85% of connections succeed directly
~10% need STUN assistance
~5% require TURN relay
100% maintain encryption

Technical Details

STUN Message Format

0                   1                   2                   3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
0 0STUN Message TypeMessage Length
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Magic Cookie
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Transaction ID (96 bits)
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Candidate Format

a=candidate:1 1 UDP 2122260223 192.168.1.100 54321 typ host
a=candidate:2 1 UDP 1686052607 203.0.113.50 12345 typ srflx
a=candidate:3 1 UDP 41885439 turn.example.com 3478 typ relay

Conclusion

STUN and TURN servers are essential infrastructure that enable P2P connections across the complex reality of modern networks. They solve the NAT traversal problem while maintaining end-to-end encryption.