NAT traversal lets your intranet services easily "break through the wall"
2025.05.05
1. What is intranet penetration (NAT traversal)?
In modern network environments, most homes and businesses connect to the Internet through routers (NAT devices). NAT (Network Address Translation) lets multiple intranet devices share one public IP, but it also brings a problem: hosts on the external network cannot directly reach a host on the intranet. Intranet penetration (NAT traversal) refers to the techniques that allow the external network to reach an intranet host behind NAT.
Common application scenarios include:
Remote desktop, remote SSH
Intranet website, home NAS, external service release
Remote monitoring, IoT device management
2. How NAT traversal works
The NAT device rewrites the private IP address of the intranet host to a public IP address and maintains a mapping table of these translations. The problem: an external host cannot actively initiate a connection to an internal host behind NAT, because without an existing mapping entry the NAT does not know which internal host the packet should be forwarded to.
The core idea of traversal:
Have the intranet host actively establish a connection to an external server (usually one on the public network)
The external host then communicates with the intranet host through that server, which either relays the traffic or negotiates a direct connection between the two
3. Common intranet penetration methods
1. Port forwarding
Manually configure the router/NAT device to forward traffic arriving on a certain port to an internal host.
Advantages: simple and efficient
Disadvantages: requires administrative access to the router; not suitable for dynamic public IPs
2. Reverse Proxy
The internal host actively connects to a public-network server, which then acts as a proxy and forwards external requests to it.
Typical applications: ngrok, frp, Oray (Peanut Shell), etc.
3. NAT traversal technology
(1) STUN (Session Traversal Utilities for NAT)
Mainly used with UDP
An intranet host learns its own public address and port, as seen from outside the NAT, by querying a STUN server
Works with most NAT types except symmetric NAT
(2) TURN (Traversal Using Relays around NAT)
When STUN fails, a TURN server relays all traffic
Works with all NAT types, but bandwidth consumption on the relay is high
(3) UPnP (Universal Plug and Play)
The intranet host asks the router to configure a port mapping automatically
Requires the router to support UPnP and have it enabled
(4) P2P hole punching (UDP/TCP Hole Punching)
Both hosts send packets to each other at the same time, exploiting the NAT's "connection tracking": each NAT already holds a mapping from its own host's outgoing packet by the time the other side's packet arrives, so a direct connection is established
A third-party server is needed to act as the go-between, introducing the two hosts' public addresses and ports to each other
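As an added example that is not part of the original article, the following code shows the STUN step that hole punching depends on: a client sends a Binding Request (RFC 5389) and decodes the XOR-MAPPED-ADDRESS attribute to learn its public address and port, discarding any reply whose magic cookie or transaction ID does not match so that a spoofed reply cannot plant a false mapping. The Binding Success reply used in testing is constructed inline; the `stun.l.google.com:19302` default in `query_stun` is an assumed public STUN server, not something the article names.

```python
import os
import socket
import struct

# STUN constants from RFC 5389
MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020

def build_binding_request(txid: bytes) -> bytes:
    """20-byte STUN header: type, attribute length (0), magic cookie, 96-bit transaction ID."""
    if len(txid) != 12:
        raise ValueError("transaction ID must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid

def build_sample_response(txid: bytes, ip: str, port: int) -> bytes:
    """Constructed Binding Success reply with an IPv4 XOR-MAPPED-ADDRESS (stands in for a real server)."""
    value = struct.pack("!BBHI", 0, 0x01, port ^ (MAGIC_COOKIE >> 16),
                        struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE)
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txid + attr

def parse_mapped_address(response: bytes, txid: bytes):
    """Return (public_ip, public_port) from a Binding Success, or None for a bad cookie/foreign txid."""
    if len(response) < 20:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", response[:8])
    if msg_type != BINDING_SUCCESS or cookie != MAGIC_COOKIE or response[8:20] != txid:
        return None
    body, off = response[20:20 + length], 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + alen]
        off += 4 + (alen + 3) // 4 * 4          # attribute values are padded to 4 bytes
        if atype == ATTR_XOR_MAPPED_ADDRESS and len(value) >= 8 and value[1] == 0x01:
            port = struct.unpack("!H", value[2:4])[0] ^ (MAGIC_COOKIE >> 16)
            addr = struct.unpack("!I", value[4:8])[0] ^ MAGIC_COOKIE
            return socket.inet_ntoa(struct.pack("!I", addr)), port
    return None

def query_stun(host: str = "stun.l.google.com", port: int = 19302, timeout: float = 2.0):
    """Send one Binding Request over UDP and return the NAT's public mapping for this socket."""
    txid = os.urandom(12)  # fresh per request so stale or spoofed replies are rejected
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_binding_request(txid), (host, port))
        data, _ = sock.recvfrom(2048)
    return parse_mapped_address(data, txid)
```

The mapping `query_stun` returns is what the rendezvous server exchanges between the two peers before they start punching; a symmetric NAT hands out a different port per destination, which is why this mapping is useless there.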
4. Commonly used intranet penetration tools
1. frp (Fast Reverse Proxy)
frp is an open-source, high-performance reverse proxy that supports multiple protocols (TCP, UDP, HTTP, HTTPS, etc.) and is well suited to a self-hosted intranet penetration service.
2. ngrok
ngrok supports intranet penetration for protocols such as HTTP and TCP and provides a public access address; it is suited to temporary debugging and demonstrations. There are official and third-party open-source versions, and the commercial version can be used directly.
3. Oray
A well-known intranet penetration service in China. It exposes devices or services located on the intranet to the public network so that users can access them from outside, provides both client software and cloud services, and is suitable for novice users.
4. Zerotier, Tailscale
Virtual networking tools that use P2P technology for intranet penetration; suitable for building a virtual LAN and interconnecting multiple sites.
5. OpenVPN, WireGuard
Virtual private network (VPN) solutions that interconnect internal networks through VPN tunnels and offer high security (encrypted transmission).