Peer to peer connection without port forwarding

I wrote a long devlog/guide on how to establish a peer to peer connection between players without them needing to port forward.

https://blog.crowsneststudio.org/posts/nat/

It is not directly related to Godot, but it showcases some GDScript examples. In general it is more engine agnostic. That being said I thought it was a good idea to post it here as Godot does not have guides dedicated to NAT traversal, so I figured it would be of help to people using Godot.

9 Likes

I’m surprised this works, I thought you needed UPnP to hole punch, is this a feature of UDP? I wish I knew anything about IPv6 as my IPv4 knowledge is that local networks are often very locked down without UPnP and a standard firewall.

1 Like

UPnP does not hole punch - it straight up opens a port that ANYONE can join to. It is basically an automatic port forwarding. The trick is UPnP would also close the port afterwards. Hole punching opens a port to a specific IP:PORT depending on your NAT type - I explain the theory around it here: War on NAT, or how to let your players connect without port forwarding
And here is the explanation on how different NAT types behave: War on NAT, or how to let your players connect without port forwarding
You can also check the link in the footnotes on the STUN server documentation for more information on them.

As for IPv6 - it is not really much different in terms of the method - you just punch a hole in the IPv6 space rather than IPv4. Obviously both users have to have IPv6 access. Really the main difference is that IPv6 does not really suffer from NAT issues, except if the user makes this specifically with their router - but that would mean they know what they are doing and are doing it intentionally. For example it could be for security, but then they shouldn’t be expecting to play peer to peer games. The other difference with IPv6 is that really in there you are not actually punching a hole in the router most of the time - you are actually punching a hole in the firewall. Technically with IPv6 you could also achieve a similar thing by just changing the firewall settings to allow the game.

1 Like

I have been struggling with this for years now and barely got anywhere.

UPnP is useless since most routers don’t support it. Also it’s not that great in terms of security.

STUN and TURN seem great, unfortunately you now need a signaling server.
For small games setting up a signaling server doesn’t feel like it’s worth it (at least to me it doesn’t).

I tried Azure free tier with coturn and found out that STUN fails most of the time, so you end up just using TURN.

One interesting option is https://www.w4games.com/w4cloud but it seems now it is only available for enterprises or whatever.

I also found out that Oracle has an interesting free tier (that is if you manage to create an account - tip: it works better on mobile), so idk if you want to start small with WebRTC, that could be an option.

Most people now recommend just using Steam/Epic for handling this.

Idk what you guys think, but so far all the solutions feel quite bad…

So every year I get my hopes up and try looking for solutions again…

This year I have been looking into yggdrasil.
With the help of ChatGPT managed to make this awful demo
https://github.com/Aendryr/yggdrasil_wrapper
(just some wrappers that help me start yggdrasil from Godot - there are other ways to do it but after many tries I stuck with this)

And well it works (only for Windows so far).
Is this a better solution? nope, you’re still better off with WebRTC
But I personally like this solution better (idk about security risks tho).

P.S.
If you want to build boardgames or games that are played in turns you could also use some cloud services like supabase, firebase and so on.

UPnP is useless since most routers don’t support it. Also it’s not that great in terms of security.

UPnP is not really useless, since there are routers that support it and you really need only 1 player to have it on to make a server. It allows you to connect people with symmetric NAT easily to just people with UPnP. In terms of security P2P is bad in general. If you want security you want a relay server, so just hosting your own servers.

I tried Azure free tier with coturn and found out that STUN fails most of the time, so you end up just using TURN.

I haven’t tried any services, but honestly I don’t see what they can do that just coding your own structure yourself. Like I doubt they would give you a way to setup matchmaking properly. One of the things with a self-made solution is that you can create a matchmaking server that would match people ONLY if they can join together. So you could redistribute the player’s connections based on their router information, allowing you to consistently match people up without a relay.

I’m also surprised STUN fails most of the time, I would assume the STUN server is not set up well, but I lack the stats to say for sure. Based on just general stats I’ve seen around, about ~25 % of people are behind symmetric NAT, ~50 % are behind port protected and ~25 % are ip protected or more open. So you should be able to connect ip protected people with symmetric NAT folks (and everyone else can connect to each other), and if someone has UPnP they can also connect to symmetric NAT, or if they have IPv6.

That is the only option you have as far as I know.

You might consider looking into TCP connection for turn based games. I haven’t personally researched it, but back when I was looking into networking I remember that most of the problems with connecting people come when using UDP. So you probably have a much easier solution there that does not require screwing around with STUN and TURN servers and checking all methods to connect.

The problem is that TCP is not great for real time games, hence if you are doing turn based games you should look into it.

3 Likes

I often see one argument that I dislike and it goes something like: just let your users handle the problem, it worked for old games (I do not try to imply that you said that or even implied it).
For this suggestion yes, UPnP is a fair option. If you want to let your users handle it themselves adding UPnP as a way of helping them a little bit seems to me like a great idea.

But for peer to peer connection without port forwarding I do not want to even consider that option (leaving it to the end user). I dislike it with a passion =).

UPnP seems to me to have had a little bit of popularity in the past. From what I’ve heard it’s become less used now because of security concerns (I haven’t looked into this that much, since it didn’t work for me).
Only need 1 player to have it, is quite a limitation when you can’t find that player =/
I tried testing it with 5 people and well none of these 5 had it. This was my experience and 5 people are just too few, but if the solution does not work for me how can I expect it will work for others…
UPnP is the first solution a lot of people recommend. I do not understand why.

IPv6 suffers a similar problem, still a lot of people do not have an IPv6 address including me.

By azure free tier I was referring to the “free” vm (on which I had to configure coturn) option they have.
I have seen similar stats online, the problem with them is that it really depends on where you are located.

Unfortunately the free tier “expired” sooner than I expected it so idk, it was my first time setting up Coturn so it could be that I didn’t configure it properly (since the TURN part worked I assume that it was working)

It bothers me, the idea is to set up a peer to peer connection without port forwarding, STUN/TURN just moves the port forwarding to the middleman. So you still do port forwarding to some extent. I get why this happens and why things are made to be so. I get it. I have read it over and over again in the past few years.

I simply want a “better” solution =), one that works for small games, doesn’t require paid services etc etc

I know you can set up your own device to be the middleman like an “old” smartphone or an arduino or …
VPNs are also an option to some extent.

I did consider TCP/UDP, it was mby the first thing that I have tried. And the most pointless =/ since it made no difference whatsoever. When it works it works for both and when it doesn’t it doesn’t.

Yggdrasil is quite obscure but it’s closer to what I want so, I thought that sharing it here will be helpful for those that are searching for such a solution. If there are any =). And mby someone else will share something similar here in the future. Who knows? I dare hope there will be a better solution in the future =|

Only need 1 player to have it, is quite a limitation when you can’t find that player =/

IPv6 suffers a similar problem, still a lot of people do not have an IPv6 address including me.

The point is that you can create a solution that tests ALL available types of connection and uses the one they have. Sure not every player will have UPnP, but if they have it use it. Again your players might not have IPv6, but if they do use it, it is the most reliable method.

Same for port forward - allow people to port forward. There are people locked behind a symmetric NAT, which makes P2P unreliable. However people that are behind a symmetric NAT could potentially ask their ISP to open a port for them. Hence it makes sense to create an option of using a manually opened port if someone goes through the trouble of setting it up.

The point here is, you are NOT going to find a solution that works for everyone outside of relay servers!!! Your best bet is to implement ALL the different methods for connection there are to increase the chance of connecting 2 players together. No single solution will be better than this.

It bothers me, the idea is to set up a peer to peer connection without port forwarding, STUN/TURN just moves the port forwarding to the middleman. So you still do port forwarding to some extent. I get why this happens and why things are made to be so. I get it. I have read it over and over again in the past few years.

You are not really port forwarding with STUN/TURN servers. However you are right you are relying on a signaling server so you need to pay server cost. In case cost is the issue there are 2 things you can do:

  • only a signaling server (no TURN). Signaling server is quite cheap as it is only needed when connecting people, meaning that once you connect them you don’t really need to use any more bandwidth or CPU power. You can probably run one for 5 bucks a month and support a small game of 1000s of players if not more. And honestly if you have more you probably would be able to afford another small server if you get more players than that. The downside is ofc there will be players you won’t be able to connect, so you will have to rely on matchmaking to avoid connecting those players.
  • use the Steam solution. Personally I don’t have experience with it, but from what I understand they have their own set of relay servers, so you can rely on them for a small game. The downside is that you need to be using Steam for that.
  • run the game without a signaling server. Rely only on direct connections via: port forwarding, UPnP, IPv6 (you don’t need signaling server for IPv6), and potentially you could still connect some people with IPv4 without a signaling server, but it is highly unreliable. Downside is ofc you can’t use a signaling server and people have to connect to each other manually through IPs. In the end for user experience you might again consider setting up a server regardless to allow them to connect directly through codes and friend lists and what not, but that again has cost. So this option is the cheapest (free), but unreliable.

I simply want a “better” solution =), one that works for small games, doesn’t require paid services etc etc

There simply isn’t a solution that does everything for free currently. It WILL eventually come though. When the transition from IPv4 to IPv6 is complete you won’t need to do any more shenanigans to connect players. You would be able to just connect them via IPv6 and a hole punching directly without relying on any signaling servers. You could already do that, but as you said, not everyone has IPv6. However that is not really happening any time soon, but it is the only “better” solution you can anticipate in the future.
On a side note, people behind symmetric NAT (the only problematic NAT that makes STUN servers unreliable) usually have IPv6. This means that if you have an IPv6 solution in your game you could usually at least connect symmetric NAT players to each other via IPv6.

1 Like
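Added example, not part of the thread or the linked guide: a simplified Python model of the NAT filtering rules discussed in the posts above (which NAT pairs can hole punch via STUN-learned endpoints) together with the "try every available method" fallback order. The class and function names, the peer dict schema and the documentation-range addresses are assumptions made for illustration; real NATs vary more than this model.

```python
"""Simplified NAT model: which peer pairs can UDP hole punch (constructed example)."""
STUN = ("203.0.113.1", 3478)  # constructed address (documentation range)

class Nat:
    def __init__(self, ip, kind):
        # kind: "full_cone", "ip_restricted", "port_restricted" or "symmetric"
        self.ip, self.kind = ip, kind
        self.ports = {}     # mapping key -> public port
        self.sent = set()   # (public port, remote ip, remote port) sent outbound
        self.next_port = 40000

    def send(self, dst):
        # Symmetric NAT allocates a new public port per destination;
        # the cone types reuse one public port for every destination.
        key = dst if self.kind == "symmetric" else "any"
        if key not in self.ports:
            self.ports[key] = self.next_port
            self.next_port += 1
        port = self.ports[key]
        self.sent.add((port, dst[0], dst[1]))
        return (self.ip, port)  # source endpoint as seen from outside

    def accepts(self, src, port):
        # Inbound filtering: would a packet from src to our public port get in?
        if port not in self.ports.values():
            return False
        if self.kind == "full_cone":
            return True
        if self.kind == "ip_restricted":
            return any(p == port and ip == src[0] for p, ip, _ in self.sent)
        return (port, src[0], src[1]) in self.sent  # port_restricted, symmetric

def hole_punch(kind_a, kind_b, rounds=3):
    a, b = Nat("198.51.100.10", kind_a), Nat("198.51.100.20", kind_b)
    # Each side first aims at the endpoint the STUN server saw for the other.
    target = {a: b.send(STUN), b: a.send(STUN)}
    heard = {a: False, b: False}
    for _ in range(rounds):
        for me, peer in ((a, b), (b, a)):
            dst = target[me]
            src = me.send(dst)
            if peer.accepts(src, dst[1]):
                heard[peer] = True
                target[peer] = src  # reply to the endpoint actually observed
    return heard[a] and heard[b]

def pick_method(a, b):
    # a, b: dicts with "nat" plus optional "ipv6"/"upnp" flags (assumed schema).
    if a.get("ipv6") and b.get("ipv6"):
        return "ipv6"   # both peers need IPv6
    if a.get("upnp") or b.get("upnp"):
        return "upnp"   # one peer with UPnP can host
    return "stun" if hole_punch(a["nat"], b["nat"]) else "relay"

if __name__ == "__main__":
    kinds = ["full_cone", "ip_restricted", "port_restricted", "symmetric"]
    for x in kinds:
        print(x, [hole_punch(x, y) for y in kinds])
```

A matchmaking server can call `pick_method` on candidate pairs and only match those that do not return `"relay"`. The `accepts` filter also shows why a punched hole on a restricted NAT admits only the endpoint it was opened toward.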

PS:
Here is another solution that people might consider for turn based games - play by mail. It is a very old method for playing games, starting with physical games and physical mail. Essentially when you finish your game turn the game generates a save file and tells you to which player’s email you need to send it (a password can be added to protect the player saves).

This allows you to play the game without people gathering up to play at a specific time of the night. So everyone just plays their own turns at their own time before sending it forward.

The obvious downside is that this is an awful solution for turn based games with rapid turns. But if you are making a turn based game where turns take a long time to finish, something like grand strategy games, where players would have to be waiting regardless for other players to think and play through their turns - then this is a very good and unique solution to your game!

1 Like

I am aware of what you have mentioned and I agree to almost all the points you made.

The points I don’t necessarily agree completely are:

only a signaling server (no TURN). Signaling server is quite cheap as it is only needed when connecting people, meaning that once you connect them you don’t really need to use any more bandwidth or CPU power.

When STUN doesn’t work (which has been my case) you have to use TURN. Still this is not that expensive, I agree with that.
I got really hyped when I first learned about STUN, and my disappointment when it didn’t work was proportionate to the hype. It sounds great until it doesn’t work or you get stuck for hours configuring it.
I agree that this is probably the best solution we have right now.
I do struggle to recommend it as THE solution after having tried it…

There simply isn’t a solution that does everything for free currently. It WILL eventually come though. When the transition from IPv4 to IPv6 is complete you won’t need to do any more shenanigans to connect players.

Mby you are more hopeful than me about IPv6, in the last 5 years I have seen little to no progress. I imagine that in 30 years this will still not be complete, at least based on what I am seeing.

There has to be another solution. I do not expect it to do everything. Mby not even be completely free. If it works for desktops/mobile/web and can be used as is without having to configure a bunch of things then I would consider that an interesting option.

I am not ready to say that there is no solution that works for everyone. It depends on what “everyone” means =) (everyone on desktop, everyone on mobile, everyone on all platforms etc.)

I am happy to have a solution for desktops (mainly Windows seems to be the problem) only at this point.

The “can be used as is without having to configure a bunch of things” seems to be the big constraint.


Thx for the recommendation, it could be fun to try making a game with play by mail as some constraints can lead to more creativity. For now that isn’t what I am looking for unfortunately. I will keep it in mind tho.

1 Like

The “can be used as is without having to configure a bunch of things” seems to be the big constraint.

Yeah setting up networking takes time, as you need to cover all the edge cases. Still once you have a working system you could reuse it for other games potentially. Personally I spent like a week of hard labour to set it up, but it has been working well enough for me. I’m yet to expand the server to work on multiple threads though.

Also if you are targeting mobile it might be worth it to consider non UDP options, and probably games that do not rely on fast real time inputs. Mobile would add a lot of packet loss leading to more lag, or rollback depending on your networking setup.

I got really hyped when I first learned about STUN, and my disappointment when it didn’t work was proportionate to the hype. It sounds great until it doesn’t work or you get stuck for hours configuring it.

It does work however just not for all connections. You said before that you’ve tested with 5 people. Do you have information on the NAT configuration of those 5 people? If you do or you can get it, we can figure out if the STUN server was just set up improperly, or if it was just truly impossible to connect those people without TURN.

Generally you are looking for this information:

  • do they have UPnP
  • do they have IPv6
  • do they have a symmetric NAT, port-restricted NAT or ip-restricted NAT (or less than ip-restricted)

For a symetric NAT test there are some online tests like this one: NAT Test: Am I behind a Symmetric or Normal NAT?

I haven’t really checked through the source code since I test this myself.
Unfortunately I don’t know of any online solutions that test for ip-restricted NAT. You would need to test that yourself.

My experience was similar, it took about a week to configure the signaling server.

I was happy that at least the TURN part was working properly. Tho I can’t say I would use coturn again or Azure for that matter. If I were to try this again I would probably only use a relay server on whatever hosting provider I can find.

An important mention is that STUN didn’t even work for me to connect to my own server.

The three checks have been somewhere along these lines:

  1. UPnP support, no (kind of a unicorn)
  2. IPv6 address, no (kind of a rare gem)
  3. I am not sure, I assume they are in the same situation I am in ([NAT type: Port Restricted Cone](https://www.checkmynat.com/) / Normal NAT using the link you have sent).

The yggdrasil “wrapper” for godot took me about a week to create, tho most of that time was spent on looking into other solutions. And at least, it “works”, for free =).

1 Like

UPnP is a massive security risk, and should be disabled on all routers by default.

1 Like

plus NaN for analog PBM ref, +1 for old school PBEM reference.

Thanks for sharing your know-how! 👍
Cheers !

1 Like

The link you’ve sent there incorrectly assumes my NAT is port-restricted, while it is actually symmetric. Try the one I posted before.

Also IPv6 and UPnP should not be rare, maybe your sample of people are using the same ISP that does not provide them?

1 Like

Any P2P option is a security risk. The main issue with UPnP is that it can be mishandled by programs, but this is not inherently a security risk. Manual port forwarding is actually more of a security risk. Hole punching is just slightly better.

1 Like

Did that. You can see it in the previous message.

Normal NAT using the link you have sent

I took a look into it, more often than not UPnP is disabled by ISPs (at firmware level).
The 5 people had different ISPs (2/3 different ISPs but from the same country).
IPv6 seems to be around ~40% in adoption (I have my doubts about this number).

Maybe they will be better in the future but as they are now they do not seem to be good solutions.
And it is obvious that no one can use only one of them as a general solution.

To me these seem like the last things one should try, after all other options didn’t work.

1 Like

Did that. You can see it in the previous message.

Sorry I misread that.

If you have normal NAT that means you should have no issue with connecting to anyone who doesn’t have symmetric NAT using only a STUN server. Is it possible all the 5 other people you tested with are behind a symmetric NAT? If not then the STUN server was probably not set up correctly.

IPv6 seems to be around ~40% in adoption (I have my doubts about this number).

I don’t know the actual number, but you will see IPv6 more often with people with symmetric NAT. Often times what companies do is provide you an IPv6, but will not provide you a unique IPv4.