Algorithm
Let A and B be the two hosts, each in its own private network; N1 and N2 are the two NAT devices with globally reachable IP addresses P1 and P2 respectively; S is a public server with a well-known globally reachable IP address.
- A and B each begin a UDP conversation with S; the NAT devices N1 and N2 create UDP translation states and assign temporary external port numbers.
- S examines the UDP packets to see whether the source ports used by A and B match what it actually received (otherwise, N1 or N2 must be performing port randomisation, which makes hole punching impossible).
- If ports were not randomised, A and B select ports X and Y respectively and advise S of these ports; S then tells A to send a UDP packet to P2:Y and B to connect to P1:X.
- A and B contact each other's NAT devices directly.
The only exception to this is where port randomisation is not performed on a per-outbound-host basis; in this instance, UDP hole punching is still possible if the same source port used to contact S is used to contact the other NAT host.
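The steps and the exception above can be traced in a small simulation; this is an added example, not part of the original article. The `Nat` class, its three mapping modes, the strict address-and-port filtering and the documentation-range addresses are assumptions made for illustration, and the exception is read here as a NAT that picks one randomised port per internal source port (not per destination), with S handing out the ports it observed.

```python
import random

S = ("203.0.113.10", 3478)  # constructed address for the public server S

class Nat:
    """Toy NAT (assumed model): port mapping plus address-and-port filtering."""
    def __init__(self, public_ip, mode, seed):
        # mode: "preserve" = external port equals the host's source port
        #       "per_host" = randomised port, reused for every destination
        #       "per_dest" = a fresh randomised port for each destination
        self.ip, self.mode = public_ip, mode
        self.pool = random.Random(seed).sample(range(20000, 60000), 16)
        self.maps = {}        # mapping key -> external port
        self.allowed = set()  # (external port, remote endpoint) opened by outbound traffic

    def outbound(self, src_port, dst):
        key = (src_port, dst) if self.mode == "per_dest" else src_port
        if key not in self.maps:
            self.maps[key] = src_port if self.mode == "preserve" else self.pool.pop()
        self.allowed.add((self.maps[key], dst))
        return (self.ip, self.maps[key])  # source endpoint as seen by dst

    def inbound(self, ext_port, src):
        # A packet gets in only if this external port already sent to src
        return (ext_port, src) in self.allowed

def punch(mode_a, mode_b, x=5000, y=6000):
    n1, n2 = Nat("198.51.100.1", mode_a, 1), Nat("192.0.2.2", mode_b, 2)
    # Steps 1-2: A and B contact S; S compares reported and observed source ports
    seen_a, seen_b = n1.outbound(x, S), n2.outbound(y, S)
    preserved = seen_a[1] == x and seen_b[1] == y
    # Step 3: S gives each host the other's endpoint as S observed it
    # Step 4: each host sends to that endpoint from the port it used for S
    from_a, from_b = n1.outbound(x, seen_b), n2.outbound(y, seen_a)
    connected = n2.inbound(seen_b[1], from_a) and n1.inbound(seen_a[1], from_b)
    return preserved, connected

if __name__ == "__main__":
    for modes in [("preserve", "preserve"), ("per_host", "per_host"),
                  ("per_dest", "per_dest"), ("preserve", "per_dest")]:
        print(modes, punch(*modes))
```

Each result is a pair: whether S saw the ports preserved, and whether both direct packets passed the peer's NAT. A single NAT that randomises per destination is enough to break the exchange.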