GitLab

In investigating high proxy failure rates at clients (legacy/trac#33666 (moved)) and the logistics of running our own STUN server (legacy/trac#25591 (moved)), I came across RFC5780, which outlines steps to identify NATs with "endpoint independent mapping and filtering".

Section 4.3 outlines how a client can use a STUN server with an alternate IP address (returned in the first STUN binding request response) to determine how restrictive their NAT is.

This would be useful to match up clients with snowflake proxies that have compatible NATs. We still have the following questions:

• are there public STUN servers that support this feature? Yes there are several candidates.

• does the pion/stun library we use support this feature for STUN clients? Not yet but we can implement the feature.

• If we're able to implement our own STUN server behind a domain-fronted connection (legacy/trac#25591 (moved)), how can we implement this functionality?

I see at least one open source STUN server implementation that claims to support this (written in C): https://github.com/coturn/coturn