NAT Traversal
How PC2 makes nodes accessible from behind firewalls.
The Problem
Most home and office networks use NAT. External users can't reach a PC2 node behind a router without port forwarding.
The Solution: Active Proxy
PC2 uses the Boson Active Proxy to tunnel connections through a super node:
PC2 Node (behind NAT) Super Node Client
| | |
|---- AUTH Packet ---------->| |
| (Ed25519 signature) | |
| | |
|<--- AUTH_ACK + Port -------| |
| (Allocated: 25001) | |
| | |
|---- PING (every 30s) ---->| |
| |<-- HTTP Request ---|
|<--- Relay Data ------------| |
|---- Response ------------->| |
| |--- Response ------>|
How It Works
1. Authentication
Your PC2 node connects to the Active Proxy with an Ed25519-signed AUTH packet. The proxy verifies the signature and responds with AUTH_ACK and an allocated port.
2. Port Allocation
The proxy assigns a unique port (e.g., 25001) for your node:
yourname.ela.city -> 198.51.100.1:25001 -> tunnel -> your PC2
3. Keepalive
PC2 sends PING packets every 30 seconds to maintain the tunnel.
4. Request Relay
When someone visits yourname.ela.city:
Browser -> DNS -> Super Node (:443)
Super Node -> Lookup "yourname" -> Port 25001
Super Node -> Proxy to 25001 -> Tunnel -> Your PC2 Node
Your PC2 Node -> Response -> Tunnel -> Super Node -> Browser
Protocol Details
Packet Types
| Type | Purpose |
|---|---|
| AUTH | Initial authentication |
| AUTH_ACK | Port assignment |
| PING | Keepalive |
| PONG | Keepalive response |
| DATA | Relayed HTTP data |
| CLOSE | Session termination |
Encryption
All proxy traffic is encrypted:
- TLS 1.3 -- transport encryption
- CryptoBox -- session encryption (curve25519-xsalsa20-poly1305)
- Ed25519 -- authentication signatures
Automatic Detection
PC2 automatically detects if NAT traversal is needed:
- Public IP matches actual IP? (no NAT needed)
- Port 4200 externally reachable? (no proxy needed)
- Neither? Activate Active Proxy
VPS nodes with public IPs don't need the proxy -- they connect directly.
Configuration
Active Proxy settings in data/config/pc2.json:
{
"boson": {
"superNodes": [
{
"host": "198.51.100.1",
"proxyPort": 8090
}
],
"proxy": {
"enabled": true,
"keepaliveInterval": 30000,
"reconnectDelay": 5000
}
}
}
Monitoring
curl http://localhost:4200/api/boson/status
{
"connected": true,
"proxyEnabled": true,
"allocatedPort": 25001,
"superNode": "198.51.100.1"
}
Comparison
| Method | Latency | Setup | Reliability |
|---|---|---|---|
| Direct (VPS) | Lowest | Requires VPS | High |
| Active Proxy | +50-100ms | Automatic | High |
| Port Forward | Low | Manual router config | Medium |
Troubleshooting
Proxy won't connect: Check outbound TCP to port 8090: nc -vz 198.51.100.1 8090. Verify identity exists: cat data/identity/identity.json.
Tunnel drops: Check internet stability. Increase keepalive frequency if needed. Look for reconnection in logs.
Slow connection: Proxied connections add latency. For better performance, use a VPS with public IP or choose a super node closer to your location.