When you make a video call, your browser establishes a direct connection to the other person, with no server relaying video in between. But both of you are behind NAT. How does this work? The answer involves three protocols: STUN, TURN, and ICE.

The NAT Problem

Your device has a private IP (like 192.168.1.100). NAT translates this to a public IP when packets leave your router. But the mapping is created only when YOU initiate the connection. An external peer cannot reach you directly.

STUN: Discovering Your Public Address

Session Traversal Utilities for NAT (STUN) helps you discover your public IP and port. Your browser sends a request to a STUN server on the public internet. The STUN server responds with "you appear to me as IP:Port".

Now you know your "reflexive candidate": the public address that external peers can use to reach you, assuming the NAT allows it.
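The request and response described above, as an added example that is not part of the original article: it builds a STUN Binding request and decodes the XOR-MAPPED-ADDRESS attribute of the reply using the RFC 5389 wire format. The function names and the sample bytes are constructed for illustration; only IPv4 is handled and the optional integrity attributes are not processed.

```javascript
// Added example: STUN Binding messages in the RFC 5389 wire format.
const MAGIC_COOKIE = 0x2112a442;
const BINDING_REQUEST = 0x0001, BINDING_SUCCESS = 0x0101;
const XOR_MAPPED_ADDRESS = 0x0020;

// 20-byte Binding request. txId must be 12 unpredictable bytes in real use.
function buildBindingRequest(txId) {
  if (txId.length !== 12) throw new Error("transaction ID must be 12 bytes");
  const msg = new Uint8Array(20);
  const view = new DataView(msg.buffer);
  view.setUint16(0, BINDING_REQUEST);
  view.setUint16(2, 0); // message length: no attributes
  view.setUint32(4, MAGIC_COOKIE);
  msg.set(txId, 8);
  return msg;
}

// Returns { ip, port } from an IPv4 XOR-MAPPED-ADDRESS, or throws.
function parseBindingResponse(msg, expectedTxId) {
  if (msg.length < 20) throw new Error("truncated header");
  const view = new DataView(msg.buffer, msg.byteOffset, msg.byteLength);
  if (view.getUint16(0) !== BINDING_SUCCESS) throw new Error("not a Binding success");
  if (view.getUint32(4) !== MAGIC_COOKIE) throw new Error("bad magic cookie");
  // A reply that does not echo our transaction ID is not an answer to our request.
  for (let i = 0; i < 12; i++)
    if (msg[8 + i] !== expectedTxId[i]) throw new Error("transaction ID mismatch");
  const end = 20 + view.getUint16(2);
  if (end > msg.length) throw new Error("length field exceeds datagram");
  for (let off = 20; off + 4 <= end; ) {
    const type = view.getUint16(off), len = view.getUint16(off + 2);
    if (off + 4 + len > end) throw new Error("attribute overruns message");
    if (type === XOR_MAPPED_ADDRESS && len === 8 && msg[off + 5] === 0x01) {
      // Port and address are XORed with the magic cookie on the wire.
      const port = view.getUint16(off + 6) ^ (MAGIC_COOKIE >>> 16);
      const a = (view.getUint32(off + 8) ^ MAGIC_COOKIE) >>> 0;
      return { ip: [a >>> 24, (a >>> 16) & 255, (a >>> 8) & 255, a & 255].join("."), port };
    }
    off += 4 + len + ((4 - (len % 4)) % 4); // values are padded to 4 bytes
  }
  throw new Error("no IPv4 XOR-MAPPED-ADDRESS");
}

// Constructed sample: a server reporting 203.0.113.7:46154 (documentation range).
const SAMPLE_TX = Uint8Array.from({ length: 12 }, (_, i) => i);
const SAMPLE_RESPONSE = Uint8Array.from([
  0x01, 0x01, 0x00, 0x0c, 0x21, 0x12, 0xa4, 0x42, ...SAMPLE_TX,
  0x00, 0x20, 0x00, 0x08, 0x00, 0x01, 0x95, 0x58, 0xea, 0x12, 0xd5, 0x45,
]);
console.log(parseBindingResponse(SAMPLE_RESPONSE, SAMPLE_TX));
```

The parser rejects a reply whose transaction ID or length field does not match before it trusts the reported address.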

NAT Types and Hole Punching

Not all NATs are equal:

  • Full Cone NAT: Most permissive. Once a port mapping exists, anyone can send packets to it. Easy to traverse.
  • Restricted Cone NAT: Only allows incoming packets from IPs you have sent to.
  • Port Restricted Cone NAT: Only allows packets from specific IP:Port pairs you have contacted.
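  • Symmetric NAT: Creates different mappings for each destination, so the address a STUN server reports is not the mapping the remote peer's packets would need to hit. STUN fails here.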

TURN: The Relay Fallback

When a direct connection fails (e.g., both peers are behind Symmetric NAT), Traversal Using Relays around NAT (TURN) provides a relay server. Both peers connect to TURN, and it forwards packets between them.

TURN is expensive: relay bandwidth costs money. This is why it is a fallback, not the first choice.

ICE: Orchestrating Everything

Interactive Connectivity Establishment (ICE) coordinates the whole process:

  1. Gather all possible candidates: host (local IP), server-reflexive (STUN), relay (TURN)
  2. Exchange candidates with the remote peer via a signaling server
  3. Test connectivity for each candidate pair
  4. Select the best working path

Debugging WebRTC

Chrome users can visit chrome://webrtc-internals/ to see ICE candidates, connection states, and packet statistics in real time. Use our IP lookup to verify your public IP matches your STUN-discovered address.