LinuxCommandLibrary

stun

Discover public IP address and NAT type

TLDR

Make a STUN request

$ stun [stun.1und1.de]
copy

Make a STUN request and specify the source port
$ stun [stun.1und1.de] -p [4302]
copy

SYNOPSIS

stunclient [OPTIONS] STUN_SERVER_ADDRESS[:PORT]

PARAMETERS

--help, -h
    Display help message and exit.

--verbose, -v
    Enable verbose output, showing more details about the STUN process.

--port=, -p
    Specify the STUN server port. The default is usually 3478.

--bind=

, -b

    Bind to a specific local IP address for outgoing connections.

--interface=, -i
    Bind to a specific network interface.

--full-nat-test, -f
    Perform a comprehensive NAT behavior test, which might involve multiple queries to determine the exact NAT type (e.g., Full Cone, Restricted Cone, Port Restricted Cone, Symmetric NAT).

--username=, -u
    Provide a username for STUN authentication.

--password=, -w
    Provide a password for STUN authentication.

DESCRIPTION

STUN (Session Traversal Utilities for NAT) is a protocol that allows applications operating behind a Network Address Translator (NAT) to discover their public IP address and the type of NAT they are behind. The stun command (typically implemented as stunclient) facilitates this discovery by sending requests to a STUN server.

The server responds with the client's observed public IP address and port, enabling the client to understand how the NAT modifies its connections. This information is crucial for establishing direct peer-to-peer communication, especially in Voice over IP (VoIP), video conferencing, and online gaming, where endpoints need to know each other's reachable addresses. Without STUN, applications behind complex NATs might struggle to establish direct connections, often resorting to relay servers, which add latency and consume bandwidth.

CAVEATS


The "stun" command is most commonly implemented as stunclient on Linux systems. It requires a functioning STUN server to query.

While STUN helps in many NAT scenarios, it is less effective with Symmetric NATs, which change the mapped port for each new destination. For such complex NATs, TURN (Traversal Using Relays around NAT) might be required, which involves relaying media through a server.

The exact options and their behavior might vary slightly depending on the specific stunclient implementation or version installed (e.g., from libnice-tools or stuntman packages).

EXAMPLE USAGE

To test your NAT type against a public STUN server (e.g., stun.l.google.com:19302), you would typically run:
stunclient stun.l.google.com
Or, for a more detailed test:
stunclient -f stun.l.google.com
The output will usually show your observed external IP address and the detected NAT type.

OUTPUT INTERPRETATION

The stunclient output typically indicates the 'Mapped Address' (your public IP and port) and the 'NAT Type' (e.g., 'Full Cone', 'Restricted Cone', 'Port Restricted Cone', or 'Symmetric NAT'). Understanding your NAT type helps in configuring applications for optimal peer-to-peer connectivity.

HISTORY


The Session Traversal Utilities for NAT (STUN) protocol was originally specified in RFC 3489 in 2003, with an updated, more robust version defined in RFC 5389 in 2008. Its development was driven by the increasing need for applications like VoIP and peer-to-peer file sharing to function reliably behind NAT devices, which became ubiquitous with the rise of broadband internet. Early implementations of STUN clients and servers emerged to address these connectivity challenges, making it a fundamental component in many real-time communication protocols like SIP and WebRTC. The stunclient utility became a common command-line tool for developers and network administrators to test and understand NAT traversal behavior.

SEE ALSO

turnclient(1), netstat(8), ss(8), ip(8)

Copied to clipboard