4. WAN Configuration¶
In order to communicate two DDS Routers over a WAN, some additional configuration may be required.
4.1. NAT Traversal¶
If the DDS Router is behind a NAT, a remote DDS Router in a different LAN will not be able to reach it, so a NAT traversal method is required. The most common method, and the one we recommend, is configuring the network router so that it forwards a specific port from the Internet to a specific host.
Note
NAT traversal only concerns IPv4 communication. IPv6 deployments normally do not place hosts behind a NAT, so every device is directly addressable from outside and the configuration explained in this section does not apply to them. Bear in mind, however, that an IPv6 host is usually still protected by a stateful firewall on the network router, which must explicitly allow inbound traffic to the DDS Router listening port.
4.1.1. Port Forwarding¶
This is the easiest way to achieve NAT traversal. Most network routers provide a graphical interface where port forwarding can be easily set. Keep in mind that a forwarded port exposes the DDS Router to the whole Internet: forward only the port and transport that are actually needed and, when using TCP, protect the channel with TLS (see Section 4.3).
4.1.1.1. External port¶
In order to configure the DDS Router to connect from behind a NAT, two ports must be taken into account:

- The internal port (tag `port`) is the one the DDS Router host uses to open a socket and receive information.
- The external port (tag `external-port`) is the public port that other entities use to locate this DDS Router.

Setting the external port is useful when the network router's port forwarding rule redirects a public port to a different port on the internal host.
Note
Setting the external port is not mandatory. If it is not set, the internal and external ports must coincide in the network router's port forwarding rule.
Warning
The external port is only available for TCP communication. For UDP communication the internal and external ports must coincide in the network router's port forwarding rule.
4.2. TCP vs UDP¶
TCP and UDP are two well-known transport protocols. Both have advantages and disadvantages depending on the scenario. The following comparison is meant to help users choose between them.
Feature | UDP | TCP
---|---|---
Communication | Faster. | Slower.
Reliability | No Transport Layer reliability. | Transport Layer reliability.
Port Forwarding | Both sides of the communication must have a port forwarding rule. | Only the server side of the communication needs a port forwarding rule.
Note
DDS is designed to work over UDP and has its own reliability mechanisms. Thus, the DDS Router uses UDP transport by default for every address that does not explicitly specify a transport in the configuration file.
4.3. TLS¶
eProsima DDS Router also supports TLS over TCP, and its configuration can be set per participant for the WAN Discovery Server and WAN participant kinds. The following is a list of the accepted entries under the `tls` tag:
Tag | Requirements | Description | Example
---|---|---|---
ca | Mandatory for TLS clients if peer verification is enabled. | Path to the CA (Certification Authority) file. | ca.crt
password | Optional for TLS servers. | Password of the private key file. | ddsrouterpass
private_key | Mandatory for TLS servers. | Path to the private key file. | ddsrouter.key
cert | Mandatory for TLS servers. | Path to the public certificate chain file. | ddsrouter.crt
dh_params | Mandatory for TLS servers. | Path to the Diffie-Hellman parameters file. | dh_params.pem
 | Optional for clients. | Whether to verify the server certificate against the CA (default: true). | 
 | Optional for clients if using SNI. | Name of the server to connect with. | 
Note
Although in principle only required for TLS clients (with peer verification), the CA (Certification Authority) file may also be provided for TLS servers when they are meant to connect to other participants configured as servers.
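The constraints stated in Section 4.1.1.1 (external port only for TCP) and in the table above (which `tls` tags a server or a client must carry) are easy to get wrong in a hand-written configuration. The following checker, written for this page and not part of DDS Router, validates already-parsed participant entries against those rules. The participants are constructed dicts mirroring the page's YAML, so no YAML library is required; the tag name `peer_verification` for the "whether to verify the server" entry is an assumption, since the page leaves that cell blank.

```python
"""Static checks for the WAN constraints documented on this page: `external-port`
only on TCP listening addresses, TLS only over TCP, and the `tls` tags a server or
client must carry. Example code for this page, not part of DDS Router. Participants
are already-parsed dicts; the tag name `peer_verification` is assumed."""

# Tags a TLS server (a participant with listening-addresses) must provide.
TLS_SERVER_REQUIRED = ("private_key", "cert", "dh_params")


def check_address(addr, role):
    """Validate one address entry; `role` is 'listening' or 'connection'."""
    problems = []
    transport = addr.get("transport", "udp")  # UDP is the default transport
    if transport not in ("udp", "tcp"):
        problems.append(f"{role}: unknown transport {transport!r}")
    if "external-port" in addr:
        if transport != "tcp":
            problems.append(f"{role}: external-port is only available for TCP; "
                            "with UDP the forwarded port must equal `port`")
        elif role != "listening":
            problems.append(f"{role}: external-port only applies to listening addresses")
    for key in ("port", "external-port"):
        if key in addr and not 1 <= int(addr[key]) <= 65535:
            problems.append(f"{role}: {key}={addr[key]} is out of range")
    return problems


def check_tls(participant):
    """Validate the `tls` block against the participant's role (server/client)."""
    tls = participant.get("tls")
    if tls is None:
        return []
    problems = []
    listening = participant.get("listening-addresses", [])
    connecting = participant.get("connection-addresses", [])
    if any(a.get("transport", "udp") != "tcp" for a in listening + connecting):
        problems.append("tls: TLS is only supported over TCP; every address needs transport: tcp")
    if listening:
        for tag in TLS_SERVER_REQUIRED:
            if tag not in tls:
                problems.append(f"tls: server is missing mandatory tag {tag!r}")
    # Peer verification defaults to true, so a client needs a CA unless it opts out.
    if connecting and tls.get("peer_verification", True) and "ca" not in tls:
        problems.append("tls: client verifies the server but no `ca` file is given")
    if "password" in tls and "private_key" not in tls:
        problems.append("tls: `password` given but there is no `private_key` to unlock")
    return problems


def check_participant(participant):
    """Return every problem found in one participant entry (empty list = OK)."""
    problems = []
    for addr in participant.get("listening-addresses", []):
        problems += check_address(addr, "listening")
    for addr in participant.get("connection-addresses", []):
        problems += check_address(addr, "connection")
    problems += check_tls(participant)
    return problems


def check_all(participants):
    """Map participant name -> list of problems."""
    return {p["name"]: check_participant(p) for p in participants}


# Constructed samples: the page's TLS server/client pair plus two broken variants.
SAMPLE_PARTICIPANTS = [
    {"name": "TLS_Server", "kind": "wan",
     "listening-addresses": [{"ip": "1.1.1.1", "port": 11666, "transport": "tcp"}],
     "tls": {"ca": "ca.crt", "password": "ddsrouterpass", "private_key": "ddsrouter.key",
             "cert": "ddsrouter.crt", "dh_params": "dh_params.pem"}},
    {"name": "TLS_Client", "kind": "wan",
     "connection-addresses": [{"ip": "1.1.1.1", "port": 11666, "transport": "tcp"}],
     "tls": {"ca": "ca.crt"}},
    # external-port on an address that defaults to UDP: not supported.
    {"name": "BadUDP", "kind": "wan",
     "listening-addresses": [{"ip": "1.1.1.1", "port": 11667, "external-port": 11666}]},
    # TLS client that verifies the server by default but has no CA to verify against.
    {"name": "BadTLSClient", "kind": "wan",
     "connection-addresses": [{"ip": "1.1.1.1", "port": 11666, "transport": "tcp"}],
     "tls": {}},
]

if __name__ == "__main__":
    for name, problems in check_all(SAMPLE_PARTICIPANTS).items():
        print(name, "OK" if not problems else problems)
```

Running the script reports the two page examples as OK and flags the two broken variants. Note that an empty `tls:` block on a client is not harmless: with peer verification on by default and no CA to verify against, the connection cannot be authenticated.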
4.4. Examples¶
4.4.1. TCP Port Forwarding Example¶
Let there be a scenario where user A with host HA has a private IP 192.168.1.2 given by the network router RA with public IP 1.1.1.1. Let user B with host HB have a private IP 192.168.2.2 given by the network router RB with public IP 2.2.2.2.
A will act as the server of the TCP communication and B as the client.
User A should set a port forwarding rule in router RA as 11666 -> 192.168.1.2:11667. That is, every TCP packet that arrives at 1.1.1.1:11666 will be forwarded to 192.168.1.2:11667.
User A should set its listening-addresses as follows:

```yaml
- name: WANServerParticipant_userA
  kind: wan
  listening-addresses:
    - ip: 1.1.1.1            # Public IP of HA (router RA)
      port: 11667            # Physical port used by the DDS Router host
      external-port: 11666   # Port forwarded in router RA
      transport: tcp         # Transport protocol
```
User B should set its connection-addresses to connect to HA as follows:

```yaml
- name: WANClientParticipant_userB
  kind: wan
  connection-addresses:
    - ip: 1.1.1.1            # Public IP of HA (router RA)
      port: 11666            # Port forwarded in router RA
      transport: tcp         # Transport protocol
```
This way, B connects to A. A receives the connection because RA forwards it to HA. Once established, the TCP channel carries traffic in both directions without traversing any other NAT: RB tracks the connection HB opened, so replies from A reach B without a forwarding rule on RB.
4.4.2. UDP Port Forwarding Example¶
Let there be a scenario where user A with host HA has a private IP 192.168.1.2 given by the network router RA with public IP 1.1.1.1. Let user B with host HB have a private IP 192.168.2.2 given by the network router RB with public IP 2.2.2.2.
A and B will communicate via UDP, so there is no client and server role. It does not matter whether A knows B's address, B knows A's, or both know each other. In this example, B knows A's address and not the other way around.
User A should set a port forwarding rule in router RA as 11666 -> 192.168.1.2:11666. That is, every datagram that arrives at 1.1.1.1:11666 will be forwarded to 192.168.1.2:11666.
User A should set its listening-addresses as follows:

```yaml
- name: WANServerParticipant_userA
  kind: wan
  listening-addresses:
    - ip: 1.1.1.1            # Public IP of HA (router RA)
      port: 11666            # Internal and external port (UDP, the default transport)
```
User B should set a port forwarding rule in router RB as 11777 -> 192.168.2.2:11777. That is, every datagram that arrives at 2.2.2.2:11777 will be forwarded to 192.168.2.2:11777.
User B should set its listening-addresses and connection-addresses as follows:

```yaml
- name: WANClientParticipant_userB
  kind: wan
  listening-addresses:
    - ip: 2.2.2.2            # Public IP of HB (router RB)
      port: 11777            # Internal and external port
  connection-addresses:
    - ip: 1.1.1.1            # Public IP of HA (router RA)
      port: 11666            # Port forwarded in router RA
```
This way, B contacts A. Once A receives the message from B, it communicates with B via the listening address B announces, 2.2.2.2:11777, and B continues communicating with A via 1.1.1.1:11666. This is why both sides need a forwarding rule over UDP: A sends its replies to B's announced listening address, not to whatever source address RB used, so without the rule on RB those replies would never reach HB.
4.4.3. TLS Configuration Example¶
Below is an example of how to configure a WAN participant as a TLS server and another as a TLS client:

```yaml
- name: TLS_Server
  kind: wan
  listening-addresses:
    - ip: 1.1.1.1
      port: 11666
      transport: tcp
  tls:
    ca: ca.crt
    password: ddsrouterpass
    private_key: ddsrouter.key
    cert: ddsrouter.crt
    dh_params: dh_params.pem

- name: TLS_Client
  kind: wan
  connection-addresses:
    - ip: 1.1.1.1
      port: 11666
      transport: tcp
  tls:
    ca: ca.crt
```
Note that the `password` value is stored in clear text in the configuration file, so the file deserves the same restrictive permissions as the private key it unlocks.
You may also have a look at the <path/to/ddsrouter_tool>/share/resources/configurations/security/ directory, which contains examples of key and certificate files as well as a script with the commands used to generate them.