Link Search Menu Expand Document

Routing Basics

Routing is the process of getting IP packets from one host to another. A typical packet takes many hops over a network until it reaches its destination.

You can think of TunnelHound as allowing your connected devices to route packets to hosts within your private cloud network. TunnelHound sits in the middle, ensuring that the packets sent between your device and the private part of the network are encrypted, even when the devices are connected to unsecured networks (such as unencrypted WiFi).

There are two ways TunnelHound can route packets: NAT and peer. These are described below

NAT (Network Address Translation) routing

The default routing strategy is NAT, which rewrites each packet to appear as if the packet originated from your TunnelHound appliance. This means that when your device sends packets to a private host, the IP packet on the private network will contain the TunnelHound appliance’s source IP. Because the private network is likely automatically configured to correctly route packets destined for your appliance, the NAT strategy typically just works.

However, NAT has some downsides. Namely, without application-level protocol support, it can be impossible for private servers to really know where packets came from.

Here are some articles on the downsides of NAT:

Nevertheless, keep in mind that for most purposes (accessing HTTP, FTP, SSH, etc), NAT works just fine.

Peer routing

You can also ask TunnelHound not to modify the IP packets and send the incoming packets directly on to the private network. Hosts within the network will now see the true origin of the IP packets. This routing strategy will work for every conceivable service and purpose. However, you will need to configure your private network to route any packets destined to the VPN subnet to the TunnelHound appliance. This requires outside configuration that TunnelHound cannot (yet) perform.

For example, on AWS, you’ll need to consider a route on your Amazon AWS Cloud VPC. If your private cloud network spans the IP range, your VPN segment (the endpoint route) is, and the address of your TunnelHound appliance on the private network is, then you’ll need to configure your VPC route table as follows:

  • For Destination, choose the VPN part of your network, in this case
  • For Target, choose your TunnelHound appliance address on the private network, in this case

For AWS, you will also need to configure your TunnelHound appliance’s EC2 security group to allow all traffic from the private network to the instance.

For other cloud providers, please consult their documentation.

Copyright © 2020 F Omega Enterprises LLC
"WireGuard" and the "WireGuard" logo are registered trademarks of Jason A. Donenfeld.