by uuidgen 1903 days ago
Punching holes doesn't work only when network devices in between are broken or are actively preventing it.

From the network point of view it looks the same as two hosts starting an outgoing TCP connection through nat - if that works then hole punching should work too.

2 comments

Not TCP. UDP - there are no connections in UDP, so the routers / firewalls don't really differentiate between a new connection and packets that happen to have the correct ip+port.

Some are trickier than others, as there are 2 IPs and 2 ports in a packet (at any point), and it can be hard to match all of them for the stricter devices, esp. on NATs that do source port randomization.

> when network devices in between are broken or are [maliciously] actively preventing it.

Those are called "middleboxes" (IIRC) and they're unfortunately somewhat pervasive.
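As an added illustration of the mechanism described in the replies above (my own example, not code from any commenter): a toy model of NAT mapping and filtering behaviour in RFC 4787 terms, with constructed addresses, showing a hole punch succeeding when both NATs reuse one external port and only check the remote ip+port against it, and failing when one NAT hands out a fresh external port per destination, so the port the peer learned from the rendezvous server never matches.

```python
# Toy NAT model (RFC 4787 terminology) showing why UDP hole punching succeeds
# or fails depending on how the NAT/firewall matches the 2 IPs + 2 ports.
EI, AD, APD = "endpoint-independent", "address-dependent", "address-and-port-dependent"

class Nat:
    """Models one NAT: allocates external ports for outbound UDP and decides
    which inbound packets are forwarded. All addresses are constructed."""
    def __init__(self, ext_ip, filtering, symmetric=False):
        self.ext_ip, self.filtering, self.symmetric = ext_ip, filtering, symmetric
        self.mappings = {}   # key -> external port
        self.permits = {}    # external port -> set of (ip, port) the host sent to
        self.next_port = 40000

    def outbound(self, int_port, dst):
        """Internal host sends from int_port to dst; returns its external (ip, port).
        A symmetric NAT keys the mapping on the destination too, so every new peer
        gets a fresh external port (the "source port randomization" problem)."""
        key = (int_port, dst) if self.symmetric else int_port
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        ext_port = self.mappings[key]
        self.permits.setdefault(ext_port, set()).add(dst)
        return (self.ext_ip, ext_port)

    def inbound(self, src, ext_port):
        """Is a UDP packet from src=(ip, port) to ext_port forwarded inside?"""
        if ext_port not in self.permits:
            return False                                   # no mapping at all
        sent_to = self.permits[ext_port]
        if self.filtering == EI:
            return True                                    # any remote endpoint
        if self.filtering == AD:
            return any(ip == src[0] for ip, _ in sent_to)  # remote IP must match
        return src in sent_to                              # IP and port must match

def punch(nat_a, nat_b, server=("203.0.113.10", 3478)):
    """Rendezvous-style hole punch: both hosts contact the server, learn each
    other's mapped endpoint, then each sends one UDP packet to it. Assumes both
    packets cross after both mappings exist (real clients retransmit until then)."""
    a_ext = nat_a.outbound(5000, server)
    b_ext = nat_b.outbound(6000, server)
    a_pkt_src = nat_a.outbound(5000, b_ext)   # A -> B, opens A's side
    b_pkt_src = nat_b.outbound(6000, a_ext)   # B -> A, opens B's side
    return nat_b.inbound(a_pkt_src, b_ext[1]) and nat_a.inbound(b_pkt_src, a_ext[1])

if __name__ == "__main__":
    print(punch(Nat("198.51.100.1", APD), Nat("198.51.100.2", APD)))                   # True
    print(punch(Nat("198.51.100.1", APD, symmetric=True), Nat("198.51.100.2", APD)))   # False
```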