Hole punching, NAT, WireGuard, hidden services for public IP detection
Clients that are trying to connect to each other through WireGuard have a problem if they are behind NAT, since they cannot know each other's IP.
In fact, they don't even know their own public IP. They only see their local address, like 192.168.1.50:54321.
So there is a process they can go through:
Both peers query STUN servers (servers that just give you back your public IP address) to get their public IP address.
Both peers report these endpoints to a different coordination/signalling server.
The coordination server exchanges this info between the peers.
Both peers simultaneously send packets to each other. They need to do this at the same time because NATs only forward incoming packets if there is also an outgoing connection to that source. When A sends to B, NAT A creates a mapping that will accept packets from B. If both sides have sent before the other's packets arrive, both NATs have the necessary mappings and the packets get through.
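
An added example, not part of the original note: a toy simulation of the four steps above, showing that NAT A drops B's packet until A has itself sent to B. The `Nat` class, the NAT behaviour it models (port-restricted, with the same public port reused for every destination) and all addresses other than 192.168.1.50:54321 are assumptions made for illustration.

```python
class Nat:
    """Toy port-restricted NAT with endpoint-independent mapping (assumed NAT type)."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.ports = {}    # local endpoint -> public port
        self.allowed = {}  # public port -> (local endpoint, remote endpoints sent to)

    def send(self, local, remote):
        """Outgoing packet: create or reuse the mapping, return the public source."""
        port = self.ports.setdefault(local, 40000 + len(self.ports))
        self.allowed.setdefault(port, (local, set()))[1].add(remote)
        return (self.public_ip, port)

    def receive(self, source, public_port):
        """Incoming packet: forward only if we already sent to that source."""
        local, peers = self.allowed.get(public_port, (None, set()))
        return local if source in peers else None


def punch():
    # All addresses are constructed sample values.
    stun = ("192.0.2.1", 3478)
    a_local, b_local = ("192.168.1.50", 54321), ("10.0.0.7", 51820)
    nat_a, nat_b = Nat("203.0.113.10"), Nat("198.51.100.20")

    # Step 1: the STUN server sees, and reports back, each public endpoint.
    a_pub = nat_a.send(a_local, stun)
    b_pub = nat_b.send(b_local, stun)
    # Steps 2-3: the coordination server hands a_pub to B and b_pub to A.

    # Step 4: B sends first. NAT A has no mapping for B yet, so it drops the
    # packet, but NAT B now accepts packets from a_pub.
    early = nat_a.receive(nat_b.send(b_local, a_pub), a_pub[1])
    # A sends: NAT A gains a mapping for b_pub, and NAT B forwards to B.
    a_to_b = nat_b.receive(nat_a.send(a_local, b_pub), b_pub[1])
    # B's next packet now passes NAT A as well.
    b_to_a = nat_a.receive(nat_b.send(b_local, a_pub), a_pub[1])
    return early, a_to_b, b_to_a


if __name__ == "__main__":
    print(punch())
```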
Not a WireGuard thing, but you can also get your public IP from a network behind a NAT by hosting a hidden service there. Hidden services have a static .onion address. If you SSH into that service through Tor, you can find the public IP of that server by running something like curl ifconfig.me. It's a bit hacky.