中文版本: 《NAT 穿透失败?P2P 连接问题排查》
Your P2P remote desktop tool spins forever and then says "connection failed." This guide walks through the five things it usually is, in roughly the order to check.
Quick Diagnostic Tree
Both machines online? ──No──► Check internet on both sides.
│
Yes
│
Signaling server reachable? ──No──► Outbound HTTPS blocked? Try mobile hotspot.
│
Yes
│
Direct UDP works? ──No──► UDP blocked. Tool should fall back to TURN.
│
Yes
│
Symmetric NAT both sides? ──Yes──► Use TURN relay.
│
No (one side OK)
│
Should work. Get logs.
Cause 1: One Side Isn't Actually Online
The simplest. The remote machine sleeps, the Wi-Fi dropped, the unattended-access service crashed.
Diagnostic: Can you ping the remote machine from a known-good network? Does the unattended-access tool show "online" in its dashboard?
Fix:
- Wake the machine (manually or via Wake on LAN).
- Restart the remote desktop service.
- Make sure the machine's sleep/hibernate settings allow remote wake.
Cause 2: Signaling Server Unreachable
The two peers can't even start a handshake because they can't reach the rendezvous point.
Diagnostic: Look at your tool's connection log. If it never gets past "connecting to signaling server," this is it.
Fix:
- Check outbound HTTPS (443) is allowed. Try from a phone hotspot to rule out corporate network.
- If your org blocks the vendor's signaling domain, request an exception.
- Self-hostable tools let you run signaling inside your network.
Cause 3: UDP Blocked
P2P needs UDP. Some networks (overly strict corporate firewalls, captive portals, a few cellular APNs) drop or rate-limit UDP.
Diagnostic: Tool log shows handshake completes but no media frames flow. Or both peers show as "online" but session times out.
Fix:
- Tool should fall back to TURN over TCP/TLS automatically. If it doesn't, that's a tool problem.
- Test from a 5G hotspot. If it works there, your network blocks UDP.
- Work with IT to allow UDP outbound to STUN/TURN ports.
Cause 4: Symmetric NAT on Both Sides
The hardest NAT type to traverse. Cellular carriers love it; some enterprise firewalls do too.
Diagnostic: Run an STUN test (online or via webrtc-internals in Chrome). If the public port differs each time you query, you're behind symmetric NAT.
Fix:
- Use the tool's TURN fallback. The session will work, just at higher latency.
- If you control the network: switch the router to "Full Cone" NAT or similar.
- For cellular: try a different carrier or Wi-Fi.
Cause 5: Outbound Proxy Mangling the Connection
Corporate proxies that "inspect" TLS traffic break WebRTC's DTLS handshake. The tool can't establish encryption.
Diagnostic: Connection works at home / on hotspot, fails at office. Other WebRTC tools (Meet, Whereby) also fail.
Fix:
- Add the remote desktop tool's domains to the proxy bypass list.
- For SSL-inspecting proxies: install a TURN-over-TCP bypass.
- Confirm with IT that DTLS / SCTP traffic isn't being modified.
What to Send Your Support Team
If you've gone through the above and it still doesn't work, send your tool's support team:
- The session ID (in the connection error or log)
- Timestamps in UTC
- Output of an STUN test from both sides (shows NAT type)
- Whether the issue reproduces on a phone hotspot
- Output of
tracerouteto the signaling domain from both sides
That's enough to diagnose 95% of remaining cases without back-and-forth.
When to Give Up on Direct Connection
Some networks (highly locked-down corporate, certain government, some hotel chains with paranoid captive portals) just won't allow P2P. Don't fight it — use TURN, accept the latency penalty, and move on. A reliable session at 120ms is better than no session.
What to Read Next
- Background: P2P vs Relay-Based Remote Desktop
- Why this is a thing: Remote Desktop Across NAT/Firewall
- Setup that avoids most of this: How to Set Up Remote Desktop Access for Your Team