Over the past couple of weeks since I got a GTX 760 for my main rig, I've been playing with getting Shield streaming to work through a NAT. With a combination of an Android app and Windows app, I've been able to get the Shield to stream through a NAT device.
This is alpha software, so it may not work for you. I'll be continuing development on it to make it more robust based on bug reports filed here and on the GitHub projects
This method is potentially more complex than running a VPN, but it is lower overhead and works in environments where VPNs cannot.
For those who don't care about the technical details, skip the next section.
Relay Technical Details
The Shield uses MDNS to discover compatible streaming PCs. It issues a query for _nvstream._tcp.local to which streaming PCs reply with PTR, A, AAAA, and TXT records. MDNS isn't routable outside of the local network (and sometimes blocked within the network too), so naturally PCs outside the Shield's local network won't be available as streaming targets.
To solve the MDNS problem, I wrote MDNS relays for Android and Windows that operate on UDP port 5354. The Android relay sends MDNS queries to the Windows relay where the Windows relay replays them local and sends the reply back to the Shield. The Android relay then takes the reply and parses it to look at the A record. It replaces the IP address specified in the A record with the IP address it received the MDNS reply from so it can properly connect to PCs behind a NAT. With the MDNS relay code in place, the Shield could see the PC and even start games.
There was still a problem getting the video stream back. It turns out that the way that UDP port 47998 is used on the Shield streaming software running on the PC prevents it from traversing NATs when going back to the Shield because it assumes that the source is always 47998. This is IMHO a bug because all other ports deal with NAT traversal properly, but needless to say I still had to deal with this.
The only option I had for fixing the port 47998 issue was to capture the packets as they go onto the wire in the Windows relay. I used WinPcap to capture the UDP packets leaving the machine. I then filter based on whether the packet was addressed to us. If it's a packet from the Shield to us on port 47998, then I save the source port of that packet. When I see a packet going out from us to port 47998, I extract the data from that packet and send it again on my own socket also bound to port 47998 (so the source port is correct) with the destination specified in the packet and the port that we saved from the Shield's last communication. With this code, the Shield can connect to a PC from behind a NAT.
Instructions
1. Download and install the Shield Proxy APK on the Shield from https://github.com/cgutman/ShieldProxyAndroid/releases
2. Install WinPcap on your streaming PC from http://www.winpcap.org/install/
2.1 Only required for v0.1-- Install the Visual C++ 2013 runtime library for x86 (use x86 even on x64 systems) from http://www.microsoft.com/en-us/download/details.aspx?id=39315
3. Ensure your router is configured properly as described in the next section.
4. Download and run the Shield Proxy Windows program on your streaming PC from https://github.com/cgutman/ShieldProxyWindows/releases
5. On the Android app, fill in the externally accessible IP address or DNS name for your router. You can get your external IP address from http://www.whatsmyip.org/ on your streaming PC.
6. Tap the start button to start the Android relay service
7. Stream like normal from the TegraZone app
NAT/Router configuration for Shield streaming
The following ports need to be forwarded to the streaming PC:
UDP 47998, 47999, 48000, 5354 (MDNS relay port)
TCP 35043, 47989, 47991, 47995, 47996
Troubleshooting
Make sure ShieldProxy.exe is allowed through Windows Firewall for Private and Public networks.
Make sure ShieldProxy.exe and the Android Shield Proxy service are running
Make sure the external IP address of your streaming PC is correct in the Android app (use http://www.whatsmyip.org/ from your streaming PC)
If TegraZone doesn't show your PC as online and you see "We haven't received any DNS responses. Is the Windows Shield Proxy running on your PC?",
Ensure the router is properly forwarding the specified ports to your PC. Note that TCP vs UDP matters when setting the router forwarding configuration.
Issues
If anyone encounters problems, please report them here or on the GitHub issues page. I'll try my best to get them fixed.
This is alpha software, so it may not work for you. I'll be continuing development on it to make it more robust based on bug reports filed here and on the GitHub projects
This method is potentially more complex than running a VPN, but it is lower overhead and works in environments where VPNs cannot.
For those who don't care about the technical details, skip the next section.
Relay Technical Details
The Shield uses MDNS to discover compatible streaming PCs. It issues a query for _nvstream._tcp.local to which streaming PCs reply with PTR, A, AAAA, and TXT records. MDNS isn't routable outside of the local network (and sometimes blocked within the network too), so naturally PCs outside the Shield's local network won't be available as streaming targets.
To solve the MDNS problem, I wrote MDNS relays for Android and Windows that operate on UDP port 5354. The Android relay sends MDNS queries to the Windows relay where the Windows relay replays them local and sends the reply back to the Shield. The Android relay then takes the reply and parses it to look at the A record. It replaces the IP address specified in the A record with the IP address it received the MDNS reply from so it can properly connect to PCs behind a NAT. With the MDNS relay code in place, the Shield could see the PC and even start games.
There was still a problem getting the video stream back. It turns out that the way that UDP port 47998 is used on the Shield streaming software running on the PC prevents it from traversing NATs when going back to the Shield because it assumes that the source is always 47998. This is IMHO a bug because all other ports deal with NAT traversal properly, but needless to say I still had to deal with this.
The only option I had for fixing the port 47998 issue was to capture the packets as they go onto the wire in the Windows relay. I used WinPcap to capture the UDP packets leaving the machine. I then filter based on whether the packet was addressed to us. If it's a packet from the Shield to us on port 47998, then I save the source port of that packet. When I see a packet going out from us to port 47998, I extract the data from that packet and send it again on my own socket also bound to port 47998 (so the source port is correct) with the destination specified in the packet and the port that we saved from the Shield's last communication. With this code, the Shield can connect to a PC from behind a NAT.
Instructions
1. Download and install the Shield Proxy APK on the Shield from https://github.com/cgutman/ShieldProxyAndroid/releases
2. Install WinPcap on your streaming PC from http://www.winpcap.org/install/
2.1 Only required for v0.1-- Install the Visual C++ 2013 runtime library for x86 (use x86 even on x64 systems) from http://www.microsoft.com/en-us/download/details.aspx?id=39315
3. Ensure your router is configured properly as described in the next section.
4. Download and run the Shield Proxy Windows program on your streaming PC from https://github.com/cgutman/ShieldProxyWindows/releases
5. On the Android app, fill in the externally accessible IP address or DNS name for your router. You can get your external IP address from http://www.whatsmyip.org/ on your streaming PC.
6. Tap the start button to start the Android relay service
7. Stream like normal from the TegraZone app
NAT/Router configuration for Shield streaming
The following ports need to be forwarded to the streaming PC:
UDP 47998, 47999, 48000, 5354 (MDNS relay port)
TCP 35043, 47989, 47991, 47995, 47996
Troubleshooting
Make sure ShieldProxy.exe is allowed through Windows Firewall for Private and Public networks.
Make sure ShieldProxy.exe and the Android Shield Proxy service are running
Make sure the external IP address of your streaming PC is correct in the Android app (use http://www.whatsmyip.org/ from your streaming PC)
If TegraZone doesn't show your PC as online and you see "We haven't received any DNS responses. Is the Windows Shield Proxy running on your PC?",
Ensure the router is properly forwarding the specified ports to your PC. Note that TCP vs UDP matters when setting the router forwarding configuration.
Issues
If anyone encounters problems, please report them here or on the GitHub issues page. I'll try my best to get them fixed.
Last edited: