I'm trying to make an (apache) server behind multi-layered NAT to be accessible from Internet.

Restrictions:

1. Avoid relay. There is a public server (we call him the OldMan) for login / stun, but its bandwidth is too poor to carry relay data.
2. I have no right to configure the NATs manually. 3.User don't have to change their browser or device.(that is, works on android, ios, and any PC)

I tried UPnP, but it only works on 1-layered NAT.

I tried to search NAT traversal solutions for several months, but in vain.

I study STUN/TURN/ICE,and tried pjsip (icedemo.exe + numb), however, its stun cannot punch through 2-layered NAT.

I tried Mist,Pwnat, but with no luck. And libjingle sounds like an API for making Gtalk extension as I know...(?)

I also tried to a make VPN/N2N to solve this, but this will be a heavy overloading to the public server. Any VPN client requires the server(the OldMan server) to relay all the packets to another, isn't it?

Is there any solutions to solve this problem? A HTTP server behind multi-layered NATs.

BTW, if the STUN/TURN/ICE works,my idea is as the following ,is it possible?

1. User installed an application (ex:stun_browser_agent.exe)
2. user type the following address on Chrome: 127.0.0.1:9999
3. Chrome connected to stun_browser_agent.exe daemon
4. daemon connect to HTTP Server with Stun protocol
5. A daemon on Http Server(ex: stun_apache_agent.exe) receive all the message and relay it to Apache daemon.
6. Apache reply all the http infomation -->stun_apache_agent.exe-->stun_browser_agent.exe-->chrome

Then we won't have to modify the browser and Apache.

Any available resource I can refer to implement this?

Thank you for your patience

Do you have control over all NAT devices between this server and the "outside world"?

One approach would be to setup an SSH tunnel between your internet gateway router and your server.

The SSH tunnel would be initiated from your server and connect to an sshd running on your internet gateway router. Use the port forwarding capabilities of SSH to forward port 80 on the internet gateway back to whatever port Apache is running on on your server.

Another approach would be to setup sshd (or any other tunnelling product) on any other server accessible on the public internet. Initial your connection to it from your server and use that connection to forward traffic from port 80 on that public server to your server.

The approach is basically the same: you need to initiate the tunnel setup from your server and use that connection to forward the traffic from the public server back to yours.

Configure each NAT device, starting with the one with the Internet connection, to port forward to the next NAT device with the innermost NAT forwarding to the server.

Update: "2.I have no right to configure the NATs manually." I don't understand how you can have the right to run a server behind these NAT devices but not have the right to configure port forwarding in them. Surely the right to run a server includes the right to do what's necessary to run a server.