Does it work if both machines are behind NAT?

Yes. This is the case LRO is built for. Both ends — the machine you want to reach and the machine you reach it from — can sit behind NAT, on dynamic IPs, inside corporate networks, with no inbound access whatsoever. As long as each can make ordinary outbound connections to the internet, a tunnel works.

Both sides dial outward

An LRO agent never waits for an incoming connection. It opens an outbound WebSocket connection to the public LRO core and keeps it alive with periodic keepalives. Outbound is the direction NAT and firewalls already allow by default — the same direction a browser or an update check uses — so there is nothing to configure on either network.

The core relays the stream

When you open a tunnel between two agents, the core sits in the middle and relays bytes from one to the other in both directions. Each side already has its outbound channel established, so the core can pass data between them without either ever accepting an inbound connection. From each network’s point of view there is only the outbound session it permitted in the first place.

The relay is always through the core — there is no peer-to-peer hole-punching or STUN dance that can fail on strict or symmetric NAT. If both agents can reach the core, the tunnel works, full stop.
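
The relay pattern described above, as an added example that is not LRO's code: plain TCP on localhost stands in for the WebSocket channel, and the one-line tunnel-id handshake and all function names are assumptions made for illustration. Only the core listens; both agents connect outward and the core splices the two sessions. Authentication, keepalives and the end-to-end encryption are left out.

```python
import asyncio

waiting = {}  # tunnel id -> (reader, writer) of the first agent to arrive

async def pipe(reader, writer):
    """Copy bytes one way until the sending side closes."""
    try:
        while data := await reader.read(4096):
            writer.write(data)
            await writer.drain()
    finally:
        writer.close()

async def handle_agent(reader, writer):
    """Core side: the only listener. Pairs two agents that name the same tunnel."""
    tunnel_id = (await reader.readline()).strip()  # hypothetical handshake line
    if tunnel_id not in waiting:
        waiting[tunnel_id] = (reader, writer)  # first agent: park until the peer dials in
        return
    peer_reader, peer_writer = waiting.pop(tunnel_id)
    # Second agent: splice the two outbound sessions together, both directions.
    await asyncio.gather(pipe(reader, peer_writer), pipe(peer_reader, writer))

async def agent_dial(port, tunnel_id):
    """Agent side: outbound connect only; the agent never opens a listening socket."""
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    writer.write(tunnel_id + b"\n")
    await writer.drain()
    return reader, writer

async def demo():
    """Constructed scenario: agents A and B meet on tunnel 't1' through the core."""
    core = await asyncio.start_server(handle_agent, "127.0.0.1", 0)
    port = core.sockets[0].getsockname()[1]
    a_r, a_w = await agent_dial(port, b"t1")
    b_r, b_w = await agent_dial(port, b"t1")
    a_w.write(b"ping from A\n")
    b_w.write(b"pong from B\n")
    await asyncio.gather(a_w.drain(), b_w.drain())
    got_b = await b_r.readline()  # what B received (sent by A)
    got_a = await a_r.readline()  # what A received (sent by B)
    a_w.close(); b_w.close()
    core.close()
    return got_a, got_b

if __name__ == "__main__":
    print(asyncio.run(demo()))
```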

What you don’t need

And because the relayed stream is end-to-end encrypted between the agents, routing it through a shared core does not expose its contents — see "Can LRO see my traffic?"

Reach a machine behind NAT from anywhere — no network changes on either side.