nat-traversal | js package that contains a relay server | TLS library

I am currently writing a P2P application using golang. I have chosen Noise for that, since it provides an easy to use network stack.

My application provides a REST API that can be accessed via localhost. Data that are sent to the locally provided endpoints will then be transferred to all connected peers, which then distribute the data to their connected peers to keep the network synchronized.

So far I have succeeded with my implementation, however this only works for publicly exposed nodes or nodes within the same Network.

I would like to keep the usability of my application as easy as possible, also for users in private networks. Therefore I want to avoid manual configuration overhead (i.e. port forwarding in their router settings). If at all possible, I also would like to avoid using a central server for the NAT-Traversal, since my goal is to have a truly decentralized application.

I understand that there are several NAT-Traversal techniques, such as STUN and TURN, alongside others, and I am aware that Noise offers already NAT-PMP and UPnP, but somehow I cannot wrap my head around how exactly they work.

I know, that some VoIP or File-Sharing services use NAT-PMP and they seem to work on pretty much every Network, without any user interaction. That just seems a little weird to me and I am stuck.

How is it possible, that my application just magically changes some Router configurations to accept incoming traffic? To me that seems to be a huge security risk, especially if the user of my application does not even know about it. Also, I figured that not every Router supports NAT-PMP and UPnP. What if my users have one of those?