We use UDP Hole Punching + STUN to allow anybody to host games in the lobby.
The technology is simple and described on wikipedia, but basically we need Client and Server to 'punch a hole' to the other. Note that our current hole-punching works iff the outgoing port matches what the STUN endpoint says (which is likely, but some NAT configurations won't allow it).
Since we request the IP from the server, we know _always_ have a communication from client to server via XMPP, which can be used to transmit the client's IP, allowing hole-punching to start there. We could skip the glooxICE from D364 entirely and save some round trips.
Current code is a bit hacky, but I did a quick test locally and it appeared ready to work.