1badvpn-tun2socks(8) System Manager's Manual badvpn-tun2socks(8)
2
6 badvpn-tun2socks - create a TUN device to route TCP traffic through a
7 SOCKS server
8
10 badvpn-tun2socks
11 [--help]
12 [--version]
13 [--logger <stdout/syslog>]
14 [--syslog-facility <string>] [--syslog-ident <string>]
15 [--loglevel <0-5/none/error/warning/notice/info/debug>]
16 [--channel-loglevel <channel-name> <0-5/none/error/warn‐
17 ing/notice/info/debug>] ...
18 [--tundev <name>]
19 --netif-ipaddr <ipaddr>
20 --netif-netmask <ipnetmask>
21 --socks-server-addr <addr>
22 [--udpgw-remote-server-addr <addr>]
23 [--udpgw-max-connections <number>]
24 [--udpgw-connection-buffer-size <number>]
25 Address format is a.b.c.d:port (IPv4) or [addr]:port (IPv6).
27
29 badvpn-tun2socks is a network utility used to "socksify" TCP connec‐
30 tions at the network layer. It implements a TUN device which accepts
31 all incoming TCP connections (regardless of destination IP), and for‐
32 wards them through a SOCKS server. This allows you to forward all con‐
33 nections through SOCKS, without any need for application support. It
34 can be used, for example, to forward connections through a remote SSH
35 server.
36
38 This example demonstrates using tun2socks in combination with SSH's
39 dynamic forwarding feature.
40 Connect to the SSH server, passing -D localhost:1080 to the ssh command
42 to enable dynamic forwarding. This will make ssh open a local SOCKS
43 server which tun2socks forward connection through.
44 First create a TUN device (eg. using openvpn):
46 openvpn --mktun --dev tun0 --user <someuser>
48 Configure the IP of the new tun device:
50 ifconfig tun0 10.0.0.1 netmask 255.255.255.0
52 Now start the badvpn-tun2socks program:
54 badvpn-tun2socks --tundev tun0 --netif-ipaddr 10.0.0.2 --netif-netmask 255.255.255.0 \
56 --socks-server-addr 127.0.0.1:1080
57 Note that the address 10.0.0.2 is not a typo. It specifies the IP
59 address of the virtual router inside the TUN device, and must be dif‐
60 ferent from the IP of the TUN interface itself (but in the same sub‐
61 net).
62 Now you should be able to ping the virtual router's IP (10.0.0.2):
64 ping -n 10.0.0.2
66 All that remains is to route connections through the TUN device instead
68 of the existing default gateway. This is done as follows:
69 1. Add a route to the SSH server through your existing gateway, with a
71 lower metric than the original default route.
72 2. If your DNS servers are in a network that is not direcly attached
74 (e.g. in the Internet), also add routes for them (like for the SSH
75 server). This is needed because tun2socks does not forward UDP by
76 default (see below).
77 3. Add a default route through the virtual router in the TUN device,
79 with a lower metric than the original default route, but higher than
80 the SSH and DNS routes.
81 This will make all external connections go through the TUN device,
83 except for the SSH connection (else SSH would go through the TUN
84 device, which would go through... SSH).
85 For example (assuming there are no existing default routes with metric
87 <=6; otherwise remove them or change their metrics):
88 route add <IP_of_SSH_server> gw <IP_of_original_gateway> metric 5
90 <same for DNS>
91 route add default gw 10.0.0.2 metric 6
92
94 tun2socks can forward UDP, however this requires a forwarder daemon,
95 badvpn-udpgw to run on the remote SSH server:
96 badvpn-udpgw --listen-addr 127.0.0.1:7300
98 Then tell tun2socks to forward UDP via the forwarder:
100 --udpgw-remote-server-addr 127.0.0.1:7300
102
104 Copyright © 2010 Ambroz Bizjak <ambrop7@gmail.com>
105 This is free software; see the source for copying conditions. There is
106 NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
107 PURPOSE.
108 February 2012 badvpn-tun2socks(8)