phantun: lightweight and fast UDP to TCP obfuscator

Phantun

A lightweight and fast UDP to TCP obfuscator.

Phantun is a project that obfuscates UDP packets into TCP connections. It aims to achieve maximum performance with minimum processing and encapsulation overhead.

It is commonly used in environments where UDP is blocked/throttled but TCP is allowed through.

Phantun simply converts a stream of UDP packets into obfuscated TCP stream packets. The TCP stack used by Phantun is designed to pass through most L3/L4 stateful/stateless firewalls/NAT devices. It will not be able to pass through L7 proxies. However, the advantage of this approach is that none of the common UDP over TCP performance killers such as retransmissions and flow control will occur. The underlying UDP properties such as out-of-order delivery are fully preserved even if the connection ends up looking like a TCP connection from the perspective of firewalls/NAT devices.

Phantun means Phantom TUN, as it is an obfuscator for UDP traffic that does just enough work to make it pass through stateful firewalls/NATs as TCP packets.


Usage

For the example below, it is assumed that Phantun Server listens for incoming Phantun Client connections at port 4567 (the --local option for the server), and that it forwards UDP packets to the UDP server at 127.0.0.1:1234 (the --remote option for the server).

It is also assumed that Phantun Client listens for incoming UDP packets at 127.0.0.1:1234 (the --local option for client) and connects to Phantun Server at 10.0.0.1:4567 (the --remote option for the client).

Phantun creates a TUN interface for both the Client and Server. For Client, Phantun assigns itself the IP address 192.168.200.2 by default and for Server, it assigns 192.168.201.2 by default. Therefore, your kernel must have net.ipv4.ip_forward enabled, and you must set up appropriate iptables rules for NAT between your physical NIC address and Phantun’s TUN interface address.

You may customize the name of the TUN interface created by Phantun and the assigned addresses. Please run the executable with the -h option to see how to change them.

Another way to help understand this network topology:

Phantun Client is like a machine with a private IP address (192.168.200.2) behind a router. In order for it to reach the Internet, you will need to SNAT the private IP address before its traffic leaves the NIC.

Phantun Server is like a server with a private IP address (192.168.201.2) behind a router. In order to access it from the Internet, you need to DNAT its listening port on the router and change the destination IP address to where the server is listening for incoming connections.

In those cases, the machine/iptables running Phantun acts as the “router” that allows Phantun to communicate with the outside using its private IP addresses.
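The forwarding and NAT setup described above, written out as an added example (not taken from the Phantun project). It uses the default TUN addresses and the port 4567 from this page; the physical interface name eth0 and the script name phantun-nat.sh are assumptions. The script only prints the commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Prints the kernel and iptables setup for a Phantun host so it can be
# reviewed before being applied as root. Nothing is changed by this script.
# Assumed (not stated on the page): the physical interface is eth0.
NIC="${NIC:-eth0}"
CLIENT_TUN_IP=192.168.200.2   # Phantun Client default TUN address
SERVER_TUN_IP=192.168.201.2   # Phantun Server default TUN address
SERVER_PORT=4567              # Phantun Server --local port in the example

# Client side: SNAT the private TUN address as its traffic leaves the NIC.
# Matching on the source address keeps other forwarded traffic untouched.
client_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -t nat -A POSTROUTING -s $CLIENT_TUN_IP -o $NIC -j MASQUERADE"
}

# Server side: DNAT only the listening TCP port to the TUN address, so no
# other port on the host is redirected to Phantun.
server_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -t nat -A PREROUTING -i $NIC -p tcp --dport $SERVER_PORT -j DNAT --to-destination $SERVER_TUN_IP"
}

# Usage: sh phantun-nat.sh client|server   (no argument prints both sets)
case "${1:-all}" in
    client) client_rules ;;
    server) server_rules ;;
    *)      echo "# client"; client_rules; echo "# server"; server_rules ;;
esac
```

If the host's FORWARD chain policy is DROP, traffic between the TUN interface and the NIC also needs explicit accept rules.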

As of Phantun v0.2.2, IPv6 support for UDP endpoints has been added; however, Fake TCP IPv6 support has not been finished yet. To specify an IPv6 address, use the following format with the command-line options: [::1]:1234.


Copyright (c) 2021-2022 Datong Sun (dndx@idndx.com)