dndx / phantun

Transforms UDP stream into (fake) TCP streams that can go through Layer 3 & Layer 4 (NAPT) firewalls/NATs.
Apache License 2.0

Unable to connect to remote #114

Closed faritor closed 1 year ago

faritor commented 1 year ago

version: 0.6.0

preconditions:

firewall allows ports 1-65535 and all protocols

question:

Unable to connect to remote. Running netstat -anp | grep 50000 shows no results on the server. How can I adjust it for normal use?

config:

client:

PreUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PreUp = RUST_LOG=info phantun_client --local 127.0.0.1:18080 --remote x.x.x.x:50000 --ipv4-only &> /var/log/phantun_client.log &

server:

PreUp = iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 50000 -j DNAT --to-destination 192.168.201.2
PreUp = RUST_LOG=info phantun_server --local 50000 --remote 127.0.0.1:51822 --ipv4-only &> /var/log/phantun_server.log &

log:

client:

 INFO  client   > New UDP client from 127.0.0.1:55551
 INFO  fake_tcp > Sent SYN to server
 INFO  fake_tcp > Waiting for SYN + ACK timed out
 INFO  fake_tcp > Sent SYN to server
 INFO  fake_tcp > Waiting for SYN + ACK timed out
 INFO  fake_tcp > Sent SYN to server
 INFO  fake_tcp > Waiting for SYN + ACK timed out
 INFO  fake_tcp > Fake TCP connection to (Fake TCP connection from 192.168.200.2:13661 to x.x.x.x:50000) closed
 ERROR client   > Unable to connect to remote x.x.x.x:50000
 INFO  client   > New UDP client from 127.0.0.1:55551
 INFO  fake_tcp > Sent SYN to server
 INFO  fake_tcp > Waiting for SYN + ACK timed out
 INFO  fake_tcp > Sent SYN to server
 INFO  fake_tcp > Waiting for SYN + ACK timed out
 INFO  fake_tcp > Sent SYN to server
 INFO  fake_tcp > Waiting for SYN + ACK timed out
 INFO  fake_tcp > Fake TCP connection to (Fake TCP connection from 192.168.200.2:22883 to x.x.x.x:50000) closed
 ERROR client   > Unable to connect to remote x.x.x.x:50000
 INFO  client   > New UDP client from 127.0.0.1:55551

server:

 INFO  server > Remote address is: 127.0.0.1:51822
 INFO  server > 2 cores available
 INFO  server > Created TUN device tun0
 INFO  server > Listening on 50000

dndx commented 1 year ago

Use tcpdump on the tun0 interface for debugging; this is a user-space TCP stack, so netstat will show nothing.

faritor commented 1 year ago

Yes, tcpdump is used for traffic monitoring. There is traffic on the client-side tun0 and eth0, but there is no traffic on the server side.

dndx commented 1 year ago

Hmm, if you cannot see any traffic on the server side, maybe the server-side iptables rules are not configured correctly. Or you did not enable masquerade on the client side and the client is using the private address of tun0 as the source IP. It would be helpful if you could provide some tcpdump output from the client's eth0.

whale2022 commented 1 year ago

I also encountered the same problem, did you solve it?

irocnX commented 11 months ago

@dndx hello, I can't capture any traffic on eth0 (did sysctl -w .forwarding=1 / iptables -I FORWARD -j ACCEPT), even if I iptables -t nat -A PREROUTING -j MASQUERADE, but I can capture some traffic on tun0. Could you give any hints?

$> tcpdump -i tun0 dst port 4567    (OK)
$> tcpdump -i eth0 dst port 4567    (KO) nothing shown
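The checks dndx points at in this thread (server-side DNAT into the tun address, client-side masquerade so SYNs do not leave with the private tun0 source, IP forwarding) as an added example, not code from phantun or from anyone in the thread. The port 50000, tun address 192.168.201.2 and interface eth0 are taken from the reported config; the iptables-save text is constructed so the script runs offline.

```shell
#!/usr/bin/env bash
# Added example, not phantun's code: offline sanity checks for the iptables and
# sysctl setup this thread depends on. Inputs are `iptables-save -t nat` text
# and the ip_forward value, so the checks run on constructed samples or live.

# check_server_dnat <nat text> <tcp port> <tun ip>
# Passes when PREROUTING DNATs the fake-TCP port to phantun's tun address.
check_server_dnat() {
  printf '%s\n' "$1" |
    grep -Eq -- "^-A PREROUTING .*-p tcp .*--dport $2 .*-j DNAT --to-destination $3( |$)"
}
# check_client_masq <nat text> <wan iface>
# Passes when traffic leaving the WAN interface is masqueraded; otherwise the
# SYNs carry the private tun0 source address and SYN+ACKs never come back.
check_client_masq() {
  printf '%s\n' "$1" | grep -Eq -- "^-A POSTROUTING .*-o $2 .*-j MASQUERADE"
}
# check_forwarding <ip_forward value>: the DNAT'd SYN must be routed into tun0.
check_forwarding() { [ "$1" = "1" ]; }
# diagnose <client|server> <nat text> <ip_forward> <iface|port> [tun ip]
# Prints one verdict per check; returns the number of failed checks.
diagnose() {
  local role=$1 nat=$2 fwd=$3 fails=0
  if [ "$role" = server ]; then
    check_server_dnat "$nat" "$4" "$5" && echo "ok   DNAT tcp/$4 -> $5" ||
      { echo "FAIL no DNAT tcp/$4 -> $5"; fails=$((fails + 1)); }
  else
    check_client_masq "$nat" "$4" && echo "ok   MASQUERADE out $4" ||
      { echo "FAIL no MASQUERADE out $4"; fails=$((fails + 1)); }
  fi
  check_forwarding "$fwd" && echo "ok   ip_forward=1" ||
    { echo "FAIL ip_forward=$fwd"; fails=$((fails + 1)); }
  return "$fails"
}
# Live use with the thread's values:
#   diagnose server "$(iptables-save -t nat)" "$(cat /proc/sys/net/ipv4/ip_forward)" 50000 192.168.201.2
#   diagnose client "$(iptables-save -t nat)" "$(cat /proc/sys/net/ipv4/ip_forward)" eth0
# Constructed samples: the thread's server rule, a broken UDP variant, the client rule.
NAT_SERVER_OK='*nat
-A PREROUTING -i eth0 -p tcp -m tcp --dport 50000 -j DNAT --to-destination 192.168.201.2
COMMIT'
NAT_SERVER_BAD='*nat
-A PREROUTING -i eth0 -p udp -m udp --dport 50000 -j DNAT --to-destination 192.168.201.2
COMMIT'
NAT_CLIENT_OK='*nat
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'
```

A failing DNAT or masquerade check is consistent with the symptom in this thread: SYNs visible on the client's tun0 but nothing arriving on the server's tun0.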