Phantun - A Lightweight Tool for Tunneling UDP Traffic Over TCP

Phantun is a lightweight tool that disguises UDP packets as a TCP connection, which makes it useful in environments where UDP is blocked or throttled but TCP is allowed.

It does this with minimal processing and encapsulation overhead. Because no real TCP state machine is involved, the tunnel keeps UDP's semantics (packets may be lost or arrive out of order) and avoids the retransmission storms and head-of-line blocking that genuine UDP-over-TCP tunnels suffer from.

This guide explains how Phantun works, its setup process, and its performance characteristics.

What is Phantun?

Phantun (short for Phantom TUN) converts UDP traffic into an obfuscated TCP stream that can pass through most Layer 3/4 stateful or stateless firewalls and NAT devices. Unlike traditional UDP-over-TCP solutions, Phantun never retransmits or applies flow control, so latency stays low and throughput stays high. Note that Phantun is an obfuscation layer, not a security layer: it adds no encryption or anti-replay protection, so the UDP protocol carried inside it (WireGuard, for example) must provide its own confidentiality and integrity.

Key features include:

  • Written in 100% safe Rust for reliability and performance.

  • Fully supports IPv6 alongside IPv4.

  • Minimal tunneling overhead (12 bytes compared to 44 bytes in some alternatives).

  • Optimized for multi-core systems, capable of saturating high-speed connections.

How Phantun Works

Phantun creates a TUN interface on both the client and the server. Phantun itself synthesizes the fake TCP segments in user space and writes them to the TUN interface; the kernel then routes them out of the physical interface like any other packet. The kernel's TCP stack is never involved, which is why there are no retransmissions, no flow control and no real handshake state to maintain.

Network Topology

  • Client: Listens for incoming UDP packets on a local address (e.g., 127.0.0.1:1234) and connects to the server's TCP port.

  • Server: Listens for incoming TCP connections (e.g., port 4567) and forwards the obfuscated traffic to a specified UDP destination.

Both ends need IP forwarding enabled and NAT rules so that the kernel translates between the private addresses of the TUN interface and the physical network interface.

Setup Guide

1. Enable Kernel IP Forwarding

Enable IP forwarding on your system to allow traffic routing:

1. Edit /etc/sysctl.conf:

net.ipv4.ip_forward=1

2. Apply the change:

sudo sysctl -p /etc/sysctl.conf

For IPv6 forwarding, ensure net.ipv6.conf.all.forwarding=1 is set in /etc/sysctl.conf.

2. Configure Firewall Rules

Client-Side NAT (SNAT)

The client needs Source NAT (SNAT) rules to translate Phantun's TUN interface address into a routable address on the physical network.

Using nftables:

table inet nat {

    chain postrouting {

        type nat hook postrouting priority srcnat; policy accept;

        iifname tun0 oif eth0 masquerade

    }

}

Using iptables:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Unlike the nftables rule above, these iptables rules masquerade everything leaving eth0, not only traffic that entered through tun0. If the host forwards other traffic, narrow them with -s to the address range of Phantun's TUN interface.

Server-Side NAT (DNAT)

The server needs Destination NAT (DNAT) rules that redirect incoming TCP connections on the Phantun port to the TUN peer address that Phantun listens on (192.168.201.2 and fcc9::2 in the examples below).

Using nftables:

table inet nat {

    chain prerouting {

        type nat hook prerouting priority dstnat; policy accept;

        iif eth0 tcp dport 4567 dnat ip to 192.168.201.2

        iif eth0 tcp dport 4567 dnat ip6 to fcc9::2

    }

}

Using iptables:

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 4567 -j DNAT --to-destination 192.168.201.2

ip6tables -t nat -A PREROUTING -p tcp -i eth0 --dport 4567 -j DNAT --to-destination fcc9::2

3. Run Phantun as Non-Root User (Optional)

To avoid running Phantun as root, grant the binaries the CAP_NET_ADMIN capability they need to create and configure the TUN interface. Bear in mind that CAP_NET_ADMIN still allows broad changes to the host's network configuration, so run the daemons under a dedicated unprivileged user rather than a shared account:

sudo setcap cap_net_admin=+pe phantun_server

sudo setcap cap_net_admin=+pe phantun_client

4. Start the Phantun Daemon

Server Command:

RUST_LOG=info /usr/local/bin/phantun_server --local 4567 --remote 127.0.0.1:1234

Replace 127.0.0.1:1234 with the address of the real UDP service (for example, your WireGuard listener) that the server should forward decapsulated traffic to. The --local port must match the port in your DNAT rules.

Client Command:

RUST_LOG=info /usr/local/bin/phantun_client --local 127.0.0.1:1234 --remote 10.0.0.1:4567

Replace 10.0.0.1:4567 with your server's public address and the TCP port that its DNAT rule forwards. Point the UDP client (for example, WireGuard) at 127.0.0.1:1234.
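The four steps above as one script, written for this guide and not part of Phantun or its documentation. It renders the nftables NAT rules for one role (client or server), enables forwarding, sets the capability and prints the daemon command line, and it also computes the inner MTU from the formula given in the MTU Considerations section. By default it only prints what it would do; set PHANTUN_APPLY=1 to actually run sysctl, nft and setcap (as root or with the matching capabilities). The interface names eth0 and tun0, the port 4567, the TUN peer addresses 192.168.201.2 and fcc9::2 and the binary path /usr/local/bin come from this guide; the nftables table names phantun_client and phantun_server and the environment-variable overrides are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not Phantun's own code: dry-run (default) or apply
# (PHANTUN_APPLY=1) the forwarding, NAT and capability setup for one side.
# Assumed defaults below are taken from the guide; override via environment.
set -eu

WAN_IF="${WAN_IF:-eth0}"                   # physical interface
TUN_IF="${TUN_IF:-tun0}"                   # Phantun's TUN interface
TCP_PORT="${TCP_PORT:-4567}"               # public fake-TCP port
SERVER_TUN4="${SERVER_TUN4:-192.168.201.2}"  # server TUN peer, IPv4
SERVER_TUN6="${SERVER_TUN6:-fcc9::2}"        # server TUN peer, IPv6
UDP_TARGET="${UDP_TARGET:-127.0.0.1:1234}" # server: real UDP service
SERVER_ADDR="${SERVER_ADDR:-10.0.0.1}"     # client: server's public IP

# Print a command, and execute it only when PHANTUN_APPLY=1.
run() {
    printf '+ %s\n' "$*"
    if [ "${PHANTUN_APPLY:-0}" = 1 ]; then "$@"; fi
}

# MTU for the link carried inside the tunnel (e.g. WireGuard): interface MTU
# minus the IP header (20 for IPv4, 40 for IPv6), the 20-byte fake TCP header
# and 32 bytes of WireGuard overhead.
inner_mtu() {
    case "$2" in
        4) echo $(( $1 - 20 - 20 - 32 )) ;;
        6) echo $(( $1 - 40 - 20 - 32 )) ;;
        *) echo "inner_mtu: IP version must be 4 or 6" >&2; return 1 ;;
    esac
}

# Client: masquerade only traffic that entered via the TUN interface and
# leaves via the WAN interface (narrower than "-o eth0 -j MASQUERADE").
render_client_ruleset() {
    cat <<EOF
table inet phantun_client {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        iifname "$TUN_IF" oifname "$WAN_IF" masquerade
    }
}
EOF
}

# Server: DNAT only TCP traffic arriving on the WAN interface for the
# Phantun port, to the TUN peer address Phantun listens on.
render_server_ruleset() {
    cat <<EOF
table inet phantun_server {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname "$WAN_IF" tcp dport $TCP_PORT dnat ip to $SERVER_TUN4
        iifname "$WAN_IF" tcp dport $TCP_PORT dnat ip6 to $SERVER_TUN6
    }
}
EOF
}

# Show the ruleset and, when applying, load it atomically with nft -f.
apply_ruleset() {
    ruleset=$("render_${1}_ruleset")
    printf '%s\n' "$ruleset"
    if [ "${PHANTUN_APPLY:-0}" = 1 ]; then printf '%s\n' "$ruleset" | nft -f -; fi
}

setup() {
    role="$1"
    case "$role" in client|server) ;; *) echo "role must be client or server" >&2; return 1 ;; esac
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv6.conf.all.forwarding=1
    apply_ruleset "$role"
    run setcap cap_net_admin=+pe "/usr/local/bin/phantun_$role"
    if [ "$role" = server ]; then
        echo "start: RUST_LOG=info /usr/local/bin/phantun_server --local $TCP_PORT --remote $UDP_TARGET"
    else
        echo "start: RUST_LOG=info /usr/local/bin/phantun_client --local 127.0.0.1:1234 --remote $SERVER_ADDR:$TCP_PORT"
    fi
    echo "WireGuard MTU inside this tunnel: IPv4 $(inner_mtu 1500 4), IPv6 $(inner_mtu 1500 6)"
}

setup "${1:-server}"
```

Run it as `sh phantun-setup.sh server` or `sh phantun-setup.sh client` to review the generated rules, then with PHANTUN_APPLY=1 to apply them. Loading the rules with nft -f replaces the whole table in one transaction, so re-running the script does not accumulate duplicate rules the way repeated iptables -A invocations do.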

Performance Overview

Phantun is optimized for high-speed networks, leveraging multi-threading to maximize throughput on multi-core systems.

Benchmark Results

Performance tests were conducted on AWS t4g.xlarge instances with a 5 Gb/s NIC:

Mode                  Send speed   Receive speed   CPU usage
Direct (1 stream)     3 Gbps       2.37 Gbps       25% (1 core)
Phantun (1 stream)    1.3 Gbps     1.2 Gbps        60% (multi-core)
Direct (5 streams)    5 Gbps       3.64 Gbps       25% (1 core)
Phantun (5 streams)   5 Gbps       2.38 Gbps       ~95% (all cores)

MTU Considerations

Phantun adds only 12 bytes of overhead per packet compared to raw UDP (IPv4 headers shown; with IPv6 both headers grow by 20 bytes and the difference is still 12 bytes):

  • Standard UDP packet: 20 bytes (IP header) + 8 bytes (UDP header) = 28 bytes

  • Obfuscated TCP packet: 20 bytes (IP header) + 20 bytes (TCP header) = 40 bytes

For WireGuard users, the MTU to set on the WireGuard interface is:

  • IPv4: MTU = 1500 (interface MTU) - 20 (IP header) - 20 (TCP header) - 32 (WireGuard overhead) = 1428

  • IPv6: MTU = 1500 (interface MTU) - 40 (IP header) - 20 (TCP header) - 32 (WireGuard overhead) = 1408

Set the same MTU on both ends of the tunnel. Packets larger than the budget above either get fragmented or are silently dropped, and the fake TCP layer has no retransmission to recover them.

Comparison with udp2raw

Phantun was inspired by udp2raw but focuses on performance over feature completeness:

Feature                  Phantun    udp2raw
UDP over FakeTCP         Yes        Yes
UDP over ICMP            No         Yes
Multi-threaded           Yes        No
Anti-replay/encryption   No         Yes
Tunneling MTU overhead   12 bytes   44 bytes

Phantun provides an efficient way to tunnel UDP traffic through restricted networks while maintaining high performance and minimal overhead. You can learn more and download Phantun on GitHub.
