How can I transform UDP to TCP with netfilter?
Clash Royale CLAN TAG#URR8PPP
I have a wonderful ISP blocking all UDP traffic (except DNS to its own DNS servers).
However, I want to use UDP for my VPN solution. I have root over both VPN endpoints, and both of them are using Linux.
My idea is to simply overwrite the packet type field in my outgoing UDP packets to look as TCP, and doing the reverse on the server side.
Thus, the routers/firewall of my wonderful ISP will see bad TCP packets, while my VPN processes will be able to communicate on UDP.
I strongly suspect, that the firewall of the ISP is not enough smart to detect, that something is not okay.
Of course it would be a dirty trick, but not more dirty than simply forbidding the second most used IP protocol and selling this as ordinary internet connection.
As far I know, there are some iptables rules for that, but which one?
linux iptables netfilter
asked Feb 27 at 12:12
peterhpeterh
4,499113361
add a comment |
I have a wonderful ISP blocking all UDP traffic (except DNS to its own DNS servers).
However, I want to use UDP for my VPN solution. I have root over both VPN endpoints, and both of them are using Linux.
My idea is to simply overwrite the packet type field in my outgoing UDP packets to look as TCP, and doing the reverse on the server side.
Thus, the routers/firewall of my wonderful ISP will see bad TCP packets, while my VPN processes will be able to communicate on UDP.
I strongly suspect, that the firewall of the ISP is not enough smart to detect, that something is not okay.
Of course it would be a dirty trick, but not more dirty than simply forbidding the second most used IP protocol and selling this as ordinary internet connection.
As far I know, there are some iptables rules for that, but which one?
linux iptables netfilter
asked Feb 27 at 12:12
peterhpeterh
4,499113361
Have you tried contacting your ISP about them blocking UDP?
– Torin
Feb 27 at 12:25
@Torin Chanceless. ("Your call is very important for us. Please wait until our customer specialist...blahblah") It is a Big Company. If I could access this customer specialist, he wouldn't understand my problem. Then he would sent me to some level-0 support who will want me to plug in/plug out my cable, reboot my router, reboot my windows..................
– peterh
Feb 27 at 12:27
You'll probably need something better thaniptablesrules, as you'll need to fool all the middleboxes on the way which will track the TCP connection, so it least it should look like a proper TCP connection, even if there are no retransmission semantics. Have a look at raw sockets (man 7 raw), and be prepared to add a bit of source code to your VPN software.
– dirkt
Feb 27 at 14:00
technically nftables can mangle "ip protocol udp" into "ip protocol 6". but you get what you asked then: except for the ports no information is the same. the checksum which isn't at the same place is now wrong, and if corrected (which might happen automatically) will overwrite some data, etc. couldn't get it to be accepted on the other side of the same wire after the reverse operation
– A.B
Feb 28 at 18:21
add a comment |
I have a wonderful ISP blocking all UDP traffic (except DNS to its own DNS servers).
However, I want to use UDP for my VPN solution. I have root over both VPN endpoints, and both of them are using Linux.
My idea is to simply overwrite the packet type field in my outgoing UDP packets to look as TCP, and doing the reverse on the server side.
Thus, the routers/firewall of my wonderful ISP will see bad TCP packets, while my VPN processes will be able to communicate on UDP.
I strongly suspect, that the firewall of the ISP is not enough smart to detect, that something is not okay.
Of course it would be a dirty trick, but not more dirty than simply forbidding the second most used IP protocol and selling this as ordinary internet connection.
As far I know, there are some iptables rules for that, but which one?
linux iptables netfilter
asked Feb 27 at 12:12
peterhpeterh
4,499113361
I have a wonderful ISP blocking all UDP traffic (except DNS to its own DNS servers).
However, I want to use UDP for my VPN solution. I have root over both VPN endpoints, and both of them are using Linux.
My idea is to simply overwrite the packet type field in my outgoing UDP packets to look as TCP, and doing the reverse on the server side.
Thus, the routers/firewall of my wonderful ISP will see bad TCP packets, while my VPN processes will be able to communicate on UDP.
I strongly suspect, that the firewall of the ISP is not enough smart to detect, that something is not okay.
Of course it would be a dirty trick, but not more dirty than simply forbidding the second most used IP protocol and selling this as ordinary internet connection.
As far I know, there are some iptables rules for that, but which one?
linux iptables netfilter
linux iptables netfilter
asked Feb 27 at 12:12
peterhpeterh
4,499113361
asked Feb 27 at 12:12
peterhpeterh
4,499113361
asked Feb 27 at 12:12
peterhpeterh
4,499113361
asked Feb 27 at 12:12
peterhpeterh
4,499113361
asked Feb 27 at 12:12
peterhpeterh
4,499113361
4,499113361
Have you tried contacting your ISP about them blocking UDP?
– Torin
Feb 27 at 12:25
@Torin Chanceless. ("Your call is very important for us. Please wait until our customer specialist...blahblah") It is a Big Company. If I could access this customer specialist, he wouldn't understand my problem. Then he would sent me to some level-0 support who will want me to plug in/plug out my cable, reboot my router, reboot my windows..................
– peterh
Feb 27 at 12:27
You'll probably need something better thaniptablesrules, as you'll need to fool all the middleboxes on the way which will track the TCP connection, so it least it should look like a proper TCP connection, even if there are no retransmission semantics. Have a look at raw sockets (man 7 raw), and be prepared to add a bit of source code to your VPN software.
– dirkt
Feb 27 at 14:00
technically nftables can mangle "ip protocol udp" into "ip protocol 6". but you get what you asked then: except for the ports no information is the same. the checksum which isn't at the same place is now wrong, and if corrected (which might happen automatically) will overwrite some data, etc. couldn't get it to be accepted on the other side of the same wire after the reverse operation
– A.B
Feb 28 at 18:21
add a comment |
Have you tried contacting your ISP about them blocking UDP?
– Torin
Feb 27 at 12:25
@Torin Chanceless. ("Your call is very important for us. Please wait until our customer specialist...blahblah") It is a Big Company. If I could access this customer specialist, he wouldn't understand my problem. Then he would sent me to some level-0 support who will want me to plug in/plug out my cable, reboot my router, reboot my windows..................
– peterh
Feb 27 at 12:27
You'll probably need something better thaniptablesrules, as you'll need to fool all the middleboxes on the way which will track the TCP connection, so it least it should look like a proper TCP connection, even if there are no retransmission semantics. Have a look at raw sockets (man 7 raw), and be prepared to add a bit of source code to your VPN software.
– dirkt
Feb 27 at 14:00
technically nftables can mangle "ip protocol udp" into "ip protocol 6". but you get what you asked then: except for the ports no information is the same. the checksum which isn't at the same place is now wrong, and if corrected (which might happen automatically) will overwrite some data, etc. couldn't get it to be accepted on the other side of the same wire after the reverse operation
– A.B
Feb 28 at 18:21
Have you tried contacting your ISP about them blocking UDP?
– Torin
Feb 27 at 12:25
Have you tried contacting your ISP about them blocking UDP?
– Torin
Feb 27 at 12:25
@Torin Chanceless. ("Your call is very important for us. Please wait until our customer specialist...blahblah") It is a Big Company. If I could access this customer specialist, he wouldn't understand my problem. Then he would sent me to some level-0 support who will want me to plug in/plug out my cable, reboot my router, reboot my windows..................
– peterh
Feb 27 at 12:27
@Torin Chanceless. ("Your call is very important for us. Please wait until our customer specialist...blahblah") It is a Big Company. If I could access this customer specialist, he wouldn't understand my problem. Then he would sent me to some level-0 support who will want me to plug in/plug out my cable, reboot my router, reboot my windows..................
– peterh
Feb 27 at 12:27
You'll probably need something better than
iptables rules, as you'll need to fool all the middleboxes on the way which will track the TCP connection, so it least it should look like a proper TCP connection, even if there are no retransmission semantics. Have a look at raw sockets (man 7 raw), and be prepared to add a bit of source code to your VPN software.– dirkt
Feb 27 at 14:00
You'll probably need something better than
iptables rules, as you'll need to fool all the middleboxes on the way which will track the TCP connection, so it least it should look like a proper TCP connection, even if there are no retransmission semantics. Have a look at raw sockets (man 7 raw), and be prepared to add a bit of source code to your VPN software.– dirkt
Feb 27 at 14:00
technically nftables can mangle "ip protocol udp" into "ip protocol 6". but you get what you asked then: except for the ports no information is the same. the checksum which isn't at the same place is now wrong, and if corrected (which might happen automatically) will overwrite some data, etc. couldn't get it to be accepted on the other side of the same wire after the reverse operation
– A.B
Feb 28 at 18:21
technically nftables can mangle "ip protocol udp" into "ip protocol 6". but you get what you asked then: except for the ports no information is the same. the checksum which isn't at the same place is now wrong, and if corrected (which might happen automatically) will overwrite some data, etc. couldn't get it to be accepted on the other side of the same wire after the reverse operation
– A.B
Feb 28 at 18:21
add a comment |
2 Answers
2
active
oldest
votes
I doubt iptables alone will be enough, as TCP and UDP are fundamentally different protocols.
You can forget setting up an IPsec VPN with such scenario (ISP blocking all UDP ports).
Tunnel all the traffic via ICMP. (best old school solution I know of. Lots of organizations still do not filter out any kind of ICMP) see https://github.com/DhavalKapil/icmptunnel
'icmptunnel' works by encapsulating your IP traffic in ICMP echo
packets and sending them to your own proxy server. The proxy server
decapsulates the packet and forwards the IP traffic. The incoming IP
packets which are destined for the client are again encapsulated in
ICMP reply packets and sent back to the client. The IP traffic is sent
in the 'data' field of ICMP packets.
RFC 792, which is IETF's rules governing ICMP packets, allows for an
arbitrary data length for any type 0 (echo reply) or 8 (echo message)
ICMP packets.
So basically the client machine uses only the ICMP protocol to
communicate with the proxy server. Applications running on the client
machine are oblivious to this fact and work seamlessly.
also, as A.B. points out, you have a UDP-to-raw tunneling software at https://github.com/wangyu-/udp2raw-tunnel
Or in alternative, setup an OpenVPN solution. If you manage to talk outside run OpenVPN over port 53/UDP, or on the lack of that, run it over TCP. Mind you that doing a VPN over TCP will be slower than UDP, but it works.
As for the actual question of changing an IP field: You want to look at the mangle table in iptables, however: 1) I suspect your ISP is blocking that too 2) I know mangle supports modifying some IP fields, not sure about the one you need. See https://serverfault.com/questions/467756/what-is-the-mangle-table-in-iptables
More alternatives, you can try GRE tunnels (protocol 47), see https://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.tunnel.gre.html ( it is easier than trying to develop an application ). Some organizations block this. Basically it is encapsulating IP/ICMP/UDP over protocol 47.
Or if nothing else works, you can tunnel it via an IP tunnel over SSH (mind you tun over SSH, not TCP port tunneling). see Ip Tunnel Over Ssh With Tun http://www.marcfargas.com/posts/ip-tunnel-over-ssh-with-tun/ By the way, no technology of smart/adaptative/deep inspection traffic shapper/firewall that will detect and block all the methods on this thread will be able to block a TUN over SSH.
PS. It is hard to believe an ISP blocking UDP, and furthermore, NTP and DNS UDP ports.
answered Feb 27 at 13:15
Rui F RibeiroRui F Ribeiro
41.7k1483142
I use openvpn. I've already tested UDP port 53, the packets don't arrive. I suspect, an intermediary DNS proxy could be in the background. I did not very deeply tested, exactly which UDP ports are allowed.
– peterh
Feb 27 at 13:31
OpenVPN run over TCP too, albeit slower.
– Rui F Ribeiro
Feb 27 at 13:32
1
Yes, I use OpenVPN over TCP (I think it is not important to answer the question). I want to use OpenVPN over UDP due to better performance.
– peterh
Feb 27 at 13:35
Quite by the contrary, if you state you have all UDP blocked, it might be your only chance to run OpenVPN.
– Rui F Ribeiro
Feb 27 at 13:36
2
github.com/wangyu-/udp2raw-tunnel : uses so-called FakeTCP mode for its tunnel to bypass firewalls. Simulates TCP without getting the tcp-over-tcp penality.
– A.B
Feb 27 at 23:23
|
show 13 more comments
This will popably not work. The Firewall surely will track the TCP setup packets (SYN,SYN-ACK,ACK) needed for a correct TCP Connection, which are missing if you just use altered UDP Packets.
What you could do is: Write a small Application which picks up UDP on the one side, connects to the other side via TCP, and another application which accepts the incoming TCP Connection and Forwards TCP traffic to UDP.
answered Feb 27 at 12:29
gerhard d.gerhard d.
1,271412
It could work, but I could change the VPN to use TCP with a single-line change in the vpn configuration. The problem is that exactly this is what I want to avoid - sending TCP packets over the (encrypted) TCP VPN connection triples the tcp handshake time, and this is exactly what I want to avoid.
– peterh
Feb 27 at 12:33
Are you sure that it would track?
– peterh
Feb 27 at 12:34
Well, i am not sure that it does, but it is very likely. You don't Need the vpn, just run a daemon here and there, connecting to each other. Do you Need multiple UDP Ports ? If not, just use the existing Connection to "tunnel" the udp data.
– gerhard d.
Feb 27 at 14:09
The goal of using UDP is exactly to spare the TCP handshake and ACKs. Using a TCP VPN could work, but it would be slow. I want to make it quick.
– peterh
Feb 27 at 14:16
@peterh You mean you need to optimize the initial TCP handshake of the VPN connection (latency of bringing up the VPN tunnel)? Because that's the only point where the extra TCP handshake matters. Tunneled TCP handshakes work just the same inside TCP or UDP tunnels. The performance disadvantages of tunneling in TCP are in congestion avoidance, retransmission, and a bit of extra bandwidth consumption.
– TooTea
Feb 27 at 14:23
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f503320%2fhow-can-i-transform-udp-to-tcp-with-netfilter%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
I doubt iptables alone will be enough, as TCP and UDP are fundamentally different protocols.
You can forget setting up an IPsec VPN with such scenario (ISP blocking all UDP ports).
Tunnel all the traffic via ICMP. (best old school solution I know of. Lots of organizations still do not filter out any kind of ICMP) see https://github.com/DhavalKapil/icmptunnel
'icmptunnel' works by encapsulating your IP traffic in ICMP echo
packets and sending them to your own proxy server. The proxy server
decapsulates the packet and forwards the IP traffic. The incoming IP
packets which are destined for the client are again encapsulated in
ICMP reply packets and sent back to the client. The IP traffic is sent
in the 'data' field of ICMP packets.
RFC 792, which is IETF's rules governing ICMP packets, allows for an
arbitrary data length for any type 0 (echo reply) or 8 (echo message)
ICMP packets.
So basically the client machine uses only the ICMP protocol to
communicate with the proxy server. Applications running on the client
machine are oblivious to this fact and work seamlessly.
also, as A.B. points out, you have a UDP-to-raw tunneling software at https://github.com/wangyu-/udp2raw-tunnel
Or in alternative, setup an OpenVPN solution. If you manage to talk outside run OpenVPN over port 53/UDP, or on the lack of that, run it over TCP. Mind you that doing a VPN over TCP will be slower than UDP, but it works.
As for the actual question of changing an IP field: You want to look at the mangle table in iptables, however: 1) I suspect your ISP is blocking that too 2) I know mangle supports modifying some IP fields, not sure about the one you need. See https://serverfault.com/questions/467756/what-is-the-mangle-table-in-iptables
More alternatives, you can try GRE tunnels (protocol 47), see https://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.tunnel.gre.html ( it is easier than trying to develop an application ). Some organizations block this. Basically it is encapsulating IP/ICMP/UDP over protocol 47.
Or if nothing else works, you can tunnel it via an IP tunnel over SSH (mind you tun over SSH, not TCP port tunneling). see Ip Tunnel Over Ssh With Tun http://www.marcfargas.com/posts/ip-tunnel-over-ssh-with-tun/ By the way, no technology of smart/adaptative/deep inspection traffic shapper/firewall that will detect and block all the methods on this thread will be able to block a TUN over SSH.
PS. It is hard to believe an ISP blocking UDP, and furthermore, NTP and DNS UDP ports.
answered Feb 27 at 13:15
Rui F RibeiroRui F Ribeiro
41.7k1483142
I use openvpn. I've already tested UDP port 53, the packets don't arrive. I suspect, an intermediary DNS proxy could be in the background. I did not very deeply tested, exactly which UDP ports are allowed.
– peterh
Feb 27 at 13:31
OpenVPN run over TCP too, albeit slower.
– Rui F Ribeiro
Feb 27 at 13:32
1
Yes, I use OpenVPN over TCP (I think it is not important to answer the question). I want to use OpenVPN over UDP due to better performance.
– peterh
Feb 27 at 13:35
Quite by the contrary, if you state you have all UDP blocked, it might be your only chance to run OpenVPN.
– Rui F Ribeiro
Feb 27 at 13:36
2
github.com/wangyu-/udp2raw-tunnel : uses so-called FakeTCP mode for its tunnel to bypass firewalls. Simulates TCP without getting the tcp-over-tcp penality.
– A.B
Feb 27 at 23:23
|
show 13 more comments
I doubt iptables alone will be enough, as TCP and UDP are fundamentally different protocols.
You can forget setting up an IPsec VPN with such scenario (ISP blocking all UDP ports).
Tunnel all the traffic via ICMP. (best old school solution I know of. Lots of organizations still do not filter out any kind of ICMP) see https://github.com/DhavalKapil/icmptunnel
'icmptunnel' works by encapsulating your IP traffic in ICMP echo
packets and sending them to your own proxy server. The proxy server
decapsulates the packet and forwards the IP traffic. The incoming IP
packets which are destined for the client are again encapsulated in
ICMP reply packets and sent back to the client. The IP traffic is sent
in the 'data' field of ICMP packets.
RFC 792, which is IETF's rules governing ICMP packets, allows for an
arbitrary data length for any type 0 (echo reply) or 8 (echo message)
ICMP packets.
So basically the client machine uses only the ICMP protocol to
communicate with the proxy server. Applications running on the client
machine are oblivious to this fact and work seamlessly.
also, as A.B. points out, you have a UDP-to-raw tunneling software at https://github.com/wangyu-/udp2raw-tunnel
Or in alternative, setup an OpenVPN solution. If you manage to talk outside run OpenVPN over port 53/UDP, or on the lack of that, run it over TCP. Mind you that doing a VPN over TCP will be slower than UDP, but it works.
As for the actual question of changing an IP field: You want to look at the mangle table in iptables, however: 1) I suspect your ISP is blocking that too 2) I know mangle supports modifying some IP fields, not sure about the one you need. See https://serverfault.com/questions/467756/what-is-the-mangle-table-in-iptables
More alternatives, you can try GRE tunnels (protocol 47), see https://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.tunnel.gre.html ( it is easier than trying to develop an application ). Some organizations block this. Basically it is encapsulating IP/ICMP/UDP over protocol 47.
Or if nothing else works, you can tunnel it via an IP tunnel over SSH (mind you tun over SSH, not TCP port tunneling). see Ip Tunnel Over Ssh With Tun http://www.marcfargas.com/posts/ip-tunnel-over-ssh-with-tun/ By the way, no technology of smart/adaptative/deep inspection traffic shapper/firewall that will detect and block all the methods on this thread will be able to block a TUN over SSH.
PS. It is hard to believe an ISP blocking UDP, and furthermore, NTP and DNS UDP ports.
answered Feb 27 at 13:15
Rui F RibeiroRui F Ribeiro
41.7k1483142
I use openvpn. I've already tested UDP port 53, the packets don't arrive. I suspect, an intermediary DNS proxy could be in the background. I did not very deeply tested, exactly which UDP ports are allowed.
– peterh
Feb 27 at 13:31
OpenVPN run over TCP too, albeit slower.
– Rui F Ribeiro
Feb 27 at 13:32
1
Yes, I use OpenVPN over TCP (I think it is not important to answer the question). I want to use OpenVPN over UDP due to better performance.
– peterh
Feb 27 at 13:35
Quite by the contrary, if you state you have all UDP blocked, it might be your only chance to run OpenVPN.
– Rui F Ribeiro
Feb 27 at 13:36
2
github.com/wangyu-/udp2raw-tunnel : uses so-called FakeTCP mode for its tunnel to bypass firewalls. Simulates TCP without getting the tcp-over-tcp penality.
– A.B
Feb 27 at 23:23
|
show 13 more comments
I doubt iptables alone will be enough, as TCP and UDP are fundamentally different protocols.
You can forget setting up an IPsec VPN with such scenario (ISP blocking all UDP ports).
Tunnel all the traffic via ICMP. (best old school solution I know of. Lots of organizations still do not filter out any kind of ICMP) see https://github.com/DhavalKapil/icmptunnel
'icmptunnel' works by encapsulating your IP traffic in ICMP echo
packets and sending them to your own proxy server. The proxy server
decapsulates the packet and forwards the IP traffic. The incoming IP
packets which are destined for the client are again encapsulated in
ICMP reply packets and sent back to the client. The IP traffic is sent
in the 'data' field of ICMP packets.
RFC 792, which is IETF's rules governing ICMP packets, allows for an
arbitrary data length for any type 0 (echo reply) or 8 (echo message)
ICMP packets.
So basically the client machine uses only the ICMP protocol to
communicate with the proxy server. Applications running on the client
machine are oblivious to this fact and work seamlessly.
also, as A.B. points out, you have a UDP-to-raw tunneling software at https://github.com/wangyu-/udp2raw-tunnel
Or in alternative, setup an OpenVPN solution. If you manage to talk outside run OpenVPN over port 53/UDP, or on the lack of that, run it over TCP. Mind you that doing a VPN over TCP will be slower than UDP, but it works.
As for the actual question of changing an IP field: You want to look at the mangle table in iptables, however: 1) I suspect your ISP is blocking that too 2) I know mangle supports modifying some IP fields, not sure about the one you need. See https://serverfault.com/questions/467756/what-is-the-mangle-table-in-iptables
More alternatives, you can try GRE tunnels (protocol 47), see https://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.tunnel.gre.html ( it is easier than trying to develop an application ). Some organizations block this. Basically it is encapsulating IP/ICMP/UDP over protocol 47.
Or if nothing else works, you can tunnel it via an IP tunnel over SSH (mind you tun over SSH, not TCP port tunneling). see Ip Tunnel Over Ssh With Tun http://www.marcfargas.com/posts/ip-tunnel-over-ssh-with-tun/ By the way, no technology of smart/adaptative/deep inspection traffic shapper/firewall that will detect and block all the methods on this thread will be able to block a TUN over SSH.
PS. It is hard to believe an ISP blocking UDP, and furthermore, NTP and DNS UDP ports.
answered Feb 27 at 13:15
Rui F RibeiroRui F Ribeiro
41.7k1483142
I doubt iptables alone will be enough, as TCP and UDP are fundamentally different protocols.
You can forget setting up an IPsec VPN with such scenario (ISP blocking all UDP ports).
Tunnel all the traffic via ICMP. (best old school solution I know of. Lots of organizations still do not filter out any kind of ICMP) see https://github.com/DhavalKapil/icmptunnel
'icmptunnel' works by encapsulating your IP traffic in ICMP echo
packets and sending them to your own proxy server. The proxy server
decapsulates the packet and forwards the IP traffic. The incoming IP
packets which are destined for the client are again encapsulated in
ICMP reply packets and sent back to the client. The IP traffic is sent
in the 'data' field of ICMP packets.
RFC 792, which is IETF's rules governing ICMP packets, allows for an
arbitrary data length for any type 0 (echo reply) or 8 (echo message)
ICMP packets.
So basically the client machine uses only the ICMP protocol to
communicate with the proxy server. Applications running on the client
machine are oblivious to this fact and work seamlessly.
also, as A.B. points out, you have a UDP-to-raw tunneling software at https://github.com/wangyu-/udp2raw-tunnel
Or in alternative, setup an OpenVPN solution. If you manage to talk outside run OpenVPN over port 53/UDP, or on the lack of that, run it over TCP. Mind you that doing a VPN over TCP will be slower than UDP, but it works.
As for the actual question of changing an IP field: You want to look at the mangle table in iptables, however: 1) I suspect your ISP is blocking that too 2) I know mangle supports modifying some IP fields, not sure about the one you need. See https://serverfault.com/questions/467756/what-is-the-mangle-table-in-iptables
More alternatives, you can try GRE tunnels (protocol 47), see https://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.tunnel.gre.html ( it is easier than trying to develop an application ). Some organizations block this. Basically it is encapsulating IP/ICMP/UDP over protocol 47.
Or if nothing else works, you can tunnel it via an IP tunnel over SSH (mind you tun over SSH, not TCP port tunneling). see Ip Tunnel Over Ssh With Tun http://www.marcfargas.com/posts/ip-tunnel-over-ssh-with-tun/ By the way, no technology of smart/adaptative/deep inspection traffic shapper/firewall that will detect and block all the methods on this thread will be able to block a TUN over SSH.
PS. It is hard to believe an ISP blocking UDP, and furthermore, NTP and DNS UDP ports.
answered Feb 27 at 13:15
Rui F RibeiroRui F Ribeiro
41.7k1483142
edited Feb 27 at 23:32
answered Feb 27 at 13:15
Rui F RibeiroRui F Ribeiro
41.7k1483142
answered Feb 27 at 13:15
Rui F RibeiroRui F Ribeiro
41.7k1483142
answered Feb 27 at 13:15
Rui F RibeiroRui F Ribeiro
41.7k1483142
41.7k1483142
I use openvpn. I've already tested UDP port 53, the packets don't arrive. I suspect, an intermediary DNS proxy could be in the background. I did not very deeply tested, exactly which UDP ports are allowed.
– peterh
Feb 27 at 13:31
OpenVPN run over TCP too, albeit slower.
– Rui F Ribeiro
Feb 27 at 13:32
1
Yes, I use OpenVPN over TCP (I think it is not important to answer the question). I want to use OpenVPN over UDP due to better performance.
– peterh
Feb 27 at 13:35
Quite by the contrary, if you state you have all UDP blocked, it might be your only chance to run OpenVPN.
– Rui F Ribeiro
Feb 27 at 13:36
2
github.com/wangyu-/udp2raw-tunnel : uses so-called FakeTCP mode for its tunnel to bypass firewalls. Simulates TCP without getting the tcp-over-tcp penality.
– A.B
Feb 27 at 23:23
|
show 13 more comments
I use openvpn. I've already tested UDP port 53, the packets don't arrive. I suspect, an intermediary DNS proxy could be in the background. I did not very deeply tested, exactly which UDP ports are allowed.
– peterh
Feb 27 at 13:31
OpenVPN run over TCP too, albeit slower.
– Rui F Ribeiro
Feb 27 at 13:32
1
Yes, I use OpenVPN over TCP (I think it is not important to answer the question). I want to use OpenVPN over UDP due to better performance.
– peterh
Feb 27 at 13:35
Quite by the contrary, if you state you have all UDP blocked, it might be your only chance to run OpenVPN.
– Rui F Ribeiro
Feb 27 at 13:36
2
github.com/wangyu-/udp2raw-tunnel : uses so-called FakeTCP mode for its tunnel to bypass firewalls. Simulates TCP without getting the tcp-over-tcp penality.
– A.B
Feb 27 at 23:23
I use openvpn. I've already tested UDP port 53, the packets don't arrive. I suspect, an intermediary DNS proxy could be in the background. I did not very deeply tested, exactly which UDP ports are allowed.
– peterh
Feb 27 at 13:31
I use openvpn. I've already tested UDP port 53, the packets don't arrive. I suspect, an intermediary DNS proxy could be in the background. I did not very deeply tested, exactly which UDP ports are allowed.
– peterh
Feb 27 at 13:31
OpenVPN run over TCP too, albeit slower.
– Rui F Ribeiro
Feb 27 at 13:32
OpenVPN run over TCP too, albeit slower.
– Rui F Ribeiro
Feb 27 at 13:32
1
1
Yes, I use OpenVPN over TCP (I think it is not important to answer the question). I want to use OpenVPN over UDP due to better performance.
– peterh
Feb 27 at 13:35
Yes, I use OpenVPN over TCP (I think it is not important to answer the question). I want to use OpenVPN over UDP due to better performance.
– peterh
Feb 27 at 13:35
Quite by the contrary, if you state you have all UDP blocked, it might be your only chance to run OpenVPN.
– Rui F Ribeiro
Feb 27 at 13:36
Quite by the contrary, if you state you have all UDP blocked, it might be your only chance to run OpenVPN.
– Rui F Ribeiro
Feb 27 at 13:36
2
2
github.com/wangyu-/udp2raw-tunnel : uses so-called FakeTCP mode for its tunnel to bypass firewalls. Simulates TCP without getting the tcp-over-tcp penality.
– A.B
Feb 27 at 23:23
github.com/wangyu-/udp2raw-tunnel : uses so-called FakeTCP mode for its tunnel to bypass firewalls. Simulates TCP without getting the tcp-over-tcp penality.
– A.B
Feb 27 at 23:23
|
show 13 more comments
This will popably not work. The Firewall surely will track the TCP setup packets (SYN,SYN-ACK,ACK) needed for a correct TCP Connection, which are missing if you just use altered UDP Packets.
What you could do is: Write a small Application which picks up UDP on the one side, connects to the other side via TCP, and another application which accepts the incoming TCP Connection and Forwards TCP traffic to UDP.
answered Feb 27 at 12:29
gerhard d.gerhard d.
1,271412
It could work, but I could change the VPN to use TCP with a single-line change in the vpn configuration. The problem is that exactly this is what I want to avoid - sending TCP packets over the (encrypted) TCP VPN connection triples the tcp handshake time, and this is exactly what I want to avoid.
– peterh
Feb 27 at 12:33
Are you sure that it would track?
– peterh
Feb 27 at 12:34
Well, i am not sure that it does, but it is very likely. You don't Need the vpn, just run a daemon here and there, connecting to each other. Do you Need multiple UDP Ports ? If not, just use the existing Connection to "tunnel" the udp data.
– gerhard d.
Feb 27 at 14:09
The goal of using UDP is exactly to spare the TCP handshake and ACKs. Using a TCP VPN could work, but it would be slow. I want to make it quick.
– peterh
Feb 27 at 14:16
@peterh You mean you need to optimize the initial TCP handshake of the VPN connection (latency of bringing up the VPN tunnel)? Because that's the only point where the extra TCP handshake matters. Tunneled TCP handshakes work just the same inside TCP or UDP tunnels. The performance disadvantages of tunneling in TCP are in congestion avoidance, retransmission, and a bit of extra bandwidth consumption.
– TooTea
Feb 27 at 14:23
add a comment |
This will popably not work. The Firewall surely will track the TCP setup packets (SYN,SYN-ACK,ACK) needed for a correct TCP Connection, which are missing if you just use altered UDP Packets.
What you could do is: Write a small Application which picks up UDP on the one side, connects to the other side via TCP, and another application which accepts the incoming TCP Connection and Forwards TCP traffic to UDP.
answered Feb 27 at 12:29
gerhard d.gerhard d.
1,271412
It could work, but I could change the VPN to use TCP with a single-line change in the vpn configuration. The problem is that exactly this is what I want to avoid - sending TCP packets over the (encrypted) TCP VPN connection triples the tcp handshake time, and this is exactly what I want to avoid.
– peterh
Feb 27 at 12:33
Are you sure that it would track?
– peterh
Feb 27 at 12:34
Well, i am not sure that it does, but it is very likely. You don't Need the vpn, just run a daemon here and there, connecting to each other. Do you Need multiple UDP Ports ? If not, just use the existing Connection to "tunnel" the udp data.
– gerhard d.
Feb 27 at 14:09
The goal of using UDP is exactly to spare the TCP handshake and ACKs. Using a TCP VPN could work, but it would be slow. I want to make it quick.
– peterh
Feb 27 at 14:16
@peterh You mean you need to optimize the initial TCP handshake of the VPN connection (latency of bringing up the VPN tunnel)? Because that's the only point where the extra TCP handshake matters. Tunneled TCP handshakes work just the same inside TCP or UDP tunnels. The performance disadvantages of tunneling in TCP are in congestion avoidance, retransmission, and a bit of extra bandwidth consumption.
– TooTea
Feb 27 at 14:23
add a comment |
This will popably not work. The Firewall surely will track the TCP setup packets (SYN,SYN-ACK,ACK) needed for a correct TCP Connection, which are missing if you just use altered UDP Packets.
What you could do is: Write a small Application which picks up UDP on the one side, connects to the other side via TCP, and another application which accepts the incoming TCP Connection and Forwards TCP traffic to UDP.
answered Feb 27 at 12:29
gerhard d.gerhard d.
1,271412
This will popably not work. The Firewall surely will track the TCP setup packets (SYN,SYN-ACK,ACK) needed for a correct TCP Connection, which are missing if you just use altered UDP Packets.
What you could do is: Write a small Application which picks up UDP on the one side, connects to the other side via TCP, and another application which accepts the incoming TCP Connection and Forwards TCP traffic to UDP.
answered Feb 27 at 12:29
gerhard d.gerhard d.
1,271412
answered Feb 27 at 12:29
gerhard d.gerhard d.
1,271412
answered Feb 27 at 12:29
gerhard d.gerhard d.
1,271412
answered Feb 27 at 12:29
gerhard d.gerhard d.
1,271412
1,271412
It could work, but I could change the VPN to use TCP with a single-line change in the vpn configuration. The problem is that exactly this is what I want to avoid - sending TCP packets over the (encrypted) TCP VPN connection triples the tcp handshake time, and this is exactly what I want to avoid.
– peterh
Feb 27 at 12:33
Are you sure that it would track?
– peterh
Feb 27 at 12:34
Well, i am not sure that it does, but it is very likely. You don't Need the vpn, just run a daemon here and there, connecting to each other. Do you Need multiple UDP Ports ? If not, just use the existing Connection to "tunnel" the udp data.
– gerhard d.
Feb 27 at 14:09
The goal of using UDP is exactly to spare the TCP handshake and ACKs. Using a TCP VPN could work, but it would be slow. I want to make it quick.
– peterh
Feb 27 at 14:16
@peterh You mean you need to optimize the initial TCP handshake of the VPN connection (latency of bringing up the VPN tunnel)? Because that's the only point where the extra TCP handshake matters. Tunneled TCP handshakes work just the same inside TCP or UDP tunnels. The performance disadvantages of tunneling in TCP are in congestion avoidance, retransmission, and a bit of extra bandwidth consumption.
– TooTea
Feb 27 at 14:23
add a comment |
It could work, but I could change the VPN to use TCP with a single-line change in the vpn configuration. The problem is that exactly this is what I want to avoid - sending TCP packets over the (encrypted) TCP VPN connection triples the tcp handshake time, and this is exactly what I want to avoid.
– peterh
Feb 27 at 12:33
Are you sure that it would track?
– peterh
Feb 27 at 12:34
Well, i am not sure that it does, but it is very likely. You don't Need the vpn, just run a daemon here and there, connecting to each other. Do you Need multiple UDP Ports ? If not, just use the existing Connection to "tunnel" the udp data.
– gerhard d.
Feb 27 at 14:09
The goal of using UDP is exactly to spare the TCP handshake and ACKs. Using a TCP VPN could work, but it would be slow. I want to make it quick.
– peterh
Feb 27 at 14:16
@peterh You mean you need to optimize the initial TCP handshake of the VPN connection (latency of bringing up the VPN tunnel)? Because that's the only point where the extra TCP handshake matters. Tunneled TCP handshakes work just the same inside TCP or UDP tunnels. The performance disadvantages of tunneling in TCP are in congestion avoidance, retransmission, and a bit of extra bandwidth consumption.
– TooTea
Feb 27 at 14:23
It could work, but I could change the VPN to use TCP with a single-line change in the vpn configuration. The problem is that exactly this is what I want to avoid - sending TCP packets over the (encrypted) TCP VPN connection triples the tcp handshake time, and this is exactly what I want to avoid.
– peterh
Feb 27 at 12:33
It could work, but I could change the VPN to use TCP with a single-line change in the vpn configuration. The problem is that exactly this is what I want to avoid - sending TCP packets over the (encrypted) TCP VPN connection triples the tcp handshake time, and this is exactly what I want to avoid.
– peterh
Feb 27 at 12:33
Are you sure that it would track?
– peterh
Feb 27 at 12:34
Are you sure that it would track?
– peterh
Feb 27 at 12:34
Well, i am not sure that it does, but it is very likely. You don't Need the vpn, just run a daemon here and there, connecting to each other. Do you Need multiple UDP Ports ? If not, just use the existing Connection to "tunnel" the udp data.
– gerhard d.
Feb 27 at 14:09
Well, i am not sure that it does, but it is very likely. You don't Need the vpn, just run a daemon here and there, connecting to each other. Do you Need multiple UDP Ports ? If not, just use the existing Connection to "tunnel" the udp data.
– gerhard d.
Feb 27 at 14:09
The goal of using UDP is exactly to spare the TCP handshake and ACKs. Using a TCP VPN could work, but it would be slow. I want to make it quick.
– peterh
Feb 27 at 14:16
The goal of using UDP is exactly to spare the TCP handshake and ACKs. Using a TCP VPN could work, but it would be slow. I want to make it quick.
– peterh
Feb 27 at 14:16
@peterh You mean you need to optimize the initial TCP handshake of the VPN connection (latency of bringing up the VPN tunnel)? Because that's the only point where the extra TCP handshake matters. Tunneled TCP handshakes work just the same inside TCP or UDP tunnels. The performance disadvantages of tunneling in TCP are in congestion avoidance, retransmission, and a bit of extra bandwidth consumption.
– TooTea
Feb 27 at 14:23
@peterh You mean you need to optimize the initial TCP handshake of the VPN connection (latency of bringing up the VPN tunnel)? Because that's the only point where the extra TCP handshake matters. Tunneled TCP handshakes work just the same inside TCP or UDP tunnels. The performance disadvantages of tunneling in TCP are in congestion avoidance, retransmission, and a bit of extra bandwidth consumption.
– TooTea
Feb 27 at 14:23
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f503320%2fhow-can-i-transform-udp-to-tcp-with-netfilter%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Have you tried contacting your ISP about them blocking UDP?
– Torin
Feb 27 at 12:25
@Torin Chanceless. ("Your call is very important for us. Please wait until our customer specialist...blahblah") It is a Big Company. If I could access this customer specialist, he wouldn't understand my problem. Then he would sent me to some level-0 support who will want me to plug in/plug out my cable, reboot my router, reboot my windows..................
– peterh
Feb 27 at 12:27
You'll probably need something better than
iptablesrules, as you'll need to fool all the middleboxes on the way which will track the TCP connection, so it least it should look like a proper TCP connection, even if there are no retransmission semantics. Have a look at raw sockets (man 7 raw), and be prepared to add a bit of source code to your VPN software.– dirkt
Feb 27 at 14:00
technically nftables can mangle "ip protocol udp" into "ip protocol 6". but you get what you asked then: except for the ports no information is the same. the checksum which isn't at the same place is now wrong, and if corrected (which might happen automatically) will overwrite some data, etc. couldn't get it to be accepted on the other side of the same wire after the reverse operation
– A.B
Feb 28 at 18:21