Udp2raw-tunnel – A UDP Tunnel which tunnels UDP via FakeTCP/UDP/ICMP Traffic by using Raw Socket [Bypass UDP FireWalls]

Udp2raw-tunnel - A UDP Tunnel which tunnels UDP via FakeTCP/UDP/ICMP Traffic by using Raw Socket [Bypass UDP FireWalls]

A UDP Tunnel which tunnels UDP via FakeTCP/UDP/ICMP Traffic by using Raw Socket, helps you Bypass UDP FireWalls (or Unstable UDP Environment). Its Encrypted, Anti-Replay and Multiplexed.It additionally acts as a Connection Stabilizer.

Support Platforms

A Linux host (together with desktop Linux, Android cellphone/pill, OpenWRT router, or Raspberry PI) with root entry.
For Winodws/MacOS, a digital picture with udp2raw pre-put in has been launched, you possibly can load it with Vmware/VirtualField.The digital picture has been set to auto receive ip, udp2raw will be run instantly after boot completed(make certain community mode of virtual machine has been set to bridged)(solely udp2raw must be run below a digital machine, all different packages run below Windows/MacOS as typical).


Send / Receive UDP Packet with pretend-tcp/icmp headers

Fake-tcp/icmp headers assist you bypass UDP blocking, UDP QOS or improper UDP NAT conduct on some ISPs. Raw packets with UDP headers are additionally supported.In UDP header mode, it behaves similar to a standard UDP tunnel, and you’ll simply make use of the opposite options.

Simulate TCP Handshake

Simulates the three-method handshake, together with seq and ack_seq. TCP choices MSS, sackOk, TS, TS_ack, wscale are additionally simulated. Real-time supply assured, no TCP over TCP drawback when using OpenVPN.

Encryption, Anti-Replay, No MITM

  • Encrypt your site visitors with AES-128-CBC.
  • Protect knowledge integrity by MD5 or CRC32.
  • Defense replay assault with an anti-replay window, much like IPSec and OpenVPN.
  • Authenticate mutually, no MITM assaults.

Failure Detection & Stabilization (Connection Recovery)

Connection failures are detected by heartbeats. If timed-out, the consumer will routinely change port quantity and reconnect. If reconnection is profitable, the earlier connection will likely be recovered, and all current UDP conversations will keep legitimate.

For instance, in the event you use UDP2RAW + OpenVPN, OpenVPN will not lose connection after any reconnect, even when the community cable is re-plugged or the WiFi entry level is modified.

Other Features

  • Multiplexing One consumer can deal with a number of UDP connections, all of which share the identical uncooked connection.
  • Multiple Clients One server can have a number of purchasers.
  • NAT Support All of the three modes work in NAT environments.
  • OpenVZ Support Tested on BandwagonHost.
  • OpenWRT Support No dependencies, straightforward to construct. Binary for ar71xx are included in launch.

UDP QoS Bypass UDP Blocking Bypass OpenVPN TCP over TCP drawback OpenVPN over ICMP UDP to ICMP tunnel UDP to TCP tunnel UDP over ICMP UDP over TCP

Getting Started

Download binary launch from https://github.com/wangyu-/udp2raw-tunnel/releases

Assume your UDP is blocked or being QOS-ed or simply poorly supported. Assume your server ip is, you’ve a service listening on udp port 7777.

# Run at server aspect:
./udp2raw_amd64 -s -l0.0.0.0:4096 -r  -a -k "passwd" --raw-mode faketcp

# Run at consumer aspect
./udp2raw_amd64 -c -l0.0.0.0:3333  -r44.55.66.77:4096 -a -k "passwd" --raw-mode faketcp

Server Output:

Client Output:

Now, an encrypted uncooked tunnel has been established between consumer and server by means of TCP port 4096. Connecting to UDP port 3333 on the consumer aspect is equal to connecting to port 7777 on the server aspect. No UDP site visitors will likely be uncovered.

to run on Android, see Android_Guide

Advanced Topic


model: Aug 18 2017 00:29:11
repository: https://github.com/wangyu-/udp2raw-tunnel

    run as consumer : ./this_program -c -l local_listen_ip:local_port -r server_ip:server_port  [options]
    run as server : ./this_program -s -l server_listen_ip:server_port -r remote_ip:remote_port  [options]

widespread choices, these choices have to be similar on each aspect:
    --raw-mode            <string>        avaliable values:faketcp(default), udp, icmp
    -k, --key              <string>        password to gen symetric key, default:"secret key"
    --cipher-mode         <string>        avaliable values:aes128cbc(default), xor, none
    --auth-mode           <string>        avaliable values:md5(default), crc32, easy, none
    -a, --auto-rule                        auto add (and delete) iptables rule
    -g, --gen-rule                         generate iptables rule then exit
    --disable-anti-replay                 disable anti-replay, not urged
consumer choices:
    --source-ip           <ip>            power supply-ip for uncooked socket
    --source-port         <port>          power supply-port for uncooked socket, tcp/udp solely
                                          this selection disables port altering whereas re-connecting
different choices:
    --log-degree           <quantity>        0:by no means    1:deadly   2:error   3:warn 
                                          4:information (default)     5:debug   6:hint
    --log-place                        allow file identify, perform identify, line quantity in log
    --disable-shade                       disable log shade
    --disable-bpf                         disable the kernel house filter, most time its not needed
                                          until you think there's a bug
    --sock-buf            <quantity>        buf dimension for socket, >=10 and <=10240, unit:kbyte, default:1024
    --seqmode             <quantity>        seq enhance mode for faketcp:
                                          0:dont enhance
                                          1:enhance each packet
                                          2:enhance randomly,  about each Three packets (default)
    --lower-degree         <string>        ship packet at OSI degree 2,  format:'if_name#dest_mac_adress'
    -h, --help                             print this assist message

This program sends packets via uncooked socket. In FakeTCP mode, Linux kernel TCP packet processing must be blocked by a iptables rule on each side, in any other case the kernel will routinely ship RST for an unrecongized TCP packet and you’ll maintain from stability / peformance issues. You can use -a choice to let this system routinely add / delete iptables rule on begin / exit. You may also use the -g choice to generate iptables rule and add it manually.

cipher-mode and auth-mode
It is usually recommended to make use of aes128cbc + md5 to acquire most safety. If you need to run this system on a router, you possibly can attempt xor + easy, which can idiot packet inspection by firewalls essentially the most of time, nevertheless it can’t defend you from severe assaults. Mode none is just for debugging goal. It will not be advisable to set the cipher-mode or auth-mode to none.

The FakeTCP mode doesn’t behave 100% like an actual tcp connection. ISPs could possibly distinguish the simulated tcp site visitors from the actual TCP site visitors (although it is pricey). seq-mode will help you modify the seq enhance conduct barely. If you expertise connection issues, attempt to change the worth.

Peformance Test

Test methodology:
iperf3 TCP via OpenVPN + udp2raw (iperf3 UDP mode will not be used due to a bug talked about on this situation: https://github.com/esnet/iperf/issues/296 . Instead, we package deal the TCP site visitors into UDP by OpenVPN to check the efficiency. Read Application for particulars.

iperf3 command:

iperf3 -c -P40 
iperf3 -c -P40 -R


  • Client Vultr $2.5/month-to-month plan (single core 2.4GHz cpu, 512MB RAM, Tokyo, Japan)
  • Server BandwagonHost $3.99/yearly plan (single core 2.0GHz cpu, 128MB RAM, Los Angeles, USA)

raw_mode: faketcp cipher_mode: xor  auth_mode: easy

(reverse velocity was simliar and never uploaded)

raw_mode: faketcp cipher_mode: aes128cbc  auth_mode: md5

(reverse velocity was simliar and never uploaded)


tunneling any site visitors via uncooked site visitors by using udp2raw +openvpn

  1. bypasses UDP block/UDP QOS
  2. no TCP ovr tcp drawback (tcp over tcp drawback http://sites.inka.de/bigred/devel/tcp-tcp.html , https://community.openvpn.net/openvpn/ticket/2 )
  3. openvpn over icmp additionally turns into a selection

extra particulars at openvpn+udp2raw_guide

velocity-up tcp connection via uncooked site visitors by using udp2raw+kcptun
kcptun is a tcp connection velocity-up program, it speeds-up tcp connection by using kcp protocol on-prime of udp.by using udp2raw, you should utilize kcptun whereas udp is QoSed or blocked. (kcptun, https://github.com/xtaci/kcptun)

velocity-up tcp connection via uncooked site visitors by using udp2raw+finalspeed
finalspeed is a tcp connection velocity-up program similiar to kcptun, it speeds-up tcp connection by using kcp protocol on-prime of udp or tcp.however its tcp mode doesnt assist openvz, you possibly can bypass this drawback in the event you use udp2raw+finalspeed collectively, and icmp mode additionally turns into avaliable.


Easier set up on ArchLinux

yaourt -S udp2raw-tunnel # or
pacaur -S udp2raw-tunnel



Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.