tfunnel is a fast, TPROXY-based VPN that enables unprivileged deployment by intercepting and forwarding TCP and UDP traffic through a remote proxy instance.
TPROXY-based VPN for fast and unprivileged deploy
tfunnel is used to transparently tunnel all TCP and UDP traffic from a client machine through a remote proxy without requiring privileged access on the proxy host. It is ideal for users needing a lightweight VPN solution that supports IPv6 and fast connection handling, especially when sshuttle's TPROXY method is insufficient or problematic.
The tfunnel client requires root privileges or specific Linux capabilities to intercept and redirect traffic. Users must manually configure source-based routing and iptables rules to mark and redirect packets, as tfunnel does not automate firewall setup. The connection between client and proxy can be any bidirectional channel, commonly SSH. This tool is a practical alternative to sshuttle's TPROXY method, which may be unreliable.
coproc tfunnel { tfunnel -p 12300; }
ssh -p $SSH_PORT user@$SSH_HOST tfunnel >&"${tfunnel[1]}" <&"${tfunnel[0]}"
Starts the tfunnel client on port 12300 and connects it to the remote proxy instance over SSH using bash coproc.
socat EXEC:'tfunnel -p 12300' EXEC:'ssh -p $SSH_PORT user@$SSH_HOST tfunnel'
Links the tfunnel client and proxy instances over SSH using socat's EXEC target.
ip rule add fwmark 1 lookup 100
Adds a routing rule to lookup table 100 for packets marked with fwmark=1.
ip route add local default dev lo table 100
Routes all packets in table 100 to the local loopback device.
iptables-restore <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:tfunnel-mark-proxied - [0:0]
:tfunnel-output - [0:0]
:tfunnel-prerouting - [0:0]
-A PREROUTING -j tfunnel-prerouting
-A OUTPUT -j tfunnel-output
-A tfunnel-mark-proxied -d $SSH_HOST/32 -p tcp --dport $SSH_PORT -j RETURN
-A tfunnel-mark-proxied -p tcp -j MARK --set-xmark 0x1/0x1
...
EOF
Sets up iptables mangle table rules to mark and redirect packets to the tfunnel client instance using TPROXY.
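The routing rule, the local route and the mangle ruleset above are one procedure, and the page only shows the start of the ruleset. The script below is an added example, not tfunnel's own code or anything from its repository: it assembles the whole client-side setup in one place, defaults to a dry run, and refuses to apply a ruleset in which the SSH transport is not excluded before the MARK rules (otherwise the tunnel would try to carry its own connection). The fwmark 1 / table 100 pairing, the chain names, the RETURN rule for the SSH host and the TCP MARK rule come from the page; the loopback RETURN, the UDP MARK rule, the OUTPUT jump and the TPROXY rules in tfunnel-prerouting are my assumptions about the elided part of the ruleset, following the usual TPROXY-on-loopback pattern, and the SSH host address is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not part of tfunnel or the page): build, check and optionally
# apply the policy-routing and mangle-table setup for a tfunnel client.
# From the page: fwmark 1 -> table 100, local default route on lo, the chain
# names, the RETURN rule for the SSH host and the TCP MARK rule.
# Assumed (the page elides the rest): the loopback RETURN, the UDP MARK rule,
# the OUTPUT jump and the TPROXY rules on lo in tfunnel-prerouting.

TFUNNEL_PORT="${TFUNNEL_PORT:-12300}"
SSH_HOST="${SSH_HOST:-198.51.100.7}"   # constructed placeholder (RFC 5737 range)
SSH_PORT="${SSH_PORT:-22}"
FWMARK=1
TABLE=100

# Policy routing: packets carrying fwmark 1 are looked up in table 100, whose
# only route delivers them locally so PREROUTING on lo can TPROXY them.
routing_cmds() {
    printf 'ip rule add fwmark %s lookup %s\n' "$FWMARK" "$TABLE"
    printf 'ip route add local default dev lo table %s\n' "$TABLE"
}

# Mangle ruleset in iptables-restore format. Order matters in
# tfunnel-mark-proxied: the SSH transport and loopback must RETURN before the
# MARK rules, or the tunnel's own connection gets routed back into tfunnel.
mangle_rules() {
    cat <<EOF
*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:tfunnel-mark-proxied - [0:0]
:tfunnel-output - [0:0]
:tfunnel-prerouting - [0:0]
-A PREROUTING -j tfunnel-prerouting
-A OUTPUT -j tfunnel-output
-A tfunnel-mark-proxied -d $SSH_HOST/32 -p tcp --dport $SSH_PORT -j RETURN
-A tfunnel-mark-proxied -d 127.0.0.0/8 -j RETURN
-A tfunnel-mark-proxied -p tcp -j MARK --set-xmark 0x1/0x1
-A tfunnel-mark-proxied -p udp -j MARK --set-xmark 0x1/0x1
-A tfunnel-output -j tfunnel-mark-proxied
-A tfunnel-prerouting -i lo -m mark --mark $FWMARK -p tcp -j TPROXY --on-port $TFUNNEL_PORT --tproxy-mark 0x1/0x1
-A tfunnel-prerouting -i lo -m mark --mark $FWMARK -p udp -j TPROXY --on-port $TFUNNEL_PORT --tproxy-mark 0x1/0x1
COMMIT
EOF
}

# Check a ruleset read from stdin: inside tfunnel-mark-proxied, the RETURN for
# the SSH host:port must appear before the first MARK rule. Exit status 0 when
# the order is right, 1 when a MARK comes first or the RETURN is missing.
check_exclusion_order() {
    awk -v host="$SSH_HOST" -v port="$SSH_PORT" '
        $1 == "-A" && $2 == "tfunnel-mark-proxied" {
            if (index($0, "-j MARK") && !seen_return) bad = 1
            if (index($0, "-d " host "/32") && index($0, "--dport " port) && index($0, "-j RETURN")) seen_return = 1
        }
        END { exit (bad || !seen_return) ? 1 : 0 }
    '
}

# Dry run by default (prints what would be executed); APPLY=1 runs it.
# Applying needs CAP_NET_ADMIN, as the page notes for the client side.
setup() {
    if ! mangle_rules | check_exclusion_order; then
        echo "refusing: SSH host is not excluded before the MARK rules" >&2
        return 1
    fi
    if [ "${APPLY:-0}" = 1 ]; then
        routing_cmds | sh -e
        mangle_rules | iptables-restore
    else
        routing_cmds
        mangle_rules
    fi
}
```

Run it with no variables set to see the generated commands; set SSH_HOST, SSH_PORT and TFUNNEL_PORT to match the tfunnel and ssh invocations above, and APPLY=1 to commit the rules. The check is deliberately narrow: it only enforces the one ordering mistake that silently breaks the tunnel transport, so the real, complete ruleset from tfunnel's documentation should still be compared against this guess at the elided rules.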