htun is a transparent tunnel for transporting IP traffic over HTTP or TCP.
It was developed with situations in mind where traffic to the internet is restricted. For instance, some networks don't allow traffic to the internet at all and require you to go through an HTTP proxy. htun enables you to get full internet access in those situations (all ports, all protocols). It also supports using a SOCKS proxy.
Obviously, performance takes a huge hit. So it is meant for some light browsing or downloading small files sporadically. Expect transfer rates to be cut by a factor of up to 100.
Also, it is not encrypted by default. It is recommended to put another tunnel on top, such as Wireguard.
Since python-pytun is required, which is a non-portable module, this will only run on Linux.
To run htun, you need Python3 and the following modules:
- urllib3==1.24
- python_pytun==2.2.1
- pytun==1.0.1
- SocksiPy_branch==1.01
Recommended:
- hexdump==3.3
The script needs to be run with root privileges both on the server and the client. On the server, run:
./htun.py --server
On the client, run:
./htun.py --uri <SERVER URI>
By default, it uses HTTP on port 80 and the IP addresses 10.13.37.1 and 10.13.37.2 for the client and the server, respectively.
For all options, run ./htun.py --help
:
usage: htun.py [-h] [--debug] [--client-addr CADDR] [--server-addr SADDR]
[--tun-netmask TMASK] [--tun-mtu TMTU] [--tun-timeout TIMEOUT]
[--route-subnet RSUBNET] [--proxy PROXY] [--username USERNAME]
[--password PASSWORD] [--listen-port LPORT] [--bind-ip BINDIP]
(--server [{http,tcp}] | --uri URI)
htun tunnels IP traffic transparently over HTTP or TCP (author: Adrian
Vollmer)
optional arguments:
-h, --help show this help message and exit
--debug, -d debug flag to true (default: False)
--client-addr CADDR, -c CADDR
tunnel local address (default: 10.13.37.1)
--server-addr SADDR, -s SADDR
tunnel destination address (default: 10.13.37.2)
--tun-netmask TMASK, -m TMASK
tunnel netmask (default: 255.255.255.0)
--tun-mtu TMTU tunnel MTU (default: 1500)
--tun-timeout TIMEOUT
r/w timeout in seconds (default: 1)
--route-subnet RSUBNET, -n RSUBNET
subnet to be routed via tunnel (default: None)
--proxy PROXY, -P PROXY
proxy URI (<proto>://<host>:<port>) (default: None)
--username USERNAME, -u USERNAME
username for HTTP proxy basic authentication (default:
None)
--password PASSWORD, -W PASSWORD
password for HTTP proxy basic authentication (default:
None)
--listen-port LPORT, -p LPORT
listen port of the server component (default: 80)
--bind-ip BINDIP, -b BINDIP
bind IP address of the server component (default:
0.0.0.0)
--server [SERVER] local port and bind address (http, tcp)
(default: http)
--uri URI remote URI (<proto>://<host>[:<port>]) (default: None)
To use a TCP tunnel on port 443, run
./htun.py --server tcp -p 443
on the server side and
./htun.py --uri tcp://<host>:443
on the client side. Now the client can reach the server via the IP address 10.13.37.2
To use HTTP over a SOCKS5 proxy on port 5000, run
./htun.py --server
on the server side and
./htun.py --uri http://<host> --proxy socks5://<proxy-host>:5000
on the client side.
Proxies using basic authentication are supported (but yet untested).
A proxy requiring NTLM authentication is not supported because
python-urllib3
does not support NTLM. It is suggested to use cntlm
as an
additional SOCKS proxy.
Performance over a TCP tunnel is much better than over an HTTP tunnel. Expect several orders of magnitude in degradation of the connection when using HTTP.
Example downloading 713k bytes without the tunnel:
$ curl https://example.com/example.png > /dev/null
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 713k 100 713k 0 0 2680k 0 --:--:-- --:--:-- --:--:-- 2680k
Downloading the same file with an HTTP tunnel:
$ curl https://example.com/example.png > /dev/null
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 713k 100 713k 0 0 12177 0 0:00:59 0:00:59 --:--:-- 16590
With a TCP tunnel it's at least around 3% of the original speed:
$ curl https://example.com/example.png > /dev/null
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 713k 100 713k 0 0 37640 0 0:00:19 0:00:19 --:--:-- 41086
- Make performance improvements when using HTTP
- Experiment with threaded requests
Keep in mind that the administrator of the network most likely did not want you to bypass the restriction that were set up. The restriction is probably there for a reason and you need to respect that. Using this tool may violate terms and conditions or company rules and may possibly even get you in legal trouble and/or fired from your job.
Use this only if you know that you have permission to use it by everyone involved.
Adrian Vollmer, 2018