multitun: Tunnel arbitrary traffic through an innocuous WebSocket

multitun – Tunnel everything over a harmless looking WebSocket!

Multitun tunnels IPv4 over a WebSocket (RFC 6455), allowing bulk tunneling through one connection on, for example, port 80. One use for this is to bypass strict firewalls. Firewalls that allow web and HTML5 are assumed to allow WebSockets as well, and multitun traffic quietly slips past systems that do things like the deep-packet inspection to find conventional tunnels (e.g. ssh tunnel over port 80).

It users can access the server at a time and can see each other if you want (effectively creating a covert VPN over WebSockets.).

Only users with valid passwords can use the tunnel. It may be used in conjunction with other common tools to enable port forwarding and masquerading, and thus route arbitrary or all client traffic through the Multitun server.

It provides a simple web server to serve HTML to connecting clients that don’t know about or aren’t using the WebSocket tunnel.




  • Edit the configuration files on both the server and client sides
  • The program must have permission to make a TUN interface (e.g. run as root)
  • Run multitun -s to start the server, then run multitun without options to start the client
  • Make sure on the server side that the listen port is allowed through the host and network firewalls
  • Adjust the webdir parameter in multitun.conf to specify the directory containing HTML to serve browsers who access the server without WS.
  • If connections keep dropping, try running ping in the background for keep-alive
  • If you try to connect more than one client with the same TUN IP (as set in the configuration file), only the first one will connect
  • Clients can interact on the WebSocket net (ping each other, etc.)
  • If you have especially sensitive things to do, use reputable, time-tested crypto beneath multitun (e.g. run an ssh tunnel over multitun).


  • Simple usage, access ssh on your server using multitun:
    server# multitun -s
    client# multitun
    client# ssh
  • Use Linux as a NAT gateway for your host behind the firewall:Configure the server
    • Include the following in your multitun server iptables configuration. In this config, eth0 is the server external interface, tun1 is the server multitun interface, and is the multitun IP range.


    -A INPUT -s -j ACCEPT
    -A FORWARD –i tun1 -j ACCEPT

    • Enable IP forwarding:

    echo 1 > /proc/sys/net/ipv4/ip_forward

    Configure the client

    • Take care of routing:ip route add [server ext. ip] via [client gw ip] dev [client dev] proto static
      ip route del default
      ip route add default via [client multitun local ip] dev [client tun] proto static
  • You can man a covert VPN over WebSockets by doing this on the server:iptables -t nat -A POSTROUTING -s -o tun0 -j MASQUERADE
    (tun0 is the server TUN interface)


Copyright (C) 2014 covertcodes