What Is It?

First of all, I want to make clear that you are not allowed to use u2nl if your network administrator prohibits its use. u2nl is capable of subverting network security, so if your network administrator does not want you to make outbound connections to the internet to any host and any port, you are not allowed to use u2nl to accomplish this.

u2nl (pronounced "u-tunnel", universal tunnel) tunnels TCP network connections from a Linux computer (kernel 2.4 or later, with netfilter) through a firewall without needing a host on the far side of the firewall to receive the tunnel. It does this through an HTTPS proxy (an HTTP proxy that understands the CONNECT command); such a proxy must be reachable from the firewalled host, and it must allow the connections to be tunneled (many HTTPS proxies limit the destination port to 443, the HTTPS port).

So if you want to make a connection from your local Linux computer (host A), you tunnel it through host B, an HTTP proxy that understands the CONNECT command and also lets you open arbitrary connections with it (this is normally a misconfiguration by the admin of host B). To test this, simply telnet to the proxy, type "CONNECT host:port HTTP/1.0" followed by return twice, and check the response. u2nl can then automatically and transparently tunnel all connections from host A through proxy B to the internet. Connections from hosts behind host A, for which host A acts as a gateway, are also tunneled.
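The manual telnet test above, written as a small audit script that a proxy administrator can run against their own proxy to confirm it refuses CONNECT to ports other than 443. This is an added example, not code from the u2nl project; the proxy replies below are constructed, and the function and variable names are assumptions.

```python
import socket

# Constructed proxy replies for offline testing (not captured from a real proxy).
SAMPLE_OK = b"HTTP/1.0 200 Connection established\r\n\r\n"
SAMPLE_DENIED = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"


def build_connect_request(host: str, port: int) -> bytes:
    """The request the telnet test types by hand: CONNECT host:port, then a blank line."""
    return f"CONNECT {host}:{port} HTTP/1.0\r\n\r\n".encode("ascii")


def parse_connect_response(raw: bytes):
    """Return (status_code, reason) from the proxy's status line.

    Raises ValueError if the data does not start with an HTTP status line, which also
    covers a proxy that silently closes the connection (empty reply).
    """
    head, _, _ = raw.partition(b"\r\n")
    parts = head.decode("latin-1").split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP status line: %r" % head)
    try:
        code = int(parts[1])
    except ValueError:
        raise ValueError("bad status code: %r" % head)
    reason = parts[2] if len(parts) == 3 else ""
    return code, reason


def tunnel_permitted(raw: bytes) -> bool:
    """Only a 2xx answer means the proxy opened the tunnel; anything else is a refusal."""
    code, _ = parse_connect_response(raw)
    return 200 <= code < 300


def audit_proxy(proxy_host: str, proxy_port: int,
                target_host: str, target_port: int, timeout: float = 5.0) -> bool:
    """Ask the proxy for a CONNECT to target_host:target_port and report whether it was granted.

    A True result for a target port other than 443 means the proxy is the permissive
    kind the text describes, and its CONNECT policy should be tightened.
    """
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
        sock.sendall(build_connect_request(target_host, target_port))
        reply = b""
        while b"\r\n\r\n" not in reply:  # read until the end of the response headers
            chunk = sock.recv(4096)
            if not chunk:
                break
            reply += chunk
    return tunnel_permitted(reply)
```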


In order to use the transparent tunnel, you have to make sure that your Linux host forwards all outbound TCP connections to a port u2nl is listening on. Do something like the following (replace OUTPUT with PREROUTING if the Linux computer is only a gateway):

# iptables -t nat -A OUTPUT -p tcp ! -d <proxy host> -j REDIRECT --to-port <listen port>

Where <proxy host> is the IP address/hostname of the proxy host and <listen port> is the port (choose a free one above 1024) u2nl will be listening on. Newer iptables releases write the negation before the option (! -d <proxy host>); older releases accepted -d ! <proxy host>. Note that this rule redirects every TCP connection except those to the proxy itself, including connections to hosts on the local network, so add further ! -d matches for destinations you do not want tunneled. Now start u2nl:

# u2nl <proxy host> <proxy port> <listen port>

Where <proxy port> is the port of the HTTPS proxy (normally 8080 or 80) and <listen port> is the same listening port used in the iptables rule above. The tunnel should work now.

Download and License

u2nl Version 1.4 (2010-08-15): u2nl-1.4.tar.gz (16 kB)
This archive contains the source code and precompiled versions for x86 computers. You can use it, but be warned that I accept no responsibility for anything caused by this binary (nor by any binary compiled from the source); it may not even run.

The program is freely distributable under the terms of the GNU General Public License.


Christian Reitwießner had the initial idea and wrote the first code. Diego Woitasen contributed a patch that fixed some bugs and added some features, Rutger Nijlunsing fixed an endianness bug, and Jacob Balazer found further bugs.