Installing and using Tundeep for network tunnelling and testing on Debian

Tundeep is a network tunnelling daemon written in C that runs in userspace using libpcap. Tundeep is used as a security testing tool allowing a tester to tunnel through the target network at layer 2. A TAP interface will be brought up on the tester’s machine for each level of the network allowing direct interaction with hosts on the network segment through a compromised client device.


Install the prerequisites using apt-get:if(typeof __ez_fad_position != ‘undefined’){__ez_fad_position(‘div-gpt-ad-howtoforge_com-medrectangle-3-0’)};

apt-get install make gcc libc6-dev libpcap-dev

Downloading and building Tundeep


tar -xzf tundeep-latest.tgz

cd tundeep_v0.2a_130916


The default make configuration is to build on Linux with all options supported. Makefile can be edited however to support Windows or disable options.

Running Tundeep

Tundeep settings are as follows:

Usage: tundeep <-i iface|[-t|-T] tapiface> <-h ip> <-p port> [-6] [-C] <-c|-s> [-x tapip] [-y tapmask] [-u tapmac] [-b bpf] [-d udp mode] [-e udp remote] [-K]

-6 IPv6 mode
-C compress mode
-K disable checksum
-a print all pcap devs
-b "bpf"
-i interface to bind to
-h IP to bind to/connect to
-p port to bind to/connect to
-c client mode
-s server mode
-d udp mode
-e udp peer
-t tap interface
-T ipv6 tap interface
-u tap mac
-x if -t mode, set iface ip, if -T mode, set iface ipv6 ip
-y if -t mode, set iface mask, if -T mode, set iface ipv6 prefixlen

DEBUG(2): Usage: Either -s or -c must be specified

On the compromised server, Tundeep can be started in TCP server mode on port 9999 as follows:if(typeof __ez_fad_position != ‘undefined’){__ez_fad_position(‘div-gpt-ad-howtoforge_com-medrectangle-4-0’)};

./tundeep -s -h -p 9999 -i eth1

On your client, Tundeep would be initialized as follows:

./tundeep -c -h SERVER-IP -p 9999 -t tap0

Tundeep also supports UDP peer mode (-d/-e) should additional speed or firewall evasion be required. Assuming a server IP of and client IP of

./tundeep -d -e -h -p 53 -i eth1

The client would run:

./tundeep -d -e -h -p 53 -t tap0

The client now presents a ‘tap0’ interface virtually placed on the server’s eth1 (private) interface

Further Options

  • BPF filters can be used (-b) (as with tcpdump) to selectively forward traffic over the link and avoid traffic loops.
  • Link Compression (-C) is supported to gzcompress data between Tundeep links
  • IP/MAC cloning (via -x/-u) should port security or ARP lockdown be in place.
  • IPv6 is supported to both tunnel an IPv6 network over IPv4 or vice versa.

    IO Digital Sec

    Tundeep documentation

About the Author

Leave a Reply