pwnat
Overview
pwnat (Peer-to-Peer With NAT) is a cross-platform peer-to-peer network tunneling utility that enables direct communication between clients and servers behind NAT devices without requiring port forwarding, UPnP, or external relay servers. It uses creative packet spoofing and asymmetric routing techniques to establish bidirectional tunnels through restrictive firewalls.
Key Features
- NAT Traversal: Establishes peer-to-peer connections across NAT boundaries
- No Port Forwarding Required: Works without manual router configuration
- Cross-Platform: Supports Linux, macOS, Windows, and BSD
- Bidirectional Communication: Enables full-duplex tunneling between peers
- Packet Spoofing: Uses ICMP and UDP techniques for traversal
- Low Overhead: Minimal bandwidth consumption for tunnel establishment
- Raw Socket Access: Requires elevated privileges for some operations
Installation
| Platform | Method | Command |
|---|---|---|
| Linux (Debian/Ubuntu) | apt-get | sudo apt-get install pwnat |
| Linux (Fedora/RHEL) | dnf | sudo dnf install pwnat |
| macOS | Homebrew | brew install pwnat |
| Windows | Binary | Download from GitHub releases |
| Source Build | Git | git clone https://github.com/samyk/pwnat && cd pwnat && make |
Basic Usage
Server Mode (Initiator)
Listen for incoming peer connections and establish tunnel:
# Start server listening on port 8000
sudo pwnat -s -p 8000
# Listen with verbose output
sudo pwnat -s -p 8000 -v
# Specify bind address
sudo pwnat -s -p 8000 -l 192.168.1.100Client Mode (Peer)
Connect to server peer through NAT:
# Connect to server behind NAT
sudo pwnat -c -s <SERVER_IP> -p 8000
# With local bind address
sudo pwnat -c -s <SERVER_IP> -p 8000 -l 192.168.1.50
# Verbose mode for debugging
sudo pwnat -c -s <SERVER_IP> -p 8000 -vCommand Reference
| Command | Description | Example |
|---|---|---|
-s | Start in server mode | pwnat -s |
-c | Start in client mode | pwnat -c -s 203.0.113.5 |
-p PORT | Specify port number | pwnat -s -p 9000 |
-l ADDRESS | Bind to local address | pwnat -s -l 192.168.1.100 |
-v | Verbose output | pwnat -s -v |
-h | Display help | pwnat -h |
-e PROG | Execute program | pwnat -c -s 203.0.113.5 -e /bin/bash |
Advanced Configuration
Establishing Tunnels with Program Execution
# Server mode: execute shell on successful connection
sudo pwnat -s -p 8000 -e '/bin/bash -i'
# Client mode: establish tunnel and execute local program
sudo pwnat -c -s 203.0.113.5 -p 8000 -e 'nc localhost 22'Using with SSH Tunneling
# Server: Listen and execute SSH shell
sudo pwnat -s -p 8000 -e '/bin/bash'
# Client: Connect through pwnat tunnel
sudo pwnat -c -s <SERVER_IP> -p 8000
# From another terminal, connect to local tunnel
ssh user@127.0.0.1UDP-Based Tunneling
# Server with UDP mode
sudo pwnat -s -p 8000 -u
# Client connecting via UDP
sudo pwnat -c -s 203.0.113.5 -p 8000 -uTechnical Details
How pwnat Works
- Endpoint Discovery: Client and server exchange packets with external relay
- Asymmetric Routing: Leverages different return paths for outbound/inbound traffic
- Packet Spoofing: Uses ICMP echo replies and UDP packets
- Tunnel Establishment: Creates bidirectional communication channel
- Data Forwarding: Routes traffic between local and remote endpoints
Network Architecture
┌─────────────────────────────────────────┐
│ Internet / WAN │
├──────────────────────────────────────────┤
│ Relay/Intermediate Router (Optional) │
├──────────────────────────────────────────┤
│ NAT Device │
│ ┌────────────────┐ ┌────────────┐ │
│ │ Server/Peer1 │◄────►│ Client/Peer2 │ │
│ └────────────────┘ └────────────┘ │
└──────────────────────────────────────────┘Practical Examples
Example 1: Simple Server-Client Tunnel
# Terminal 1 - Server behind NAT
sudo pwnat -s -p 5555 -v
# Terminal 2 - Client (different network)
sudo pwnat -c -s 203.0.113.10 -p 5555 -v
# Terminal 3 - Verify tunnel (after establishment)
netstat -tuln | grep 5555Example 2: Remote Shell Access
# Server side - bind shell
sudo pwnat -s -p 9000 -e 'nc -l -p 4444'
# Client side - establish tunnel
sudo pwnat -c -s <SERVER_EXTERNAL_IP> -p 9000
# Connect to remote shell
nc localhost 4444Example 3: File Transfer Service
# Server - setup HTTP file server through pwnat
sudo pwnat -s -p 8888 -e 'python3 -m http.server 7777'
# Client - access server's file share
sudo pwnat -c -s 203.0.113.5 -p 8888
# Download files
curl http://localhost:7777/Troubleshooting
Connection Fails with “Permission Denied"
# pwnat requires root/sudo for raw socket access
sudo pwnat -s -p 8000
# Verify sudoers (Linux)
sudo visudo
# Ensure user can run pwnat without password if needed"Unable to Establish Tunnel”
# Check network connectivity
ping <SERVER_IP>
# Verify firewall doesn't block ICMP
sudo ufw allow icmp
# Run with verbose debugging
sudo pwnat -c -s 203.0.113.5 -p 8000 -v -vHigh Latency or Packet Loss
# Monitor tunnel quality with verbose output
sudo pwnat -c -s 203.0.113.5 -p 8000 -v
# Check MTU size (may need adjustment)
ip link show | grep mtu
# Set MTU for tunnel interface
sudo ip link set mtu 1400Port Already in Use
# Check what's using the port
sudo netstat -tlnp | grep :8000
sudo lsof -i :8000
# Use different port
sudo pwnat -s -p 8001Security Considerations
- Elevation Required: pwnat needs root/administrator access for packet operations
- Firewall Rules: Verify firewall allows necessary ICMP and UDP traffic
- Encryption: pwnat creates tunnel but doesn’t encrypt traffic—use SSL/TLS over it
- Authentication: Implement additional authentication for production use
- Logging: Monitor tunnel establishment for unauthorized access attempts
- Network Topology: Test before deployment to ensure asymmetric routing works in your environment
Performance Optimization
Tuning for High Throughput
# Server with optimizations
sudo pwnat -s -p 8000 -b 65536
# Monitor performance
iftop -i eth0
nethogsReducing Latency
# Check current latency
ping -c 5 <REMOTE_IP>
# Adjust buffer sizes if needed
sysctl -w net.core.rmem_max=134217728
sysctl -w net.core.wmem_max=134217728Common Use Cases
| Use Case | Configuration | Command |
|---|---|---|
| Remote Access | Server listens, client initiates | pwnat -s -p 8000 / pwnat -c -s IP -p 8000 |
| File Transfer | With SCP/rsync | pwnat -s -p 2222 -e /usr/lib/openssh/sftp-server |
| Service Tunneling | Any TCP service | pwnat -s -p 8000 -e 'nc localhost 3000' |
| Mesh Networking | Multiple peer tunnels | Run multiple pwnat instances |
| Game Server | Peer-to-peer gaming | pwnat -s -p 9000 on both sides |
Comparison with Alternatives
| Tool | NAT Traversal | Relay Required | Encryption | Use Case |
|---|---|---|---|---|
| pwnat | Yes (asymmetric) | No | No | P2P tunneling |
| ngrok | Yes | Cloud relay | Yes | Quick tunneling |
| Tailscale | Yes | Cloud coordination | Yes | VPN mesh |
| SSH | Limited | Manual ports | Yes | Remote access |
| UPnP | Yes | Router support | No | Automatic forwarding |
Scripting Examples
Automated Tunnel Monitor
#!/bin/bash
REMOTE_IP="203.0.113.10"
REMOTE_PORT="8000"
INTERVAL=30
while true; do
if sudo pwnat -c -s $REMOTE_IP -p $REMOTE_PORT -v 2>&1 | grep -q "Established"; then
echo "[$(date)] Tunnel established successfully"
else
echo "[$(date)] Tunnel establishment failed"
fi
sleep $INTERVAL
doneBatch Tunnel Creation
#!/bin/bash
PEERS=("203.0.113.5" "203.0.113.6" "203.0.113.7")
BASE_PORT=8000
for i in "${!PEERS[@]}"; do
PORT=$((BASE_PORT + i))
sudo pwnat -c -s ${PEERS[$i]} -p $PORT &
echo "Started tunnel to ${PEERS[$i]} on port $PORT"
done
waitResources and Documentation
- GitHub Repository: https://github.com/samyk/pwnat
- Author: Samy Kamkar
- License: GPL-3.0
- Documentation: See README and inline comments in source code
- Community: GitHub issues for bug reports and feature requests
Version History
| Version | Release Date | Key Features |
|---|---|---|
| 0.7.2 | 2013 | UDP support, verbose logging |
| 0.7.1 | 2013 | Bug fixes, IPv4 support |
| 0.7 | 2012 | Initial stable release |
Legal and Ethical Use
pwnat is a legitimate tool for authorized network testing and research. Ensure you have proper authorization before establishing tunnels or bypassing network restrictions. Use responsibly for:
- Testing NAT traversal implementations
- Network research and education
- Authorized penetration testing
- Internal network connectivity
- Peer-to-peer application development
Unauthorized network access is illegal in most jurisdictions.