imanhavangi/Tunneling-Methods-Between-Two-Servers

Tunneling Methods Between Two Servers

Overview

This document describes two practical methods for creating tunnels between two servers during network disruptions or restricted environments. These methods rely on alternative networking protocols when standard TCP/SSH communication is blocked.


Method 1: Tunnel Using Dokodemo-door (via Xray)

When standard ports like 80 and 443 are unreliable or blocked, alternative ports and tunneling protocols can be used to bypass restrictions.

Tools Used:

  • Xray-core
  • Dokodemo-door protocol

Concept:

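Requests received on standard ports (e.g., 80, 443) can be forwarded to an external server over unblocked ports using the Dokodemo-door protocol. The external server then maps those requests back to their original ports and forwards them as usual. Dokodemo-door relays the bytes unchanged, so the forwarded traffic is only as protected as the application protocol it carries (for example, TLS on port 443).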

Installation:

bash -c "$(curl -L https://github.com/XTLS/Xray-install/raw/main/install-release.sh)" @ install

Configuration:

nano /usr/local/etc/xray/config.json

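Example config.json (the inbound listens on port 80 and forwards each TCP connection to port 9090 on 1.2.3.4, which stands in for the external server's address):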

{
  "inbounds": [
    {
      "port": 80,
      "protocol": "dokodemo-door",
      "settings": {
        "address": "1.2.3.4",
        "port": 9090,
        "network": "tcp",
        "followRedirect": false
      },
      "sniffing": {
        "enabled": false
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom"
    }
  ]
}

Method 2: ICMP Tunneling Using PingTunnel

In cases where ICMP (ping) traffic is allowed but TCP/SSH is blocked, tunneling over ICMP can be an effective workaround.

OSI Layer Insight:

Tool Used:

  • pingtunnel (https://github.com/esrrhs/pingtunnel)

Installation:

wget https://github.com/esrrhs/pingtunnel/releases/download/2.8/pingtunnel_linux_amd64.zip
unzip pingtunnel_linux_amd64.zip
mv pingtunnel /usr/local/bin/pt

Systemd Service Setup

Server (External):

# /etc/systemd/system/pingtunnel-server.service
[Unit]
Description=PingTunnel Server
After=network.target

[Service]
Type=simple
ExecStartPre=/bin/bash -c '[ ! -e /var/lock/pingtunnel-server.lock ] || exit 1'
ExecStart=/bin/bash -c 'touch /var/lock/pingtunnel-server.lock && pt -type server -key 200 -maxconn 1024 -maxprt 10 -maxprb 10 -nolog 1 -noprint 1'
ExecStopPost=/bin/bash -c 'rm -f /var/lock/pingtunnel-server.lock'
Restart=always
RestartSec=3

[Install]
WantedBy=multi-user.target

Client (Internal):

# /etc/systemd/system/pingtunnel-client.service
[Unit]
Description=PingTunnel Client
After=network.target

[Service]
ExecStartPre=/bin/bash -c '[ ! -e /var/lock/pingtunnel-client.lock ] || exit 1'
ExecStart=/bin/bash -c 'touch /var/lock/pingtunnel-client.lock && pt -type client -l :80 -s 156.244.5.78 -t 156.244.5.78:80 -tcp 1 -key 200 -timeout 30 -tcp_bs 524288 -tcp_mw 5000 -tcp_rst 300 -nolog 1 -noprint 1'
ExecStopPost=/bin/bash -c 'rm -f /var/lock/pingtunnel-client.lock'
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target

Service Activation:

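# The server unit lives on the external host and the client unit on the internal host.
# On each host, name only the unit that is installed there instead of expanding both.
sudo systemctl daemon-reload
sudo systemctl enable pingtunnel-{server,client}.service
sudo systemctl start pingtunnel-{server,client}.service
# Restart is only needed after changing a unit file or its parameters.
sudo systemctl restart pingtunnel-{server,client}.service
sudo systemctl status pingtunnel-{server,client}.service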

⚠️ Parameters such as buffer sizes and timeouts were tuned through extensive testing but can be modified as needed.


ICMP Bandwidth Test

To verify the effective ICMP bandwidth between two servers, use nping.

Tool: nping

nping --icmp --data-length 1400 -c 1000 --delay 1ms <Another_Server_IP>

This helps determine how much data can realistically be transmitted over an ICMP-based tunnel.
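
Seen from the monitoring side, the ICMP traffic described in Method 2 and in this bandwidth test differs from ordinary ping in payload size, packet rate and size variability. The following is an added example, not part of the original repository: a small detector over per-packet ICMP records. The record layout, the thresholds and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed thresholds (not from the page); tune them against your own baseline.
MAX_NORMAL_PAYLOAD = 128   # bytes; common ping payloads are 32 to 64 bytes
MAX_NORMAL_PPS = 5.0       # echo packets per second for one host pair
MAX_DISTINCT_SIZES = 5     # ordinary ping keeps a fixed payload size
MIN_PACKETS = 20           # skip pairs with too few samples

def flag_tunnels(records):
    """records: iterable of (ts, src, dst, icmp_type, payload_len) tuples."""
    pairs = defaultdict(list)
    for ts, src, dst, icmp_type, payload_len in records:
        if icmp_type in (0, 8):  # echo reply / echo request only
            pairs[tuple(sorted((src, dst)))].append((ts, payload_len))
    flagged = {}
    for pair, pkts in pairs.items():
        if len(pkts) < MIN_PACKETS:
            continue
        times = [t for t, _ in pkts]
        sizes = [s for _, s in pkts]
        duration = max(times) - min(times) or 1e-9
        pps = len(pkts) / duration
        big = sum(1 for s in sizes if s > MAX_NORMAL_PAYLOAD) / len(sizes)
        checks = [
            ("large payloads", big > 0.5),
            ("high rate", pps > MAX_NORMAL_PPS),
            ("variable payload sizes", len(set(sizes)) > MAX_DISTINCT_SIZES),
        ]
        reasons = [name for name, hit in checks if hit]
        if len(reasons) >= 2:  # require two independent signals before flagging
            flagged[pair] = {"pps": round(pps, 1), "bytes": sum(sizes), "reasons": reasons}
    return flagged

def sample_records():
    """Constructed sample data using RFC 5737 documentation addresses."""
    recs = []
    for i in range(30):  # ordinary ping: 56-byte payload, one request per second
        recs.append((float(i), "192.0.2.10", "198.51.100.1", 8, 56))
        recs.append((i + 0.01, "198.51.100.1", "192.0.2.10", 0, 56))
    for i in range(200):  # tunnel-like: varying large payloads, 100 packets/s
        size = 200 + (i * 37) % 1200
        recs.append((i * 0.01, "192.0.2.20", "203.0.113.5", 8, size))
    return recs

if __name__ == "__main__":
    for pair, stats in flag_tunnels(sample_records()).items():
        print(pair, stats)
```

In practice the records would come from a packet capture or flow export, and the thresholds should be derived from the normal ICMP traffic of the monitored network.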


Summary

  • Dokodemo-door/Xray is useful when some TCP ports are still open.
  • pingtunnel is a powerful fallback when only ICMP is available.
  • Understanding network layers helps diagnose and work around severe restrictions.
