Operation Modes

When a TCP SYN arrives at an entry node's TUN interface, the destination port's reachability on the target network isn't yet known. A decision has to be made before completing the handshake.

By default, the exit node is probed first. If the port is closed, it responds and a RST is sent back, preserving correct TCP semantics. Tools like nmap see closed for closed ports, not filtered.

The tradeoff is one round-trip per connection. For interactive sessions this is negligible. For high-rate scanning where throughput matters more than per-port accuracy, use --fast to skip the probe entirely.

Default

Before completing each TCP handshake, the exit node is probed to check port reachability. Closed ports return RSTs so tools like nmap work correctly without any special configuration.

wallhack

$ nmap 10.65.65.65
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   closed http
443/tcp  open   https

Fast (`--fast`)

Skips the probe, removing the per-connection round-trip overhead. The tradeoff: without the probe, RSTs can't be sent for closed ports, so nmap will report them as filtered rather than closed. Better suited to masscan-style tools where throughput matters more than accuracy.

wallhack --fast

$ nmap 10.65.65.65
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   filtered http
443/tcp  open     https

Operation Modes

Default

Fast (--fast)

Fast (`--fast`)