wallhack

Transport Modes

The choice is between UDP and TCP, based on what ports are open and what the network looks like.

Choosing a Transport

Use UDP (the default) for most pen test scenarios. Under the hood, QUIC gives each tunnel connection its own independent stream, so a dropped packet only stalls that one connection instead of the entire tunnel. Under real-world network conditions, TCP throughput collapses while UDP maintains usable speeds. See Benchmarks for the full data.

Use TCP when UDP is blocked, or when you need to traverse HTTP proxies, blend in with HTTPS traffic for DPI evasion, or front through a CDN. The TCP transport runs over WebSockets — tunnel traffic appears as standard HTTPS and is indistinguishable from a legitimate connection on port 443. On stable, low-latency networks with negligible packet loss, it also has a raw throughput advantage.

UDP (QUIC)

The default transport. Network conditions in penetration testing environments are rarely predictable. UDP handles this better because QUIC provides per-stream loss recovery — a dropped packet stalls only that connection, not the entire tunnel. Native stream multiplexing and built-in TLS 1.3. Append /udp to the address, or omit the suffix entirely.

wallhack entry --listen :443/udp

TCP (WebSockets)

Traffic is wrapped in WebSockets and appears as standard HTTPS to firewalls and Deep Packet Inspection (DPI) tools. Append /tcp to the address.

wallhack entry --listen :443/tcp

When an explicit HTTP or SOCKS5 proxy is required, set the standard environment variables before starting the exit node. Both HTTP CONNECT and SOCKS5 (socks5://) schemes are supported.

export HTTPS_PROXY=http://proxy.corp.internal:8080
wallhack exit --connect 192.168.1.5:443/tcp

NO_PROXY is also respected for comma-separated host exclusions.

CDN Fronting

Traffic can be proxied through a CDN worker such as a Cloudflare Worker. The traffic legitimately terminates at the CDN's infrastructure, making it significantly harder to attribute or block.

wallhack --cert cert.pem --key key.pem entry --listen :443/tcp