Setting up an Iodine server

iodineWhat is Iodine?

Basically it’s a server that allows you to tunnel traffic through DNS

Why would I want this?

There are multiple uses for this, the ones that come to mind are:

  • – Get free internet from paid wifi hotspots
  • – Access internet on mobile that has no data
  • – Exfiltrate data from behind a SOC, firewall or IDS

How to

This took me a while to figure out, although there are guides available they all seem to miss bits of information and need piecing together. Hopefully this will make things easier.

Things you will need:

  • – New Debian server (this guide is written from base debian with nothing installed)
  • – Domain name with access to change records

For this guide we have the domain “domain.tld” and the server has an external IP of “”.

First things first lets configure the DNS. You will need to create 2 records, one “A” record and one “NS” record (note the . after the tld – I recommend namecheap for this and have heard you can’t add the period with godaddy). Create them as follows:

	dns           IN  A 
	tunnel        IN  NS     dns.domain.tld.

Now wait for the domain to propagate. Once it has connect to the server install iodine, screen and start iodine in a screen session:

	apt-get install iodine screen
	screen -S iodine
	iodined -fP Password tunnel.domain.tld 

To exit the screen session press CTRL+A then CTRL+D, to re-attach to it type “screen -r”, to kill it from within the screen session type “exit”. Iodine can be stopped with CTRL+C.

On your client install iodine (apt-get install iodine) and run the following command:

	iodine -fP Password tunnel.domain.tld

If all went well you should now be connected to your iodine server. check “ifconfig” to confirm there is a DNS0 interface with an IP address in the 10.0.0.x range. also try pinging, you should get a response.

At this point you should also be able to run the official test without it giving errors.

Just a couple more things to do before it’s all ready to use. Time to get the tunneling of data working. Create iptables rules as follows and allow IP forwarding:

	iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
	iptables -t filter -A FORWARD -i eth0 -o dns0 -m state --state RELATED,ESTABLISHED -j ACCEPT
	iptables -t filter -A FORWARD -i dns0 -o eth0 -j ACCEPT
	echo 1 > /proc/sys/net/ipv4/ip_forward

Restart Iodine server and test again. If all went well I recommend making these permanent with the following:

	iptables-save > /etc/iptables.rules
	echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/60-ipv4-forward.conf

There are multiple ways to start the client from creating a SOCKS5 proxy via SSH to installing network-manager-iodine and network-manager-iodine-gnome. However I have found these to be clunky and not work great. I would recommend cloning the following git repository:

For this to work we need to create the following config file:



There are more configuration options for this script, I would recommend reading it’s source-code.

And that’s all. You should be able to run “./iodine-client-start” and have a working iodine tunnel. This can be tested by visiting ipchicken before connecting and after, you should see your IP address change.

Useful tip

A good way to check if things are working correctly is to start Iodined with debugging enabled -DDD on the server and keep that window open. you can then use dig to check it’s response from the client.

root[/opt/iodine-client-start]: dig -t TXT z123.tunnel.domain.tld


z123.tunnel.domain.tld.         0       IN      TXT     "tpjzwizro"

;; Query time: 56 msec
;; WHEN: Thu Mar 02 13:54:22 GMT 2017
;; MSG SIZE  rcvd: 65

The tunnel should respond with random data to any request starting with “z” (z123 in example above)


Tips on setting up iodine
Official set-up guide
Official test script
More help on setting up
Setting up with SSH tunnel
Flags for client / server
Useful debugging help

One thought on “Setting up an Iodine server

Leave a Reply