gitmyhub

ligolo-ng

Go ★ 4.7k updated 4mo ago

An advanced, yet simple, tunneling/pivoting tool that uses a TUN interface.

A fast network tunneling tool for penetration testers that lets you reach internal networks through a compromised host by creating a virtual network interface, so standard tools work without SOCKS proxy configuration.

Go, TLS, Linux, Windows, macOS; setup: moderate; complexity 3/5

Ligolo-ng is a network tunneling tool built for security professionals who need to reach internal networks during penetration tests. When a tester has compromised one machine inside a target network, they often need to communicate with other machines that are not directly reachable from the internet. Ligolo-ng solves this by creating what it calls a "tun" interface on the tester's machine, which acts like a virtual network card. Traffic sent through that interface gets forwarded through the compromised machine to the internal network, similar in concept to a VPN but designed for this specific testing scenario.

The tool has two pieces: an agent that runs on the compromised machine, and a relay server that runs on the tester's side. A key design choice is that the agent does not need administrator or root privileges on the compromised system, which makes it usable in more restricted environments. The relay server does need permission to create a network interface on the tester's machine, but that is a one-time setup step.

Compared to older approaches like SOCKS proxies or proxy chains, Ligolo-ng lets standard tools such as network scanners run directly without any special configuration. This is because the traffic appears to come from a real network interface rather than being funneled through an application-layer proxy. In testing, throughput exceeded 100 megabits per second.

Version 0.8 added a web interface and API that allow multiple testers to share one relay setup, a daemon mode so the relay can run as a background service, and automatic route configuration across Windows, Linux, macOS, and BSD. It also added "auto-bind" so tunnels re-establish themselves automatically when a specific agent reconnects, which is useful during long engagements where connections may drop.

The project is licensed under GPLv3. It supports TCP, UDP, and ICMP traffic. The README notes a few limitations around raw packet forwarding and recommends specific flags when using certain scanning tools to avoid misleading results.

Where it fits