udpxd - A general purpose UDP relay/port forwarder/proxy


Usage: udpxd [-lbdfpvhV]

Options: --listen -l listen for incoming requests --bind -b bind ip used for outgoing requests specify port for promiscuous mode --to -t destination to forward requests to --daemon -d daemon mode, fork into background --pidfile -p pidfile, default: /var/run/ --user -u run as user (only in daemon mode) --chroot -c chroot to (only in daemon mode) --help -h -? print help message --version -V print program version --verbose -v enable verbose logging


udpxd can be used to forward or proxy UDP client traffic to another port on another system. It also supports binding to a specific ip address which will be used as the source for outgoing packets.

It listens on the ip address and port specified with -l and waits for incoming udp packets. If one arrives, it sends it to the destination specified with -t. Responses will be sent back accordingly.

If -b has not been specified, udpxd uses the operating systems default (e.g. routing) as the source where it sends requests packets out. If -b has been specified, then it binds to the given ip address and uses this as the source address.

In any case, udpxd behaves like a proxy. The receiving end (-t) only sees the source ip address of the outgoing interface of the system running udpxd or the address specified with -b.

The options -l and -t are mandatory.

If the option -d has been specified, udpxd forks into the background and becomes a daemon. It writes it pidfile to C, which can be changed with the -p option. If started as root, it also drops privileges to the user C or the user specified with -u and chroots to C or the directory specified with -c. udpxd will log to syslog facility if -v is specified and if running in daemon mode.

Caution: if not running in daemon mode, udpxd does not drop its privileges and will continue to run as root (if started as root).

Udpxd supports ip version 4 and 6, it doesn't support hostnames, -l, -t and -b must be ip addresses. In order to specify an ipv6 address and a port, use:

-l [::1]:53

that is, surround the ipv6 address with brackets.

Port forwardings can be mixed:

listen | forward to -------+----------- ipv4 | ipv4 ipv6 | ipv4 ipv4 | ipv6 ipv6 | ipv6


Let's say you operate a multihomed unix system named 'foo' with two interfaces: eth0 on the inside, eth1 on the outside:

foo: eth0: eth1:

And let's say, you have a client in network who whiches to reach an ntp server in network; and you dont operate a firewall, nat or routing on 'foo'. Run udpxd like this:

udpxd -l -t

Now, if a client with the source ip address sends a ntp request to, udpxd will forward that packet to with the source ip address (because this is where the route points to: eth0). Responses from the ntp server will reach udpxd, which in turn sends them back to the client, where they arrive with the source address (and port) where udpxd is listening.

As you can see, udpxd can be used to implement hiding nat for udp services in user space.

Another example would be, if 'foo' has multiple ip addresses on eth0 (aliases) and you don't want to use the primary address of the interface for outgoing packets.

foo, again: eth0:, eth0:

In order to use as the source ip address, use the -b parameter:

  udpxd -l -t -b

In this case for the client everything looks as before, but the ntp server on the other end will see ntp requests coming from instead.

Here we listen on the ip v6 loopback address and forward traffic to another ip v6 destination address:

udpxd -l [::1]:53 -t [2001:4860:4860::8888]:53

Or, we could listen on an ip v4 address and forward to an ip v6 address:

udpxd -l -t [2001:4860:4860::8888]:53


/var/run/ created if running in daemon mode (-d).


In order to report a bug, unexpected behavior, feature requests or to submit a patch, please open an issue on github:


This software is licensed under the GNU GENERAL PUBLIC LICENSE version 3.

Copyright (c) 2015-2017 by T. v. Dein.

This software uses uthash (bundled), which is Copyright (c) 2003-2013 by Troy D. Hanson.


T.v.Dein tom AT vondein DOT org