From d2715ce00ef624cceb91c2638613d6a307e54dda Mon Sep 17 00:00:00 2001
From: Moriarteh <Moriarteh@users.noreply.github.com>
Date: Sun, 22 Mar 2026 14:07:52 +0000
Subject: [PATCH 1/2] Fix telnet never connecting on Windows (the SYN-ACK
 mystery)

Turns out, binding to 127.0.0.1 specifically can fail on Windows
if anything decides to get between you and your own computer.
Npcap (hello Wireshark users) is a known offender, but firewalls
and other network drivers can pull the same trick.

The fix: bind to 0.0.0.0 instead, which sidesteps whatever is
lurking on the loopback interface. But since we don't actually
want the whole neighbourhood connecting to our kOS terminal,
non-loopback connections are rejected when the user configured
loopback mode.

Works with or without Npcap. Works on systems that were never
broken. Mostly just works, which is a nice change for networking.
---
 src/kOS/UserIO/TelnetMainServer.cs | 29 +++++++++++++++++++++++++----
 1 file changed, 25 insertions(+), 4 deletions(-)

diff --git a/src/kOS/UserIO/TelnetMainServer.cs b/src/kOS/UserIO/TelnetMainServer.cs
index cace40b8e..1f721d226 100644
--- a/src/kOS/UserIO/TelnetMainServer.cs
+++ b/src/kOS/UserIO/TelnetMainServer.cs
@@ -245,9 +245,16 @@ public void StartListening()
             // refresh the port information, don't need to refresh address because it's refreshed every Update
             port = SafeHouse.Config.TelnetPort; 
 
-            server = new TcpListener(bindAddr, port);
+            // Bind to IPAddress.Any instead of the specific bindAddr when using loopback.
+            // On Windows, Npcap (installed by Wireshark/Nmap) installs a "Npcap Loopback Adapter"
+            // that intercepts traffic bound specifically to the loopback interface (127.0.0.1),
+            // causing TCP connections to time out with no SYN-ACK. Binding to IPAddress.Any
+            // routes through the normal network stack and avoids this issue.
+            // Non-loopback addresses are used as-is since users explicitly chose them.
+            var listenAddr = IPAddress.IsLoopback(bindAddr) ? IPAddress.Any : bindAddr;
+            server = new TcpListener(listenAddr, port);
             server.Start();
-            SafeHouse.Logger.Log(string.Format("{2} TelnetMainServer started listening on {0} {1}", bindAddr, port, KSPLogger.LOGGER_PREFIX));
+            SafeHouse.Logger.Log(string.Format("{2} TelnetMainServer started listening on {0} (requested {1}) port {3}", listenAddr, bindAddr, KSPLogger.LOGGER_PREFIX, port));
             isListening = true;
         }
 
@@ -333,10 +340,24 @@ public void Update()
                 return;
 
             TcpClient incomingClient = server.AcceptTcpClient();
-            
+
             string remoteIdent = ((IPEndPoint)(incomingClient.Client.RemoteEndPoint)).Address.ToString();
             SafeHouse.Logger.Log(string.Format("{0} telnet server got an incoming connection from {1}", KSPLogger.LOGGER_PREFIX, remoteIdent));
-            
+
+            // When the user configured loopback mode, reject connections from non-loopback addresses.
+            // We bind to IPAddress.Any to work around Npcap intercepting the loopback interface,
+            // but we still enforce the user's intent to only allow local connections.
+            if (IPAddress.IsLoopback(bindAddr))
+            {
+                var remoteAddr = ((IPEndPoint)(incomingClient.Client.RemoteEndPoint)).Address;
+                if (!IPAddress.IsLoopback(remoteAddr))
+                {
+                    SafeHouse.Logger.Log(string.Format("{0} Rejected non-loopback connection from {1} (server is in loopback mode)", KSPLogger.LOGGER_PREFIX, remoteIdent));
+                    incomingClient.Close();
+                    return;
+                }
+            }
+
             TelnetSingletonServer newServer = new TelnetSingletonServer(this, incomingClient, ++howManySpawned);
             telnets.Add(newServer);
             newServer.StartListening();

From 1f48a04315ef24eb04e08097b97af0e32336265e Mon Sep 17 00:00:00 2001
From: Moriarteh <Moriarteh@users.noreply.github.com>
Date: Sun, 22 Mar 2026 14:28:17 +0000
Subject: [PATCH 2/2] Add CHANGELOG entry for telnet loopback fix (#3171)

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2c28bd592..6606a5741 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,7 @@
 
 ### Bug Fixes
 
+- Fixed telnet server failing to accept connections on Windows when loopback interface is intercepted by third-party software (e.g. Npcap/Wireshark) (#3171)
 - Fixed numeric formatting patters (thanks @sisve) [commit](https://github.com/KSP-KOS/KOS/commit/5780b75ff90e238c441ab71d366391b051e8bd14)
 - Fixed many documentation issues (thanks @sisve) [commit1](https://github.com/KSP-KOS/KOS/commit/727d345679fe992077fa5604c27b43c34a80fbe7) [commit2](https://github.com/KSP-KOS/KOS/commit/afabb19e860adc67ad63f939a3d624e9344ad7b8) [commit3](https://github.com/KSP-KOS/KOS/commit/110b209ad89225bf447caa079334c434df0e9746)
 - Fixed `GetSignalDelayToSatellite` for RemoteTech (thanks @KerbalOne) [commit](https://github.com/KSP-KOS/KOS/commit/b76759f24ba43e7cb2d82437c2251caf7d3a582f)