[Awesome Software - Virtual Security Network] sshuttle: where transparent proxy meets VPN meets ssh

sshuttle

As far as I know, sshuttle is the only program that solves the following common case:

  • Your client machine (or router) is Linux, FreeBSD, or MacOS.

  • You have access to a remote network via ssh.

  • You don’t necessarily have admin access on the remote network.

  • The remote network has no VPN, or only stupid/complex VPN protocols (IPsec, PPTP, etc). Or maybe you are the admin and you just got frustrated with the awful state of VPN tools.

  • You don’t want to create an ssh port forward for every single host/port on the remote network.

  • You hate openssh’s port forwarding because it’s randomly slow and/or stupid.

  • You can’t use openssh’s PermitTunnel feature because it’s disabled by default on openssh servers; plus it does TCP-over-TCP, which has terrible performance.

Obtaining sshuttle

Ubuntu 16.04 or later:

$ apt-get install sshuttle

Debian stretch or later:

$ apt-get install sshuttle

Arch Linux:

$ pacman -S sshuttle

Fedora:

$ dnf install sshuttle

openSUSE:

$ zypper in sshuttle

Gentoo:

$ emerge -av net-proxy/sshuttle

NixOS:

$ nix-env -iA nixos.sshuttle

From PyPI:

$ sudo pip install sshuttle

Clone:

$ git clone https://github.com/sshuttle/sshuttle.git

$ cd sshuttle

$ sudo ./setup.py install

FreeBSD:

# ports
$ cd /usr/ports/net/py-sshuttle && make install clean

# pkg
$ pkg install py36-sshuttle

macOS, via MacPorts:

$ sudo port selfupdate
$ sudo port install sshuttle

It is also possible to install into a virtualenv as a non-root user.

From PyPI:

$ virtualenv -p python3 /tmp/sshuttle

$ . /tmp/sshuttle/bin/activate

$ pip install sshuttle

Clone:

$ virtualenv -p python3 /tmp/sshuttle

$ . /tmp/sshuttle/bin/activate

$ git clone https://github.com/sshuttle/sshuttle.git

$ cd sshuttle

$ ./setup.py install

Homebrew:

$ brew install sshuttle

Nix:

$ nix-env -iA nixpkgs.sshuttle

(Optionally) After installation

Add to sudoers file:

$ sshuttle --sudoers

Usages

Forward all traffic:

$ sshuttle -r username@sshserver 0.0.0.0/0

Use the sshuttle -r parameter to specify a remote server.

By default sshuttle will automatically choose a method to use. Override with the sshuttle --method parameter.

There is a shortcut for 0.0.0.0/0 for those that value their wrists:

$ sshuttle -r username@sshserver 0/0

For ‘My VPN broke and need a temporary solution FAST to access local IPv4 addresses’:

$ sshuttle --dns -NHr username@sshserver 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16

If you would also like your DNS queries to be proxied through the DNS server of the server you are connected to:

$ sshuttle --dns -r username@sshserver 0/0

The above is probably what you want to use to prevent local network attacks such as Firesheep and friends. See the documentation for the sshuttle --dns parameter.

(You may be prompted for one or more passwords; first, the local password to become root using sudo, and then the remote ssh password. Or you might have sudo and ssh set up to not require passwords, in which case you won’t be prompted at all.)
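
As an added example (not part of the original page or of sshuttle itself), the shell function below checks an sshuttle argument list for the case the --dns paragraph above is about: forwarding 0/0 while DNS requests are left uncaptured. The function name check_sshuttle_args and its return codes are assumptions made for this example, and it only understands the options shown on this page.

```shell
#!/bin/sh
# Added example, not part of sshuttle: audit the arguments of an sshuttle
# command before running it. Understands only the options used on this page
# (-r/--remote, --dns, and clusters such as -NHr); other options are ignored.
# Returns 0 = ok, 1 = no remote given, 2 = all traffic forwarded without --dns.
check_sshuttle_args() {
    remote="" dns=no all=no want_remote=no
    for arg in "$@"; do
        if [ "$want_remote" = yes ]; then
            # The word after -r (or a cluster ending in r) is the ssh target.
            remote=$arg want_remote=no
            continue
        fi
        case $arg in
            --dns)          dns=yes ;;
            --remote=*)     remote=${arg#--remote=} ;;
            -r|--remote)    want_remote=yes ;;
            --*)            ;;                    # other long option: ignored
            -*r)            want_remote=yes ;;    # cluster ending in r, e.g. -NHr
            -*)             ;;                    # other short option: ignored
            0/0|0.0.0.0/0)  all=yes ;;            # every IPv4 destination
        esac
    done
    if [ -z "$remote" ]; then
        echo "no remote given with -r"
        return 1
    fi
    if [ "$all" = yes ] && [ "$dns" = no ]; then
        echo "$remote: all traffic is forwarded but DNS requests are not captured; add --dns"
        return 2
    fi
    echo "$remote: ok (dns=$dns, all-traffic=$all)"
    return 0
}

# The page's own command lines, arguments only.
check_sshuttle_args -r username@sshserver 0.0.0.0/0 || true
check_sshuttle_args --dns -r username@sshserver 0/0
check_sshuttle_args --dns -NHr username@sshserver 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
```
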

References

[1] sshuttle/sshuttle: Transparent proxy server that works as a poor man’s VPN. Forwards over ssh. Doesn’t require admin. Works with Linux and MacOS. Supports DNS tunneling. - https://github.com/sshuttle/sshuttle

[2] sshuttle: where transparent proxy meets VPN meets ssh — sshuttle 1.0.5 documentation - https://sshuttle.readthedocs.org/