What is sshuttle? Basically, it’s a Python app that uses SSH to create a quick and dirty VPN between your Linux, BSD, or Mac OS X machine and a remote system that has SSH access and Python. Written by Avery Pennarun and licensed under the GPLv2, sshuttle is a transparent proxy server that lets users fake a VPN with minimal hassle.
WARNING: On MacOS 10.6 (at least up to 10.6.6), your network will stop responding about 10 minutes after the first time you start sshuttle, because of a MacOS kernel bug relating to arp and the net.inet.ip.scopedroute sysctl. To fix it, just switch your wireless off and on. Sshuttle makes the kernel setting it changes permanent, so this won’t happen again, even after a reboot.
sshuttle: where transparent proxy meets VPN meets ssh
As far as I know, sshuttle is the only program that resolves the following common issues:
- Your client machine (or router) is Linux, FreeBSD, or MacOS.
- You have access to a remote network via ssh.
- You don’t necessarily have admin access on the remote network.
- The remote network has no VPN, or only stupid/complex VPN protocols (IPsec, PPTP, etc). Or maybe you are the admin and you just got frustrated with the awful state of VPN tools.
- You don’t want to create an ssh port forward for every single host/port on the remote network.
- You hate openssh’s port forwarding because it’s randomly slow and/or stupid.
- You can’t use openssh’s PermitTunnel feature because it’s disabled by default on openssh servers; plus it does TCP-over-TCP, which has terrible performance (see below).
Prerequisites
- sudo, su, or logged in as root on your client machine. (The server doesn’t need admin access.)
- If you use Linux on your client machine: iptables installed on the client, including at least the iptables DNAT, REDIRECT, and ttl modules. These are installed by default on most Linux distributions. (The server doesn’t need iptables and doesn’t need to be Linux.)
- If you use MacOS or BSD on your client machine: Your kernel needs to be compiled with IPFIREWALL_FORWARD (MacOS has this by default) and you need to have ipfw available. (The server doesn’t need to be MacOS or BSD.)
This is how you use it:
Run
git clone git://github.com/apenwarr/sshuttle
on your client machine. You’ll need root or sudo access, and python needs to be installed.
The most basic use of sshuttle looks like:
./sshuttle -r username@sshserver 0.0.0.0/0 -vv
There is a shortcut for 0.0.0.0/0 for those who value their wrists:
./sshuttle -r username@sshserver 0/0 -vv
If you would also like your DNS queries to be proxied through the DNS server of the server you are connected to:
./sshuttle --dns -vvr username@sshserver 0/0
The above is probably what you want to use to prevent local network attacks such as Firesheep and friends. Or, if you have MacOS and want to try the GUI version:
make
open ui-macos/Sshuttle*.app
(You may be prompted for one or more passwords: first the local password to become root using either sudo or su, and then the remote ssh password. Or you might have sudo and ssh set up to not require passwords, in which case you won’t be prompted at all.) That’s it! Now your local machine can access the remote network as if you were right there. And if your “client” machine is a router, everyone on your local network can make connections to your remote network. You don’t need to install sshuttle on the remote server; the remote server just needs to have python available. sshuttle automatically uploads its own source code to the remote python interpreter and runs it there.
This creates a transparent proxy server on your local machine for all IP addresses that match 0.0.0.0/0. (You can use more specific IP addresses if you want; use any number of IP addresses or subnets to change which addresses get proxied. Using 0.0.0.0/0 proxies everything, which is interesting if you don’t trust the people on your local network.) Any TCP session you initiate to one of the proxied IP addresses will be captured by sshuttle and sent over an ssh session to the remote copy of sshuttle, which will then regenerate the connection on that end, and funnel the data back and forth through ssh.
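To make the capture step concrete, here is a small Python model of what the client side has to do on Linux: expand the subnet shorthand (0/0, 10/8) the way the command line accepts it, decide whether a destination falls inside a proxied subnet, emit the iptables nat-table REDIRECT rules that steer matching TCP sessions to the local proxy port, and decode the SO_ORIGINAL_DST answer that tells the proxy where a captured session was originally headed. This is an added example written for this page, not sshuttle’s own code; the function names (parse_subnet, is_proxied, build_redirect_rules, decode_original_dst, encode_sockaddr_in) are mine, and the rule layout is modelled on sshuttle’s approach, including its trick of marking its own outbound sockets with TTL 42 so the REDIRECT rule skips them and traffic cannot loop back into the proxy.

```python
"""Model of sshuttle-style transparent TCP capture on a Linux client.

Added example for illustration; not code from the sshuttle project.
Assumed names: parse_subnet, is_proxied, build_redirect_rules,
decode_original_dst, encode_sockaddr_in, original_destination.
"""
import ipaddress
import socket
import struct

SO_ORIGINAL_DST = 80   # Linux netfilter getsockopt option (linux/netfilter_ipv4.h)
LOOP_TTL = 42          # TTL the proxy sets on its own outbound sockets; the REDIRECT
                       # rule excludes packets with this TTL so proxied traffic is not
                       # captured a second time (loop prevention, as sshuttle does it)


def parse_subnet(spec: str) -> ipaddress.IPv4Network:
    """Accept the shorthand forms used on the command line: '0/0', '10/8',
    '192.168.1.0/24', or a bare host '10.1.2.3' (treated as /32)."""
    ip_part, _, mask = spec.partition("/")
    octets = ip_part.split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError("bad subnet: %r" % spec)
    octets += ["0"] * (4 - len(octets))        # pad missing octets with zeros
    prefix = int(mask) if mask else 32
    return ipaddress.ip_network(".".join(octets) + "/%d" % prefix, strict=False)


def is_proxied(dest_ip: str, subnets) -> bool:
    """True if dest_ip lies inside any subnet the user asked to proxy."""
    ip = ipaddress.ip_address(dest_ip)
    return any(ip in parse_subnet(s) for s in subnets)


def build_redirect_rules(subnets, port: int, chain: str = "sshuttle-12300"):
    """Return the iptables nat-table commands (as strings) that redirect TCP
    sessions for each proxied subnet to the local proxy listening on `port`.
    Modelled on sshuttle's chain layout; exact flags in the real tool may differ."""
    cmds = [
        ["iptables", "-t", "nat", "-N", chain],
        ["iptables", "-t", "nat", "-A", "OUTPUT", "-j", chain],      # locally generated
        ["iptables", "-t", "nat", "-A", "PREROUTING", "-j", chain],  # forwarded (router case)
    ]
    for s in subnets:
        cmds.append(["iptables", "-t", "nat", "-A", chain,
                     "-j", "REDIRECT", "--dest", str(parse_subnet(s)),
                     "-p", "tcp", "--to-ports", str(port),
                     "-m", "ttl", "!", "--ttl", str(LOOP_TTL)])
    return [" ".join(c) for c in cmds]


def encode_sockaddr_in(ip: str, port: int) -> bytes:
    """Build a 16-byte sockaddr_in as the kernel returns it (constructed test data):
    sin_family (host order), sin_port (network order), sin_addr, 8 zero bytes."""
    return (struct.pack("=H", socket.AF_INET)
            + struct.pack("!H4s", port, socket.inet_aton(ip))
            + bytes(8))


def decode_original_dst(raw: bytes):
    """Decode the sockaddr_in from getsockopt(SOL_IP, SO_ORIGINAL_DST) into
    (ip, port). After REDIRECT, accept() hands the proxy a connection whose
    peer is the original client; this call recovers the original destination."""
    if len(raw) < 16:
        raise ValueError("sockaddr_in too short")
    (family,) = struct.unpack("=H", raw[:2])
    if family != socket.AF_INET:
        raise ValueError("not AF_INET: %d" % family)
    port, addr = struct.unpack("!H4s", raw[2:8])
    return socket.inet_ntoa(addr), port


def original_destination(conn: socket.socket):
    """Ask the kernel where a REDIRECTed connection was really going.
    Only meaningful on Linux for a socket accepted from the proxy listener."""
    return decode_original_dst(conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16))


if __name__ == "__main__":
    for cmd in build_redirect_rules(["0/0"], 12300):
        print(cmd)
    print(decode_original_dst(encode_sockaddr_in("10.8.0.5", 443)))
```

Run it and the printed rules show why 0/0 "proxies everything": a single REDIRECT rule with --dest 0.0.0.0/0 catches every outbound TCP connection on the box, and the PREROUTING hook is what makes the router case work for the rest of the LAN. The DNS path that --dns adds is UDP and is handled separately, so it is not modelled here.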
Fun, right? A poor man’s instant VPN, and you don’t even have to have admin access on the server.