sshuttle v1.1 releases: Transparent proxy server
by do son
sshuttle: where transparent proxy meets VPN meets ssh
sshuttle is the only program that solves the following common case:
- Your client machine (or router) is Linux, FreeBSD, or MacOS.
- You have access to a remote network via ssh.
- You don’t necessarily have admin access on the remote network.
- The remote network has no VPN, or only stupid/complex VPN protocols (IPsec, PPTP, etc). Or maybe you are the admin and you just got frustrated with the awful state of VPN tools.
- You don’t want to create an ssh port forward for every single host/port on the remote network.
- You hate openssh’s port forwarding because it’s randomly slow and/or stupid.
- You can’t use openssh’s PermitTunnel feature because it’s disabled by default on openssh servers; plus it does TCP-over-TCP, which has terrible performance (see below).
sshuttle is not exactly a VPN and not exactly port forwarding. It’s kind of both, and kind of neither.
It’s like a VPN since it can forward every port on an entire network, not just ports you specify. Conveniently, it lets you use the “real” IP addresses of each host rather than faking port numbers on localhost.
On the other hand, the way it works is more like ssh port forwarding than a VPN. Normally, a VPN forwards your data one packet at a time and doesn’t care about individual connections; i.e. it’s “stateless” with respect to the traffic. sshuttle is the opposite of stateless: it tracks every single connection.
You could compare sshuttle to something like the old Slirp program, which was a userspace TCP/IP implementation that did something similar. But it operated on a packet-by-packet basis on the client-side, reassembling the packets on the server-side. That worked okay back in the “real live serial port” days because serial ports had predictable latency and buffering.
But you can’t safely just forward TCP packets over a TCP session (like ssh) because TCP’s performance depends fundamentally on packet loss; it must experience packet loss in order to know when to slow down! At the same time, the outer TCP session (ssh, in this case) is a reliable transport, which means that what you forward through the tunnel never experiences packet loss. The ssh session itself experiences packet loss, of course, but TCP fixes it up and ssh (and thus you) never know the difference. But neither does your inner TCP session, and extremely screwy performance ensues.
sshuttle assembles the TCP stream locally, multiplexes it statefully over an ssh session, and disassembles it back into packets at the other end. So it never ends up doing TCP-over-TCP. It’s just data-over-TCP, which is safe.
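To make the “data-over-TCP, not TCP-over-TCP” point concrete, here is an added toy multiplexer (illustration only, not sshuttle’s own code or wire format): each local connection gets a channel id, the bytes of each stream are carried as framed records over one reliable pipe (a bytes buffer stands in for the ssh session), and the far end reassembles the per-channel byte streams no matter how the pipe chunks the data. The frame layout, the T_OPEN/T_DATA/T_CLOSE types and the sample hosts and payloads are this example’s own inventions.

```python
"""Stateful stream multiplexing over a single reliable byte channel.

Added illustration, not sshuttle's own code. sshuttle terminates each
TCP connection locally, carries the resulting byte streams over one ssh
session with its own framing, and re-creates the connections on the
server side. The frame format below (channel id, frame type, payload
length, payload) is invented for this example.
"""
import struct

HDR = struct.Struct("!IBH")          # channel id, frame type, payload length
T_OPEN, T_DATA, T_CLOSE = 1, 2, 3    # frame types (example's own)
MAX_PAYLOAD = 0xFFFF                 # largest payload the 16-bit length field allows


class Mux:
    """Client side: turns local connections into framed channel records."""

    def __init__(self):
        self.next_chan = 1
        self.out = bytearray()       # stands in for the ssh session's stdin

    def open(self, dst_host, dst_port):
        """Announce a new logical stream and where the server should connect it."""
        chan = self.next_chan
        self.next_chan += 1
        payload = f"{dst_host}:{dst_port}".encode()
        self.out += HDR.pack(chan, T_OPEN, len(payload)) + payload
        return chan

    def send(self, chan, data):
        """Queue application bytes for one channel, split so no channel hogs the pipe."""
        for i in range(0, len(data), MAX_PAYLOAD):
            chunk = data[i:i + MAX_PAYLOAD]
            self.out += HDR.pack(chan, T_DATA, len(chunk)) + chunk

    def close(self, chan):
        self.out += HDR.pack(chan, T_CLOSE, 0)


class Demux:
    """Server side: rebuilds per-channel byte streams from the frame sequence."""

    def __init__(self):
        self.buf = bytearray()
        self.streams = {}            # chan -> {"dst": (host, port), "data": bytearray, "closed": bool}

    def feed(self, chunk):
        """Accept an arbitrary slice of the pipe; frames may be split across calls."""
        self.buf += chunk
        while len(self.buf) >= HDR.size:
            chan, typ, length = HDR.unpack_from(self.buf)
            if len(self.buf) < HDR.size + length:
                return               # wait for the rest of this frame
            payload = bytes(self.buf[HDR.size:HDR.size + length])
            del self.buf[:HDR.size + length]
            self._handle(chan, typ, payload)

    def _handle(self, chan, typ, payload):
        if typ == T_OPEN:
            if chan in self.streams:
                raise ValueError(f"channel {chan} opened twice")
            host, _, port = payload.decode().rpartition(":")   # rpartition tolerates IPv6 hosts
            self.streams[chan] = {"dst": (host, int(port)), "data": bytearray(), "closed": False}
        elif typ == T_DATA:
            stream = self.streams[chan]          # KeyError: data for a channel never opened
            if stream["closed"]:
                raise ValueError(f"data after close on channel {chan}")
            stream["data"] += payload
        elif typ == T_CLOSE:
            self.streams[chan]["closed"] = True
        else:
            raise ValueError(f"unknown frame type {typ}")


def demo(slice_size=7):
    """Two interleaved connections over one pipe, delivered in odd-sized slices."""
    mux = Mux()
    c1 = mux.open("10.0.0.5", 80)                # constructed sample destinations
    c2 = mux.open("10.0.0.6", 22)
    mux.send(c1, b"GET / HTTP/1.0\r\n")          # writes from both connections interleave
    mux.send(c2, b"SSH-2.0-toy\r\n")
    mux.send(c1, b"\r\n")
    mux.close(c1)

    demux = Demux()
    wire = bytes(mux.out)
    for i in range(0, len(wire), slice_size):    # the "ssh" pipe chunks data arbitrarily
        demux.feed(wire[i:i + slice_size])
    assert not demux.buf                          # every frame was consumed
    return demux.streams


if __name__ == "__main__":
    for chan, s in demo().items():
        print(chan, s["dst"], bytes(s["data"]), "closed" if s["closed"] else "open")
```

Nothing in the pipe is a TCP segment: the client’s kernel handles retransmission and congestion control for the local leg, ssh’s TCP session handles it for the middle leg, and the server’s kernel handles it for the final leg, so no TCP stack ever has to react to loss it cannot see.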
Changelog v1.1
Major changes
- Support the sudo use_pty option, which is now the default in some operating systems. See #712.
- Support doas as well as sudo. See #708.
What’s Changed
- Readme: add instructions for installing via MacPorts by @herbygillot in #576
- Ignore quotes in config file passed to sshuttle with @ by @skuhl in #579
- Refactor debug, log and Fatal messages. by @skuhl in #581
- Improve error messages related to sshuttle server. by @skuhl in #580
- tproxy: Skip firewall chains if packets have local destination. by @skuhl in #578
- remove py35 from tox.ini by @masahitojp in #584
- feat: remove mock from test dependencies. by @masahitojp in #585
- chore: remove attrs from requirements-test.txt by @masahitojp in #586
- Bump pytest-cov from 2.10.1 to 2.11.0 by @dependabot-preview in #588
- Bump pytest-cov from 2.11.0 to 2.11.1 by @dependabot-preview in #590
- --latency-buffer-size now impacts server’s buffer. by @skuhl in #587
- Bump pytest from 6.2.1 to 6.2.2 by @dependabot-preview in #592
- Allow comments in configuration file by @khink in #602
- firewall: Allow overriding the TTL by @vkareh in #606
- Bump setuptools-scm from 5.0.1 to 5.0.2 by @dependabot-preview in #608
- Make exit code indicate a problem when pidfile is not writable. by @skuhl in #609
- Bump pyflakes from 2.2.0 to 2.3.0, flake8 from 3.8.4 to 3.9.0 by @brianmay in #614
- Bump setuptools-scm from 5.0.2 to 6.0.1 by @dependabot-preview in #616
- Fix firewall setup/teardown failure on xtable lock by @patrislav1 in #617
- Fix DnsProxy by @patrislav1 in #618
- Bump pyflakes from 2.3.0 to 2.3.1 by @dependabot-preview in #620
- Update README.rst by @necrose99 in #622
- Bump pytest from 6.2.2 to 6.2.3 by @dependabot-preview in #623
- Create Dependabot config file by @dependabot-preview in #624
- Bump flake8 from 3.9.0 to 3.9.1 by @dependabot in #627
- README.rst: fix Gentoo entry syntax by @thesamesam in #630
- Bump pytest from 6.2.3 to 6.2.4 by @dependabot in #633
- Warn about adding sshuttle to sudoers. by @skuhl in #635
- Bump flake8 from 3.9.1 to 3.9.2 by @dependabot in #636
- Bump actions/checkout from 2 to 2.3.4 by @dependabot in #638
- Bump actions/setup-python from 2 to 2.2.2 by @dependabot in #639
- Bump pytest-cov from 2.11.1 to 2.12.0 by @dependabot in #640
- Flush systemd DNS cache on startup and exit. by @skuhl in #634
- Fix: Allow --to-ns and --ns-host without --dns. by @skuhl in #643
- Fix --tmark option by @skuhl in #644
- Remove dead code in hostwatch.py by @skuhl in #645
- Update documentation by @skuhl in #647
- Fix #637: sudoers-add should always write to /etc/sudoers.d/… by @skuhl in #648
- Add IPv6 support to nat (iptables) method. by @skuhl in #646
- Bump pytest-cov from 2.12.0 to 2.12.1 by @dependabot in #649
- Improve hostwatch robustness and documentation by @skuhl in #650
- replace psutil with os by @kylekyle in #656
- Remove psutil from requirements.txt by @kylekyle in #657
- Print pfctl error message when it returns non-zero. by @skuhl in #658
- Remove ttl hack & require -r option. by @skuhl in #661
- Print server’s python version earlier by @skuhl in #667
- Improve error message when sudo’s use_pty option is enabled. by @skuhl in #668
- Bump setuptools-scm from 6.0.1 to 6.1.1 by @dependabot in #672
- Bump pytest from 6.2.4 to 6.2.5 by @dependabot in #674
- Bump setuptools-scm from 6.1.1 to 6.3.1 by @dependabot in #675
- add openSUSE install instructions by @balping in #676
- Bump setuptools-scm from 6.3.1 to 6.3.2 by @dependabot in #678
- Simple maintenance improvements by @a1346054 in #682
- Bump pytest-cov from 2.12.1 to 3.0.0 by @dependabot in #683
- Bump flake8 from 4.0.0 to 4.0.1 by @dependabot in #687
- Bump actions/checkout from 2.3.4 to 2.3.5 by @dependabot in #689
- pythonpackage.yml: Add Python 3.10 to the testing by @cclauss in #694
- Bump actions/checkout from 2.3.5 to 2.4.0 by @dependabot in #695
- Bump actions/setup-python from 2.2.2 to 2.3.0 by @dependabot in #700
- Bump actions/setup-python from 2.3.0 to 2.3.1 by @dependabot in #702
- Make ipfw method work by @JohnHay in #705
- Minor improvement to tproxy documentation. by @skuhl in #709
- Improve error message if tproxy method is used without running as root. by @skuhl in #710
- Fix defunct process after flushing DNS cache. by @skuhl in #711
- Fix sshuttle when using sudo’s use_pty option. by @skuhl in #712
- Allow use of sudo or doas. by @skuhl in #708
- Bump setuptools-scm from 6.3.2 to 6.4.0 by @dependabot in #714
- Bump setuptools-scm from 6.4.0 to 6.4.1 by @dependabot in #717
- Bump setuptools-scm from 6.4.1 to 6.4.2 by @dependabot in #718
- Bump sphinx from 4.3.2 to 4.4.0 by @dependabot in #713
- Revert “Bump sphinx from 4.3.2 to 4.4.0” by @brianmay in #719
Install
sudo pip install sshuttle
or
git clone https://github.com/sshuttle/sshuttle.git
cd sshuttle
sudo ./setup.py install
Usage
Forward all traffic:
sshuttle -r username@sshserver 0.0.0.0/0
- Use the sshuttle -r parameter to specify a remote server.
- By default, sshuttle will automatically choose a method to use. Override with the sshuttle --method parameter.
- There is a shortcut for 0.0.0.0/0 for those that value their wrists:
sshuttle -r username@sshserver 0/0
If you would also like your DNS queries to be proxied through the DNS server of the server you are connected to:
sshuttle --dns -r username@sshserver 0/0
The above is probably what you want to use to prevent local network attacks such as Firesheep and friends. See the documentation for the sshuttle --dns parameter.
Copyright 2016, Brian May