SSHuttle
Transparent proxy server that works as a poor man's VPN. Forwards over ssh. Doesn't require admin. Works with Linux and macOS. Supports DNS tunneling.
Usage
```
Usage: sshuttle [-l [ip:]port] -r [user@]sshserver[:port] <subnets...>
```
| Option | Description |
|---|---|
| -h, --help | show this help message and exit |
| -l, --listen [IP:]PORT | transproxy to this IP address and port number |
| -H, --auto-hosts | continuously scan for remote hostnames and update local /etc/hosts as they are found |
| -N, --auto-nets | automatically determine subnets to route |
| --dns | capture local DNS requests and forward to the remote DNS server |
| --ns-hosts IP[,IP] | capture and forward DNS requests made to the following servers (comma separated) |
| --to-ns IP[:PORT] | the DNS server to forward requests to; defaults to servers in /etc/resolv.conf on remote side if not given |
| --method TYPE | auto, nft, nat, tproxy, pf, ipfw |
| --python PATH | path to python interpreter on the remote server |
| -r, --remote [USERNAME[:PASSWORD]@]ADDR[:PORT] | ssh hostname (and optional username and password) of remote sshuttle server |
| -x, --exclude IP/MASK[:PORT[-PORT]] | exclude this subnet (can be used more than once) |
| -X, --exclude-from PATH | exclude the subnets in a file (whitespace separated) |
| -v, --verbose | increase debug message verbosity (can be used more than once) |
| -V, --version | print the sshuttle version number and exit |
| -e, --ssh-cmd CMD | the command to use to connect to the remote [ssh] |
| --no-cmd-delimiter | do not add a double dash before the python command |
| --remote-shell PROGRAM | alternate remote shell program instead of default POSIX shell; use cmd or powershell for Windows |
| --seed-hosts HOSTNAME[,HOSTNAME] | comma-separated list of hostnames for initial scan (may be used with or without --auto-hosts) |
| --no-latency-control | sacrifice latency to improve bandwidth benchmarks |
| --latency-buffer-size SIZE | size of latency control buffer |
| --wrap NUM | restart counting channel numbers after this number (for testing) |
| --disable-ipv6 | disable IPv6 support |
| -D, --daemon | run in the background as a daemon |
| -s, --subnets PATH | file where the subnets are stored, instead of on the command line |
| --syslog | send log messages to syslog (default if you use --daemon) |
| --pidfile PATH | pidfile name (only if using --daemon) [./sshuttle.pid] |
| --user USER | apply all the rules only to this Linux user |
| --group GROUP | apply all the rules only to this Linux group |
| --firewall | (internal use only) |
| --hostwatch | (internal use only) |
| --sudoers-no-modify | print sudo config for passwordless sshuttle; INSECURE, can allow running arbitrary root commands |
| --sudoers-user SUDOERS_USER | set the user/group for passwordless operation (with %group); used only with --sudoers-no-modify |
| --no-sudo-pythonpath | do not set PYTHONPATH when invoking sudo |
| -t, --tmark [MARK] | tproxy optional traffic mark in hexadecimal (default '0x01') |
| --namespace NAMESPACE | run inside of a net namespace with the given name |
| --namespace-pid NAMESPACE_PID | run inside the net namespace of the given process ID |
Examples
Forward all traffic:
```
sshuttle -r username@sshserver 0.0.0.0/0
```
Use the sshuttle -r parameter to specify a remote server. On some systems, you may also need to use the sshuttle -x parameter to exclude sshserver or sshserver:22 so that your local machine can communicate directly with sshserver without that traffic being redirected by sshuttle.
By default sshuttle will automatically choose a method to use. Override with the sshuttle --method parameter.
There is a shortcut for 0.0.0.0/0 for those that value their wrists:
```
sshuttle -r username@sshserver 0/0
```
For ‘My VPN broke and need a temporary solution FAST to access local IPv4 addresses’:
```
sshuttle --dns -NHr username@sshserver 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
```
If you would also like your DNS queries to be proxied through the DNS server of the server you are connected to:
```
sshuttle --dns -r username@sshserver 0/0
```
The above is probably what you want to use to prevent local network attacks such as Firesheep and friends. See the documentation for the sshuttle --dns parameter.
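The examples above all take the remote server and subnets on the command line, and the note on -x explains why the ssh server itself should usually be excluded from redirection. The following POSIX shell helper, an added example that is not part of sshuttle, builds such a command line from a `[user@]host[:port]` spec, appends the matching `-x host:port` exclusion automatically, does a syntax check on each subnet, and can write a whitespace-separated subnets file for use with `-s PATH` or `-X PATH`. The function names (`remote_host`, `remote_port`, `valid_subnet`, `build_sshuttle_cmd`, `write_subnets_file`) and the sample hosts are assumptions of this example; it assumes the host part is a hostname or IPv4 literal (bracketed IPv6 literals are not parsed) and that every non-option argument is a subnet, so value-taking options such as `-l` are not supported by it.

```shell
#!/bin/sh
# Added example (not sshuttle's own code): build an sshuttle command line from a
# remote spec of the form [user@]host[:port] and add an -x exclusion for the ssh
# server so the local machine keeps a direct, unproxied path to it.

# Host part of [user@]host[:port]. Assumes a hostname or IPv4 literal.
remote_host() {
    hostport="${1#*@}"            # drop "user@" or "user:password@" if present
    printf '%s\n' "${hostport%%:*}"   # drop ":port" if present
}

# Port part of [user@]host[:port], defaulting to 22 when none is given.
remote_port() {
    hostport="${1#*@}"
    case "$hostport" in
        *:*) printf '%s\n' "${hostport##*:}" ;;
        *)   printf '%s\n' 22 ;;
    esac
}

# Syntax check for an IPv4 subnet in CIDR form (10.0.0.0/8, or the 0/0 shorthand).
# Only characters and the single slash are checked; octet ranges are not validated.
valid_subnet() {
    case "$1" in
        ''|*[!0-9./]*|*/*/*) return 1 ;;   # empty, foreign characters, or two slashes
        */*)                 return 0 ;;   # digits/dots with exactly one slash
        *)                   return 1 ;;   # no prefix length at all
    esac
}

# build_sshuttle_cmd REMOTE [OPTION...] SUBNET...
# Options (arguments starting with -) are passed through unchanged; every other
# argument must pass valid_subnet. Prints the command instead of running it.
build_sshuttle_cmd() {
    remote="$1"; shift
    host=$(remote_host "$remote")
    port=$(remote_port "$remote")
    cmd="sshuttle -r $remote -x $host:$port"   # exclusion for the ssh server itself
    for arg in "$@"; do
        case "$arg" in
            -*) ;;
            *)  valid_subnet "$arg" || { echo "bad subnet: $arg" >&2; return 1; } ;;
        esac
        cmd="$cmd $arg"
    done
    printf '%s\n' "$cmd"
}

# write_subnets_file PATH SUBNET...
# Writes one subnet per line, the whitespace-separated format read by -s and -X.
write_subnets_file() {
    path="$1"; shift
    : > "$path"
    for s in "$@"; do
        valid_subnet "$s" || { echo "bad subnet: $s" >&2; return 1; }
        printf '%s\n' "$s" >> "$path"
    done
}

# Constructed sample: the "VPN broke" example from the page, with the exclusion added.
build_sshuttle_cmd 'username@sshserver' --dns -NH 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
```

Running the block prints `sshuttle -r username@sshserver -x sshserver:22 --dns -NH 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16`; wrapping the output in `eval` or a `sudo` invocation is left to the caller so that the generated command can be reviewed before any firewall rules are installed.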