sshuttle: poor man’s VPN

What if you are at a public WiFi hub and want to ensure that your data cannot be sniffed? If you are connecting to open hotspots and transferring data over the air, there is a good chance that someone will be able to capture and decode it. sshuttle comes to your rescue.

sshuttle is a Python utility designed for situations where you have regular-user (non-root) access to a remote server via SSH. The remote server doesn't need to have any VPN software on it. sshuttle is also not OpenSSH port forwarding (which is turned off by default on servers and is quite slow due to TCP-over-TCP data transfers).

sshuttle behaves like a VPN and works like a port-forwarding solution. It can forward every port on a network in one go. The working principle, in the author's own words: sshuttle assembles the TCP stream locally, multiplexes it statefully over an ssh session, and disassembles it back into packets at the other end. So it never ends up doing TCP-over-TCP. It's just data-over-TCP, which is safe.


sshuttle has the following prerequisites:

  1. root access on the client device
  2. iptables installed on the client, including at least the iptables DNAT, REDIRECT, and ttl modules. These are available by default on most Linux distributions.
  3. the remote server needs to have Python available. sshuttle will automatically upload its source code to the remote Python interpreter and run it there.

To install sshuttle on Ubuntu, run:

$ sudo apt-get install sshuttle


To start sshuttle on the client, run:

$ sudo sshuttle -r username@sshserver 0/0 -vv

This will automatically route all your TCP data over the secure tunnel. In addition, to route DNS queries through the DNS server of the proxy, run:

$ sudo sshuttle --dns -vvr username@sshserver 0/0
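
To confirm that the tunnel is really in effect, and whether DNS is covered by it, you can inspect the client's nat table. The script below is an added example, not part of the original post or of sshuttle itself. It assumes sshuttle's iptables method, which creates a chain named sshuttle-<port> holding REDIRECT rules; the sample rules are constructed, and the exact rule text varies between sshuttle versions.

```shell
#!/bin/sh
# Added example: audit the client's nat table after starting sshuttle.
# Assumption: sshuttle's iptables method creates a chain "sshuttle-<port>"
# that is hooked into OUTPUT and contains REDIRECT rules.

# Constructed sample of `iptables -t nat -S` output for a run with --dns.
sample_rules() {
cat <<'EOF'
-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
-N sshuttle-12300
-A PREROUTING -j sshuttle-12300
-A OUTPUT -j sshuttle-12300
-A sshuttle-12300 -d 127.0.0.53/32 -p udp -m udp --dport 53 -j REDIRECT --to-ports 12299
-A sshuttle-12300 -p tcp -j REDIRECT --to-ports 12300
EOF
}

# audit_rules: reads nat rules on stdin and prints one status word:
#   no-tunnel  no sshuttle chain hooked into OUTPUT, or no TCP redirect in it
#   tcp-only   TCP is redirected, DNS (udp/53) still uses the local network
#   tcp+dns    both TCP and DNS are redirected into the tunnel
audit_rules() {
    awk '
        # Locally generated traffic only reaches the chain via an OUTPUT jump.
        $1 == "-A" && $2 == "OUTPUT" {
            for (i = 3; i < NF; i++)
                if ($i == "-j" && $(i+1) ~ /^sshuttle-[0-9]+$/) hooked[$(i+1)] = 1
        }
        # Record which protocols each sshuttle chain redirects.
        $1 == "-A" && $2 ~ /^sshuttle-[0-9]+$/ && /-j REDIRECT/ {
            if (/-p tcp/) tcp[$2] = 1
            if (/-p udp/ && /--dport 53( |$)/) dns[$2] = 1
        }
        END {
            state = "no-tunnel"
            for (c in hooked) {
                if (tcp[c] && dns[c]) { state = "tcp+dns"; break }
                if (tcp[c]) state = "tcp-only"
            }
            print state
        }'
}

# Live use (as root): iptables -t nat -S | audit_rules
```

A result of tcp-only means the session was started without --dns, so name lookups are still visible on the local network even though TCP connections are tunneled.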

For more help and options, run:

$ man sshuttle
