How to create a VPN in 5 minutes with sshuttle?

shuttle allows you to create a transparent proxy over the SSH protocol that can be used as a VPN, you just need to have Python installed on both the server and the client and have root permissions on the client.

It is recommended to use sshuttle if:

  • Your client machine (or router) is Linux, FreeBSD, or MacOS.
  • You have access to a remote network via ssh.
  • You don’t necessarily have admin access on the remote network.

Related post:


# sshuttle [options] -r [remote-user@]ssh-server[:port] <networks …>

networks: A list of destination whose traffic should be routed through the VPN, in the format a.b.c.d[/suffix][from_port[-to_port]]. Valid examples are:

  • y (one IP address).
  • (a 24-bit subnet, i.e. with a netmask).
  • 0/0 match all IPv4 addresses.
  • ::/0 ::/0 matches all IPv6 addresses.

Any of the above examples is also valid if you add a port or range of ports:

  • will only route traffic destined for port 8000 of
  • it will route all traffic going to any IP in the subnet and to any port between 8000 and 9000 (including both).

A DNS name can be provided instead of an IP address. If the hostname resolves to multiple IP addresses, all IP addresses are included. If a suffix is provided with a hostname, the width applies to all IP addresses in the hostnames (either IPv4 or IPv6).

If a DNS name resolves to IPv4 and IPv6 addresses at the same time then the network suffix cannot be added. Valid examples:


By default, traffic routed to localhost ( is excluded.


# sudo pip install sshuttle


In all examples replace: remote-user with a real username and remote-ssh-server with the name or the IP of your SSH server.

1. Route all traffic through the VPN

Route all the traffic including the one that is routed to our local IP, note the subnet 0/0.

# sudo sshuttle -r remote-user@remote-ssh-server 0/0

2. Route all traffic through the VPN except local IP

Route all traffic except our computer that has IP, this way if we have a local web server receiving connections at it works normally.

# sudo sshuttle -r remote-user@remote-ssh-server 0/0 -x

3. Route all traffic through the VPN except our LAN

Route all traffic except our LAN, useful if you want to run sshtule on your LAN router, it is assumed that the local area network is in the segment:

# sudo sshuttle -r remote-user@remote-ssh-server 0/0 -x

3. Route all traffic through the VPN except Docker subnets

In the following example we exclude all the subnets created by Docker containers, as there can be several, it is preferable to create the excluded-nets.txt file and add the subnets to the file, in this way our “dockerized” services work normally.

Assuming that these are the docker subnets:

$ cat excluded-nets.txt

we execute the following command:

# sudo sshuttle -r remote-user@remote-ssh-server 0/0 -X excluded-nets.txt

4. Route all traffic through the VPN except remote-ssh-server

If we make an SSH connection to the remote-ssh-server it will also be routed through the created VPN, the best thing to do is to exclude the remote-ssh-server so that the connection can be direct.

# sudo sshuttle -r remote-user@remote-ssh-server 0/0 -x servidor-ssh-remoto

5. Route all traffic that is directed to a specific destination.

It is also possible to route the traffic that is directed to a specific destination. To do this, execute:

# sudo sshuttle -r remote-user@remote-ssh-server destination

destination can be a name, an IP address, or a network segment.


YouTube video

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.