shuttle allows you to create a transparent proxy over the SSH protocol that can be used as a VPN, you just need to have Python installed on both the server and the client and have root permissions on the client.
It is recommended to use sshuttle if:
- Your client machine (or router) is Linux, FreeBSD, or MacOS.
- You have access to a remote network via ssh.
- You don’t necessarily have admin access on the remote network.
# sshuttle [options] -r [remote-user@]ssh-server[:port] <networks …>
networks: A list of destination whose traffic should be routed through the VPN, in the format a.b.c.d[/suffix][from_port[-to_port]]. Valid examples are:
- 184.108.40.206 y 220.127.116.11/32 (one IP address).
- 18.104.22.168/24 (a 24-bit subnet, i.e. with a 255.255.255.0 netmask).
- 0/0 match all IPv4 addresses.
- ::/0 ::/0 matches all IPv6 addresses.
Any of the above examples is also valid if you add a port or range of ports:
- 22.214.171.124:8000 will only route traffic destined for port 8000 of 126.96.36.199.
- 188.8.131.52/24:8000-9000 it will route all traffic going to any IP in the 184.108.40.206/24 subnet and to any port between 8000 and 9000 (including both).
A DNS name can be provided instead of an IP address. If the hostname resolves to multiple IP addresses, all IP addresses are included. If a suffix is provided with a hostname, the width applies to all IP addresses in the hostnames (either IPv4 or IPv6).
If a DNS name resolves to IPv4 and IPv6 addresses at the same time then the network suffix cannot be added. Valid examples:
By default, traffic routed to localhost (127.0.0.1) is excluded.
# sudo pip install sshuttle
In all examples replace: remote-user with a real username and remote-ssh-server with the name or the IP of your SSH server.
1. Route all traffic through the VPN
Route all the traffic including the one that is routed to our local IP, note the subnet 0/0.
# sudo sshuttle -r remote-user@remote-ssh-server 0/0
2. Route all traffic through the VPN except local IP
Route all traffic except our computer that has IP 192.168.100.2, this way if we have a local web server receiving connections at 192.168.100.2 it works normally.
# sudo sshuttle -r remote-user@remote-ssh-server 0/0 -x 192.168.100.2
3. Route all traffic through the VPN except our LAN
Route all traffic except our LAN, useful if you want to run sshtule on your LAN router, it is assumed that the local area network is in the segment: 192.168.100.0/24
# sudo sshuttle -r remote-user@remote-ssh-server 0/0 -x 192.168.100.0/24
3. Route all traffic through the VPN except Docker subnets
In the following example we exclude all the subnets created by Docker containers, as there can be several, it is preferable to create the excluded-nets.txt file and add the subnets to the file, in this way our “dockerized” services work normally.
Assuming that these are the docker subnets:
$ cat excluded-nets.txt 172.19.0.1/16 172.25.0.1/16 172.18.0.1/16 172.17.0.1/16 172.24.0.1/16
we execute the following command:
# sudo sshuttle -r remote-user@remote-ssh-server 0/0 -X excluded-nets.txt
4. Route all traffic through the VPN except remote-ssh-server
If we make an SSH connection to the remote-ssh-server it will also be routed through the created VPN, the best thing to do is to exclude the remote-ssh-server so that the connection can be direct.
# sudo sshuttle -r remote-user@remote-ssh-server 0/0 -x servidor-ssh-remoto
5. Route all traffic that is directed to a specific destination.
It is also possible to route the traffic that is directed to a specific destination. To do this, execute:
# sudo sshuttle -r remote-user@remote-ssh-server destination
destination can be a name, an IP address, or a network segment.