antipaucity

fighting the lack of good ideas

sshuttle – a simple transparent proxy vpn over ssh

I found out about sshuttle from a random tweet that happened to catch my eye.

Here’s the skinny (from the readme):

  • Your client machine (or router) is Linux, FreeBSD, or MacOS.
  • You have access to a remote network via ssh.
  • You don’t necessarily have admin access on the remote network.
  • The remote network has no VPN, or only stupid/complex VPN protocols (IPsec, PPTP, etc). Or maybe you are the admin and you just got frustrated with the awful state of VPN tools.
  • You don’t want to create an ssh port forward for every single host/port on the remote network.
  • You hate openssh’s port forwarding because it’s randomly slow and/or stupid.
  • You can’t use openssh’s PermitTunnel feature because it’s disabled by default on openssh servers; plus it does TCP-over-TCP, which has terrible performance.

Here’s how I set it up on my Mac

Install homebrew:

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"

Install sshuttle (as a regular user):

brew install sshuttle

Test the connection to a server you have:

sudo sshuttle -r <user>@host.tld -x host.tld 0/0 -vv

I also made sure that my target server could be connected-to via certificate for my local root user – but you can use a password if you prefer.

Check your IP address:

curl https://ipv4.cf

Once you make sure the connection works, Ctrl-C to end the session.

Then set up an alias in your shell’s .profile (for me, it’s .bash_profile):

alias vpn='sudo sshuttle -r <user>@domain.tld -x domain.tld 0/0'
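The alias does the job, but it is easy to drop the -x exclusion when you copy it around. Here is an added example (not from the post or the sshuttle project) of a small wrapper that builds the command, refuses to start unless the ssh host is excluded from the tunnel, sends DNS through the tunnel as well, and stops it again via a pidfile. The -D/--daemon, --pidfile and --dns flags are sshuttle’s documented options; the pidfile location and the function names are my own choices.

```shell
#!/bin/sh
# Added example, not from the post or the sshuttle project: a wrapper around
# the "vpn" alias. Assumes sshuttle's -D/--daemon, --pidfile and --dns options
# as documented upstream; VPN_PIDFILE is our own choice of location.

VPN_PIDFILE="${VPN_PIDFILE:-/tmp/sshuttle-vpn.pid}"

# Print the sshuttle command for USER@HOST, routing SUBNETS (default: 0/0).
# The ssh host is always excluded with -x so the tunnel's own transport is not
# captured and routed back into the tunnel; --dns pushes DNS queries through
# it too, otherwise the local resolver still sees every name you look up.
build_sshuttle_cmd() {   # build_sshuttle_cmd USER HOST [SUBNET...]
  user="$1"; host="$2"; shift 2
  subnets="${*:-0/0}"
  printf 'sshuttle --dns -r %s@%s -x %s %s' "$user" "$host" "$host" "$subnets"
}

# Succeed when CMD carries "-x HOST"; handy for auditing an alias.
excludes_host() {        # excludes_host CMD HOST
  case " $1 " in
    *" -x $2 "*) return 0 ;;
    *)           return 1 ;;
  esac
}

vpn_up() {               # vpn_up USER HOST [SUBNET...]
  cmd="$(build_sshuttle_cmd "$@")"
  excludes_host "$cmd" "$2" || { echo "refusing: $2 is not excluded from the tunnel" >&2; return 1; }
  # word splitting of $cmd is intentional here
  sudo $cmd -D --pidfile "$VPN_PIDFILE"
}

vpn_down() {
  [ -f "$VPN_PIDFILE" ] || { echo "sshuttle is not running" >&2; return 1; }
  sudo kill "$(cat "$VPN_PIDFILE")" && sudo rm -f "$VPN_PIDFILE"
}

vpn_status() {
  if [ -f "$VPN_PIDFILE" ] && ps -p "$(cat "$VPN_PIDFILE")" >/dev/null 2>&1; then
    echo "sshuttle running, public IP: $(curl -s https://ipv4.cf)"
  else
    echo "sshuttle not running"
  fi
}

# Usage: sh vpn.sh up alice host.tld     (or: . ./vpn.sh; vpn_up alice host.tld)
case "${1:-}" in
  up)     shift; vpn_up "$@" ;;
  down)   vpn_down ;;
  status) vpn_status ;;
esac
```

Why the -x matters: 0/0 captures all TCP, including the ssh session that carries the tunnel, so without the exclusion sshuttle would try to route its own transport through itself. --dns closes the other leak: without it, every name you resolve still goes to whatever resolver the local network handed you.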

Other things you can do

According to the full docs, there are a lot more things you can do with sshuttle – including running it on your router, thereby VPN’ing your whole LAN through an endpoint! You can also run it in server mode.

This is a super useful little utility!

how did i never know about .ssh/config?

I’m sure folks have tried to explain this to me before, but it wasn’t until today that it finally clicked – using .ssh/config will save you a world of hurt when managing various systems from a Linux host (I imagine it works on other platforms, too – but I’ve only started using it on CentOS).

Following directions I found here, I started a config file on a server I use as a jump box. In it I have an entry for my web server, and I’ll be adding other frequently-accessed servers to it as time goes on.
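Here is what such a file can look like, as an added example that is not the post’s own config: an entry for a jump box plus a web server that ssh reaches through it with ProxyJump, written out by a helper that also locks the file permissions, and a small awk lookup to check what an alias resolves to. Host names, user names and key paths are constructed placeholders; the keywords are standard ssh_config ones (ProxyJump needs OpenSSH 7.3 or newer), and the helper names are mine.

```shell
#!/bin/sh
# Added example, not from the post: render a ~/.ssh/config with a jump-box
# entry and a web server reached through it, then look an alias up with a
# minimal stanza parser. Hosts, users and key paths are placeholders.

# write_ssh_config PATH -- write the config and lock its permissions
write_ssh_config() {
  cfg="$1"
  mkdir -p "$(dirname "$cfg")"
  cat > "$cfg" <<'EOF'
# jump box: the only machine reachable directly from outside
Host jump
    HostName jump.example.com
    User alice
    IdentityFile ~/.ssh/id_ed25519_jump
    # offer only this key, not every key the agent holds
    IdentitiesOnly yes

# web server behind the jump box: "ssh web" hops through jump automatically
Host web
    HostName 10.0.0.20
    User deploy
    ProxyJump jump
    IdentityFile ~/.ssh/id_ed25519_web
    IdentitiesOnly yes

Host *
    # keep known_hosts from listing every server you have ever visited
    HashKnownHosts yes
    ServerAliveInterval 60
EOF
  # ssh refuses a config that is writable by anyone other than its owner
  chmod 600 "$cfg"
}

# config_value CFG ALIAS KEY -- print KEY's value inside the "Host ALIAS"
# stanza, or nothing. Simplified lookup; `ssh -G ALIAS` prints the fully
# resolved settings once you want the real answer.
config_value() {
  awk -v want="$2" -v key="$(printf '%s' "$3" | tr 'A-Z' 'a-z')" '
    tolower($1) == "host"          { inblock = ($2 == want) }
    inblock && tolower($1) == key  { print $2; exit }
  ' "$1"
}

# Usage: write_ssh_config "$HOME/.ssh/config"; config_value "$HOME/.ssh/config" web HostName
```

After this, `ssh web` lands on 10.0.0.20 via the jump box with no -J or ProxyCommand to remember, and IdentitiesOnly keeps ssh from offering every key in your agent to every server, which is both faster and less chatty about which keys you own.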

Thanks, nerderati, man pages … and whomever else tried to explain this to me before but I didn’t grok.

system-wide proxying with os x (yosemite)

Perhaps you’re at a coffee shop, and want to ensure your communication is secure.

Or maybe you are out of the country, and need access to something like annualcreditreport.com.

What’s a body to do?

If you have a Mac, set up a system-wide proxy setting for a new Location, of course!

This is a very simple thing to do, but does require you have access to an SSH server somewhere.

Steps:

  • Create a new Location in your Network Preferences (name it something ‘obvious’ like “Proxy” or “Untrusted”)
  • Remove services you don’t need (most likely you only need WiFi)
  • Go to Advanced -> Proxies
  • Enable SOCKS Proxy and set server to ‘localhost’ with ‘9999’ as the port
  • Start a port-forwarded SSH session in Terminal: ssh -D 9999 user@remotehost
  • Click OK in the Proxies setting window
  • Click Apply in the Network preferences panel

That’s it. You do need to remember to create the port-forwarded SSH connection, or your web browsers and such will fail to connect properly.

You can change Location easily via the Apple menu -> Location.

Tested on OS X Yosemite. It should work elsewhere, but I only have a 10.10 machine to work with.