How to use SSH as a VPN tunnel

SSH is typically used to log into a remote machine and execute commands, but it also supports tunneling, forwarding TCP ports and X11 connections.

What is SSH Tunneling?

A tunneling protocol may, for example, allow a foreign protocol to run over a network that does not support that particular protocol, such as running IPv6 over IPv4.

SSH tunneling is a method of transporting arbitrary networking data over an encrypted SSH connection. It can be used to add encryption to legacy applications. … It also provides a way to secure the data traffic of any given application using port forwarding, basically tunneling any TCP/IP port over SSH.


sshuttle is not exactly a VPN, and not exactly port forwarding. It’s kind of both, and kind of neither.

It’s like a VPN, since it can forward every port on an entire network, not just ports you specify. Conveniently, it lets you use the “real” IP addresses of each host rather than faking port numbers on localhost.

On the other hand, the way it works is more like ssh port forwarding than a VPN. Normally, a VPN forwards your data one packet at a time and doesn't care about individual connections; i.e. it's "stateless" with respect to the traffic. sshuttle is the opposite of stateless; it tracks every single connection.


```
sudo pip install sshuttle
```


```
$ sshuttle --dns -v -r <remote-host> 0/0
```


* This will forward all connections including DNS requests…
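The install-and-run procedure above, wrapped in a small POSIX shell script, as an added example that is not part of sshuttle or of the original post. The helper names `is_cidr`, `build_sshuttle_cmd`, `start_tunnel` and `stop_tunnel`, the hostname `gw.example.com` and the pidfile location are all assumptions; the sshuttle flags used (`--dns`, `-r`, `-x`, `-e`, `--daemon`, `--pidfile`) are the ones from the option listing on this page, and `StrictHostKeyChecking`/`BatchMode` are standard OpenSSH client options. It assumes sshuttle is installed and that the remote host's key is already in `~/.ssh/known_hosts`.

```shell
#!/bin/sh
# Added example (not sshuttle's own code): validate the subnet list, build the
# sshuttle command line, and start/stop the tunnel as a daemon.
# Assumes sshuttle is installed and the remote host key is already known,
# because BatchMode=yes refuses to prompt for it.

PIDFILE=${PIDFILE:-$HOME/.sshuttle.pid}   # assumed location; adjust as needed

# Accept the IPv4 subnet shorthand sshuttle takes: "10.0.0.0/8", "0/0", "10.1.2.3".
is_cidr() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){0,3}(/[0-9]{1,2})?$'
}

# build_sshuttle_cmd REMOTE "SUBNETS" "EXCLUDES"
# Prints the command line on stdout. Malformed subnets are rejected here rather
# than handed to the firewall rules. --dns sends name lookups through the
# tunnel as well, so they do not leak to the local resolver.
build_sshuttle_cmd() {
    remote=$1; subnets=$2; excludes=$3
    cmd="sshuttle --dns -r $remote"
    for x in $excludes; do
        is_cidr "$x" || { echo "bad exclude: $x" >&2; return 1; }
        cmd="$cmd -x $x"
    done
    for s in $subnets; do
        is_cidr "$s" || { echo "bad subnet: $s" >&2; return 1; }
    done
    printf '%s %s\n' "$cmd" "$subnets"
}

# start_tunnel REMOTE "SUBNETS" "EXCLUDES"
# Runs sshuttle in the background with a pidfile. -e pins the ssh options so an
# unknown or changed host key aborts the connection instead of prompting.
# Set DRY_RUN=1 to print the command instead of executing it.
start_tunnel() {
    cmd=$(build_sshuttle_cmd "$@") || return 1
    set -- $cmd -e "ssh -o StrictHostKeyChecking=yes -o BatchMode=yes" \
           --daemon --pidfile "$PIDFILE"
    if [ -n "$DRY_RUN" ]; then
        printf 'would run: %s\n' "$*"
        return 0
    fi
    "$@"
}

# Stop the daemon started by start_tunnel; sshuttle removes its firewall
# rules when it exits.
stop_tunnel() {
    [ -r "$PIDFILE" ] || { echo "no pidfile at $PIDFILE" >&2; return 1; }
    kill "$(cat "$PIDFILE")"
}

# Usage: route the 10/8 office network and everything else (0/0) through
# gw.example.com (constructed hostname) while keeping the local LAN direct:
#   DRY_RUN=1 sh tunnel.sh
if [ -n "$DRY_RUN" ]; then
    start_tunnel admin@gw.example.com "10.0.0.0/8 0/0" "192.168.1.0/24"
fi
```

With `0/0` every outbound TCP connection and, with `--dns`, every name lookup goes through the remote host, so that host and its SSH identity become the trust anchor for all traffic; pinning `StrictHostKeyChecking=yes` turns an unexpected key into a hard failure, and `-x` keeps the local LAN out of the tunnel. Run `stop_tunnel` (or `kill` the pid in the pidfile) to tear the tunnel down.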


Full option list, as printed by `sshuttle --help`:

```
usage: sshuttle [-l [ip:]port] [-r [user@]sshserver[:port]] <subnets...>

positional arguments:
  subnets               capture and forward traffic to these subnets
                        (whitespace separated)

optional arguments:
  -h, --help            show this help message and exit
  -l [IP:]PORT, --listen [IP:]PORT
                        transproxy to this ip address and port number
  -H, --auto-hosts      continuously scan for remote hostnames and update
                        local /etc/hosts as they are found
  -N, --auto-nets       automatically determine subnets to route
  --dns                 capture local DNS requests and forward to the remote
                        DNS server
  --ns-hosts IP[,IP]    capture and forward DNS requests made to the following
                        servers
  --to-ns IP[:PORT]     the DNS server to forward requests to; defaults to
                        servers in /etc/resolv.conf on remote side if not
                        given
  --method TYPE         auto, nat, nft, tproxy, pf, ipfw
  --python PATH         path to python interpreter on the remote server
  -r [user@]sshserver[:port], --remote [user@]sshserver[:port]
                        ssh hostname (and optional username) of remote
                        sshuttle server
  -x IP/MASK[:PORT[-PORT]], --exclude IP/MASK[:PORT[-PORT]]
                        exclude this subnet (can be used more than once)
  -X PATH, --exclude-from PATH
                        exclude the subnets in a file (whitespace separated)
  -v, --verbose         increase debug message verbosity
  -V, --version         print the sshuttle version number and exit
  -e CMD, --ssh-cmd CMD
                        the command to use to connect to the remote [ssh]
  --seed-hosts HOSTNAME[,HOSTNAME]
                        comma-separated list of hostnames for initial scan
                        (may be used with or without --auto-hosts)
  --no-latency-control  sacrifice latency to improve bandwidth benchmarks
  --wrap NUM            restart counting channel numbers after this number
                        (for testing)
  --disable-ipv6        disable IPv6 support
  -D, --daemon          run in the background as a daemon
  -s PATH, --subnets PATH
                        file where the subnets are stored, instead of on the
                        command line
  --syslog              send log messages to syslog (default if you use
                        --daemon)
  --pidfile PATH        pidfile name (only if using --daemon) [./]
  --user USER           apply all the rules only to this linux user
  --firewall            (internal use only)
  --hostwatch           (internal use only)
  --no-sudo-pythonpath  do not set PYTHONPATH when invoking sudo
```
