Securely Tunnelling Traffic with 'sshuttle' (with examples)
sshuttle is a user-friendly network tool that enables users to create a transparent proxy server, effectively routing traffic through an SSH connection. It allows secure tunnelling without needing special setups or root access on the remote SSH server. This makes it an invaluable tool for securely encrypting and routing network traffic, especially from environments with restrictive firewalls.
Use case 1: Forward all IPv4 TCP traffic via a remote SSH server
Code:
sshuttle --remote=username@sshserver 0.0.0.0/0
Motivation:
In scenarios where you need to secure your internet traffic or bypass restrictive network environments, forwarding all IPv4 TCP traffic through a remote SSH server using sshuttle helps in maintaining both security and privacy. This could be particularly useful for users working remotely who need to ensure their data integrity while using insecure public Wi-Fi networks.
Explanation:
--remote=username@sshserver: Specifies the SSH server and the user to connect with. Replace username with your actual SSH username and sshserver with the SSH server’s address.
0.0.0.0/0: This notation implies that all IPv4 addresses should be routed through the proxy, effectively capturing all IPv4 TCP traffic initiated by the machine.
Example Output:
Upon successful execution, sshuttle sets up a route for all IPv4 traffic via the remote SSH server. You might see log messages detailing which connections are being proxied.
Use case 2: Also forward all DNS traffic to the server’s default DNS resolver
Code:
sshuttle --dns --remote=username@sshserver 0.0.0.0/0
Motivation:
Forwarding DNS requests through the SSH server enhances security by ensuring that DNS queries, which can often reveal the sites you’re visiting, are encrypted. This prevents DNS leakage and provides an additional layer of anonymity.
Explanation:
--dns: This flag tells sshuttle to forward DNS requests as well. By doing this, your DNS queries get resolved by the server’s DNS resolver, ensuring they are not exposed to the local network.
--remote=username@sshserver: As before, this specifies whom and where to connect for creating the proxy.
0.0.0.0/0: Directs all IPv4 traffic to be routed through this setup.
Example Output:
The output remains similar to the previous use case, with DNS requests routed as well. sshuttle displays logs indicating DNS queries being proxied.
Use case 3: Forward all traffic except that which is bound for a specific subnet
Code:
sshuttle --remote=username@sshserver 0.0.0.0/0 --exclude 192.168.0.1/24
Motivation:
Excluding a specific subnet can be beneficial in a corporate setting where you need to maintain access to local resources without routing that traffic through a remote proxy. For instance, local file servers or printers within your network don’t require secure tunnelling.
Explanation:
--remote=username@sshserver: Directs which SSH server to use for the proxy.
0.0.0.0/0: Ensures all other IPv4 traffic is forwarded via the proxy.
--exclude 192.168.0.1/24: This option excludes traffic destined for the specified local subnet. Replace 192.168.0.1/24 with the relevant subnet that you do not want to proxy.
Example Output:
You will observe log outputs from sshuttle that capture traffic headed to other networks while skipping what’s bound for the excluded subnet.
Use case 4: Use the tproxy method to forward all IPv4 and IPv6 traffic
Code:
sshuttle --method=tproxy --remote=username@sshserver 0.0.0.0/0 ::/0 --exclude=your_local_ip_address --exclude=ssh_server_ip_address
Motivation:
Utilizing the tproxy method is useful for advanced users who wish to route both IPv4 and IPv6 traffic simultaneously. This method allows for more comprehensive network tunnelling and is ideal in environments that support both protocols.
Explanation:
--method=tproxy: Implies using transparent proxy mode, which captures and redirects packets at a lower level, allowing both IPv4 and IPv6 traffic to be managed.
--remote=username@sshserver: Directs which SSH server to employ for tunnelling.
0.0.0.0/0: Routes all IPv4 traffic.
::/0: Captures all IPv6 traffic as well.
--exclude=your_local_ip_address: Ensures that local traffic (e.g., within your private network) bypasses the proxy.
--exclude=ssh_server_ip_address: Prevents routing traffic to and from the SSH server within the proxy, preserving the connection.
Example Output:
The sshuttle tool will log connections being established and detail how traffic for both IPv4 and IPv6 is handled, excluding specified addresses.
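The subnet and --exclude arguments from use cases 3 and 4 can be checked before connecting, to see which destinations would enter the tunnel and which would go out directly. The Python script below is an added example, not part of sshuttle or the original page. It assumes the most specific matching subnet decides (an exclude winning a tie), and 203.0.113.10 (standing in for ssh_server_ip_address) and the other destinations are constructed sample values.

```python
import ipaddress


def parse_subnet(text):
    # strict=False tolerates host bits: 192.168.0.1/24 -> 192.168.0.0/24
    return ipaddress.ip_network(text, strict=False)


def route_decision(dest, includes, excludes):
    """Return 'tunnel' or 'direct' for one destination address.

    Assumed model: the most specific matching subnet decides, and an
    exclude wins a tie against an include of the same prefix length.
    """
    addr = ipaddress.ip_address(dest)
    best = None  # (prefix length, is_exclude) of the winning subnet
    for is_exclude, subnets in ((False, includes), (True, excludes)):
        for text in subnets:
            net = parse_subnet(text)
            if net.version != addr.version or addr not in net:
                continue
            candidate = (net.prefixlen, is_exclude)
            if best is None or candidate > best:
                best = candidate
    # No matching subnet at all means the traffic is never captured.
    if best is None or best[1]:
        return "direct"
    return "tunnel"


def plan(destinations, includes, excludes):
    return {d: route_decision(d, includes, excludes) for d in destinations}


if __name__ == "__main__":
    # Constructed sample destinations (documentation address ranges).
    dests = ["192.168.0.50", "192.168.1.50", "203.0.113.10", "2001:db8::1"]
    cases = {
        "use case 3": (["0.0.0.0/0"], ["192.168.0.1/24"]),
        # 203.0.113.10 stands in for ssh_server_ip_address
        "use case 4": (["0.0.0.0/0", "::/0"], ["203.0.113.10"]),
    }
    for name, (inc, exc) in cases.items():
        print(name)
        for dest, verdict in plan(dests, inc, exc).items():
            print(f"  {dest:<15} {verdict}")
```

With the use case 3 arguments the IPv6 destination is reported as direct, because only an IPv4 subnet was given; the ::/0 argument in use case 4 is what brings it into the tunnel.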
Conclusion:
sshuttle serves as a powerful utility for users seeking a simple yet effective method to encrypt and proxy their network traffic through SSH connections. Whether safeguarding DNS queries, handling IPv6 traffic, or excluding specific subnets, sshuttle provides versatile solutions for various network management needs.