How to use the command sshuttle (with examples)
SSHuttle is a transparent proxy server that tunnels traffic over an SSH connection. It allows users to forward all IPv4 and IPv6 traffic, as well as DNS traffic, via a remote SSH server without requiring root or any special setup on the remote SSH server.
Use case 1: Forward all IPv4 TCP traffic via a remote SSH server
Code:
sshuttle --remote=username@sshserver 0.0.0.0/0
Motivation:
Forwarding all IPv4 TCP traffic via a remote SSH server can be useful in scenarios where you want to securely route your internet traffic through another server to ensure privacy and security. This can be especially helpful when you’re connected to an untrusted network, such as public Wi-Fi hotspots.
Explanation:
--remote=username@sshserver
: Specifies the remote SSH server to connect to. Replaceusername
with your username andsshserver
with the hostname or IP address of the SSH server.0.0.0.0/0
: Represents all IPv4 traffic. This ensures that all IPv4 traffic from your local machine is forwarded through the remote SSH server.
Example output:
Connected.
Use case 2: Also forward all DNS traffic to the server’s default DNS resolver
Code:
sshuttle --dns --remote=username@sshserver 0.0.0.0/0
Motivation:
In addition to forwarding all IPv4 TCP traffic, you may want to forward DNS traffic as well. This ensures that DNS queries made by your local machine are also securely tunneled through the remote SSH server, preventing any potential eavesdropping or DNS spoofing attacks.
Explanation:
--dns
: Enables DNS traffic forwarding.--remote=username@sshserver
: Specifies the remote SSH server to connect to.0.0.0.0/0
: Represents all IPv4 traffic.
Example output:
Connected.
Use case 3: Forward all traffic except that which is bound for a specific subnet
Code:
sshuttle --remote=username@sshserver 0.0.0.0/0 --exclude 192.168.0.1/24
Motivation:
There may be certain IP subnets or specific addresses that you want to exclude from being forwarded through the remote SSH server. This can be useful if you have certain local network resources that you don’t want to go through the SSH tunnel.
Explanation:
--remote=username@sshserver
: Specifies the remote SSH server to connect to.0.0.0.0/0
: Represents all IPv4 traffic.--exclude 192.168.0.1/24
: Excludes the IP subnet 192.168.0.0/24 from being forwarded. Replace it with the specific subnet you want to exclude.
Example output:
Connected.
Use case 4: Use the tproxy method to forward all IPv4 and IPv6 traffic
Code:
sshuttle --method=tproxy --remote=username@sshserver 0.0.0.0/0 ::/0 --exclude=your_local_ip_address --exclude=ssh_server_ip_address
Motivation:
Using the tproxy method allows for transparent proxying of both IPv4 and IPv6 traffic. This can be useful if you want to forward all internet traffic, regardless of the IP version, through the remote SSH server.
Explanation:
--method=tproxy
: Specifies the use of the tproxy method, which enables transparent proxying for both IPv4 and IPv6 traffic.--remote=username@sshserver
: Specifies the remote SSH server to connect to.0.0.0.0/0
: Represents all IPv4 traffic.::/0
: Represents all IPv6 traffic.--exclude=your_local_ip_address
: Excludes your local IP address from being forwarded.--exclude=ssh_server_ip_address
: Excludes the IP address of the SSH server from being forwarded.
Example output:
Connected.
Conclusion:
SSHuttle is a powerful command that enables users to easily create a transparent proxy server over an SSH connection. It provides flexibility in forwarding specific types of traffic or excluding certain IP subnets. By understanding the different use cases presented in this article, you can take full advantage of SSHuttle and ensure secure and private communication over SSH.