blog/_posts/2011-01-22-poor-mans-vpn.md

extends: post.liquid
title: sshuttle - poor man's vpn
date: 22 Jan 2011 00:00:00 +0100
path: /:year/:month/:day/poor-mans-vpn
route: blog
---
> [sshuttle](https://github.com/apenwarr/sshuttle) is a transparent proxy server that works as a poor man's VPN. Forwards over ssh. Doesn't require admin access. Works with Linux and MacOS, now including 10.6

It's as simple as

    $ ./sshuttle -r username@sshserver 0.0.0.0/0 -vv

and everything is tunneled through the ssh connection.

All you need is iptables and root access on the local machine, plus a Python binary on the server side. The server needs no root, no iptables and no extra program running.

Of course you may tunnel just some IPs. Just change the argument to whatever IP network you need.

    $ dig www.youtube.com
    [ ... find youtube's ip ... ]
    $ ./sshuttle -r username@sshserver 74.125.39.0/24 -vv

and every request to YouTube gets tunneled. Great for "This video is not available in your country"-videos if you've got ssh access to a server with a US IP.

I use it for exactly that case: tunneling YouTube requests to view videos. But sometimes, when I exit sshuttle, it fails before removing the iptables rules.

As sshuttle is just some Python code wrapped around the iptables CLI, I figured out what I needed to remove:

    $ iptables -t nat -D OUTPUT -j sshuttle-12300
    $ iptables -t nat -D PREROUTING -j sshuttle-12300
    $ iptables -t nat -F sshuttle-12300
    $ iptables -t nat -X sshuttle-12300

You may have to change the "12300" to something else; use the following command to figure this out:

    $ iptables -t nat -L

(or just read the verbose output)
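
The manual cleanup above, as an added example that is not part of the original post or of sshuttle: a small script that reads the output of `iptables -t nat -S` (the rule-listing form of the `-L` command shown above) and prints the removal commands for every `sshuttle-<port>` chain it finds, so the port number need not be guessed. The function names and the sample dump are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the post or from sshuttle): turn a dump of the nat
# table into the commands that remove leftover sshuttle-<port> chains.

# Print the name of every chain declared as "-N sshuttle-<digits>".
stale_sshuttle_chains() {
    sed -n 's/^-N \(sshuttle-[0-9][0-9]*\)$/\1/p'
}

# Read `iptables -t nat -S` output on stdin and print, per sshuttle chain:
# a -D for each jump rule that really exists, then the flush and the delete.
sshuttle_cleanup_cmds() {
    rules=$(cat)
    for chain in $(printf '%s\n' "$rules" | stale_sshuttle_chains); do
        printf '%s\n' "$rules" |
            sed -n "s/^-A \(.*-j $chain\)\$/iptables -t nat -D \1/p"
        echo "iptables -t nat -F $chain"
        echo "iptables -t nat -X $chain"
    done
}

# Constructed sample dump: one leftover sshuttle chain next to an unrelated
# chain (DOCKER) that must be left alone.
SAMPLE='-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
-N DOCKER
-N sshuttle-12300
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A PREROUTING -j sshuttle-12300
-A OUTPUT -j sshuttle-12300
-A sshuttle-12300 -d 74.125.39.0/24 -p tcp -j REDIRECT --to-ports 12300'

# Dry run on the sample; on a real machine, as root and with no sshuttle
# running:  iptables -t nat -S | sshuttle_cleanup_cmds
printf '%s\n' "$SAMPLE" | sshuttle_cleanup_cmds
```

Read the printed commands before piping them into `sh`. Running them while an sshuttle process is still active removes the rules of the live tunnel as well.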

For more info about how it works and so on, read the [README](https://github.com/apenwarr/sshuttle/blob/master/README.md).

Don't forget to read the help if you've got an unusual setup or other problems (some weird path to the Python binary on the server, auto-updating hosts file needed, different subnets and excluded subnets, ...):

    $ ./sshuttle -h

Works pretty well and it's secure, so use it!