Great Shuttle Service

Charly's Column – sshuttle

Article from Issue 210/2018

When he doesn't want to deal with OpenVPN version conflicts or congestion control problems during TCP tunneling, Charly catches a ride on sshuttle.

In untrustworthy networks, I let OpenVPN tunnel my laptop. There are certainly alternatives, and I would like to present a particularly simple one: sshuttle [1]. As the name suggests, the tool relies on SSH. The tunnel's endpoint is a leased root server, just like with OpenVPN. Sshuttle is very frugal. It only needs SSH access with user privileges on the server; root privileges are not necessary. Additionally, Python must be installed on the server – that's it.

This is because sshuttle loads and executes the required Python code on the server after the SSH connection is established. It also avoids version conflicts between server and client software. The following command is all it takes to set up the tunnel:

sudo sshuttle -r <User>@<Server>:<Port> 0/0

You can leave out the port number if it is the SSH standard port 22. The 0/0 means that Linux should direct all connections into the tunnel. However, this means that I cannot reach other devices in the local network. To keep the local LAN still visible, I define it as an exception using the -x parameter:

sudo sshuttle -r --dns <User>@<Server> 0/0 -x

--dns is included here. This means that DNS queries also run through the tunnel, which does not happen automatically. This is sshuttle's Achilles heel: It only transports TCP; ICMP and UDP do not pass through the tunnel, apart from DNS.

Congestion Alert

Whereas other VPN technologies work at packet level and rely on TUN/TAP devices, sshuttle works at session level. It assembles the TCP stream locally, multiplexes it over the SSH connection, while keeping the status, and splits it into packets again on the destination side.

This avoids the TCP-over-TCP problem which plagues other tools such as OpenVPN: TCP has an overload control (congestion control). The protocol defines a performance limit on the basis of dropped packets. If you tunnel TCP over TCP, you lose congestion control for the inner connection, which can lead to bizarre error patterns. Sshuttle is immune to the problem.

Verbose parameters can help if you do need to troubleshoot. Figure 1 shows a connection setup with -v. With the verbose option, sshuttle is very long-winded, so I recommend redirecting the output to a file that can be evaluated in peace. My conclusions: Sshuttle is an excellent and simple VPN for people who can do without UDP and ICMP.

Figure 1: Sshuttle builds a VPN for a server. Because of -v, the messages are more extensive than without.

The Author

Charly Kühnast manages Unix systems in the data center in the Lower Rhine region of Germany. His responsibilities include ensuring the security and availability of firewalls and the DMZ.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Charly's Column – Reverse SSH Tunnel

    This month, Charly Kühnast draws attention to a widely unknown weather phenomenon: The instability of rarely used tunnels leading to a Raspberry Pi. Read on for greater insights.

  • Tempus Fugit

    Charly Kühnast, sys admin columnist for 15 years, is searching for lost microseconds.

  • OpenVPN

    Firewalls sometimes prohibit everything but everyday surfing, leaving users with no hope of running IRC or streaming servers through the firewall, unless they use a virtual private networking tool like OpenVPN.

  • Charly's Birds

    Charly ran a first-generation Rasp Pi for years in the birdhouse in his garden, but the Rasp Pi eventually fell foul of marauding wasps. Now Charly has replaced it with an RPi3 featuring a NoIR cam and motion detection.

  • Charly's Column – httpstat

    Httpstat is a special stopwatch you can use to discover how long web servers take to serve up a static or dynamic HTML page. Visible performance lags indicate optimization potential for the server.

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More