Saturday, October 5, 2013

Create another encrypted VPN using sshuttle!


What is sshuttle? From its website, it is a "Transparent proxy server that works as a poor man's VPN. Forwards over ssh. Doesn't require admin. Works with Linux and MacOS. Supports DNS tunneling."

With our last write-up using OpenVPN, not all of your traffic is sent over the tunnel. Things like DNS lookups and many command-line tools simply ignore the proxy. You're also encapsulating TCP-over-TCP, which can cause performance problems.

Using sshuttle solves a lot of the common problems with encrypting your traffic, and it does so very efficiently. There's no need for complicated pre-existing infrastructure. All you need is Python 2.x installed on your local machine and a remote machine you can SSH into that also has Python installed. You don't even have to be an administrator/root on the remote machine.


First, install sshuttle and Python. I found both in the Ubuntu Software Center. You can also build sshuttle from source, and Python is available from its own website. That's all there is to it! Now you're ready to connect to your remote server. Before you connect, if you want to check your current external IP address, visit a site that shows it. We'll check it again after we connect to your server.

The basic command to achieve our goal looks like this in a terminal (USER and HOST are placeholders for your login name and your server):
$ sudo sshuttle --dns -r USER@HOST 0/0

If your username or SSH port on the remote server differs from the one on your local machine, spell them out like this (PORT is again a placeholder):
$ sudo sshuttle --dns -r USER@HOST:PORT 0/0

Let's check your IP address again to see whether you're now tunneling through your server.

To stop forwarding traffic, just press Ctrl-c back in the terminal. We can do a bit better though by forking the process into the background so we don't tie up our terminal session. These are the aliases I use to make setting up and tearing down the tunnel easier. I opened and edited my .bashrc in my home folder (USER@HOST is a placeholder for your server, and the pidfile can have any name you like; /tmp/sshuttle.pid is used here):
alias tunnel='sudo sshuttle --dns --daemon --pidfile=/tmp/sshuttle.pid -r USER@HOST 0/0'
alias tunnelx='[[ -f /tmp/sshuttle.pid ]] && sudo kill $(cat /tmp/sshuttle.pid) && echo "Disconnected."'
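The same up/down pair as shell functions, added here as an example (not code from the original post): they check the pidfile before acting, so a stale or corrupt pidfile left behind by a crash or reboot is cleaned up instead of killing an unrelated process that reused the PID. The pidfile path /tmp/sshuttle.pid and USER@HOST are assumed placeholders; both can be overridden through the environment.

```shell
# Added example, not from the original post. Assumed: pidfile /tmp/sshuttle.pid,
# USER@HOST as placeholder for your own login and server (override via environment).
PIDFILE="${SSHUTTLE_PIDFILE:-/tmp/sshuttle.pid}"
REMOTE="${SSHUTTLE_REMOTE:-USER@HOST}"

# Return 0 when the pidfile names a live process, 1 otherwise. A pidfile whose
# process is gone, or that does not hold a number, is removed so tunnel_up can
# start again and tunnel_down never signals a PID that now belongs to something else.
tunnel_status() {
    local pid
    [ -f "$PIDFILE" ] || return 1
    pid=$(cat "$PIDFILE" 2>/dev/null)
    case "$pid" in
        ''|*[!0-9]*) rm -f "$PIDFILE" 2>/dev/null; return 1 ;;
    esac
    # kill -0 fails with EPERM for the root-owned daemon when run unprivileged,
    # so also look in /proc (Linux) before declaring the pidfile stale.
    if kill -0 "$pid" 2>/dev/null || [ -d "/proc/$pid" ]; then
        return 0
    fi
    rm -f "$PIDFILE" 2>/dev/null
    return 1
}

# Bring the tunnel up unless it is already running.
tunnel_up() {
    if tunnel_status; then
        echo "sshuttle already running (pid $(cat "$PIDFILE"))"
        return 0
    fi
    # --dns also tunnels DNS lookups; 0/0 routes every IPv4 destination via the server.
    sudo sshuttle --dns --daemon --pidfile="$PIDFILE" -r "$REMOTE" 0/0
}

# Tear the tunnel down only if the recorded PID is still alive.
tunnel_down() {
    if ! tunnel_status; then
        echo "no tunnel running"
        return 1
    fi
    sudo kill "$(cat "$PIDFILE")" && echo "Disconnected."
}
```

Source the file from .bashrc and call tunnel_up / tunnel_down in place of the aliases.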

Known Bugs
You may see a bunch of “warning: closed channel …” messages when running sshuttle (either on STDOUT or in your system.log), but these warnings are safe to ignore. The developer knows about the issue and is thinking of the best way to suppress/eliminate the condition.


The next steps are done as root. Be careful running as root!
$ sudo su
Enter your password; you should now be root and ready to create your RSA key pair. Type:
# ssh-keygen -t rsa
It'll ask you where to save your public/private RSA key pair. The default is /root/.ssh/id_rsa, so just press Enter here. It will then ask you to enter a passphrase. The passphrase you enter here will need to be entered every time you use the RSA key, but fortunately you can set NO passphrase by pressing Enter. The upside of having one is that you only have to remember this single passphrase for all the systems you access via RSA authentication, and you can change the passphrase later with "ssh-keygen -p". This process creates two files, id_rsa and id_rsa.pub. The .pub file is your public key and the one we will be moving to the server. Type the following to transfer your public key to the server (USER@HOST is a placeholder):
# scp .ssh/id_rsa.pub USER@HOST:
We'll also have to copy id_rsa to your home folder so you can log into your server without having to be root. NOTE: This is not the So let's move it over with the following, replacing USER with your username:
# cp .ssh/id_rsa /home/USER/.ssh/
# exit
Next, connect to the remote host through SSH (don't use sshuttle at this point). RSA authentication won't be available just yet, so you'll have to log in the old way with your password. Once you are connected, add the new public key to /root/.ssh/authorized_keys if you have root access, or to .ssh/authorized_keys in your home directory otherwise. If the .ssh directory doesn't exist, create it: you can check whether it exists with ls -la, and if you need to create it use mkdir .ssh. Now that it exists, type the following command:
$ cat id_rsa.pub >> .ssh/authorized_keys
The two right-angle brackets (>>) append the contents of id_rsa.pub to the authorized_keys file, so if the file already exists you won't have to worry about its existing content being modified. You are all set. To test the RSA authentication, initiate an SSH connection. If everything worked, you should either be asked for the passphrase (if you entered one) or get logged in directly. If you are prompted for the SSH password or get an error message, retry the above command with -v to turn on verbose mode so you can track down and correct the problem. If you didn't have any problems you can now disconnect your SSH session and start using sshuttle without it asking you for a password!
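A stricter version of the append step above, added as an example (not code from the original post) for the server side: it creates .ssh with the modes sshd's StrictModes requires (700 on the directory, 600 on authorized_keys, a frequent reason for still being asked for a password), accepts only a single public-key line so a private key can never be pasted in by mistake, and skips a key that is already present so re-running never duplicates entries. It assumes the copied key file is passed as the first argument (e.g. id_rsa.pub) and defaults the target directory to ~/.ssh.

```shell
# Added example, not from the original post. Arguments: key file (e.g. id_rsa.pub)
# and, optionally, the .ssh directory (assumed default: ~/.ssh).
# Returns 0 when the key was added, 1 when it was already there, 2 on bad input.
install_pubkey() {
    local keyfile="$1" sshdir="${2:-$HOME/.ssh}" authkeys ktype kdata rest
    authkeys="$sshdir/authorized_keys"
    [ -f "$keyfile" ] || { echo "no such file: $keyfile" >&2; return 2; }
    # A public key is one line: "<type> <base64> [comment]". Anything longer
    # (a PEM private key starts with "-----BEGIN" and spans many lines) is refused.
    [ "$(wc -l < "$keyfile")" -le 1 ] || { echo "refusing $keyfile: not a single-line key" >&2; return 2; }
    read -r ktype kdata rest < "$keyfile" || :
    case "$ktype" in
        ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-*) ;;
        *) echo "refusing $keyfile: '$ktype' is not a public key type" >&2; return 2 ;;
    esac
    [ -n "$kdata" ] || { echo "refusing $keyfile: missing key data" >&2; return 2; }
    # Permissions first: with StrictModes, sshd ignores authorized_keys if these are too open.
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$authkeys" && chmod 600 "$authkeys"
    # Duplicate check compares type and key blob only, ignoring the comment and
    # any option prefix (command="...",no-pty ...) an existing entry may carry.
    if awk -v t="$ktype" -v k="$kdata" \
        '{ for (i = 1; i < NF; i++) if ($i == t && $(i+1) == k) f = 1 } END { exit f ? 0 : 1 }' "$authkeys"; then
        echo "key already present in $authkeys"
        return 1
    fi
    # "$(cat file)" drops any trailing newline and printf adds exactly one,
    # so the next key appended later can never be glued onto this line.
    printf '%s\n' "$(cat "$keyfile")" >> "$authkeys"
    echo "added $ktype key to $authkeys"
}
```

Run it on the server as install_pubkey id_rsa.pub after the scp step; a second run reports the key as already present and leaves the file untouched.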

Create another encrypted VPN using sshuttle! by Randy Rowland is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
