Using Sshuttle in Daily Work

June 19, 2012 | Category: GFW circumvention

I was first introduced to sshuttle by Sooyoung (@5ooyoung) in Favorite Medium as a workaround to The Great Firewall in China.

Since then, it has become my light-weight network tunneling tool in daily work.

Install sshuttle

The installation is easy now. You can install it through Homebrew on Mac OS X, or apt-get on Ubuntu.

brew install sshuttle

I use sshuttle to..

1. Tunnel all traffic

This is the first command I learned. It forwards all TCP traffic and DNS requests to a remote SSH server.

sshuttle --dns -vr ssh_server 0/0

Just like ssh, you can use any server specified in ~/.ssh/config. The -v flag means verbose mode.

Currently sshuttle forwards only TCP and DNS; other traffic, such as UDP and ICMP ping, is not forwarded.

2. Tunnel all traffic, but exclude some

You can exclude certain TCP traffic using the -x option.

sshuttle --dns -vr ssh_server -x 121.9.204.0/24 -x 61.135.196.21 0/0

For instance, when I am in China, I don’t want to tunnel Youku.com traffic to a foreign server, because its movie streaming service is only available within China.

In this case, I use the -x option to exclude Youku.com IP addresses.

3. Tunnel only certain traffic

To tunnel only certain TCP traffic, specify the IP addresses or IP ranges that need tunneling.

sshuttle -vr ssh_server 121.9.204.0/24 61.135.196.21

This command comes in handy whenever I need to test an app feature (e.g. Netflix movie streaming) which is only available in certain countries, or to bypass faulty ISP caches.

4. VPN to office network

I seldom use a VPN, but all you need is the remote SSH server and the -NH flags turned on.

sshuttle -NHvr office_ssh_server

The -N flag tells sshuttle to discover the IP subnets to forward on its own, and the -H flag tells it to scan for hostnames within the remote subnets and store them temporarily in /etc/hosts.

IP addresses.. troublesome?

Well, I try not to deal with IP addresses manually. So I wrote a few sshuttle helpers (tnl, tnlbut, tnlonly, vpnto) that allow me to use domain names instead of IP addresses:

Tunnel all traffic

tnl

Tunnel all traffic, but exclude some

tnlbut youku.com weibo.com

Tunnel only certain traffic

tnlonly netflix.com movies.netflix.com

VPN to office network

vpnto office_ssh_server

The script is available on my GitHub repo. You can load it into your ~/.bashrc. To override the default tunneling SSH server in the script:

TNL_SERVER=user@another_server tnl
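A shell sketch of such helpers, added here as an example and not the author's GitHub script: it resolves each domain name to its IPv4 addresses (assuming getent or dig is available) and assembles the sshuttle command lines shown in sections 1 to 4 above, honouring the TNL_SERVER override.

```shell
#!/bin/sh
# Example helpers (not the author's script). Default server as in the post;
# override with: TNL_SERVER=user@another_server tnl
TNL_SERVER="${TNL_SERVER:-ssh_server}"

# resolve_ipv4 NAME: print the IPv4 addresses of NAME, one per line.
# Literal IPs and CIDR ranges (e.g. 0/0, 121.9.204.0/24) pass through unchanged.
# Caveat: addresses are resolved once, at launch; a CDN-backed site whose
# records rotate may later use addresses this list does not cover.
resolve_ipv4() {
  case "$1" in
    *[!0-9./]*)
      if command -v getent >/dev/null 2>&1; then
        getent ahostsv4 "$1" | awk '{print $1}' | sort -u
      else
        dig +short A "$1" | grep -E '^[0-9.]+$'   # assumed fallback on Mac OS X
      fi ;;
    *) printf '%s\n' "$1" ;;
  esac
}

# sshuttle_args MODE [HOST...]: print the argument list for sshuttle.
#   all  -> --dns -vr SERVER 0/0                (section 1)
#   but  -> --dns -vr SERVER -x IP ... 0/0      (section 2)
#   only -> -vr SERVER IP ...                   (section 3)
sshuttle_args() {
  [ $# -gt 0 ] || { echo "usage: sshuttle_args all|but|only [host...]" >&2; return 1; }
  mode=$1; shift
  case "$mode" in
    all)  args="--dns -vr $TNL_SERVER 0/0" ;;
    but)  args="--dns -vr $TNL_SERVER"
          for h in "$@"; do
            for ip in $(resolve_ipv4 "$h"); do args="$args -x $ip"; done
          done
          args="$args 0/0" ;;
    only) args="-vr $TNL_SERVER"
          for h in "$@"; do
            for ip in $(resolve_ipv4 "$h"); do args="$args $ip"; done
          done ;;
    *) echo "unknown mode: $mode" >&2; return 1 ;;
  esac
  printf '%s\n' "$args"
}

tnl()     { sshuttle $(sshuttle_args all); }
tnlbut()  { sshuttle $(sshuttle_args but "$@"); }
tnlonly() { sshuttle $(sshuttle_args only "$@"); }
vpnto()   { sshuttle -NHvr "$1"; }              # section 4: -N auto-subnets, -H hostnames
```

Source the file from ~/.bashrc; word-splitting of the unquoted $(sshuttle_args ...) is intentional, since every token is an IP, a CIDR range or a flag.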

Original article: http://teohm.github.com/blog/2012/04/01/using-sshuttle-in-daily-work/

I have mentioned sshuttle before in "sshuttle: the poor man's VPN", "How to use a shell account with SSH tunneling disabled as a proxy" and "Elitter – free shell accounts, web hosting and DNS service"; this article is more detailed, so take a look if you are interested.

  1. mac
    June 20, 2012 13:18

    I have used this before too; it works well.