Using Sshuttle in Daily Work

2012年6月19日 | 分类: 翻墙相关 | 标签: , ,

I was first introduced to sshuttle by Sooyoung (@5ooyoung) in Favorite Medium as a workaround to The Great Firewall in China.

Since then, it has become my light-weight network tunneling tool in daily work.

Install sshuttle

The installation is easy now. You can install it through Mac OSX Homebrew, or Ubuntu apt-get.

brew install sshuttle 

I use sshuttle to..

1. Tunnel all traffic

This is the first command I learned. It forwards all TCP traffic and DNS requests to a remote SSH server.

sshuttle --dns -vr ssh_server 0/0 

Just like ssh, you can use any server specified in ~/.ssh/config. The -v flag means verbose mode.

Besides TCP and DNS, currently sshuttle does not forward other requests such as UDP, ICMP ping etc.

2. Tunnel all traffic, but exclude some

You can exclude certain TCP traffic using -x option.

sshuttle --dns -vr ssh_server -x -x 0/0 

For instance, when I am in China, I don’t want to tunnel traffic to a foreign server, because its movie streaming service is only available within China.

In this case, I use -x option to exclude IP addresses.

3. Tunnel only certain traffic

To tunnel only certain TCP traffic, specify the IP addresses or IP ranges that need tunneling.

sshuttle -vr ssh_server 

This command comes in handy, whenever I need to test an app feature (e.g. Netflix movie streaming) which only available in certain countries, or to bypass ISP faulty caches.

4. VPN to office network

I seldom do VPN, but all you need is the remote SSH server with -NH flags turned on.

sshuttle -NHvr office_ssh_server 

-N flag tells sshuttle to figure out by itself the IP subnets to forward, and -H flag to scan for hostnames within remote subnets and store them temporarily in /etc/hosts.

IP addresses.. troublesome?

Well, I try not to deal with IP addresses manually. So I wrote a few sshuttle helpers (tnl, tnlbut, tnlonly, vpnto) that allow me to use domain names instead of IP addresses:

Tunnel all traffic


Tunnel all traffic, but exclude some


Tunnel only certain traffic


VPN to office network

vpnto office_ssh_server 

The script is available on my GitHub repo. You can load it into your ~/.bashrc. To override the default tunneling SSH server in the script:

TNL_SERVER=user@another_server tnl 


我曾在“sshuttle: 穷人的VPN”、“关闭ssh tunnel的shell帐号如果做代理”和“Elitter – 提供免费shell账户、web主机和DNS服务”提到过Sshuttle这个程序,本文更为详细,有兴趣的看看。

  1. mac