sshuttle

TLDR

Tunnel all traffic

$ sshuttle -r [user@host] 0/0

Tunnel specific network

$ sshuttle -r [user@host] [192.168.0.0/24]

Tunnel multiple networks

$ sshuttle -r [user@host] [10.0.0.0/8] [172.16.0.0/12]

Exclude addresses

$ sshuttle -r [user@host] 0/0 -x [192.168.1.0/24]

Tunnel with DNS

$ sshuttle --dns -r [user@host] 0/0

Auto-detect networks (from server routes)

$ sshuttle -r [user@host] --auto-nets

Verbose mode

$ sshuttle -v -r [user@host] [10.0.0.0/8]

SYNOPSIS

sshuttle [-r server] [--dns] [-x exclude] [options] subnets

sshuttle creates a VPN-like tunnel over SSH. It transparently redirects traffic through a remote server without configuring VPN software.
Unlike VPNs, sshuttle requires only SSH access. No server-side installation is needed beyond Python. It works where VPN ports are blocked.
Subnet specifications determine what traffic is tunneled. 0/0 tunnels everything. Specific subnets route only matching traffic.
DNS tunneling prevents leaks. Remote DNS resolution hides query patterns from local networks.
The tool uses iptables/pf to redirect traffic. Root access is needed locally for routing setup. The remote needs only SSH access.
Auto-nets reads the remote routing table to tunnel all its accessible networks.

PARAMETERS

-r SERVER

Remote server (user@host).

--dns

Tunnel DNS queries.

-x SUBNET

Exclude subnet.

-l ADDR

Listen address.

--auto-nets

Auto-detect server networks.

--auto-hosts

Scan for hosts.

-N

Auto-detect DNS server.

-e CMD

SSH command.

-v

Verbose.

--daemon

Run as daemon.

--pidfile FILE

PID file.

--method METHOD

NAT method (auto, nat, tproxy).

CAVEATS

Requires root locally. Not a full VPN (no UDP by default). Latency added by SSH. Some applications may not work through tunnel.

HISTORY

sshuttle was created by Avery Pennarun around 2010. It was described as a "poor man's VPN" that works wherever SSH works.