I know there are quite a few people who will be as happy to know this as I was. Thanks to a helpful contributor known only as dkf, I've now added the magic incantation (namely, sysctl -w net.inet.ip.scopedroute=0) that's needed to make ipfw transparent proxying work on MacOS 10.6 Snow Leopard. I don't know what it does, and I don't care! All I know is that sshuttle restores it on exit to whatever its previous value was :)
This means you, as well as I, can now use a Macbook to VPN into any network that gives you ssh access. That's a lot more helpful than always having to do it from a Linux VM.
Why sshuttle is awesome
For those who are just joining us, sshuttle provides VPN-like connectivity using a plain ssh connection, without needing root access (and thus the admin's permission) on the server side. It sets up a transparent proxy on your client, with a firewall redirect rule (ipfw on a Mac, iptables on Linux) sending your outgoing TCP connections to it, and forwards the intercepted streams through an ssh session to a copy of itself running on the server.
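To make that design concrete, here's an added example of my own (not sshuttle's code, and not its real wire format; the frame layout, frame types and the 64 KiB payload cap are assumptions for the illustration). The client side reads application bytes out of each intercepted TCP connection and tags them with a channel id; the server side reassembles the frames, however the bytes happen to arrive, and would write each channel into its own outbound socket. Only payload crosses the tunnel, never TCP packets.

```python
"""Multiplexing several TCP streams' payloads over one byte stream.

Added example, not sshuttle's own code or wire format. Frame layout,
frame types and MAX_PAYLOAD are assumptions made for this illustration.
"""
import struct

# Assumed framing: 1-byte type, 2-byte channel id, 4-byte payload length.
HEADER = struct.Struct("!BHI")
OPEN, DATA, CLOSE = 1, 2, 3
MAX_PAYLOAD = 64 * 1024   # refuse absurd lengths from a hostile peer


def frame(kind, chan, payload=b""):
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too large")
    return HEADER.pack(kind, chan, len(payload)) + payload


class ClientMux:
    """Client side: one channel per intercepted TCP connection."""

    def __init__(self):
        self.next_chan = 1
        self.out = bytearray()          # bytes queued for the ssh channel

    def open(self, dst_host, dst_port):
        chan = self.next_chan
        self.next_chan += 1
        self.out += frame(OPEN, chan, ("%s:%d" % (dst_host, dst_port)).encode())
        return chan

    def send(self, chan, data):
        self.out += frame(DATA, chan, data)

    def close(self, chan):
        self.out += frame(CLOSE, chan)

    def drain(self, n):
        """Pop up to n queued bytes, the way a socket send() would."""
        chunk = bytes(self.out[:n])
        del self.out[:n]
        return chunk


class ServerDemux:
    """Server side: reassembles frames from arbitrary-sized reads."""

    def __init__(self):
        self.buf = bytearray()
        self.dest = {}       # chan -> "host:port" it would connect to
        self.streams = {}    # chan -> bytes written to that outbound socket
        self.closed = set()

    def feed(self, data):
        self.buf += data
        while len(self.buf) >= HEADER.size:
            kind, chan, n = HEADER.unpack_from(self.buf)
            if n > MAX_PAYLOAD:
                raise ValueError("peer sent oversized frame")
            if len(self.buf) < HEADER.size + n:
                break                      # wait for the rest of this frame
            payload = bytes(self.buf[HEADER.size:HEADER.size + n])
            del self.buf[:HEADER.size + n]
            self._handle(kind, chan, payload)

    def _handle(self, kind, chan, payload):
        if kind == OPEN:
            self.dest[chan] = payload.decode()
            self.streams[chan] = b""
        elif kind == DATA:
            if chan not in self.streams or chan in self.closed:
                raise ValueError("data for unknown or closed channel %d" % chan)
            self.streams[chan] += payload
        elif kind == CLOSE:
            self.closed.add(chan)
        else:
            raise ValueError("unknown frame type %d" % kind)


def demo():
    """Two interleaved connections, delivered to the server in 7-byte chunks
    (constructed sample traffic, not a capture)."""
    client, server = ClientMux(), ServerDemux()
    a = client.open("10.0.0.5", 80)
    b = client.open("10.0.0.9", 22)
    client.send(a, b"GET / HTTP/1.0\r\n\r\n")
    client.send(b, b"SSH-2.0-client\r\n")
    client.close(a)
    while client.out:
        server.feed(client.drain(7))
    return server


if __name__ == "__main__":
    s = demo()
    for chan, dst in s.dest.items():
        print(chan, dst, s.streams[chan], "closed" if chan in s.closed else "open")
```

The length check before buffering is the part a practitioner should not skip: the server side is parsing input from the network, and a peer that claims a multi-gigabyte frame should get an error, not an unbounded buffer.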
Compared to ssh's built-in port forwarding and tunneling and socks mode, sshuttle is better because:
- it auto-discovers hostnames from the server side and puts them in your /etc/hosts while the tunnel is running.
- it auto-discovers network routes from the server so you don't have to specify them on the client.
- it works even if you don't know how to configure socks, and with programs that don't support socks, and you don't have to remember to turn socks on and off when your tunnel comes and goes.
- you can easily run more than one tunnel at once to more than one remote server (as long as the remote subnets use different IP addresses, of course).
- the remote admin can't disable it in the sshd configuration.
- there's a workaround for ssh's tendency to use megabyte-sized tx/rx socket buffers, which results in horrible latency. So you can download a large file *and* have interactive traffic on the same tunnel, and performance doesn't suck.
- it doesn't have the random freeze-up bugs that ssh port forwarding does. (Though maybe that's specific to Debian's ssh, and maybe it only happens to me. Nobody has ever corroborated my story that ssh port forwarding freezes ALL THE TIME.)
- you get exactly the same level of transport security and key management as ssh (ie. a lot), because it uses ssh.
- you don't have to install anything on the server (as long as you have sshd, a shell account, and python). It installs a temporary copy of itself on the server ("internet worm technology"), whenever you connect. There's never a client/server version mismatch.
- it's astonishingly easy to configure; you don't even need to 'make install'.
- it elegantly avoids the infamous tcp-over-tcp problem that most tcp-based SSL VPNs have, because it forwards the payload of each intercepted connection rather than the TCP packets themselves, while still being able to use chained ciphers that udp-based VPNs can't (at least not without incurring a lot of overhead).
- almost all of it does not run as root (including 100% of the server side).
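The "temporary copy of itself on the server" trick is worth seeing in code. This is an added example of my own, not sshuttle's actual bootstrap (its one-liner and module layout differ); the stand-in server program, the `remote_server.py` filename and the `BOOTSTRAP` string are assumptions. The client starts a python on the remote host whose only job is to read a known number of bytes of source from stdin and exec it; everything after those bytes on the same stdin is the data channel. Nothing touches the remote filesystem, and the server code is always the copy the client just shipped, so the versions can't diverge. For offline use the example runs the same bootstrap under the local interpreter instead of over ssh.

```python
"""Shipping the server-side code over the ssh session instead of installing it.

Added example, not sshuttle's own bootstrap. SERVER_SRC, BOOTSTRAP and the
'remote_server.py' name are constructed for this illustration.
"""
import shlex
import subprocess
import sys

# Stand-in server program (constructed). It must read from sys.stdin.buffer,
# because the bootstrap already consumed its own source from there.
SERVER_SRC = b'''
import sys
VERSION = "example-1"
line = sys.stdin.buffer.readline().decode()
sys.stdout.write("server %s got: %s" % (VERSION, line))
sys.stdout.flush()
'''

# Reads exactly nbytes of source from stdin, compiles and runs it. The byte
# count is what lets the rest of stdin stay free for the data channel.
BOOTSTRAP = ("import sys; "
             "exec(compile(sys.stdin.buffer.read(%d), 'remote_server.py', 'exec'))")


def bootstrap_argv(python, nbytes):
    """argv that runs the bootstrap one-liner under the given interpreter."""
    return [python, "-c", BOOTSTRAP % nbytes]


def remote_command(host, src, python="python"):
    """The ssh command line. ssh joins the remote arguments with spaces and
    hands them to the remote login shell, so the -c program must be shell
    quoted or that shell splits it on spaces and semicolons."""
    interp, dash_c, code = bootstrap_argv(python, len(src))
    return ["ssh", host, interp, dash_c, shlex.quote(code)]


def run_locally(src, channel_data):
    """Offline demonstration: same bootstrap, local interpreter, no ssh.
    stdin carries the source bytes followed by the channel data."""
    argv = bootstrap_argv(sys.executable, len(src))
    proc = subprocess.run(argv, input=src + channel_data,
                          capture_output=True, check=True)
    return proc.stdout.decode()


if __name__ == "__main__":
    print(" ".join(remote_command("me@example.org", SERVER_SRC)))
    print(run_locally(SERVER_SRC, b"hello\n"), end="")
```

Two things to keep in mind when doing this for real: the remote side executes whatever the client sends, so this is exactly as trusted as the ssh login itself (no more, no less), and `sys.stdin.buffer.read(N)` counts bytes, not characters, which is why the source is handled as bytes throughout.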
October 1, 2010 17:55
Although the tour has already begun, I suppose some of my faithful (ha!) readers may be interested to know where this trip has yet to go:
- Theodore Roosevelt Park, ND ("I grow very fond of this place, and it certainly has a desolate, grim beauty of its own, that has a curious fascination for me." - T.R.)
- Black Hills Park, SD (including Mount Rushmore, apparently)
- Yellowstone Park (home of Old Faithful)
- Salt Lake City
- Provo and Orem, UT (founding places of Novell and Wordperfect)
- Bonneville Salt Flats (where the land vehicle world speed record is held: faster than Mach 1!)
- Grand Canyon, AZ
- Las Vegas
- Los Angeles
- San Diego
- Somewhere in Mexico (maybe)
- Mountain View (for GitTogether 2010)
- San Francisco
- Victoria and/or Vancouver
- Saltspring Island
Also if you want a postcard, let me know. No guarantee about which of the above places it will come from. I'm not that good.
October 11, 2010 14:15
- The way you know your processes are working is when you overhear employee number 5 saying, "thank God I got a job early on in this company, because there's no way I could get one now."
I remember hearing that a few times at NITI. It seems like good advice. So is the rest of the article.
October 17, 2010 00:47