Stuffing the stuff

without getting stuffy
Everything here is my opinion. I do not speak for your employer.

2010-10-01 »

sshuttle now works on MacOS

I know there are quite a few people who will be as happy to know this as I was. Thanks to a helpful contributor known only as dkf, I've now added the magic incantation (namely, sysctl -w net.inet.ip.scopedroute=0) that's needed to make ipfw transparent proxying work on MacOS 10.6 Snow Leopard. I don't know what it does, and I don't care! All I know is that sshuttle restores it on exit to whatever its previous value was :)
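The save-and-restore behaviour described above (read the old sysctl value, set the one the tunnel needs, and put the original back on exit even if the process is interrupted) is worth seeing spelled out. The following is an added shell example written for this page; it is not sshuttle's own code. It assumes a BSD-style `sysctl -n`/`sysctl -w` as on MacOS, and the key name `net.inet.ip.scopedroute` from the post; the function names are my own.

```shell
#!/bin/sh
# Added example (not sshuttle's code): save a sysctl value, change it for the
# lifetime of the tunnel, and restore the original on exit or interrupt.

SYSCTL_KEY="${SYSCTL_KEY:-net.inet.ip.scopedroute}"   # key from the post
SAVED_VALUE=""                                        # filled by save_sysctl

# Print the current value of a key (BSD/MacOS sysctl -n prints just the value).
read_sysctl() {
    sysctl -n "$1"
}

# Remember the value that was in place before we touched anything.
save_sysctl() {
    SAVED_VALUE="$(read_sysctl "$SYSCTL_KEY")" || return 1
    return 0
}

# Set the value the transparent proxy needs while the tunnel is up.
set_sysctl() {
    sysctl -w "$SYSCTL_KEY=$1" >/dev/null
}

# Put the original value back. Safe to call more than once, and a no-op
# if save_sysctl never ran (so we never write a bogus empty value).
restore_sysctl() {
    if [ -n "$SAVED_VALUE" ]; then
        sysctl -w "$SYSCTL_KEY=$SAVED_VALUE" >/dev/null
    fi
}

# Arm the restore on normal exit and on the usual signals, so a Ctrl-C or a
# kill does not leave the host with the modified setting.
arm_restore_trap() {
    trap restore_sysctl EXIT INT TERM HUP
}

# Sketch of the tunnel lifecycle; only runs when invoked with --run so the
# functions above can be sourced or tested without touching a real kernel.
main() {
    save_sysctl || { echo "cannot read $SYSCTL_KEY" >&2; exit 1; }
    arm_restore_trap
    set_sysctl 0
    echo "$SYSCTL_KEY was $SAVED_VALUE, now 0; restoring on exit"
    # ... start the proxy here; restore_sysctl fires when this script ends ...
}

if [ "${1:-}" = "--run" ]; then
    main
fi
```

The point of the `trap` is the same one the post makes about sshuttle: the host should look exactly as it did before the tunnel ran, regardless of how the tunnel ended.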

This means you, as well as I, can now use a Macbook to VPN into any network that gives you ssh access. That's a lot more helpful than always having to do it from a Linux VM.

Why sshuttle is awesome

For those who are just joining us, sshuttle provides VPN-like connectivity using a plain ssh connection, without needing root access (and thus the admin's permission) on the server side. Basically, it makes a transparent proxy server on your client that automatically forwards through an ssh tunnel.

Compared to ssh's built-in port forwarding and tunneling and socks mode, sshuttle is better because:

  • it auto-discovers hostnames from the server side and puts them in your /etc/hosts while the tunnel is running.
  • it auto-discovers network routes from the server so you don't have to specify them on the client.
  • it works even if you don't know how to configure socks, and with programs that don't support socks, and you don't have to remember to turn socks on and off when your tunnel comes and goes.
  • you can easily run more than one tunnel at once to more than one remote server (as long as the remote subnets use different IP addresses, of course).
  • the remote admin can't disable it in the sshd configuration.
  • there's a workaround for ssh's tendency to use megabyte-sized tx/rx socket buffers, which result in horrible latency. So you can download a large file and have interactive traffic on the same tunnel, and performance doesn't suck.
  • it doesn't have the random freeze-up bugs that ssh port forwarding does. (Though maybe that's specific to Debian's ssh, and maybe it only happens to me. Nobody has ever corroborated my story that ssh port forwarding freezes ALL THE TIME.)
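The first bullet above, putting server-side hostnames into the client's /etc/hosts for the life of the tunnel, raises the same hygiene question as the sysctl change: the entries have to be added in a way that can be removed cleanly and idempotently. This is an added shell example written for this page, not sshuttle's own implementation. It marks its block with begin/end comment lines so removal never touches the user's own entries, and rewrites the file in place (via `cat >`) so /etc/hosts keeps its inode, owner and mode. `HOSTS_FILE` and the function names are my own.

```shell
#!/bin/sh
# Added example (not sshuttle's code): add and remove a marked block of
# "ip name" lines in the hosts file without disturbing anything else in it.

HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"
BEGIN_MARK="# BEGIN tunnel-hosts (added example)"
END_MARK="# END tunnel-hosts (added example)"

# Delete everything from the begin marker to the end marker, inclusive.
# Writing through "cat > file" rather than "mv" keeps the original inode,
# ownership and permissions of the hosts file.
remove_hosts_block() {
    [ -f "$HOSTS_FILE" ] || return 0
    tmp="$(mktemp)"
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
        $0 == b { skip = 1; next }
        $0 == e { skip = 0; next }
        !skip   { print }
    ' "$HOSTS_FILE" > "$tmp" && cat "$tmp" > "$HOSTS_FILE"
    rm -f "$tmp"
}

# Append a marked block of "ip name" entries read from stdin. Any previous
# block is removed first, so reconnecting never leaves duplicates behind.
add_hosts_block() {
    remove_hosts_block
    {
        printf '%s\n' "$BEGIN_MARK"
        cat
        printf '%s\n' "$END_MARK"
    } >> "$HOSTS_FILE"
}

# Print how many entries are currently inside the marked block.
count_hosts_block() {
    [ -f "$HOSTS_FILE" ] || { echo 0; return 0; }
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
        $0 == b { inblk = 1; next }
        $0 == e { inblk = 0; next }
        inblk && NF >= 2 { n++ }
        END { print n + 0 }
    ' "$HOSTS_FILE"
}
```

Usage would be `printf '10.0.0.5 intranet.example\n' | add_hosts_block` when the tunnel comes up and `remove_hosts_block` from an exit trap, the same pattern as the sysctl restore.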

And although ssh forwarding also has the following, not every VPN package does. It's worth pointing out that sshuttle is awesome because:

  • you get exactly the same level of transport security and key management as ssh (i.e. a lot), because it uses ssh.
  • you don't have to install anything on the server (as long as you have sshd, a shell account, and python). It installs a temporary copy of itself on the server ("internet worm technology"), whenever you connect. There's never a client/server version mismatch.
  • it's astonishingly easy to configure; you don't even need to 'make install'.
  • it elegantly avoids the infamous tcp-over-tcp problem that most tcp-based SSL VPNs have, while still being able to use chained ciphers that udp-based VPNs can't (at least not without incurring a lot of overhead).
  • almost all of it does not run as root (including 100% of the server side).

You can download sshuttle 0.40 from github. Enjoy!

I'm CEO at Tailscale, where we make network problems disappear.


apenwarr on gmail.com