Provided by: sshuttle_0.54-1_all bug


       sshuttle - a transparent proxy-based VPN using ssh


       sshuttle [options...] [-r [username@]sshserver[:port]] <subnets...>


       sshuttle allows you to create a VPN connection from your machine to any remote server that
       you can connect to via ssh, as long as that server has python 2.3 or higher.

       To work, you must have root access on the local machine, but you can have a normal account
       on the server.

       It's  valid  to  run  sshuttle  more  than once simultaneously on a single client machine,
       connecting to a different server every time, so you can be on more than one VPN at once.

       If run on a router, sshuttle can forward traffic for your entire subnet to the VPN.


              a list of subnets to route over  the  VPN,  in  the  form  a.b.c.d[/width].   Valid
              examples  are  (a  single IP address), (equivalent to,
     (a 24-bit subnet, ie.  with a  netmask),  and  0/0  (`just
              route everything through the VPN').

       -l, —listen=[ip:]port
              use  this  ip  address  and  port number as the transparent proxy port.  By default
              sshuttle finds  an  available  port  automatically  and  listens  on  IP
              (localhost),  so  you  don't  need to override it, and connections are only proxied
              from the local  machine,  not  from  outside  machines.   If  you  want  to  accept
              connections  from other machines on your network (ie.  to run sshuttle on a router)
              try enabling IP Forwarding in your kernel, then using --listen

       -H, —auto-hosts
              scan for remote hostnames and  update  the  local  /etc/hosts  file  with  matching
              entries  for as long as the VPN is open.  This is nicer than changing your system's
              DNS (/etc/resolv.conf) settings, for several reasons.  First, hostnames  are  added
              without  domain  names attached, so you can ssh thatserver without worrying if your
              local domain matches the remote one.  Second, if you sshuttle into  more  than  one
              VPN  at a time, it's impossible to use more than one DNS server at once anyway, but
              sshuttle correctly merges /etc/hosts entries between all running copies.  Third, if
              you're  only  routing a few subnets over the VPN, you probably would prefer to keep
              using your local DNS server for everything else.

       -N, —auto-nets
              in addition to the subnets provided on the  command  line,  ask  the  server  which
              subnets  it thinks we should route, and route those automatically.  The suggestions
              are taken automatically from the server's routing table.

       —dns   capture local DNS requests and forward to the remote DNS server.

              specify the name/path of the  remote  python  interpreter.   The  default  is  just
              python,  which  means  to use the default python interpreter on the remote system's

       -r, —remote=[username@]sshserver[:port]
              the remote hostname and optional username and ssh port number to use for connecting
              to   the   remote   server.    For   example,,,
    , or

       -x, —exclude=subnet
              explicitly exclude this subnet from forwarding.  The format of this option  is  the
              same  as  the  <subnets>  option.   To exclude more than one subnet, specify the -x
              option more than once.  You can say something  like  0/0 -x  to  forward
              everything except the local subnet over the VPN, for example.

       -v, —verbose
              print  more  information about the session.  This option can be used more than once
              for increased verbosity.  By default, sshuttle prints only error messages.

       -e, —ssh-cmd
              the command to use to connect to the remote server.  The default is just ssh.   Use
              this  if your ssh client is in a non-standard location or you want to provide extra
              options to the ssh command, for example, -e 'ssh -v'.

              a comma-separated list of hostnames to use  to  initialize  the  --auto-hosts  scan
              algorithm.  --auto-hosts does things like poll local SMB servers for lists of local
              hostnames, but can speed things up if you use this option to give it a few names to
              start from.

              sacrifice  latency  to  improve  bandwidth  benchmarks.  ssh uses really big socket
              buffers, which can overload the connection if you start doing large file transfers,
              thus  making  all  your other sessions inside the same tunnel go slowly.  Normally,
              sshuttle tries to avoid this problem using a “fullness check” that  allows  only  a
              certain amount of outstanding data to be buffered at a time.  But on high-bandwidth
              links, this can leave a  lot  of  your  bandwidth  underutilized.   It  also  makes
              sshuttle  seem  slow  in bandwidth benchmarks (benchmarks rarely test ping latency,
              which is what sshuttle is trying to control).  This  option  disables  the  latency
              control feature, maximizing bandwidth usage.  Use at your own risk.

       -D, —daemon
              automatically  fork  into  the  background  after  connecting to the remote server.
              Implies --syslog.

              after connecting, send all log messages to the syslog(3) service instead of stderr.
              This is implicit if you use --daemon.

              when   using  --daemon,  save  sshuttle's  pid  to  pidfilename.   The  default  is
     in the current directory.

              (internal use only) run the sshuttle server on  stdin/stdout.   This  is  what  the
              client runs on the remote end.

              (internal  use  only)  run the firewall manager.  This is the only part of sshuttle
              that must run as root.   If  you  start  sshuttle  as  a  non-root  user,  it  will
              automatically  run  sudo  or  su  to  start  the  firewall manager, but the core of
              sshuttle still runs as a normal user.

              (internal use only) run the hostwatch daemon.  This process runs on the server side
              and  collects  hostnames  for the --auto-hosts option.  Using this option by itself
              makes it a lot easier to debug and test the --auto-hosts feature.


       Test locally by proxying all local connections, without using ssh:

              $ sshuttle -v 0/0

              Starting sshuttle proxy.
              Listening on ('', 12300).
              [local sudo] Password:
              firewall manager ready.
              c : connecting to server...
               s: available routes:
              c : connected.
              firewall manager: starting transproxy.
              c : Accept: ->
              c : Accept: ->
              firewall manager: undoing changes.
              c : Keyboard interrupt: exiting.
              c : SW#8: deleting
              c : SW#6: deleting

       Test connection to a remote server, with automatic hostname and subnet guessing:

              $ sshuttle -vNHr

              Starting sshuttle proxy.
              Listening on ('', 12300).
              firewall manager ready.
              c : connecting to server...
               s: available routes:
              c : connected.
              c : seed_hosts: []
              firewall manager: starting transproxy.
              hostwatch: Found: testbox1:
              hostwatch: Found: mytest2:
              hostwatch: Found: domaincontroller:
              c : Accept: ->
              firewall manager: undoing changes.
              c : Keyboard interrupt: exiting.
              c : SW#6: deleting


       When it starts, sshuttle creates an ssh session to the server specified by the -r  option.
       If  -r  is  omitted,  it will start both its client and server locally, which is sometimes
       useful for testing.

       After connecting to the remote server, sshuttle uploads its (python) source  code  to  the
       remote  end and executes it there.  Thus, you don't need to install sshuttle on the remote
       server, and there are never sshuttle version conflicts between client and server.

       Unlike most VPNs, sshuttle forwards sessions,  not  packets.   That  is,  it  uses  kernel
       transparent  proxying  (iptables REDIRECT  rules  on  Linux,  or ipfw fwd rules on BSD) to
       capture outgoing TCP sessions, then creates entirely separate  TCP  sessions  out  to  the
       original destination at the other end of the tunnel.

       Packet-level  forwarding (eg.  using the tun/tap devices on Linux) seems elegant at first,
       but it results in several problems, notably the `tcp over tcp' problem.  The tcp  protocol
       depends  fundamentally  on  packets  being  dropped  in  order to implement its congestion
       control agorithm; if you pass tcp packets through a tcp-based tunnel (such  as  ssh),  the
       inner  tcp packets will never be dropped, and so the inner tcp stream's congestion control
       will be completely broken, and performance will  be  terrible.   Thus,  packet-based  VPNs
       (such  as  IPsec  and openvpn) cannot use tcp-based encrypted streams like ssh or ssl, and
       have to implement their own encryption from scratch,  which  is  very  complex  and  error

       sshuttle's  simplicity  comes  from  the  fact  that  it  can  safely use the existing ssh
       encrypted tunnel without incurring a performance penalty.  It does  this  by  letting  the
       client-side  kernel  manage the incoming tcp stream, and the server-side kernel manage the
       outgoing tcp stream; there is no need for congestion control to be shared between the  two
       separate streams, so a tcp-based tunnel is fine.


       On  MacOS 10.6 (at least up to 10.6.6), your network will stop responding about 10 minutes
       after the first time you start sshuttle, because of a MacOS kernel bug relating to arp and
       the  net.inet.ip.scopedroute  sysctl.   To  fix  it, just switch your wireless off and on.
       Sshuttle makes the kernel setting it changes permanent, so this won't happen  again,  even
       after a reboot.


       ssh(1), python(1)


       Avery Pennarun <>.