VPN too complicated? Use an IP-over-SSH tunnel instead

11 July 2012

Sometimes you find yourself in a place where your Mac is safely tucked away behind a firewall. That’s great, but sometimes it is annoying as hell, because you need to access resources over FTP or contact people who are on IRC.

The normal solution would be to set up a VPN with one of your servers elsewhere and connect to the outside world that way. Unfortunately, in all their wisdom, the sys admins have probably closed up the proper ports to access your VPN server as well.

As a last resort you might consider setting up an SSH tunnel for a specific service like this:

ssh -N user@server -L 3306:

But this only works for a single port, and thus a single application. It may help, but it becomes tedious pretty quickly. You also have to rewrite any configuration you had for connecting to the remote host so that it points at localhost, most likely on some strange port.

Luckily for us, there’s this awesome tool called sshuttle.

Sshuttle allows you to set up what’s called IP-over-SSH. Basically it runs a local proxy to a remote server over SSH and changes the routing on your machine to send everything through that proxy.

Besides giving you access to all the services you need, you also encrypt (and so hide) all your traffic between your Mac and the server from the prying eyes of any sys admins on the local network.

Installing sshuttle on your Mac is a breeze:

brew install sshuttle

Then you can set up an IP-over-SSH connection to any remote server you have SSH access to. You’ll need your local admin password in order to set up the routing properly.

sshuttle -r username@server 0/0 -vv

This routes all traffic over the tunnel towards server. Use one of those online IP checkers to see that you’re actually using your server’s IP address.

Later on you may want to swap the -vv verbose option out for -D to run in daemon mode.

The one thing this does not do is DNS. DNS is still done using your locally configured DNS server, mostly for speed.

Not to worry, you can go ‘full stealth’ with the --dns option, which also routes DNS over to the remote server:

sshuttle --dns -r username@server 0/0 -vv

To stop using your IP-over-SSH connection, simply press CTRL-C twice and sshuttle should restore your normal networking connections.

If sshuttle does not restore the connection properly, you can do so manually:

sudo ipfw -q -f flush
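Putting the start, the "check your IP" step and the cleanup together in one script, as an added example that is not part of the original post or of sshuttle itself. The script composes the sshuttle arguments (with or without --dns, with or without a non-standard port), caches the admin password with sudo -v first so the backgrounded sshuttle can set up routing, refuses to report success until the public egress address actually equals the server's, and always tears the tunnel down on exit using the post's flush command. The remote user@server, its public address 203.0.113.5 (RFC 5737 documentation range) and the use of https://ifconfig.me as the online IP checker are all assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): a small wrapper around sshuttle
# that starts the tunnel, verifies the egress IP and cleans up afterwards.
# Assumptions: remote user@server, public IP 203.0.113.5 (constructed,
# RFC 5737 range), https://ifconfig.me as the "online IP checker".

# Compose the sshuttle argument list.
# $1 = ssh target (user@host or user@host:port), $2 = "dns" to add --dns,
# $3 = subnet to route (defaults to 0/0, i.e. everything).
build_sshuttle_args() {
    target=$1
    opts=""
    if [ "${2:-}" = "dns" ]; then opts="--dns "; fi
    printf '%s-r %s %s\n' "$opts" "$target" "${3:-0/0}"
}

# Ask an external service which address our traffic leaves from.
public_ip() {
    curl -s --max-time 5 https://ifconfig.me
}

# Poll a checker command until it reports the expected egress address.
# $1 = expected IP, $2 = command/function that prints the current public IP,
# $3 = number of attempts. Returns 0 on match, 1 if it never matched.
wait_for_egress() {
    expected=$1; checker=$2; tries=${3:-10}
    interval=${EGRESS_POLL_SECS:-1}
    i=0
    while [ "$i" -lt "$tries" ]; do
        current=$("$checker" 2>/dev/null || true)
        if [ "$current" = "$expected" ]; then
            return 0
        fi
        i=$((i + 1))
        if [ "$i" -lt "$tries" ]; then sleep "$interval"; fi
    done
    return 1
}

# Tear the tunnel down: stop sshuttle and, as the post recommends when it
# does not restore networking by itself, flush the firewall rules it added
# (the post's ipfw command, for the OS X of its time).
teardown() {
    if [ -n "${SSHUTTLE_PID:-}" ]; then
        kill "$SSHUTTLE_PID" 2>/dev/null || true
        wait "$SSHUTTLE_PID" 2>/dev/null || true
    fi
    sudo ipfw -q -f flush
}

# Full session: start the tunnel in the background, verify, stay up, clean up.
tunnel_session() {
    target=$1; expected_ip=$2
    sudo -v                      # cache the admin password sshuttle will need
    trap teardown EXIT
    trap 'exit 130' INT TERM     # CTRL-C ends the session; EXIT trap cleans up
    # shellcheck disable=SC2046  # splitting the argument list is intended
    sshuttle $(build_sshuttle_args "$target" dns) -vv &
    SSHUTTLE_PID=$!
    if wait_for_egress "$expected_ip" public_ip 15; then
        echo "tunnel up: traffic leaves via $expected_ip"
        wait "$SSHUTTLE_PID"
    else
        echo "egress IP never changed to $expected_ip; tearing down" >&2
        exit 1
    fi
}

# Only start a real session when asked to (SSHUTTLE_RUN=1), so the functions
# above can be sourced and checked without touching the network.
if [ "${SSHUTTLE_RUN:-}" = 1 ]; then
    tunnel_session "${1:-user@server}" "${2:-203.0.113.5}"
fi
```

Run it as `SSHUTTLE_RUN=1 sh tunnel.sh ariejan@server 203.0.113.5`; if the IP checker never reports the server's address the script exits non-zero and flushes the rules instead of leaving you with a half-working tunnel.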

I’ve already created a few aliases in my ~/.zshrc:

alias tunnel='sshuttle -r ariejan@server 0/0 -vv'
alias tunnel_dns='sshuttle --dns -r ariejan@server 0/0 -vv'
alias reset_tunnel='sudo ipfw -q -f flush'

So, no need to set up complicated VPN contraptions, just use plain old SSH and off you go.

Bonus: you can also connect to a non-standard SSH port, in case port 22 has been blocked in the firewall as well:

sshuttle --dns -r username@server:port 0/0 -vv