Configs · May 13, 2026 · 3 min read

sshuttle — VPN Over SSH Without Root on the Remote Server

sshuttle creates a transparent VPN tunnel through any SSH connection, routing your traffic through the remote host without requiring admin access or a VPN server on the other end.

Introduction

sshuttle turns any SSH server into a VPN gateway. It works by setting up local firewall rules that transparently redirect traffic into an SSH tunnel, with the connections reassembled on the remote side. No VPN software, configuration, or root access is needed on the remote server.

What sshuttle Does

  • Creates a transparent proxy that routes TCP traffic over an existing SSH connection
  • Supports full tunnel (all traffic) or split tunnel (specific subnets only)
  • Handles DNS forwarding to prevent leaks when tunneling all traffic
  • Works with any standard SSH server — no special software on the remote end
  • Automatically configures local iptables/pf rules and cleans up on exit

Architecture Overview

sshuttle runs a small Python assembler on the remote host via SSH, which means the remote account must be able to run Python. Locally, it configures the firewall (iptables on Linux, pf on macOS) to intercept outgoing packets for the specified subnets. Intercepted TCP connections are multiplexed over the SSH channel, reassembled on the remote side, and forwarded as normal connections. This avoids the overhead of a full IP-over-TCP tunnel.

Self-Hosting & Configuration

  • Requires Python 3 and root/sudo locally for firewall manipulation
  • No installation or root needed on the remote server — only a working SSH account
  • Use the --dns flag to also forward DNS queries through the tunnel
  • Exclude specific subnets with -x to keep local network traffic direct
  • Supports SSH config files, ProxyJump, and custom SSH options via -e
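
An added example (not from the sshuttle project or the original page) that turns the flags above into a checked command line: a full tunnel always carries --dns and keeps the listed subnets direct with -x, while a split tunnel routes only the named subnets. The function names, host and subnets are assumptions made for illustration, and the remote check accepts hostname or IPv4 remotes only.

```shell
# Added example, not from the sshuttle project: prints an sshuttle command
# line (dry run) instead of running it. Hosts and subnets are constructed.

# is_cidr ADDR/LEN: succeed only for a well-formed IPv4 CIDR block.
# The body is a subshell, so the IFS change cannot leak to the caller.
is_cidr() (
    case "$1" in
        *[!0-9./]*|*/*/*) exit 1 ;;   # stray characters or two slashes
        */*) ;;
        *) exit 1 ;;                  # no prefix length
    esac
    addr=${1%/*}; len=${1#*/}
    case "$len" in ''|*[!0-9]*) exit 1 ;; esac
    [ "$len" -le 32 ] || exit 1
    IFS=.
    set -- $addr                      # split the address into octets
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || exit 1
    done
)

# sshuttle_cmd MODE REMOTE [SUBNET...]
#   full : route everything, always with --dns; SUBNETs stay direct (-x)
#   split: route only the SUBNETs; DNS stays on the local resolver
sshuttle_cmd() {
    [ $# -ge 2 ] || { echo "usage: sshuttle_cmd MODE REMOTE [SUBNET...]" >&2; return 2; }
    mode=$1; remote=$2; shift 2
    case "$remote" in                 # user@host[:port] only, never an option
        -*|*[!A-Za-z0-9@._:-]*) echo "bad remote: $remote" >&2; return 2 ;;
    esac
    cmd="sshuttle -r $remote"
    case "$mode" in
        full)  flag="-x"; cmd="$cmd --dns" ;;
        split) flag=""
               [ $# -gt 0 ] || { echo "split mode needs a subnet" >&2; return 2; } ;;
        *)     echo "mode must be full or split" >&2; return 2 ;;
    esac
    for net in "$@"; do
        is_cidr "$net" || { echo "bad subnet: $net" >&2; return 2; }
        cmd="$cmd${flag:+ $flag} $net"
    done
    [ "$mode" != full ] || cmd="$cmd 0.0.0.0/0"
    echo "$cmd"
}

# Constructed sample calls
sshuttle_cmd full  admin@bastion.example.com 192.168.1.0/24
sshuttle_cmd split admin@bastion.example.com 10.20.0.0/16 10.30.5.0/24
```

Because sshuttle needs root locally to change firewall rules, validating the remote and each subnet before the command is assembled keeps stray options or shell metacharacters out of a privileged invocation.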

Key Features

  • Zero setup on the remote server — works with any SSH access
  • Transparent routing at the firewall level, no SOCKS proxy config needed
  • Split tunneling for selective subnet routing
  • DNS leak prevention with the --dns flag
  • Lightweight Python implementation with no compiled dependencies

Comparison with Similar Tools

  • WireGuard — faster and handles UDP; requires server-side installation and key exchange
  • OpenVPN — full-featured VPN with broader protocol support; requires server setup and certificates
  • Tailscale — mesh VPN with identity-based access; requires account signup and client on both ends
  • SSH SOCKS proxy — simpler but requires per-application proxy configuration; sshuttle is transparent

FAQ

Q: Does sshuttle tunnel UDP traffic? A: No. sshuttle tunnels TCP and optionally DNS. For full UDP support, use a dedicated VPN like WireGuard.

Q: Will it work on macOS? A: Yes. sshuttle supports macOS using the built-in pf firewall. Install via Homebrew.

Q: Does the remote server need root access? A: No. sshuttle only needs a regular SSH login on the remote side. Root is needed locally to set up firewall rules.

Q: Can I use it with SSH key authentication? A: Yes. It respects your SSH config, keys, and agent forwarding just like a normal SSH connection.
