惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

SecWiki News
SecWiki News
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
V
Visual Studio Blog
博客园 - 叶小钗
S
SegmentFault 最新的问题
IT之家
IT之家
大猫的无限游戏
大猫的无限游戏
博客园_首页
Apple Machine Learning Research
Apple Machine Learning Research
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
月光博客
月光博客
酷 壳 – CoolShell
酷 壳 – CoolShell
腾讯CDC
D
Darknet – Hacking Tools, Hacker News & Cyber Security
V
V2EX
阮一峰的网络日志
阮一峰的网络日志
L
Lohrmann on Cybersecurity
量子位
C
Cyber Attacks, Cyber Crime and Cyber Security
T
Tor Project blog
J
Java Code Geeks
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
博客园 - 三生石上(FineUI控件)
Attack and Defense Labs
Attack and Defense Labs
AI
AI
The Cloudflare Blog
T
Tailwind CSS Blog
S
Schneier on Security
爱范儿
爱范儿
PCI Perspectives
PCI Perspectives
Stack Overflow Blog
Stack Overflow Blog
S
Secure Thoughts
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
T
The Exploit Database - CXSecurity.com
博客园 - 【当耐特】
V2EX - 技术
V2EX - 技术
S
Securelist
P
Proofpoint News Feed
T
Threat Research - Cisco Blogs
Help Net Security
Help Net Security
C
Cisco Blogs
N
News and Events Feed by Topic
人人都是产品经理
人人都是产品经理
B
Blog RSS Feed
K
Kaspersky official blog
T
The Blog of Author Tim Ferriss
G
Google Developers Blog
S
Security Affairs
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Simon Willison's Weblog
Simon Willison's Weblog

TerminalBytes

Reverse Engineering the iPod Classic Sanctuary: the browser-based Kindle jailbreak | TerminalBytes Steam Machine alternatives: mini PCs that game for less | TerminalBytes Oracle Cloud free tier 2026: 4 OCPU/24GB cut to 2 OCPU/12GB | TerminalBytes Run Gemma 4 on a mini PC, no GPU required My Arduino spins faster when Claude burns more tokens Kindle dashboard: 3 ways to build one in 2026 Best mini PC for local LLMs in 2026 (Strix Halo era) You Don't Need a Mac Mini to Run OpenClaw The Self-Hosting Revolution Powered by Mini PCs SoundLeaf: Beautiful iOS Client App for Audiobookshelf My iPhone 8 Refuses to Die: Now It's a Solar-Powered Vision OCR Server Homelab: Hosting multiple Game Servers on a Single Mini PC Reviving an Old Kindle Paperwhite 7th Gen The Ultimate Guide to Running a Minecraft Server on a Mini PC Best Mini PCs for Home Lab 2025: NUC vs Beelink vs ThinkCentre Setting Up a Robust PostgreSQL High-Availability Cluster on Azure How to Create Your Own Free VPN Server Using Oracle Cloud (2025 Guide) Set Up a Free Minecraft PE Server Using Oracle Cloud in 2025 Kubernetes at Home - From Docker Compose to K3s Prompt Engineering for ChatGPT and GPT-4 (Practical Guide) Create Your Own Minecraft PE Server for Free Scalable Node.js Backend Without Express, Koa, or Hapi How to Use GeForce Now in India (VPN and Cloud Workarounds) Azure AD as an Identity Provider for AWS Cognito Free WordPress Blog with Custom Domain on Google Cloud Raspberry Pi Temperature and Humidity Monitor with Grafana Raspberry Pi Setup Without a Monitor, Keyboard, or Mouse 6 Common Linux Commands for System Monitoring Basic Linux Commands for File Manipulation and Compression Basic Linux Commands For Text Manipulation Top 10 Linux Commands Of All Time
sshuttle - A Free VPN Over SSH for Cheap, Private Browsing
Hemant Kumar · 2020-04-23 · via TerminalBytes

So here’s the thing. I’ve paid for VPN subscriptions before. ExpressVPN, Mullvad, the usual suspects. They’re fine, but every time I look at the renewal email I think about the fact that I’m paying $10 a month to route my traffic through a company that, ultimately, I have to trust on faith. Worse, when I just need a tunnel for a single afternoon, paying for a year of a VPN feels silly.

sshuttle is the tool I reach for instead. It turns any SSH server you already have into a working VPN. Five minutes to set up, $0/month if you have an existing VPS, and you’re routing your traffic through a machine you actually control.

sshuttle VPN over SSH terminal demo showing public IP changing

TL;DR: install sshuttle on your laptop, run sshuttle -r user@your-vps 0.0.0.0/0 --dns, done. Your laptop’s traffic now exits at the VPS.

What sshuttle actually does (and what it doesn’t)

sshuttle is a transparent proxy that runs on your laptop, captures outbound TCP connections (and optionally DNS), and forwards them through an SSH tunnel to a remote machine where they exit to the internet. From a user perspective, it behaves like a VPN: every site you visit sees the IP address of the SSH server, not your laptop. The connection itself is encrypted because it’s riding over SSH.

What it isn’t: a layer-3 VPN. sshuttle doesn’t route arbitrary IP traffic, it specifically forwards TCP and DNS. UDP and ICMP don’t go through the tunnel by default (recent versions can forward UDP with --udp, but it’s slower than a real VPN). For 95% of normal use (HTTPS, SSH, IMAP, DNS), this is invisible. For online gaming, voice calls, or BitTorrent, you’ll want a real VPN like WireGuard.

What you get in exchange for the limitations:

  • Zero server-side install. As long as Python 3 is on the remote, sshuttle works. No daemon to set up, no firewall holes to punch.
  • No root on the remote. sshuttle only needs root locally to install the routing rules; the remote side runs as whatever user you SSH in as.
  • Cross-platform clients: Linux, macOS, FreeBSD. Windows works via WSL.
  • Per-subnet routing. You can tunnel only specific subnets (e.g. just your office network), leaving the rest of your traffic on the local route.

The full list of advantages and the source code is on the sshuttle GitHub repo, maintained by Avery Pennarun and a healthy crowd of contributors.

Installing sshuttle on your laptop

The package is in every major distro and on Homebrew. Pick whichever line matches your OS.

# Ubuntu / Debian
sudo apt install sshuttle

# macOS
brew install sshuttle

# Arch Linux
sudo pacman -S sshuttle

# Fedora
sudo dnf install sshuttle

# NixOS
nix-env -iA nixos.sshuttle

# Or via pip if you want the latest from PyPI
sudo pip3 install sshuttle

# From source (if you want the bleeding edge)
git clone https://github.com/sshuttle/sshuttle.git
cd sshuttle
sudo ./setup.py install

Verify the install: sshuttle --version. The remote side needs nothing pre-installed beyond Python 3 (which ships on every modern Linux server, every macOS, and every BSD). sshuttle ships its server-side code over the SSH connection on first run.

Connecting and routing all traffic

The simplest, most useful command is this:

sshuttle -r user@your-vps-ip 0.0.0.0/0 --dns

What each part means:

  • -r user@your-vps-ip: the SSH connection string. Just like ssh user@host. If you have a ~/.ssh/config entry for the host, you can use the short name.
  • 0.0.0.0/0: the subnet to route through the tunnel. 0.0.0.0/0 means “everything”, i.e. full VPN mode. You can pass multiple subnets to route only specific traffic.
  • --dns: also tunnel DNS queries. Without this, your laptop’s DNS still goes through your local resolver (your ISP), which leaks the names of every site you visit. Almost always include this flag.

You’ll be prompted for sudo because sshuttle needs root locally to install routing rules. Once the tunnel is up, run curl ifconfig.me and you should see your VPS’s public IP, not your laptop’s.

# Before sshuttle is running
$ curl -s ifconfig.me
203.0.113.42      # ← your home IP

# After sshuttle is connected
$ curl -s ifconfig.me
198.51.100.7      # ← your VPS's IP

To stop the tunnel, hit Ctrl-C in the terminal where it’s running. sshuttle cleans up its routing rules on exit.

The flags I actually use

The man page has dozens of flags. These are the four I touch regularly.

# Verbose output (great for debugging)
sshuttle -r user@vps 0.0.0.0/0 --dns -v

# Run in the background (daemon mode)
sshuttle -D -r user@vps 0.0.0.0/0 --dns

# Tunnel only specific subnets (everything else stays on your local route)
sshuttle -r user@vps 10.0.0.0/8 192.168.50.0/24

# Exclude a subnet (useful if you want everything BUT your local LAN tunneled)
sshuttle -r user@vps 0.0.0.0/0 -x 192.168.0.0/16 --dns

The -x (exclude) flag is the one I use most. With 0.0.0.0/0 -x 192.168.0.0/16, all my internet traffic goes through the VPS but my laptop can still reach my home server, printer, and Pi at their LAN addresses. Without this, those local devices become unreachable while the VPN is active.

For daemon mode, -D runs sshuttle in the background and writes its PID to /var/run/sshuttle.pid. To stop it: sudo kill $(cat /var/run/sshuttle.pid).

Making it one keystroke: an alias

If you use the same VPN endpoint regularly, dropping the full command into your shell config is the obvious quality-of-life upgrade.

# In ~/.zshrc or ~/.bashrc
alias vpn='sudo sshuttle -r user@vps 0.0.0.0/0 -x 192.168.0.0/16 --dns -v'

Now vpn (and your sudo password) is all it takes to get tunneled. I’ve had this aliased on every laptop I’ve owned for the last four years.

A second alias I keep, for travel: a “vpn-status” check that confirms my exit IP and DNS are actually going through the tunnel.

alias vpn-status='echo "Public IP: $(curl -s ifconfig.me)"; echo "DNS resolver: $(dig +short whoami.akamai.net @resolver1.opendns.com)"'

If the public IP is the VPS’s and the DNS resolver IP is also from the VPS region, the tunnel is working as expected.

Where to host the SSH endpoint

You need a server somewhere. Three sensible options.

A free-tier cloud VM. AWS, Google Cloud, and Oracle Cloud all offer always-free instances with enough monthly bandwidth (15GB-100GB) to use sshuttle casually. I’ve covered the Google Cloud free-tier setup before; the same VM you use for a blog can double as your VPN endpoint.

A cheap VPS. LowEndBox tracks deals across small VPS providers; you can find KVM instances with 1GB RAM, 2TB bandwidth, and a public IPv4 for around $25/year. That’s $2/month for a machine you fully control. Pay with crypto if you care about not being linkable to the IP.

Your own home server. The catch here is that your “VPN” is just routing your laptop’s traffic through your home internet, which doesn’t help if you’re trying to bypass geo-blocking or hide your home IP. But if your goal is access to your home network from a coffee shop, this is the perfect setup. SSH home, sshuttle your laptop’s traffic to your home LAN, done.

I love sshuttle, but it’s not a universal answer.

Use a real VPN if: you need UDP forwarding for games or VoIP; you need split-tunneling controlled by a config file rather than command-line subnets; you’re routing a whole household’s traffic, not a single laptop; or you’re operating somewhere sshuttle’s SSH-based traffic patterns might be flagged (some restrictive networks DPI-detect long-lived SSH sessions).

Use Tor if: anonymity is the actual goal. sshuttle hides your traffic from your local network, but the VPS operator (and your VPS provider) can still see what you’re doing. Tor adds layers of indirection that no VPN replaces.

Use a proxy if: you only need to tunnel a single application. Most browsers, IDEs, and dev tools accept SOCKS proxies natively. ssh -D 1080 user@vps opens a SOCKS5 proxy on localhost:1080 with no extra software. Set your browser to use it. Done.

For everything else, like the “I’m at a coffee shop and want my traffic to exit somewhere I trust” case, sshuttle is hard to beat.

Frequently asked questions

Is sshuttle as secure as a real VPN?

For confidentiality against a local network attacker, yes; SSH’s encryption is well-established and the tunnel is end-to-end. For privacy from the SSH server’s operator (you, presumably), exactly as much as your VPS provider lets it be. WireGuard or OpenVPN run in kernel space and have a smaller attack surface than sshuttle’s userspace approach, but neither difference matters for typical “I want to use public Wi-Fi safely” use cases.

Does it work on Windows?

Not natively. The userspace approach to packet capture relies on Linux/macOS-specific networking primitives. The official answer is “use WSL2 with the Linux build”. For native Windows VPN, look at WireGuard or Tailscale instead.

Can I run sshuttle on a phone?

No, and this is the gap that keeps me using a real VPN occasionally. If your goal is mobile-device coverage, run WireGuard on the same VPS and let the phone speak that protocol. Use sshuttle for the laptop, WireGuard for the phone, both pointing at the same server. That’s my actual setup.

Why doesn’t my LAN work after I connect sshuttle?

Because 0.0.0.0/0 includes your local LAN subnet, so traffic to your home printer or NAS goes out the tunnel and gets dropped. Add -x 192.168.0.0/16 (or whatever your home subnet is) to exclude it.

How much bandwidth does sshuttle add?

The SSH overhead is roughly 5-10% on top of your traffic, mostly from packet framing. The bigger limit in practice is your VPS’s network speed and bandwidth allowance. A $25/year VPS with 2TB monthly bandwidth handles weeks of full-time use without coming close to the cap. If you’re heavy on streaming video, double-check the VPS’s listed transfer cap before you commit to a year.

Will my ISP know I’m using a VPN?

They’ll see SSH traffic going to your VPS’s IP. They won’t see what’s inside the tunnel. To a casual observer (and most ISPs at typical residential service levels), the traffic looks like a long-running SSH session, which is unremarkable for anyone who works in tech. Sophisticated DPI can flag long-lived encrypted tunnels, but even then they can’t see the content. If your threat model is “ISP shouldn’t see which sites I visit”, sshuttle solves it; if it’s “ISP shouldn’t even know I’m tunneling”, you want something obfuscated like Shadowsocks or a Tor bridge.

If sshuttle got you most of the way, the headless Raspberry Pi setup shows you how to turn a $35 Pi into your own home-side endpoint, and the common Linux commands for system monitoring cover what to run on the VPS when something feels slow.

  • tb

Last updated: September 2024