Sshuttle
Sshuttle creates a transparent proxy server over SSH connection, allowing access to remote networks as if they were local.Used for internal network pivoting and access without traditional VPN setup.
Installation
# Debian/Ubuntu
sudo apt install sshuttle
# Kali Linux (pre-installed)
which sshuttle
# macOS
brew install sshuttle
# Python pip (universal)
sudo pip install sshuttle
# Build from source
git clone https://github.com/sshuttle/sshuttle.git
cd sshuttle && python setup.py installBasic Usage
| Command | Description |
|---|---|
sshuttle -r user@host 10.0.0.0/8 | Tunnel 10.0.0.0/8 subnet via SSH |
sshuttle -r user@host 0.0.0.0/0 | Tunnel all traffic (full VPN) |
sshuttle -r user@host -x host.local 10.0.0.0/8 | Exclude specific IP |
sshuttle --help | Show help information |
Common Subnet Routes
# Class A private network
sshuttle -r user@host 10.0.0.0/8
# Class B private network
sshuttle -r user@host 172.16.0.0/12
# Class C private network
sshuttle -r user@host 192.168.0.0/16
# All traffic (requires sudo)
sudo sshuttle -r user@host 0.0.0.0/0
# Multiple subnets
sshuttle -r user@host 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
# Specific network with DNS
sshuttle -r user@host --dns 10.0.0.0/8Advanced Options
# Enable DNS resolution
sshuttle -r user@host --dns 10.0.0.0/8
# Custom SSH port
sshuttle -r user@host:2222 10.0.0.0/8
# SSH with key file
sshuttle -r user@host -e ssh -i /path/to/key 10.0.0.0/8
# SSH with specific options
sshuttle -r user@host -e 'ssh -o StrictHostKeyChecking=no' 10.0.0.0/8
# Verbose output
sshuttle -r user@host -v 10.0.0.0/8
# Very verbose
sshuttle -r user@host -vv 10.0.0.0/8
# Debug mode
sshuttle -r user@host -d 10.0.0.0/8Traffic Control
# Exclude specific hosts
sshuttle -r user@host -x 8.8.8.8 10.0.0.0/8
# Exclude multiple hosts
sshuttle -r user@host -x 8.8.8.8 -x 1.1.1.1 10.0.0.0/8
# Exclude local network
sshuttle -r user@host -x 192.168.1.0/24 10.0.0.0/8
# Exclude and include
sshuttle -r user@host -x 10.1.0.0/16 10.0.0.0/8
# Don't use /etc/hosts
sshuttle -r user@host --no-latency-control 10.0.0.0/8
# Latency optimization (slower)
sshuttle -r user@host --latency-control 10.0.0.0/8DNS Configuration
# Use SSH host DNS
sshuttle -r user@host --dns 10.0.0.0/8
# Specify nameserver
sshuttle -r user@host --dns-server 10.1.1.1 10.0.0.0/8
# Use remote DNS with fallback
sshuttle -r user@host --dns --dns-server 8.8.8.8 10.0.0.0/8
# Don't touch /etc/resolv.conf
sshuttle -r user@host -n 10.0.0.0/8Python and Method Selection
# Use Python 3
sshuttle -r user@host --python python3 10.0.0.0/8
# Use specific method (tun, nat, pf, ipfw)
sshuttle -r user@host -M tun 10.0.0.0/8
# Method nat (Linux)
sshuttle -r user@host -M nat 10.0.0.0/8
# Method pf (macOS/BSD)
sshuttle -r user@host -M pf 10.0.0.0/8
# List available methods
sshuttle --help | grep -i methodPractical Pentesting Scenarios
Access Internal Network
# Access 192.168.0.0/16 via jumpbox
sshuttle -r jumpbox 192.168.0.0/16
# Now browse internal servers transparently
firefox http://192.168.1.50Full Network Access with DNS
# Route all traffic and use remote DNS
sudo sshuttle -r user@jumphost --dns 0.0.0.0/0
# Can now access internal hosts by name
ssh user@internal-host.localMultiple Network Pivoting
# Access multiple internal networks through single pivot
sshuttle -r attacker@compromised 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
# All three subnets now accessible transparentlyBypass Egress Filtering
# Routes restricted traffic through SSH tunnel
sshuttle -r user@host 8.8.8.0/24 1.1.1.0/24
# Traffic appears to come from target instead of attackerTroubleshooting
# Connection refused
sshuttle -r user@host -vv 10.0.0.0/8
# Check SSH connectivity first
ssh -v user@host echo "test"
# Verify routing
ip route | grep 10.
# Flush rules if stuck
sudo sshuttle -r user@host -x host 10.0.0.0/8 --stop
# Kill stuck process
pkill -f sshuttle
# Check iptables (Linux)
sudo iptables -L -t nat
# Check open connections
sudo netstat -tulpn | grep sshuttleAdvanced Networking
Custom SSH Options
# SSH with proxy jump
sshuttle -r user@final-host -e 'ssh -J user@jumphost' 10.0.0.0/8
# SSH with specific cipher (slow networks)
sshuttle -r user@host -e 'ssh -c aes128-ctr' 10.0.0.0/8
# Disable host key checking
sshuttle -r user@host -e 'ssh -o StrictHostKeyChecking=no' 10.0.0.0/8
# Compression enabled
sshuttle -r user@host -e 'ssh -C' 10.0.0.0/8Performance Tuning
# Reduce latency overhead
sshuttle -r user@host --latency-control 10.0.0.0/8
# Faster but higher latency
sshuttle -r user@host --no-latency-control 10.0.0.0/8
# Set buffer size
sshuttle -r user@host --syslog 10.0.0.0/8Daemonizing
# Run in background
sshuttle -r user@host -D 10.0.0.0/8
# With process ID output
sshuttle -r user@host -D -v 10.0.0.0/8
# Stop daemon
sshuttle -r user@host --stop
# Check running instances
ps aux | grep sshuttleLimitations
- Requires SSH access to remote host
- No UDP support (DNS works via TCP)
- Requires root/admin privileges (on most OSes)
- Higher latency than native VPN
- Single threaded by default
- Not suitable for high-bandwidth requirements
Last updated: March 2026