-------------------------------------------------------------------------------
SSHuttle - pseudo VPN server via ssh link.

This does NOT use any 'tun' device or 'route' tables.  It works by setting up
firewall redirections to the running program, which then sends 'sessions' to
the remote ssh account side of the program.  This in many ways makes this
networking solution easier, though also more difficult to change on the fly.

For example, to set up a connection that only sends packets for the subnets
172.16.0.0 and 10.0.0.0 to the remote service, and redirects DNS requests to
the internal network...  The 192.168.0.0 subnet is the local subnet
containing a local DNS (router).

  SSH_CMD=ssh                           # the ssh command to use
  SSH_ACCT=remote_ssh_acct              # ssh account to tunnel through
  DNS_HOST=192.168.1.1                  # DNS requests that normally go here...
  DNS_DEST=172.16.1.10                  # ...are redirected to this DNS
  NETWORKS='172.16.0.0/12 10.0.0.0/8'   # Griffith Networks only
  PIDFILE=$HOME/.shuttle.pid            # sshuttle daemon pid in this file

  echo "Starting sshuttle pseudo-VPN"
  sshuttle -D --pidfile="$PIDFILE" \
      --dns --ns-hosts="$DNS_HOST" --to-ns="$DNS_DEST" \
      --ssh-cmd="$SSH_CMD" --remote="$SSH_ACCT" \
      $NETWORKS                         # unquoted on purpose: one argument per subnet

-------------------------------------------------------------------------------
How it works...

SSHuttle will ssh to the given machine and send it a python script to run to
handle the remote end.  Pseudo-code ssh command used (quote escapes removed)...

  ssh remote_ssh_account -- '
    /bin/sh -c '
      P=python3; $P -V 2>/dev/null || P=python;
      exec "$P" -c '
        import sys, os; verbosity=0;
        sys.stdin = os.fdopen(0, "rb");
        exec(compile(sys.stdin.read(1486), "assembler.py", "exec"))'
    '
  '

You can see these being set up by using a --verbose option instead of -D.

It creates a local port '12300' to receive the requests, which it then sends
down the SSH link to the remote python program.

  tcp ip daddr 172.16.0.0/12 redirect to :12300
  tcp ip daddr 10.0.0.0/8 redirect to :12300

And a port 12299 for the DNS handler...

  udp ip daddr 192.168.1.1 udp dport 53 redirect to :12299
  udp ip daddr 127.0.0.53 udp dport 53 redirect to :12299

More precisely....

  iptables -t nat -N sshuttle-12300
  iptables -t nat -F sshuttle-12300
  iptables -t nat -I OUTPUT 1 -j sshuttle-12300
  iptables -t nat -I PREROUTING 1 -j sshuttle-12300
  iptables -t nat -A sshuttle-12300 -j RETURN -m ttl --ttl 63
  iptables -t nat -A sshuttle-12300 -j REDIRECT \
      --dest 192.168.1.1/32 -p udp --dport 53 --to-ports 12299
  iptables -t nat -A sshuttle-12300 -j REDIRECT \
      --dest 127.0.0.53/32 -p udp --dport 53 --to-ports 12299
  iptables -t nat -A sshuttle-12300 -j RETURN -m addrtype --dst-type LOCAL
  iptables -t nat -A sshuttle-12300 -j RETURN \
      --dest 127.0.0.1/32 -p tcp
  iptables -t nat -A sshuttle-12300 -j REDIRECT \
      --dest 172.16.0.0/12 -p tcp --to-ports 12300
  iptables -t nat -A sshuttle-12300 -j REDIRECT \
      --dest 10.0.0.0/8 -p tcp --to-ports 12300

Note the order: the RETURN rules (TTL 63 for sshuttle's own outgoing packets,
local destinations, loopback tcp) sit above the REDIRECT rules, and only the
configured subnets are redirected.

And take down is easy with...

  iptables -t nat -D OUTPUT -j sshuttle-12300
  iptables -t nat -D PREROUTING -j sshuttle-12300
  iptables -t nat -F sshuttle-12300
  iptables -t nat -X sshuttle-12300
-------------------------------------------------------------------------------
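As an added illustration (my own code, not part of these notes or of sshuttle), the Python below rebuilds the iptables chain listed above from the same NETWORKS / DNS_HOST style settings, and audits an 'iptables -t nat -S sshuttle-12300' listing for the two properties that matter: the TTL-63 RETURN sits above every REDIRECT, and only the configured subnets are redirected. The listing is a constructed sample; the 127.0.0.53 stub resolver is assumed to come from /etc/resolv.conf, as in the rules above.

```python
import ipaddress

def sshuttle_nat_rules(networks, dns_hosts, tcp_port=12300, dns_port=12299):
    """Rebuild, in install order, the nat-table commands the notes list above.
    Order matters: the RETURN rules must sit above the REDIRECT rules."""
    chain, nat = f"sshuttle-{tcp_port}", "iptables -t nat"
    rules = [f"{nat} -N {chain}", f"{nat} -F {chain}",
             f"{nat} -I OUTPUT 1 -j {chain}", f"{nat} -I PREROUTING 1 -j {chain}",
             # sshuttle sends its own packets with TTL 63 so they bypass the chain (no redirect loop)
             f"{nat} -A {chain} -j RETURN -m ttl --ttl 63"]
    for host in dns_hosts:  # resolvers whose port-53 queries go to the UDP DNS handler
        rules.append(f"{nat} -A {chain} -j REDIRECT --dest {host}/32 -p udp --dport 53 --to-ports {dns_port}")
    rules += [f"{nat} -A {chain} -j RETURN -m addrtype --dst-type LOCAL",  # leave local traffic alone
              f"{nat} -A {chain} -j RETURN --dest 127.0.0.1/32 -p tcp"]
    for net in networks:    # only the configured subnets are captured
        rules.append(f"{nat} -A {chain} -j REDIRECT --dest {ipaddress.ip_network(net)} -p tcp --to-ports {tcp_port}")
    return rules

def audit_chain(listing, allowed_networks):
    """Check 'iptables -t nat -S sshuttle-<port>' output: every TCP REDIRECT must target
    an allowed subnet, and the TTL-63 RETURN must precede any REDIRECT."""
    allowed = [ipaddress.ip_network(n) for n in allowed_networks]
    problems, ttl_return_seen = [], False
    for line in listing.splitlines():
        tok = line.split()
        if not tok or tok[0] != "-A":
            continue
        # crude option map: each '-x'/'--xx' token paired with the token that follows it
        opt = {tok[i]: tok[i + 1] for i in range(len(tok) - 1) if tok[i].startswith("-")}
        if opt.get("-j") == "RETURN" and ("--ttl-eq" in opt or "--ttl" in opt):
            ttl_return_seen = True
        if opt.get("-j") == "REDIRECT" and opt.get("-p") == "tcp":
            if not ttl_return_seen:
                problems.append(f"REDIRECT before the TTL-63 RETURN (loop risk): {line}")
            dest = ipaddress.ip_network(opt.get("-d", "0.0.0.0/0"))  # no -d means 'any destination'
            if not any(dest.subnet_of(a) for a in allowed):
                problems.append(f"REDIRECT outside the configured subnets: {dest}")
    return problems

# Constructed sample of 'iptables -t nat -S sshuttle-12300' output for the config in the notes.
SAMPLE_LISTING = """\
-N sshuttle-12300
-A sshuttle-12300 -m ttl --ttl-eq 63 -j RETURN
-A sshuttle-12300 -d 192.168.1.1/32 -p udp -m udp --dport 53 -j REDIRECT --to-ports 12299
-A sshuttle-12300 -m addrtype --dst-type LOCAL -j RETURN
-A sshuttle-12300 -d 127.0.0.1/32 -p tcp -j RETURN
-A sshuttle-12300 -d 172.16.0.0/12 -p tcp -j REDIRECT --to-ports 12300
-A sshuttle-12300 -d 10.0.0.0/8 -p tcp -j REDIRECT --to-ports 12300
"""
```

Run audit_chain() on the real listing from a host (sudo iptables -t nat -S sshuttle-12300) to confirm the chain only captures the subnets you configured; an empty result means it looks right.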