@@ -26,89 +26,6 @@ common case:
2626 TCP-over-TCP, which has terrible performance (see below).
2727
2828
29- Client side Requirements
30- ------------------------
31-
32- - sudo, or root access on your client machine.
33- (The server doesn't need admin access.)
34- - Python 2.7 or Python 3.5.
35-
36- +-------+--------+------------+-----------------------------------------------+
37- | OS | Method | Features | Requirements |
38- +=======+========+============+===============================================+
39- | Linux | NAT | * IPv4 TCP + iptables DNAT, REDIRECT, and ttl modules. |
40- + +--------+------------+-----------------------------------------------+
41- | | TPROXY | * IPv4 TCP + Linux with TPROXY support. |
42- | | | * IPv4 UDP + Python 3.5 preferred (see below). |
43- | | | * IPv6 TCP + Python 2 may require PyXAPI _ (see below). |
44- | | | * IPv6 UDP + |
45- +-------+--------+------------+-----------------------------------------------+
46- | MacOS | PF | * IPv4 TCP + You need to have the pfctl command. |
47- +-------+--------+------------+-----------------------------------------------+
48-
49- .. _PyXAPI : http://www.pps.univ-paris-diderot.fr/~ylg/PyXAPI/
50-
51- Server side Requirements
52- ------------------------
53- Python 2.7 or Python 3.5.
54-
55-
56- Additional Suggested Software
57- -----------------------------
58-
59- - You may want to use autossh, available in various package management
60- systems
61-
62-
63- Additional information for TPROXY
64- ---------------------------------
65- TPROXY is the only method that supports full support of IPv6 and UDP.
66-
67- Full UDP or DNS support with the TPROXY method requires the ``recvmsg() ``
68- syscall. This is not available in Python 2, however is in Python 3.5 and
69- later. Under Python 2 you might find it sufficient installing PyXAPI _ to get
70- the ``recvmsg() `` function.
71-
72- There are some things you need to consider for TPROXY to work:
73-
74- - The following commands need to be run first as root. This only needs to be
75- done once after booting up::
76-
77- ip route add local default dev lo table 100
78- ip rule add fwmark 1 lookup 100
79- ip -6 route add local default dev lo table 100
80- ip -6 rule add fwmark 1 lookup 100
81-
82- - The ``--auto-nets `` feature does not detect IPv6 routes automatically. Add IPv6
83- routes manually. e.g. by adding ``'::/0' `` to the end of the command line.
84-
85- - The client needs to be run as root. e.g.::
86-
87- sudo SSH_AUTH_SOCK="$SSH_AUTH_SOCK" $HOME/tree/sshuttle.tproxy/sshuttle --method=tproxy ...
88-
89- - You may need to exclude the IP address of the server you are connecting to.
90- Otherwise sshuttle may attempt to intercept the ssh packets, which will not
91- work. Use the ``--exclude `` parameter for this.
92-
93- - Similarly, UDP return packets (including DNS) could get intercepted and
94- bounced back. This is the case if you have a broad subnet such as
95- ``0.0.0.0/0 `` or ``::/0 `` that includes the IP address of the client. Use the
96- ``--exclude `` parameter for this.
97-
98- - You need the ``--method=tproxy `` parameter, as above.
99-
100- - The routes for the outgoing packets must already exist. For example, if your
101- connection does not have IPv6 support, no IPv6 routes will exist, IPv6
102- packets will not be generated and sshuttle cannot intercept them::
103-
104- telnet -6 www.google.com 80
105- Trying 2404:6800:4001:805::1010...
106- telnet: Unable to connect to remote host: Network is unreachable
107-
108- Add some dummy routes to external interfaces. Make sure they get removed
109- however after sshuttle exits.
110-
111-
11229Obtaining sshuttle
11330------------------
11431
@@ -122,145 +39,9 @@ Obtaining sshuttle
12239 ./setup.py install
12340
12441
125- Usage
126- -----
127-
128- - Forward all traffic::
129-
130- sshuttle -r username@sshserver 0.0.0.0/0
131-
132- - By default sshuttle will automatically choose a method to use. Override with
133- the ``--method= `` parameter.
134-
135- - There is a shortcut for 0.0.0.0/0 for those that value
136- their wrists::
137-
138- sshuttle -r username@sshserver 0/0
139-
140- - If you would also like your DNS queries to be proxied
141- through the DNS server of the server you are connect to::
142-
143- sshuttle --dns -r username@sshserver 0/0
144-
145- The above is probably what you want to use to prevent
146- local network attacks such as Firesheep and friends.
147-
148- (You may be prompted for one or more passwords; first, the local password to
149- become root using sudo, and then the remote ssh password. Or you might have
150- sudo and ssh set up to not require passwords, in which case you won't be
151- prompted at all.)
152-
153-
154- Usage Notes
155- -----------
156-
157- That's it! Now your local machine can access the remote network as if you
158- were right there. And if your "client" machine is a router, everyone on
159- your local network can make connections to your remote network.
160-
161- You don't need to install sshuttle on the remote server;
162- the remote server just needs to have python available.
163- sshuttle will automatically upload and run its source code
164- to the remote python interpreter.
165-
166- This creates a transparent proxy server on your local machine for all IP
167- addresses that match 0.0.0.0/0. (You can use more specific IP addresses if
168- you want; use any number of IP addresses or subnets to change which
169- addresses get proxied. Using 0.0.0.0/0 proxies *everything *, which is
170- interesting if you don't trust the people on your local network.)
171-
172- Any TCP session you initiate to one of the proxied IP addresses will be
173- captured by sshuttle and sent over an ssh session to the remote copy of
174- sshuttle, which will then regenerate the connection on that end, and funnel
175- the data back and forth through ssh.
176-
177- Fun, right? A poor man's instant VPN, and you don't even have to have
178- admin access on the server.
179-
180-
181- Support
182- -------
183-
184- Mailing list:
185-
186- * Subscribe by sending a message to <
[email protected] >
187- * List archives are at: http://groups.google.com/group/sshuttle
188-
189- Issue tracker and pull requests at github:
190-
191- * https://github.com/sshuttle/sshuttle
192-
193-
194- Theory of Operation
195- -------------------
196-
197- sshuttle is not exactly a VPN, and not exactly port forwarding. It's kind
198- of both, and kind of neither.
199-
200- It's like a VPN, since it can forward every port on an entire network, not
201- just ports you specify. Conveniently, it lets you use the "real" IP
202- addresses of each host rather than faking port numbers on localhost.
203-
204- On the other hand, the way it *works * is more like ssh port forwarding than
205- a VPN. Normally, a VPN forwards your data one packet at a time, and
206- doesn't care about individual connections; ie. it's "stateless" with respect
207- to the traffic. sshuttle is the opposite of stateless; it tracks every
208- single connection.
209-
210- You could compare sshuttle to something like the old `Slirp
211- <http://en.wikipedia.org/wiki/Slirp> `_ program, which was a userspace TCP/IP
212- implementation that did something similar. But it operated on a
213- packet-by-packet basis on the client side, reassembling the packets on the
214- server side. That worked okay back in the "real live serial port" days,
215- because serial ports had predictable latency and buffering.
216-
217- But you can't safely just forward TCP packets over a TCP session (like ssh),
218- because TCP's performance depends fundamentally on packet loss; it
219- *must * experience packet loss in order to know when to slow down! At
220- the same time, the outer TCP session (ssh, in this case) is a reliable
221- transport, which means that what you forward through the tunnel *never *
222- experiences packet loss. The ssh session itself experiences packet loss, of
223- course, but TCP fixes it up and ssh (and thus you) never know the
224- difference. But neither does your inner TCP session, and extremely screwy
225- performance ensues.
226-
227- sshuttle assembles the TCP stream locally, multiplexes it statefully over
228- an ssh session, and disassembles it back into packets at the other end. So
229- it never ends up doing TCP-over-TCP. It's just data-over-TCP, which is
230- safe.
23142
23243
233- Useless Trivia
234- --------------
235- This section written by Avery Pennarun <
[email protected] >.
23644
237- Back in 1998 (12 years ago! Yikes!), I released the first version of `Tunnel
238- Vision <http://alumnit.ca/wiki/?TunnelVisionReadMe> `_, a semi-intelligent VPN
239- client for Linux. Unfortunately, I made two big mistakes: I implemented the
240- key exchange myself (oops), and I ended up doing TCP-over-TCP (double oops).
241- The resulting program worked okay - and people used it for years - but the
242- performance was always a bit funny. And nobody ever found any security flaws
243- in my key exchange, either, but that doesn't mean anything. :)
24445
245- The same year, dcoombs and I also released Fast Forward, a proxy server
246- supporting transparent proxying. Among other things, we used it for
247- automatically splitting traffic across more than one Internet connection (a
248- tool we called "Double Vision").
24946
250- I was still in university at the time. A couple years after that, one of my
251- professors was working with some graduate students on the technology that would
252- eventually become `Slipstream Internet Acceleration
253- <http://www.slipstream.com/> `_. He asked me to do a contract for him to build
254- an initial prototype of a transparent proxy server for mobile networks. The
255- idea was similar to sshuttle: if you reassemble and then disassemble the TCP
256- packets, you can reduce latency and improve performance vs. just forwarding
257- the packets over a plain VPN or mobile network. (It's unlikely that any of my
258- code has persisted in the Slipstream product today, but the concept is still
259- pretty cool. I'm still horrified that people use plain TCP on complex mobile
260- networks with crazily variable latency, for which it was never really
261- intended.)
26247
263- That project I did for Slipstream was what first gave me the idea to merge
264- the concepts of Fast Forward, Double Vision, and Tunnel Vision into a single
265- program that was the best of all worlds. And here we are, at last, 10 years
266- later. You're welcome.
0 commit comments