sshuttle – Poor Man’s VPN via SSH (Great for Pivoting!)

I've recently been using sshuttle again, and I wanted to share how easy it is.

sshuttle - Introduction

Per the GitHub repository, sshuttle is a "Transparent proxy server that works as a poor man's VPN. Forwards over ssh."

It has been a great tool, not only as a pseudo-VPN but also for greatly simplifying network pivoting.


First, to install the application, clone the repository.

root@kali:~/tools# git clone
Cloning into 'sshuttle'...
remote: Counting objects: 2612, done.
remote: Compressing objects: 100% (8/8), done.
remote: Total 2612 (delta 2), reused 4 (delta 2), pack-reused 2602
Receiving objects: 100% (2612/2612), 1.09 MiB | 0 bytes/s, done.
Resolving deltas: 100% (1618/1618), done.
Checking connectivity... done.
root@kali:~/tools# cd sshuttle
root@kali:~/tools/sshuttle# ls
bandit.yml  LICENSE      README.rst        run  tox.ini
CHANGES.rst  docs  requirements.txt  setup.cfg  sshuttle

Next, run the Python setup and allow it to complete.

root@kali:~/tools/sshuttle# python install
running install
running bdist_egg
running egg_info


Processing dependencies for sshuttle==0.78.4.dev47+g884bd6d
Finished processing dependencies for sshuttle==0.78.4.dev47+g884bd6d


With sshuttle installed, execution is also incredibly simple.

For basic proxy execution, you just need to specify the remote user/server with -r and then the subnet to forward (in this case, 0/0 for all traffic).

root@kali:~/tools/sshuttle# sshuttle -r 0/0
The authenticity of host ' (' can't be established.
ECDSA key fingerprint is SHA256:BMLJjcXWsYSzkeBeW17+bWZx9hoa2ylQVpS8NnywqWQ.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ',' (ECDSA) to the list of known hosts.
's password: 
client: Connected.

With the client connected, all of our traffic is now being invisibly proxied.

To test this, I just ran a quick HTTP methods check.

root@kali:~/tools/sshuttle# nmap -sT --script http-methods -p 80 -Pn

Starting Nmap 7.25BETA2 ( ) at 2018-03-16 11:33 PDT
Nmap scan report for (
Host is up (0.00051s latency).
80/tcp open  http
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS

Nmap done: 1 IP address (1 host up) scanned in 0.80 seconds

As you can see in my access.log, these requests were coming from ( instead of my home IP address.

 - - [16/Mar/2018:18:34:41 +0000] "OPTIONS / HTTP/1.1" 200 181 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine;"
 - - [16/Mar/2018:18:34:41 +0000] "IRBT / HTTP/1.1" 501 490 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine;"
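Seen from the web server, the scan above leaves two usable signals in access.log: the default Nmap Scripting Engine User-Agent and a non-standard method (IRBT) answered with 501. The Python below is an added example, not part of the original post; it assumes the combined log format, and the IP addresses and sample lines are constructed. The source address it reports is the SSH server that sshuttle forwards through, not the operator's own machine.

```python
import re

# Apache/nginx "combined" access-log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) \S+ [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Methods a normal site can expect; anything else is treated as a probe.
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS",
                 "PATCH", "TRACE", "CONNECT"}

def classify(line):
    """Return (source_ip, reasons) for one log line, or None if unparsable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    reasons = []
    if "nmap scripting engine" in m["ua"].lower():
        reasons.append("nse-user-agent")      # default UA, client-controlled
    if m["method"].upper() not in KNOWN_METHODS:
        reasons.append("unknown-method")      # e.g. the IRBT request above
    return m["ip"], reasons

def suspicious_sources(lines):
    """Map source IP -> sorted reasons, for IPs with at least one finding."""
    hits = {}
    for line in lines:
        result = classify(line)
        if result and result[1]:
            hits.setdefault(result[0], set()).update(result[1])
    return {ip: sorted(reasons) for ip, reasons in hits.items()}

# Constructed sample lines (documentation IP ranges, not from the post).
NSE_UA = "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
SAMPLE = [
    f'192.0.2.10 - - [16/Mar/2018:18:34:41 +0000] "OPTIONS / HTTP/1.1" 200 181 "-" "{NSE_UA}"',
    f'192.0.2.10 - - [16/Mar/2018:18:34:41 +0000] "IRBT / HTTP/1.1" 501 490 "-" "{NSE_UA}"',
    '198.51.100.7 - - [16/Mar/2018:18:35:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.5 - - [16/Mar/2018:18:36:10 +0000] "QZXV / HTTP/1.1" 501 490 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    for ip, reasons in suspicious_sources(SAMPLE).items():
        print(ip, ", ".join(reasons))
```

The User-Agent is set by the client, so the unknown-method check is the one that still fires when the header has been changed, as in the last sample line.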

I also like to include the --dns flag if I'm using it as a VPN, as this forwards all DNS requests to the remote server. This is great for preventing some local network attacks.

For more information about the other flags, you can visit the documentation.


sshuttle is a great application, and I was glad to see that it got forked and updated from apenwarr's original version.

I used it a lot in my OSCP labs as well, to make some pivoting exercises a little easier.

For another example of pivoting with it, I recommend the following blog post.

Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.

When he's not figuring out what cert to get next or side project to work on, he enjoys playing video games, traveling, and watching sports.


4 Responses to sshuttle – Poor Man’s VPN via SSH (Great for Pivoting!)

  1. james

    Your nmap command is leading to a false positive

  2. hy

    Setting Bittorrent over SSH is not secure, is sshuttle secure?

    • sshuttle is no different from SSH tunneling, it just functions as an easier, transparent proxy. If you are torrenting, then I’d recommend a real VPN though.
