Sshuttle: VPN Over SSH Without Root on the Server

TL;DR — Quick Summary

Sshuttle creates a VPN-like tunnel over SSH without server configuration. Route all traffic or specific subnets through any SSH server. No root needed on remote.

Sshuttle turns any SSH server into a VPN endpoint. No server configuration, no VPN software to install, no certificates to manage. If you can SSH to a machine, you can tunnel your traffic through it.

Installation

# Debian/Ubuntu
sudo apt install sshuttle

# macOS
brew install sshuttle

# Arch
sudo pacman -S sshuttle

# pip (any platform)
pip install sshuttle

# Fedora
sudo dnf install sshuttle

Basic Usage

# Route specific subnet through SSH server
sshuttle -r user@server 10.0.0.0/8

# Route ALL traffic (full VPN)
sshuttle -r user@server 0/0

# Route all traffic + DNS
sshuttle -r user@server 0/0 --dns

# Route multiple subnets
sshuttle -r user@server 10.0.0.0/8 192.168.1.0/24

# Exclude subnets (avoid routing SSH connection itself)
sshuttle -r user@server 0/0 -x server.ip.address/32

Common Use Cases

Access Office Network Remotely

# Route office subnet through jump box
sshuttle -r admin@jumpbox.company.com 10.10.0.0/16
# Now you can access 10.10.x.x servers as if you were in the office

Secure Public WiFi

# Route everything through your home server
sshuttle -r user@home-server.duckdns.org 0/0 --dns
# All traffic now exits from your home connection

Access Cloud VPC Resources

# Route AWS VPC subnet through bastion host
sshuttle -r ec2-user@bastion.example.com 172.16.0.0/12
# Access RDS, ElasticSearch, etc. that are in private subnets

Bypass Geo-Restrictions

# Route through a server in the target country
sshuttle -r user@us-server.example.com 0/0 --dns

Advanced Options

# Use specific SSH key
sshuttle -r user@server 0/0 -e 'ssh -i ~/.ssh/custom_key'

# Use non-standard SSH port
sshuttle -r user@server:2222 0/0

# Verbose output for debugging
sshuttle -vvr user@server 0/0

# Daemon mode (background)
sshuttle -D -r user@server 0/0 --pidfile /tmp/sshuttle.pid

# Auto-sudo (don't prompt for password)
sshuttle --auto-sudo -r user@server 0/0

Comparison

Feature	sshuttle	SSH -D (SOCKS)	OpenVPN	WireGuard
Server setup	None	None	Complex	Moderate
Server root needed	No	No	Yes	Yes
Local root needed	Yes	No	Yes	Yes
Transparent routing	Yes	No (SOCKS)	Yes	Yes
UDP support	No	No	Yes	Yes
DNS tunneling	Yes (—dns)	No	Yes	Yes
Performance	Good	Good	Better	Best
Use case	Quick access	Single app	Production	Production

Limitations

TCP only: sshuttle routes TCP traffic. UDP (including DNS by default) is not tunneled unless you use --dns
Local root: Needs root/sudo on the local machine to set up routing rules
Python on server: The remote server must have Python installed (most Linux servers do)
Performance: SSH adds overhead compared to native VPN protocols like WireGuard

Summary

Sshuttle creates transparent VPN-like tunnels over any SSH connection
No server configuration or root access needed on the remote — just SSH + Python
Route specific subnets or all traffic (0/0) with optional DNS tunneling
Perfect for quickly accessing office networks, securing public WiFi, or reaching cloud VPC resources
TCP only — use WireGuard or OpenVPN for production VPN needs with UDP support

Guide & Instructions

Estimated Time: 10m

Tools Needed:

Sshuttle
SSH
Terminal

Install sshuttle

Install with your package manager: apt install sshuttle, brew install sshuttle, pip install sshuttle, or pacman -S sshuttle.

Route specific subnets

Run sshuttle -r user@server 10.0.0.0/8 to route traffic for the 10.x.x.x subnet through the SSH server. Uses iptables on Linux or pf on macOS.

Route all traffic

Run sshuttle -r user@server 0/0 --dns to route ALL traffic including DNS through the SSH server, acting as a full VPN.

Exclude specific subnets

Use -x to exclude: sshuttle -r user@server 0/0 -x your.server.ip to avoid routing the SSH connection itself through the tunnel.

Use with SSH key auth

Sshuttle uses your SSH config. If you have key-based auth configured, it just works. Add -e 'ssh -i /path/to/key' for specific keys.

Frequently Asked Questions

What is sshuttle?

Sshuttle is a transparent proxy that works like a VPN but uses SSH as the transport. It routes your traffic through any SSH server without needing to install VPN software or have root access on the remote server. It's often called the 'poor man's VPN'.

How is sshuttle different from an SSH tunnel?

An SSH tunnel (-L or -D flag) forwards specific ports or creates a SOCKS proxy that applications must be configured to use. Sshuttle transparently routes all TCP traffic (or specific subnets) through the SSH connection — applications don't need any configuration.

Does sshuttle need root on the server?

No, sshuttle only needs a regular SSH account on the remote server with Python installed. It does need root (or sudo) on the local machine to set up the iptables/pf rules for transparent routing.

Can sshuttle route all internet traffic?

Yes, use sshuttle -r user@server 0/0 to route all traffic. Use --dns to also tunnel DNS queries. This effectively makes the SSH server your internet exit point, similar to a VPN.