Privacy Week : Tunnel traffic through your home network with Sshuttle.

Feb 06

Today’s tip in our “Privacy week” is geared a little bit towards the more advanced geek .. (Who am I kidding, you are ALL advanced Geeks here). In our every lasting quest to ensure our privacy when surfing on “foreign networks” like the one at work, the one at your dorm or the free wifi hotspot at Starbucks , we try to find more ways to make sure all your web traffic is encrypted and your privacy is kept safe.

kirk-and-spock-with-the-galileo

Enter SSHuttle ( NOOO , not the STAR TREK Shuttle) , A brilliant little transparent proxy application that directs ALL or PART of the network traffic from your trusty Linux or Mac machine (the laptop you use on the road) through an SSH tunnel to an SSH server of your choice (perhaps your own server at home). That way your traffic is completely (or partially) obscured from whoever is trying to sniff your traffic on an untrusted network. An added bonus is however that it is a transparent proxy ! This means your computer will actually think it is directly connected to the network where the SSH server is running. It is like running a very very very long cable through the internet straight from your machine to the network where your SSH server is located. 

So let’s start cooking.

Ingredients.

How to install SSHuttle on your client machine.

  • Install SSHuttle on your Linux machine using the command :  sudo apt-get install sshuttle
  • Install SSHuttle on your Mac by first installing HOMEBREW APP. (Installation instructions) and then typing brew install sshuttle

Shuttle is simple but VERY powerful.  It will create an encrypted tunnel between your laptop and the SSH server you setup at home. Depending on what kind of traffic you want to shove through that tunnel you can do different things like :

  • Just tunnel your browser traffic through the tunnel,
  • Shove all of your web traffic through the tunnel (including dns requests),
  • Shove ALL of your traffic through the tunnel.
  • Set up a “site 2 site” VPN  between the network you are working on and your network at home.
  • … and more crazy stuff.

So how does it work ? 

Once installed using SSHuttle is pretty simple. SSHuttle works from the command line and depending on the “switches” it will do different things for you. So on your client laptop , fire up your terminal and start typing.

  • sshuttle --dns -r username@yourremoteserver.com:2222 0/0

Enter the command above to push ALL of your traffic through the SSH tunnel towards your server at home. This is the example of running a virtual network cable THROUGH the internet towards your switch at home. All of your traffic is sent through this encrypted tunnel. USERNAME = A user you have created on your SSH server at home. YOURREMOTESERVER.COM = The external ip address (or Dynamic DNS name) of your home router. 2222 = The port on which you have your SSH server running. In this example I took a non-default port.

  • sshuttle  -r username@yourremoteserver.com:2222 192.168.0.0/24

With this command you can create a site to site VPN. Instead of typing 0/0 is going to send ALL the traffic through the tunnel. Typing the network range of your home network (in this case 192.168.0.0) tells SShuttle to send all the traffic that needs to go to the 192.168.0.0 domain through the tunnel, while sending out the rest of your traffic through  whatever network gateway you are connected to.  The /24 is your subnet mask ( you know , the 255.255.255.0 subnet number of your network).

There are a lot of other switches that you can use , but if you use the two commands we mentioned above you will have a LOT of power at your fingertips. I love using the second command. It allows me to connect to the exchange server at work for my work stuff, but also lets me quickly open up the web interface of my home router (on the LAN SIDE) to do some tinkering. SSHuttle is a very very nice tool that keeps you connected .. and keeps your privacy .. private.

Find out more about SSHUTTLE in this HAK5 episode.

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *