How to set up VPN over SSH in Linux

There are many ways to set up a VPN. Most of them require privileged access on every host involved (to create virtual network interfaces via TUN/TAP devices) and extra VPN ports opened on any firewall in the path. That is administrative overhead, and on hosts you do not administer it may not be possible at all. If you can run the VPN over an SSH connection you already have, most of the provisioning overhead disappears.

In this tutorial, I will describe how to set up a VPN over SSH in Linux, by using a command-line tool called sshuttle.

sshuttle was originally developed as a transparent proxy, but it can serve as a VPN over SSH.

To create a VPN through SSH with sshuttle, you only need to install sshuttle on the local host. You do not need to install sshuttle on the remote host, nor do you need root access there: when the connection is established, sshuttle uploads its own Python code to the remote host over the SSH session and runs it as the unprivileged SSH user. The only requirements on the remote host are a running SSH server and a Python interpreter. Root is still needed on the local host, because sshuttle rewrites the local firewall and routing rules to redirect traffic into the tunnel; that is why the commands below are run with sudo.

To install sshuttle on Ubuntu or Debian:

$ sudo apt-get install sshuttle

To install sshuttle on CentOS, Fedora or RHEL, clone its Python code from the official repository and add the downloaded sshuttle directory to your PATH environment variable. GitHub no longer serves the git:// protocol, so clone over HTTPS:

$ sudo yum install git
$ git clone https://github.com/apenwarr/sshuttle

To initiate a VPN connection through SSH tunnel with sshuttle, run the following command.

$ sudo sshuttle -r user@remote_host 0.0.0.0/0 --dns
user@remote_host's password: #######
Connected.

As you can see above, sshuttle prompts for your SSH password to the remote host (key-based authentication works just as well and avoids the prompt). If you see the "Connected." message after logging in, the VPN has been established over SSH.

"0.0.0.0/0" means that all traffic is forwarded to, and routed via, the remote SSH host. The "--dns" option forwards local DNS requests to the remote host as well. Without it, name lookups still go to the local resolver in the clear, which reveals every host you contact even though the traffic itself is tunnelled.

At this point you should be able to reach any external host via the remote SSH host. To tear down the VPN, simply press Ctrl+C in the terminal where sshuttle is running.

If you want only specific subnets to be routed over the VPN, list them when launching sshuttle, as follows.

$ sudo sshuttle -r user@remote_host 172.194.0.0/16 172.195.0.0/16

As noted at the beginning, the remote host must have Python installed. If Python is not available there, sshuttle fails with an error like the following. This output is from an older sshuttle release that looked for python2; current releases look for python3 on the remote host, but the symptom is the same.

P=python2: Command not found.
P: Undefined variable.
client: fatal: server died with error code 1
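The procedure above, gathered into a small wrapper script as an added example (this is not code from the original article or from the sshuttle project). It validates each subnet before handing it to sshuttle, keeps the local LAN out of the tunnel with sshuttle's -x/--exclude option so that local peers stay directly reachable even when 0.0.0.0/0 is routed, checks that the remote host actually has a Python interpreter before touching local routing (the failure shown above), and passes --dns so name lookups do not leak to the local resolver. It assumes key-based SSH authentication is already set up for the remote host; user@remote_host, 192.168.1.0/24 and the 172.194/172.195 subnets are placeholders.

```shell
#!/bin/sh
# Added example, not from the original article or the sshuttle project:
# a wrapper that reviews and then launches an sshuttle "VPN over SSH".
# Hostnames and subnets used here are placeholders.

# valid_cidr A.B.C.D/N -> exit 0 if the argument is a well-formed IPv4
# CIDR (four octets 0-255, prefix 0-32), 1 otherwise.
valid_cidr() {
    local cidr="$1" ip prefix octet old_ifs
    case "$cidr" in
        */*) ;;
        *)   return 1 ;;
    esac
    ip="${cidr%/*}"
    prefix="${cidr##*/}"
    # prefix: digits only, at most 32
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    # address: digits and dots only, no leading/trailing/doubled dots
    # (this also keeps the unquoted "set -- $ip" below glob-safe)
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs="$IFS"
    IFS=.
    set -- $ip
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_sshuttle_cmd USER@HOST EXCLUDE_CIDR SUBNET... -> prints the sshuttle
# command line on one line, or fails if any CIDR is malformed.
build_sshuttle_cmd() {
    local remote="$1" exclude="$2" net cmd
    shift 2
    [ $# -ge 1 ] || { echo "no subnets given" >&2; return 1; }
    valid_cidr "$exclude" || { echo "bad exclude subnet: $exclude" >&2; return 1; }
    # --dns: forward name lookups through the tunnel too; otherwise they go
    #        to the local resolver in the clear even when all routes are tunnelled.
    # -x:    never redirect the local LAN into the tunnel, so printers, the
    #        gateway and other local peers stay directly reachable.
    cmd="sshuttle -r $remote --dns -x $exclude"
    for net in "$@"; do
        valid_cidr "$net" || { echo "bad subnet: $net" >&2; return 1; }
        cmd="$cmd $net"
    done
    printf '%s\n' "$cmd"
}

# remote_has_python USER@HOST -> exit 0 if the remote shell finds a Python
# interpreter on PATH. BatchMode makes ssh fail instead of prompting, so this
# is safe from scripts; it assumes key-based authentication is configured.
remote_has_python() {
    ssh -o BatchMode=yes "$1" \
        'command -v python3 >/dev/null 2>&1 || command -v python >/dev/null 2>&1'
}

# main USER@HOST LOCAL_LAN_CIDR SUBNET... : check the remote side, show the
# exact command, then run it under sudo. Root is needed locally because
# sshuttle rewrites local firewall/routing rules; the remote side runs as
# the unprivileged SSH user.
main() {
    if [ $# -lt 3 ]; then
        echo "usage: $0 user@host local_lan_cidr subnet [subnet ...]" >&2
        return 2
    fi
    remote="$1"
    if ! remote_has_python "$remote"; then
        echo "$remote: no python interpreter found; sshuttle's server side cannot start" >&2
        return 1
    fi
    cmd="$(build_sshuttle_cmd "$@")" || return 1
    echo "+ sudo $cmd" >&2
    # word splitting of $cmd is intentional: it holds the argument list
    sudo $cmd
}

# Only run when invoked with arguments; sourcing the file just defines helpers.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Invoke it as, for example, `./sshuttle-up.sh user@remote_host 192.168.1.0/24 0.0.0.0/0` to route everything except the local LAN, or list the 172.194.0.0/16 and 172.195.0.0/16 subnets instead of 0.0.0.0/0 for split routing. The command is echoed before sudo runs it, so a malformed subnet or a typo in the remote name is caught before any routing rule changes.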

Dan Nanni is the founder and also a regular contributor of Xmodulo.com. He is a Linux/FOSS enthusiast who loves to get his hands dirty with his Linux box. He likes to procrastinate when he is supposed to be busy and productive. When he is otherwise free, he likes to watch movies and shop for the coolest gadgets.

16 thoughts on “How to set up VPN over SSH in Linux”

  1. Interesting, thanks for posting this.

    I have used "ssh -Y user@remote" often, but this would be a much less bandwidth-intensive way to deal with public access points.

    The wonder of F/OSS is the variety and quality of basic tools.

  2. It's not a true VPN. You only get TCP and UDP and you don't get a unique address on the network. However, sshuttle is the next best thing and it's a breeze to set up.

  3. I've done this tunneling PPP over ssh before. Works surprisingly well. Not really needed these days with openvpn now in existence. But it still has uses in some environments.

  4. It's not supposed to replace real VPN solutions. The goal of sshuttle is to provide a quick-and-dirty "I would like all my traffic to come from that server where I happen to have ssh access." Last time I relied on it heavily was in China, where openvpn traffic is filtered, but ssh/22 isn't. Previously, I also used it to route all my traffic via my US server so that google voice would actually allow me to create an account.
