Last updated on November 28, 2020 by Dan Nanni
There are many ways to set up a VPN. Setting up a VPN typically requires using privileged access on all hosts involved (in order to create virtual network interfaces via tun/tap devices), as well as opening up additional VPN ports on any existing firewall. This is an administrative overhead. If you can configure a VPN over a commonly available SSH tunnel, it will reduce the VPN provisioning overhead.
In this tutorial, I will describe how to set up a VPN over SSH in Linux, by using a command-line tool called sshuttle. sshuttle was originally developed as a transparent proxy server, but it can work as a VPN over SSH.
To be able to create a VPN through SSH with sshuttle, you only need to install sshuttle on the local host. You do not need to install sshuttle on the remote host, nor do you need root access there. Upon VPN creation, sshuttle's Python code on the local host is automatically uploaded to the remote host and run there without root access. The only requirements for the remote host are that an SSH server be running and that a Python interpreter be installed.
Install sshuttle on Linux
Install sshuttle on Ubuntu or Debian
$ sudo apt-get install sshuttle
Install sshuttle on CentOS, Fedora or RHEL
First, download its Python code from its official repository, and include the downloaded sshuttle in your PATH environment variable.
$ sudo yum install git
$ git clone https://github.com/apenwarr/sshuttle
sshuttle
To initiate a VPN connection through an SSH tunnel with sshuttle, run the following command.
$ sudo sshuttle -r user@remote_host 0.0.0.0/0 --dns
user@remote_host's password: #######
Connected.
As you can see above, sshuttle will ask you for the SSH password to the remote host. If you see the Connected message after logging in, this means that a VPN is successfully established over SSH.
0.0.0.0/0 means that all traffic will be forwarded to, and routed via, the remote SSH host. The --dns option makes local DNS requests be forwarded to the remote host as well.
At this point, you should be able to access any external host via the remote SSH host. To tear down an existing VPN over SSH, simply press Ctrl+c on the terminal where sshuttle is running.
If you want only specific subnets to be routed over the VPN, you can specify such subnets when launching sshuttle as follows.
$ sudo sshuttle -r user@remote_host 172.194.0.0/16 172.195.0.0/16
As clarified in the beginning, the remote host must have Python installed. If Python is not available on the remote host, you will see the following error when running sshuttle.
P=python2: Command not found.
P: Undefined variable.
client: fatal: server died with error code 1
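A preflight check for the remote-host requirement and the subnet arguments described above, as an added example that is not part of the original article. The function names, exit codes and the list of interpreter names probed are assumptions; it prints the sshuttle command rather than running it.

```shell
#!/bin/sh
# Added example, not from the original article. Function names, exit codes
# and the interpreter names probed are assumptions.

# valid_cidr A.B.C.D/N -> 0 if a well-formed IPv4 CIDR, 1 otherwise.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; prefix=${1#*/}
    case "$addr" in ''|*[!0-9.]*|*.) return 1 ;; esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr                  # split the address into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
}

# remote_python user@host -> prints the remote interpreter path, fails if none.
# The probe runs under "sh -c" because the remote login shell may not be a
# POSIX shell.
remote_python() {
    ssh -o ConnectTimeout=10 "$1" \
        "sh -c 'command -v python3 || command -v python2 || command -v python'"
}

# vpn_preflight user@host SUBNET... -> prints the sshuttle command to run.
# Returns 2 on usage error or bad subnet, 3 if no remote Python was found.
vpn_preflight() {
    [ $# -ge 2 ] || { echo "usage: vpn_preflight user@host SUBNET..." >&2; return 2; }
    remote=$1; shift
    dns=""
    for net in "$@"; do
        valid_cidr "$net" || { echo "bad subnet: $net" >&2; return 2; }
        # Routing all traffic: forward DNS as well, as the article's first command does.
        if [ "$net" = "0.0.0.0/0" ]; then dns=" --dns"; fi
    done
    py=$(remote_python "$remote") || { echo "no Python found on $remote" >&2; return 3; }
    echo "remote interpreter: $py" >&2
    echo "sudo sshuttle -r $remote $*$dns"
}

# Run the check when the script is called with arguments.
if [ $# -gt 0 ]; then vpn_preflight "$@"; fi
```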
Please note that this article is published by Xmodulo.com under a Creative Commons Attribution-ShareAlike 3.0 Unported License. If you would like to use the whole or any part of this article, you need to cite this web page at Xmodulo.com as the original source.