

sshuttle: a new kind of userspace VPN - blasdel
http://apenwarr.ca/log/?m=201005#02

======
dryicerx
Why not use the built-in dynamic port forwarding / proxy feature (-D switch)
which pretty much makes your ssh client a socks proxy allowing you to connect
to any arbitrary number of hosts:ports on the server side?

Or am I missing something obvious here...?

~~~
apenwarr
I've always found ssh's port forwarding to be unreliable; it freezes up
randomly and seems to do synchronous connect(). It also doesn't do its buffer
management correctly, so you get huge lag on other connections when you're
using a lot of bandwidth on one port.

Plus, socks requires you to reconfigure every single bit of client software to
use it. sshuttle just magically works because it uses the kernel-level
transproxying.

You would also need to decide, in each client application, which IP addresses
should use socks and which shouldn't; otherwise you'd end up forwarding
_everything_, which is no good either. You can configure sshuttle on a
per-ip-subnet or even per-ip-address basis and it affects all your client
software.

~~~
drewcrawford
I'm running OSX, so many of the advantages don't really work for me.

* Socks on Mac is a tickbox which is pretty much system-wide. I can turn it on or off in two clicks anywhere in my system. UNIX socket programming isn't wrapped, so curl and wget don't follow the rules, but all Mac apps do. If that wasn't enough, Socks rules are both per-host and per-subnet configurable.

* I've never done UDP over ssh -D, but I do use ssh for the majority of my traffic and haven't had any trouble.

That said, this does look useful for those rare cases when I can't muck about
with the GatewayPorts sshd config on a system. That's a _really_ rare case
though, as typically I will just pay Amazon $.08/hr to bring up something with
root access.

------
kgc
Has anyone successfully used this as a VPN between the US and China?

------
oomkiller
Why not just use OpenVPN? It seems to solve these problems too.

~~~
tzs
OpenVPN requires that the other side have OpenVPN, and that you have been set
up to be allowed access to it.

All that sshuttle requires is that you have plain old ssh access to the other
side.

