Published on

Easy Ad-Hoc VPNs with sshuttle


Theres a utility called sshuttle which allows you to VPN via a SSH connection, which is really handy when you quickly want to be able to reach a private range, which is accessible from a public reachable server such as a bastion host.

In this tutorial, I will demonstrate how to install sshuttle on a mac, if you are using a different OS you can see their documentation and then we will use the VPN connection to reach a "prod" and a "dev" environment.

SSH Config

We will declare 2 jump-boxes / bastion hosts in our ssh config:

  • dev-jump-host is a public server that has network access to our private endpoints in
  • prod-jump-host is a public server that has network access to our private endpoints in

In this case, the above example is 2 AWS Accounts with the same CIDR's, and wanted to demonstrate using sshuttle for this reason, as if we had different CIDRs we can setup a dedicated VPN and route them respectively.

$ cat ~/.ssh/config
Host *
    Port 22
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
    ServerAliveInterval 60
    ServerAliveCountMax 30

Host dev-jump-host
    User bastion
    IdentityFile ~/.ssh/id_rsa

Host prod-jump-host
    User bastion
    IdentityFile ~/.ssh/id_rsa

Install sshuttle

Install sshuttle for your operating system:

# macos
$ brew install shuttle

# debian
$ apt install sshuttle


To setup a vpn tunnel to route connections to our prod account:

$ sshuttle -r prod-jump-host

Or to setup a vpn tunnel to route connections to our dev account:

$ sshuttle -r dev-jump-host

Once one of your chosen sessions establishes, you can use a new terminal to access your private network, as example:

$ nc -vz 22

Bash Functions

We can wrap this into functions, so we can use vpn_dev or vpn_prod which aliases to the commands shown below:

$ cat ~/.functions
  sshuttle -r prod-jump-host

  sshuttle -r dev-jump-host

Now source that to your environment:

$ source ~/.functions

Then you should be able to use vpn_dev and vpn_prod from your terminal:

$ vpn_prod
[local sudo] Password:
Warning: Permanently added 'xx,xx' (ECDSA) to the list of known hosts.
client: Connected.

And in a new terminal we can connect to a RDS MySQL Database sitting in a private network:

$ mysql -h -u dbadmin -p$pass

Sshuttle as a Service

You can create a systemd unit file to run a sshuttle vpn as a service. In this scenario I provided 2 different vpn routes, dev and prod, so you can create 2 seperate systemd unit files, but my case I will only create for prod:

$ cat /etc/systemd/system/vpn_prod.service

ExecStart=/usr/bin/sshuttle -r prod-jump-host


Reload the systemd daemon:

$ sudo systemctl daemon-reload

Enable and start the service:

$ sudo systemctl enable vpn_prod
$ sudo systemctl start vpn_prod

Thank You

Thanks for reading, feel free to check out my website, and subscrube to my newsletter or follow me at @ruanbekker on Twitter.

Buy Me A Coffee