sshuttle Cheat Sheet
Transparent proxy/VPN over SSH — route subnets through a compromised SSH host without modifying sshd config.
Overview
sshuttle tunnels IP traffic through an SSH session using iptables/nftables and Python. Ideal when you have SSH credentials to a jump box and need to scan internal ranges as if you were on the remote LAN.
Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.
Install
sudo apt install -y sshuttlepip alternative
pip install sshuttleEssential commands
Route remote subnet through SSH user@jump
sshuttle -r user@10.10.10.5 172.16.0.0/16Include DNS
sshuttle -r user@jump --dns 172.16.0.0/16Run in foreground with verbose
sshuttle -v -r user@jump 172.16.1.0/24Common workflows
Full internal /16 via jump host —
sshuttle -r admin@10.10.11.100 10.10.0.0/16 172.16.0.0/12 -vNew terminal — direct access
nmap -Pn 172.16.5.20curl http://172.16.5.20/internalWith SSH key and custom port —
sshuttle -r user@10.10.10.5:2222 -e 'ssh -i ~/.ssh/id_rsa' 192.168.0.0/24DNS leak-through for AD environments —
sshuttle -r corp\\user@dc01.corp.local --dns 10.0.0.0/8Resolve internal names while routing
dig internal.corp.localExclude local LAN (stay on home network for 192.168.1.0/24) —
sshuttle -r user@jump -x 192.168.1.0/24 10.0.0.0/8Daemon mode —
sshuttle -D -r user@jump 172.16.0.0/16Flags reference
-r user@host | Remote SSH server |
|---|---|
-x CIDR | Exclude subnet from tunnel |
--dns | Hijack DNS via remote |
-v / -vv | Verbose |
-D | Daemonize |
-e cmd | Custom ssh command |
--no-latency-control | Sometimes helps slow links |
--ssh-cmd | Alternate ssh binary |
Tips
- Requires sudo locally (iptables) and Python on the remote host.
- Does not need root on remote — only working SSH shell.
- Combine with ProxyJump in ~/.ssh/config for multi-hop if sshuttle -r points to final hop only.
- Stop with Ctrl-C or sudo pkill sshuttle; verify routes removed with ip route.