sshuttle Cheat Sheet
sshuttle is a "VPN over SSH" tool that transparently routes traffic to remote networks via an SSH tunnel.
Important: sshuttle routes TCP traffic only, not raw IP packets. This is key as, for instance, we will find issues with running nmap.
Installation
In my case, in my virtualenv tooling:
Basic Usage
Example:
This routes all traffic to 172.16.8.0/16 through the pivot.
Using an SSH Key
Custom SSH Port
Verbose Output for Debugging
Multiple Subnets
✅ Troubleshooting nmap
Most nmap scan types use raw packets (not TCP). When you run a typical nmap scan like:
It uses a SYN scan, which sends raw TCP SYN packets directly via raw sockets or libpcap. These:
- Bypass the system's TCP stack
- Do not go through
sshuttle, which routes only normal TCP connections
So nmap's probes never reach the target.
How to make nmap work with sshuttle
Force nmap to use normal TCP connections that sshuttle can route:
sshuttle vs Ligolo-ng
| Feature | sshuttle |
Ligolo-ng |
|---|---|---|
| Transport | SSH | Custom agent + TLS tunnel |
| Setup complexity | Simple, native to Python | Slightly more complex (requires deploying an agent on pivot) |
| Raw traffic support | ❌ Only TCP | ✅ Supports TCP & ICMP (if using TUN mode) |
| ICMP support | ❌ No | ✅ Yes (with TUN mode) |
| Tool footprint | Minimal | Requires deploying binary on the pivot |
| Stealth | Medium (uses SSH) | High (can use mutual TLS, encryption, and obfuscation) |
| Cross-platform support | Linux/macOS | Linux/Windows (agent runs on both) |
| Socks proxy mode | ✅ via ssh -D or system routes |
✅ Built-in SOCKS support |
Packet injection (e.g., nmap -sS) |
❌ (must use -sT) |
✅ (when using TUN mode) |