Using Sshuttle as a service

Mike R

If you're unfamiliar with sshuttle, it is a transparent proxy that routes traffic for whole networks over an ordinary SSH connection (a "poor man's VPN"). We use it so much that I started running it as a service to make it easier to start, stop and restart my tunnels.

This article shows how to set it up as a systemd service on CentOS 7.

1 — Service Account

On the server initiating sshuttle (the client), create a dedicated sshuttle service account and its SSH folder. useradd needs -m to actually create the home directory, otherwise the mkdir that follows fails:

root@client>
groupadd sshuttle
useradd -m -d /home/sshuttle -g sshuttle sshuttle
mkdir /home/sshuttle/.ssh
chown -R sshuttle:sshuttle /home/sshuttle
chmod 700 /home/sshuttle/.ssh

generate an SSH key for the account. It has no passphrase (-N ""), because nobody will be there to type one when systemd starts the tunnel:

root@client>
ssh-keygen -o -a 100 -t ed25519 -N "" -C "sshuttle_key" -f /home/sshuttle/.ssh/id_ed25519
chown sshuttle:sshuttle /home/sshuttle/.ssh/id_ed25519 /home/sshuttle/.ssh/id_ed25519.pub

This generates an ed25519 key pair. The chown is needed because ssh-keygen was run as root, and the service account must be able to read the private key (which it cannot while the file is root-owned with mode 600).

distribute the public key to every host you want to tunnel through. Good practice is to create the same sshuttle service account on each target host and add this key to that account's ~/.ssh/authorized_keys. Because the private key has no passphrase, limit where it can be used from: prefix the authorized_keys entry on the target with from="<client IP>" so the key is only accepted from your client.

then connect to the target server as the sshuttle user to test basic SSH connectivity (this also records the target's host key in the service account's known_hosts, which an unattended service cannot do on its own):

root@client> su - sshuttle
sshuttle@client> ssh targetServer

if you can SSH to the target, move on to the next step

2 — Sudo access

The sshuttle client needs sudo access to modify the firewall rules (on the client only, not on the target server).

add the following to /etc/sudoers.d/sshuttle, make sure the file ends with a newline, set its permissions to 0440 (sudo ignores sudoers.d files with looser permissions) and validate it with visudo:

root@client> cat /etc/sudoers.d/sshuttle
sshuttle ALL=(root) NOPASSWD: /usr/bin/python /usr/share/sshuttle/main.py /usr/bin/python --firewall 12*** 0
root@client> chmod 440 /etc/sudoers.d/sshuttle
root@client> visudo -cf /etc/sudoers.d/sshuttle

this allows the non-root service account to launch sshuttle's firewall helper as root without a password, restricted to listening ports in the 12xxx range (sshuttle's default port is 12300). Two caveats: the path to main.py depends on how your sshuttle package lays out its files, so check it with "rpm -ql sshuttle" after installing; and sudo matches wildcards against the whole concatenated argument string, so "12***" also matches across spaces. Keep the pattern as tight as your sshuttle version allows.

3 — Install package

install sshuttle on your client server. On CentOS 7 it comes from EPEL, so enable that repository first:

root@client> yum install epel-release
root@client> yum install sshuttle

4 — Service scripts

add 2 files: a bash script that reads in a config file and starts or stops the tunnels, and a systemd unit that calls the script

sshuttle@client> vi /home/sshuttle/sshuttle.sh

add the following, then make the script executable (chmod 750 /home/sshuttle/sshuttle.sh):

https://gist.github.com/perfecto25/3dea03737df1a6ba092601775ea596f9#file-sshuttle-sh

now add the systemd unit to your client server

root@client> vi /etc/systemd/system/sshuttle.service

[Unit]
Description=sshuttle service
After=network.target

[Service]
User=sshuttle
Restart=always
Type=forking
WorkingDirectory=/home/sshuttle
ExecStart=/home/sshuttle/sshuttle.sh start
ExecStop=/home/sshuttle/sshuttle.sh stop

[Install]
WantedBy=multi-user.target

Type=forking tells systemd that the start script exits after launching the tunnels in the background. Without a PIDFile= line systemd has to guess which background process is the main one, so if you run several tunnels, point PIDFile= at one of them so that Restart=always tracks a real sshuttle process.

reload systemd and enable the unit so it also starts at boot

systemctl daemon-reload
systemctl enable sshuttle

You can now start, stop and restart the sshuttle service using systemd

systemctl status sshuttle
systemctl start sshuttle
systemctl stop sshuttle

5 — Config File

finally, add a config file that tells sshuttle which hosts to connect to and which networks to route via each target hop server

sshuttle@client> vi /home/sshuttle/sshuttle.conf

serverA,208.224.11.0/24 192.168.20.0/24 200.34.11.34
serverB,192.13.30.1

Add each target server and its networks on a separate line: the server name, a comma, then the networks or hosts to route through it, separated by spaces.

The 'sshuttle.sh' script parses this file and creates one connection per line (lines starting with "#" are treated as comments).

That's it: the service reads your config file, parses each line and creates a new sshuttle connection using "nohup" to keep the process alive after you log out.

If you want to pass additional parameters such as DNS forwarding, add them to the end of the network list, i.e.,

serverA,192.33.11.3 --dns --(insert another flag)
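As an added example, and not the author's gist linked in step 4, here is a minimal sshuttle.sh that implements the config format from step 5 and the start/stop interface the unit file in step 4 expects. It assumes the paths /home/sshuttle/sshuttle.conf and /home/sshuttle/run, and instead of nohup it uses sshuttle's own -D (daemonize) and --pidfile options so that "stop" kills exactly the tunnels "start" created. The parsing is kept in small functions so it can be checked without launching anything: build_args rejects a line that has no "server," prefix rather than handing sshuttle a half-parsed command line.

```shell
#!/bin/bash
# Added example script (not the gist from the original post).
# Reads /home/sshuttle/sshuttle.conf, one tunnel per line:
#   serverA,208.224.11.0/24 192.168.20.0/24 --dns
# Each tunnel is started with sshuttle -D and its own pidfile so that
# "stop" only kills processes this script started.
# Paths below are assumptions; adjust to your layout.
set -eu

CONF="${SSHUTTLE_CONF:-/home/sshuttle/sshuttle.conf}"
RUN_DIR="${SSHUTTLE_RUN_DIR:-/home/sshuttle/run}"

# Emit the config with comments ("#" to end of line) and blank lines removed.
config_lines() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$CONF"
}

# Turn one config line into sshuttle's argument list.
# "serverA,10.0.0.0/8 192.168.0.0/16 --dns"  ->  "-r serverA 10.0.0.0/8 192.168.0.0/16 --dns"
# Returns 1 (and prints nothing) for a line without "server," in front.
build_args() {
    line=$1
    server=${line%%,*}     # text before the first comma
    rest=${line#*,}        # networks plus any extra sshuttle flags
    if [ "$server" = "$line" ] || [ -z "$server" ] || [ -z "$rest" ]; then
        return 1
    fi
    # Squeeze repeated spaces so the output is stable whatever the spacing in the file.
    printf '%s\n' "-r $server $rest" | tr -s ' '
}

# Pidfile path derived from the server string; anything that is not a safe
# filename character (e.g. "@" or ":" in user@host:port) becomes "_".
pidfile_for() {
    printf '%s/%s.pid\n' "$RUN_DIR" "$(printf '%s' "$1" | tr -c 'A-Za-z0-9._-' '_')"
}

start() {
    mkdir -p "$RUN_DIR"
    config_lines | while IFS= read -r line; do
        args=$(build_args "$line") || { echo "skipping malformed line: $line" >&2; continue; }
        server=${line%%,*}
        # Word splitting of $args is intended: it is the argument list.
        # A failing sshuttle aborts the loop under set -e so systemd sees the failure.
        sshuttle -D --pidfile "$(pidfile_for "$server")" $args
    done
}

stop() {
    for pf in "$RUN_DIR"/*.pid; do
        [ -f "$pf" ] || continue
        kill "$(cat "$pf")" 2>/dev/null || true
        rm -f "$pf"
    done
}

case "${1:-}" in
    start)   start ;;
    stop)    stop ;;
    restart) stop; start ;;
    "")      ;;   # no argument: only define the functions (useful for sourcing and testing)
    *)       echo "usage: $0 {start|stop|restart}" >&2; exit 2 ;;
esac
```

Every tunnel gets its own pidfile under the run directory, so if you keep Type=forking in the unit you can point PIDFile= at one of them; the sshuttle user must be able to write to the run directory, which is why it lives under /home/sshuttle rather than /run.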