mirror of
https://github.com/sshuttle/sshuttle.git
synced 2024-11-21 23:43:18 +01:00
parent
d80b590a71
commit
262affe94f
@ -5,4 +5,8 @@ include MANIFEST.in
|
|||||||
include LICENSE
|
include LICENSE
|
||||||
include run
|
include run
|
||||||
include tox.ini
|
include tox.ini
|
||||||
recursive-include sshuttle *.py *.md
|
recursive-include docs *.bat
|
||||||
|
recursive-include docs *.py
|
||||||
|
recursive-include docs *.rst
|
||||||
|
recursive-include docs Makefile
|
||||||
|
recursive-include sshuttle *.py
|
||||||
|
219
README.rst
219
README.rst
@ -26,89 +26,6 @@ common case:
|
|||||||
TCP-over-TCP, which has terrible performance (see below).
|
TCP-over-TCP, which has terrible performance (see below).
|
||||||
|
|
||||||
|
|
||||||
Client side Requirements
|
|
||||||
------------------------
|
|
||||||
|
|
||||||
- sudo, or root access on your client machine.
|
|
||||||
(The server doesn't need admin access.)
|
|
||||||
- Python 2.7 or Python 3.5.
|
|
||||||
|
|
||||||
+-------+--------+------------+-----------------------------------------------+
|
|
||||||
| OS | Method | Features | Requirements |
|
|
||||||
+=======+========+============+===============================================+
|
|
||||||
| Linux | NAT | * IPv4 TCP + iptables DNAT, REDIRECT, and ttl modules. |
|
|
||||||
+ +--------+------------+-----------------------------------------------+
|
|
||||||
| | TPROXY | * IPv4 TCP + Linux with TPROXY support. |
|
|
||||||
| | | * IPv4 UDP + Python 3.5 preferred (see below). |
|
|
||||||
| | | * IPv6 TCP + Python 2 may require PyXAPI_ (see below). |
|
|
||||||
| | | * IPv6 UDP + |
|
|
||||||
+-------+--------+------------+-----------------------------------------------+
|
|
||||||
| MacOS | PF | * IPv4 TCP + You need to have the pfctl command. |
|
|
||||||
+-------+--------+------------+-----------------------------------------------+
|
|
||||||
|
|
||||||
.. _PyXAPI: http://www.pps.univ-paris-diderot.fr/~ylg/PyXAPI/
|
|
||||||
|
|
||||||
Server side Requirements
|
|
||||||
------------------------
|
|
||||||
Python 2.7 or Python 3.5.
|
|
||||||
|
|
||||||
|
|
||||||
Additional Suggested Software
|
|
||||||
-----------------------------
|
|
||||||
|
|
||||||
- You may want to use autossh, available in various package management
|
|
||||||
systems
|
|
||||||
|
|
||||||
|
|
||||||
Additional information for TPROXY
|
|
||||||
---------------------------------
|
|
||||||
TPROXY is the only method that supports full support of IPv6 and UDP.
|
|
||||||
|
|
||||||
Full UDP or DNS support with the TPROXY method requires the ``recvmsg()``
|
|
||||||
syscall. This is not available in Python 2, however is in Python 3.5 and
|
|
||||||
later. Under Python 2 you might find it sufficient installing PyXAPI_ to get
|
|
||||||
the ``recvmsg()`` function.
|
|
||||||
|
|
||||||
There are some things you need to consider for TPROXY to work:
|
|
||||||
|
|
||||||
- The following commands need to be run first as root. This only needs to be
|
|
||||||
done once after booting up::
|
|
||||||
|
|
||||||
ip route add local default dev lo table 100
|
|
||||||
ip rule add fwmark 1 lookup 100
|
|
||||||
ip -6 route add local default dev lo table 100
|
|
||||||
ip -6 rule add fwmark 1 lookup 100
|
|
||||||
|
|
||||||
- The ``--auto-nets`` feature does not detect IPv6 routes automatically. Add IPv6
|
|
||||||
routes manually. e.g. by adding ``'::/0'`` to the end of the command line.
|
|
||||||
|
|
||||||
- The client needs to be run as root. e.g.::
|
|
||||||
|
|
||||||
sudo SSH_AUTH_SOCK="$SSH_AUTH_SOCK" $HOME/tree/sshuttle.tproxy/sshuttle --method=tproxy ...
|
|
||||||
|
|
||||||
- You may need to exclude the IP address of the server you are connecting to.
|
|
||||||
Otherwise sshuttle may attempt to intercept the ssh packets, which will not
|
|
||||||
work. Use the ``--exclude`` parameter for this.
|
|
||||||
|
|
||||||
- Similarly, UDP return packets (including DNS) could get intercepted and
|
|
||||||
bounced back. This is the case if you have a broad subnet such as
|
|
||||||
``0.0.0.0/0`` or ``::/0`` that includes the IP address of the client. Use the
|
|
||||||
``--exclude`` parameter for this.
|
|
||||||
|
|
||||||
- You need the ``--method=tproxy`` parameter, as above.
|
|
||||||
|
|
||||||
- The routes for the outgoing packets must already exist. For example, if your
|
|
||||||
connection does not have IPv6 support, no IPv6 routes will exist, IPv6
|
|
||||||
packets will not be generated and sshuttle cannot intercept them::
|
|
||||||
|
|
||||||
telnet -6 www.google.com 80
|
|
||||||
Trying 2404:6800:4001:805::1010...
|
|
||||||
telnet: Unable to connect to remote host: Network is unreachable
|
|
||||||
|
|
||||||
Add some dummy routes to external interfaces. Make sure they get removed
|
|
||||||
however after sshuttle exits.
|
|
||||||
|
|
||||||
|
|
||||||
Obtaining sshuttle
|
Obtaining sshuttle
|
||||||
------------------
|
------------------
|
||||||
|
|
||||||
@ -122,145 +39,9 @@ Obtaining sshuttle
|
|||||||
./setup.py install
|
./setup.py install
|
||||||
|
|
||||||
|
|
||||||
Usage
|
|
||||||
-----
|
|
||||||
|
|
||||||
- Forward all traffic::
|
|
||||||
|
|
||||||
sshuttle -r username@sshserver 0.0.0.0/0
|
|
||||||
|
|
||||||
- By default sshuttle will automatically choose a method to use. Override with
|
|
||||||
the ``--method=`` parameter.
|
|
||||||
|
|
||||||
- There is a shortcut for 0.0.0.0/0 for those that value
|
|
||||||
their wrists::
|
|
||||||
|
|
||||||
sshuttle -r username@sshserver 0/0
|
|
||||||
|
|
||||||
- If you would also like your DNS queries to be proxied
|
|
||||||
through the DNS server of the server you are connect to::
|
|
||||||
|
|
||||||
sshuttle --dns -r username@sshserver 0/0
|
|
||||||
|
|
||||||
The above is probably what you want to use to prevent
|
|
||||||
local network attacks such as Firesheep and friends.
|
|
||||||
|
|
||||||
(You may be prompted for one or more passwords; first, the local password to
|
|
||||||
become root using sudo, and then the remote ssh password. Or you might have
|
|
||||||
sudo and ssh set up to not require passwords, in which case you won't be
|
|
||||||
prompted at all.)
|
|
||||||
|
|
||||||
|
|
||||||
Usage Notes
|
|
||||||
-----------
|
|
||||||
|
|
||||||
That's it! Now your local machine can access the remote network as if you
|
|
||||||
were right there. And if your "client" machine is a router, everyone on
|
|
||||||
your local network can make connections to your remote network.
|
|
||||||
|
|
||||||
You don't need to install sshuttle on the remote server;
|
|
||||||
the remote server just needs to have python available.
|
|
||||||
sshuttle will automatically upload and run its source code
|
|
||||||
to the remote python interpreter.
|
|
||||||
|
|
||||||
This creates a transparent proxy server on your local machine for all IP
|
|
||||||
addresses that match 0.0.0.0/0. (You can use more specific IP addresses if
|
|
||||||
you want; use any number of IP addresses or subnets to change which
|
|
||||||
addresses get proxied. Using 0.0.0.0/0 proxies *everything*, which is
|
|
||||||
interesting if you don't trust the people on your local network.)
|
|
||||||
|
|
||||||
Any TCP session you initiate to one of the proxied IP addresses will be
|
|
||||||
captured by sshuttle and sent over an ssh session to the remote copy of
|
|
||||||
sshuttle, which will then regenerate the connection on that end, and funnel
|
|
||||||
the data back and forth through ssh.
|
|
||||||
|
|
||||||
Fun, right? A poor man's instant VPN, and you don't even have to have
|
|
||||||
admin access on the server.
|
|
||||||
|
|
||||||
|
|
||||||
Support
|
|
||||||
-------
|
|
||||||
|
|
||||||
Mailing list:
|
|
||||||
|
|
||||||
* Subscribe by sending a message to <sshuttle+subscribe@googlegroups.com>
|
|
||||||
* List archives are at: http://groups.google.com/group/sshuttle
|
|
||||||
|
|
||||||
Issue tracker and pull requests at github:
|
|
||||||
|
|
||||||
* https://github.com/sshuttle/sshuttle
|
|
||||||
|
|
||||||
|
|
||||||
Theory of Operation
|
|
||||||
-------------------
|
|
||||||
|
|
||||||
sshuttle is not exactly a VPN, and not exactly port forwarding. It's kind
|
|
||||||
of both, and kind of neither.
|
|
||||||
|
|
||||||
It's like a VPN, since it can forward every port on an entire network, not
|
|
||||||
just ports you specify. Conveniently, it lets you use the "real" IP
|
|
||||||
addresses of each host rather than faking port numbers on localhost.
|
|
||||||
|
|
||||||
On the other hand, the way it *works* is more like ssh port forwarding than
|
|
||||||
a VPN. Normally, a VPN forwards your data one packet at a time, and
|
|
||||||
doesn't care about individual connections; ie. it's "stateless" with respect
|
|
||||||
to the traffic. sshuttle is the opposite of stateless; it tracks every
|
|
||||||
single connection.
|
|
||||||
|
|
||||||
You could compare sshuttle to something like the old `Slirp
|
|
||||||
<http://en.wikipedia.org/wiki/Slirp>`_ program, which was a userspace TCP/IP
|
|
||||||
implementation that did something similar. But it operated on a
|
|
||||||
packet-by-packet basis on the client side, reassembling the packets on the
|
|
||||||
server side. That worked okay back in the "real live serial port" days,
|
|
||||||
because serial ports had predictable latency and buffering.
|
|
||||||
|
|
||||||
But you can't safely just forward TCP packets over a TCP session (like ssh),
|
|
||||||
because TCP's performance depends fundamentally on packet loss; it
|
|
||||||
*must* experience packet loss in order to know when to slow down! At
|
|
||||||
the same time, the outer TCP session (ssh, in this case) is a reliable
|
|
||||||
transport, which means that what you forward through the tunnel *never*
|
|
||||||
experiences packet loss. The ssh session itself experiences packet loss, of
|
|
||||||
course, but TCP fixes it up and ssh (and thus you) never know the
|
|
||||||
difference. But neither does your inner TCP session, and extremely screwy
|
|
||||||
performance ensues.
|
|
||||||
|
|
||||||
sshuttle assembles the TCP stream locally, multiplexes it statefully over
|
|
||||||
an ssh session, and disassembles it back into packets at the other end. So
|
|
||||||
it never ends up doing TCP-over-TCP. It's just data-over-TCP, which is
|
|
||||||
safe.
|
|
||||||
|
|
||||||
|
|
||||||
Useless Trivia
|
|
||||||
--------------
|
|
||||||
This section written by Avery Pennarun <apenwarr@gmail.com>.
|
|
||||||
|
|
||||||
Back in 1998 (12 years ago! Yikes!), I released the first version of `Tunnel
|
|
||||||
Vision <http://alumnit.ca/wiki/?TunnelVisionReadMe>`_, a semi-intelligent VPN
|
|
||||||
client for Linux. Unfortunately, I made two big mistakes: I implemented the
|
|
||||||
key exchange myself (oops), and I ended up doing TCP-over-TCP (double oops).
|
|
||||||
The resulting program worked okay - and people used it for years - but the
|
|
||||||
performance was always a bit funny. And nobody ever found any security flaws
|
|
||||||
in my key exchange, either, but that doesn't mean anything. :)
|
|
||||||
|
|
||||||
The same year, dcoombs and I also released Fast Forward, a proxy server
|
|
||||||
supporting transparent proxying. Among other things, we used it for
|
|
||||||
automatically splitting traffic across more than one Internet connection (a
|
|
||||||
tool we called "Double Vision").
|
|
||||||
|
|
||||||
I was still in university at the time. A couple years after that, one of my
|
|
||||||
professors was working with some graduate students on the technology that would
|
|
||||||
eventually become `Slipstream Internet Acceleration
|
|
||||||
<http://www.slipstream.com/>`_. He asked me to do a contract for him to build
|
|
||||||
an initial prototype of a transparent proxy server for mobile networks. The
|
|
||||||
idea was similar to sshuttle: if you reassemble and then disassemble the TCP
|
|
||||||
packets, you can reduce latency and improve performance vs. just forwarding
|
|
||||||
the packets over a plain VPN or mobile network. (It's unlikely that any of my
|
|
||||||
code has persisted in the Slipstream product today, but the concept is still
|
|
||||||
pretty cool. I'm still horrified that people use plain TCP on complex mobile
|
|
||||||
networks with crazily variable latency, for which it was never really
|
|
||||||
intended.)
|
|
||||||
|
|
||||||
That project I did for Slipstream was what first gave me the idea to merge
|
|
||||||
the concepts of Fast Forward, Double Vision, and Tunnel Vision into a single
|
|
||||||
program that was the best of all worlds. And here we are, at last, 10 years
|
|
||||||
later. You're welcome.
|
|
||||||
|
177
docs/Makefile
Normal file
177
docs/Makefile
Normal file
@ -0,0 +1,177 @@
|
|||||||
|
# Makefile for Sphinx documentation
|
||||||
|
#
|
||||||
|
|
||||||
|
# You can set these variables from the command line.
|
||||||
|
SPHINXOPTS =
|
||||||
|
SPHINXBUILD = sphinx-build
|
||||||
|
PAPER =
|
||||||
|
BUILDDIR = _build
|
||||||
|
|
||||||
|
# User-friendly check for sphinx-build
|
||||||
|
ifeq ($(shell which $(SPHINXBUILD) >/dev/null 2>&1; echo $$?), 1)
|
||||||
|
$(error The '$(SPHINXBUILD)' command was not found. Make sure you have Sphinx installed, then set the SPHINXBUILD environment variable to point to the full path of the '$(SPHINXBUILD)' executable. Alternatively you can add the directory with the executable to your PATH. If you don't have Sphinx installed, grab it from http://sphinx-doc.org/)
|
||||||
|
endif
|
||||||
|
|
||||||
|
# Internal variables.
|
||||||
|
PAPEROPT_a4 = -D latex_paper_size=a4
|
||||||
|
PAPEROPT_letter = -D latex_paper_size=letter
|
||||||
|
ALLSPHINXOPTS = -d $(BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .
|
||||||
|
# the i18n builder cannot share the environment and doctrees with the others
|
||||||
|
I18NSPHINXOPTS = $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) .
|
||||||
|
|
||||||
|
.PHONY: help clean html dirhtml singlehtml pickle json htmlhelp qthelp devhelp epub latex latexpdf text man changes linkcheck doctest gettext
|
||||||
|
|
||||||
|
help:
|
||||||
|
@echo "Please use \`make <target>' where <target> is one of"
|
||||||
|
@echo " html to make standalone HTML files"
|
||||||
|
@echo " dirhtml to make HTML files named index.html in directories"
|
||||||
|
@echo " singlehtml to make a single large HTML file"
|
||||||
|
@echo " pickle to make pickle files"
|
||||||
|
@echo " json to make JSON files"
|
||||||
|
@echo " htmlhelp to make HTML files and a HTML help project"
|
||||||
|
@echo " qthelp to make HTML files and a qthelp project"
|
||||||
|
@echo " devhelp to make HTML files and a Devhelp project"
|
||||||
|
@echo " epub to make an epub"
|
||||||
|
@echo " latex to make LaTeX files, you can set PAPER=a4 or PAPER=letter"
|
||||||
|
@echo " latexpdf to make LaTeX files and run them through pdflatex"
|
||||||
|
@echo " latexpdfja to make LaTeX files and run them through platex/dvipdfmx"
|
||||||
|
@echo " text to make text files"
|
||||||
|
@echo " man to make manual pages"
|
||||||
|
@echo " texinfo to make Texinfo files"
|
||||||
|
@echo " info to make Texinfo files and run them through makeinfo"
|
||||||
|
@echo " gettext to make PO message catalogs"
|
||||||
|
@echo " changes to make an overview of all changed/added/deprecated items"
|
||||||
|
@echo " xml to make Docutils-native XML files"
|
||||||
|
@echo " pseudoxml to make pseudoxml-XML files for display purposes"
|
||||||
|
@echo " linkcheck to check all external links for integrity"
|
||||||
|
@echo " doctest to run all doctests embedded in the documentation (if enabled)"
|
||||||
|
|
||||||
|
clean:
|
||||||
|
rm -rf $(BUILDDIR)/*
|
||||||
|
|
||||||
|
html:
|
||||||
|
$(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html
|
||||||
|
@echo
|
||||||
|
@echo "Build finished. The HTML pages are in $(BUILDDIR)/html."
|
||||||
|
|
||||||
|
dirhtml:
|
||||||
|
$(SPHINXBUILD) -b dirhtml $(ALLSPHINXOPTS) $(BUILDDIR)/dirhtml
|
||||||
|
@echo
|
||||||
|
@echo "Build finished. The HTML pages are in $(BUILDDIR)/dirhtml."
|
||||||
|
|
||||||
|
singlehtml:
|
||||||
|
$(SPHINXBUILD) -b singlehtml $(ALLSPHINXOPTS) $(BUILDDIR)/singlehtml
|
||||||
|
@echo
|
||||||
|
@echo "Build finished. The HTML page is in $(BUILDDIR)/singlehtml."
|
||||||
|
|
||||||
|
pickle:
|
||||||
|
$(SPHINXBUILD) -b pickle $(ALLSPHINXOPTS) $(BUILDDIR)/pickle
|
||||||
|
@echo
|
||||||
|
@echo "Build finished; now you can process the pickle files."
|
||||||
|
|
||||||
|
json:
|
||||||
|
$(SPHINXBUILD) -b json $(ALLSPHINXOPTS) $(BUILDDIR)/json
|
||||||
|
@echo
|
||||||
|
@echo "Build finished; now you can process the JSON files."
|
||||||
|
|
||||||
|
htmlhelp:
|
||||||
|
$(SPHINXBUILD) -b htmlhelp $(ALLSPHINXOPTS) $(BUILDDIR)/htmlhelp
|
||||||
|
@echo
|
||||||
|
@echo "Build finished; now you can run HTML Help Workshop with the" \
|
||||||
|
".hhp project file in $(BUILDDIR)/htmlhelp."
|
||||||
|
|
||||||
|
qthelp:
|
||||||
|
$(SPHINXBUILD) -b qthelp $(ALLSPHINXOPTS) $(BUILDDIR)/qthelp
|
||||||
|
@echo
|
||||||
|
@echo "Build finished; now you can run "qcollectiongenerator" with the" \
|
||||||
|
".qhcp project file in $(BUILDDIR)/qthelp, like this:"
|
||||||
|
@echo "# qcollectiongenerator $(BUILDDIR)/qthelp/sshuttle.qhcp"
|
||||||
|
@echo "To view the help file:"
|
||||||
|
@echo "# assistant -collectionFile $(BUILDDIR)/qthelp/sshuttle.qhc"
|
||||||
|
|
||||||
|
devhelp:
|
||||||
|
$(SPHINXBUILD) -b devhelp $(ALLSPHINXOPTS) $(BUILDDIR)/devhelp
|
||||||
|
@echo
|
||||||
|
@echo "Build finished."
|
||||||
|
@echo "To view the help file:"
|
||||||
|
@echo "# mkdir -p $$HOME/.local/share/devhelp/sshuttle"
|
||||||
|
@echo "# ln -s $(BUILDDIR)/devhelp $$HOME/.local/share/devhelp/sshuttle"
|
||||||
|
@echo "# devhelp"
|
||||||
|
|
||||||
|
epub:
|
||||||
|
$(SPHINXBUILD) -b epub $(ALLSPHINXOPTS) $(BUILDDIR)/epub
|
||||||
|
@echo
|
||||||
|
@echo "Build finished. The epub file is in $(BUILDDIR)/epub."
|
||||||
|
|
||||||
|
latex:
|
||||||
|
$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
|
||||||
|
@echo
|
||||||
|
@echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex."
|
||||||
|
@echo "Run \`make' in that directory to run these through (pdf)latex" \
|
||||||
|
"(use \`make latexpdf' here to do that automatically)."
|
||||||
|
|
||||||
|
latexpdf:
|
||||||
|
$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
|
||||||
|
@echo "Running LaTeX files through pdflatex..."
|
||||||
|
$(MAKE) -C $(BUILDDIR)/latex all-pdf
|
||||||
|
@echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."
|
||||||
|
|
||||||
|
latexpdfja:
|
||||||
|
$(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
|
||||||
|
@echo "Running LaTeX files through platex and dvipdfmx..."
|
||||||
|
$(MAKE) -C $(BUILDDIR)/latex all-pdf-ja
|
||||||
|
@echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."
|
||||||
|
|
||||||
|
text:
|
||||||
|
$(SPHINXBUILD) -b text $(ALLSPHINXOPTS) $(BUILDDIR)/text
|
||||||
|
@echo
|
||||||
|
@echo "Build finished. The text files are in $(BUILDDIR)/text."
|
||||||
|
|
||||||
|
man:
|
||||||
|
$(SPHINXBUILD) -b man $(ALLSPHINXOPTS) $(BUILDDIR)/man
|
||||||
|
@echo
|
||||||
|
@echo "Build finished. The manual pages are in $(BUILDDIR)/man."
|
||||||
|
|
||||||
|
texinfo:
|
||||||
|
$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
|
||||||
|
@echo
|
||||||
|
@echo "Build finished. The Texinfo files are in $(BUILDDIR)/texinfo."
|
||||||
|
@echo "Run \`make' in that directory to run these through makeinfo" \
|
||||||
|
"(use \`make info' here to do that automatically)."
|
||||||
|
|
||||||
|
info:
|
||||||
|
$(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
|
||||||
|
@echo "Running Texinfo files through makeinfo..."
|
||||||
|
make -C $(BUILDDIR)/texinfo info
|
||||||
|
@echo "makeinfo finished; the Info files are in $(BUILDDIR)/texinfo."
|
||||||
|
|
||||||
|
gettext:
|
||||||
|
$(SPHINXBUILD) -b gettext $(I18NSPHINXOPTS) $(BUILDDIR)/locale
|
||||||
|
@echo
|
||||||
|
@echo "Build finished. The message catalogs are in $(BUILDDIR)/locale."
|
||||||
|
|
||||||
|
changes:
|
||||||
|
$(SPHINXBUILD) -b changes $(ALLSPHINXOPTS) $(BUILDDIR)/changes
|
||||||
|
@echo
|
||||||
|
@echo "The overview file is in $(BUILDDIR)/changes."
|
||||||
|
|
||||||
|
linkcheck:
|
||||||
|
$(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck
|
||||||
|
@echo
|
||||||
|
@echo "Link check complete; look for any errors in the above output " \
|
||||||
|
"or in $(BUILDDIR)/linkcheck/output.txt."
|
||||||
|
|
||||||
|
doctest:
|
||||||
|
$(SPHINXBUILD) -b doctest $(ALLSPHINXOPTS) $(BUILDDIR)/doctest
|
||||||
|
@echo "Testing of doctests in the sources finished, look at the " \
|
||||||
|
"results in $(BUILDDIR)/doctest/output.txt."
|
||||||
|
|
||||||
|
xml:
|
||||||
|
$(SPHINXBUILD) -b xml $(ALLSPHINXOPTS) $(BUILDDIR)/xml
|
||||||
|
@echo
|
||||||
|
@echo "Build finished. The XML files are in $(BUILDDIR)/xml."
|
||||||
|
|
||||||
|
pseudoxml:
|
||||||
|
$(SPHINXBUILD) -b pseudoxml $(ALLSPHINXOPTS) $(BUILDDIR)/pseudoxml
|
||||||
|
@echo
|
||||||
|
@echo "Build finished. The pseudo-XML files are in $(BUILDDIR)/pseudoxml."
|
261
docs/conf.py
Normal file
261
docs/conf.py
Normal file
@ -0,0 +1,261 @@
|
|||||||
|
#!/usr/bin/env python3
|
||||||
|
# -*- coding: utf-8 -*-
|
||||||
|
#
|
||||||
|
# sshuttle documentation build configuration file, created by
|
||||||
|
# sphinx-quickstart on Sun Jan 17 12:13:47 2016.
|
||||||
|
#
|
||||||
|
# This file is execfile()d with the current directory set to its
|
||||||
|
# containing dir.
|
||||||
|
#
|
||||||
|
# Note that not all possible configuration values are present in this
|
||||||
|
# autogenerated file.
|
||||||
|
#
|
||||||
|
# All configuration values have a default; values that are commented out
|
||||||
|
# serve to show the default.
|
||||||
|
|
||||||
|
# import sys
|
||||||
|
# import os
|
||||||
|
|
||||||
|
# If extensions (or modules to document with autodoc) are in another directory,
|
||||||
|
# add these directories to sys.path here. If the directory is relative to the
|
||||||
|
# documentation root, use os.path.abspath to make it absolute, like shown here.
|
||||||
|
# sys.path.insert(0, os.path.abspath('.'))
|
||||||
|
|
||||||
|
# -- General configuration ------------------------------------------------
|
||||||
|
|
||||||
|
# If your documentation needs a minimal Sphinx version, state it here.
|
||||||
|
# needs_sphinx = '1.0'
|
||||||
|
|
||||||
|
# Add any Sphinx extension module names here, as strings. They can be
|
||||||
|
# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
|
||||||
|
# ones.
|
||||||
|
extensions = [
|
||||||
|
'sphinx.ext.todo',
|
||||||
|
'sphinx.ext.coverage',
|
||||||
|
]
|
||||||
|
|
||||||
|
# Add any paths that contain templates here, relative to this directory.
|
||||||
|
templates_path = ['_templates']
|
||||||
|
|
||||||
|
# The suffix of source filenames.
|
||||||
|
source_suffix = '.rst'
|
||||||
|
|
||||||
|
# The encoding of source files.
|
||||||
|
# source_encoding = 'utf-8-sig'
|
||||||
|
|
||||||
|
# The master toctree document.
|
||||||
|
master_doc = 'index'
|
||||||
|
|
||||||
|
# General information about the project.
|
||||||
|
project = 'sshuttle'
|
||||||
|
copyright = '2016, Brian May'
|
||||||
|
|
||||||
|
# The version info for the project you're documenting, acts as replacement for
|
||||||
|
# |version| and |release|, also used in various other places throughout the
|
||||||
|
# built documents.
|
||||||
|
#
|
||||||
|
# The short X.Y version.
|
||||||
|
from setuptools_scm import get_version
|
||||||
|
version = get_version(root="..")
|
||||||
|
# The full version, including alpha/beta/rc tags.
|
||||||
|
release = version
|
||||||
|
|
||||||
|
# The language for content autogenerated by Sphinx. Refer to documentation
|
||||||
|
# for a list of supported languages.
|
||||||
|
# language = None
|
||||||
|
|
||||||
|
# There are two options for replacing |today|: either, you set today to some
|
||||||
|
# non-false value, then it is used:
|
||||||
|
# today = ''
|
||||||
|
# Else, today_fmt is used as the format for a strftime call.
|
||||||
|
# today_fmt = '%B %d, %Y'
|
||||||
|
|
||||||
|
# List of patterns, relative to source directory, that match files and
|
||||||
|
# directories to ignore when looking for source files.
|
||||||
|
exclude_patterns = ['_build']
|
||||||
|
|
||||||
|
# The reST default role (used for this markup: `text`) to use for all
|
||||||
|
# documents.
|
||||||
|
# default_role = None
|
||||||
|
|
||||||
|
# If true, '()' will be appended to :func: etc. cross-reference text.
|
||||||
|
# add_function_parentheses = True
|
||||||
|
|
||||||
|
# If true, the current module name will be prepended to all description
|
||||||
|
# unit titles (such as .. function::).
|
||||||
|
# add_module_names = True
|
||||||
|
|
||||||
|
# If true, sectionauthor and moduleauthor directives will be shown in the
|
||||||
|
# output. They are ignored by default.
|
||||||
|
# show_authors = False
|
||||||
|
|
||||||
|
# The name of the Pygments (syntax highlighting) style to use.
|
||||||
|
pygments_style = 'sphinx'
|
||||||
|
|
||||||
|
# A list of ignored prefixes for module index sorting.
|
||||||
|
# modindex_common_prefix = []
|
||||||
|
|
||||||
|
# If true, keep warnings as "system message" paragraphs in the built documents.
|
||||||
|
# keep_warnings = False
|
||||||
|
|
||||||
|
|
||||||
|
# -- Options for HTML output ----------------------------------------------
|
||||||
|
|
||||||
|
# The theme to use for HTML and HTML Help pages. See the documentation for
|
||||||
|
# a list of builtin themes.
|
||||||
|
html_theme = 'default'
|
||||||
|
|
||||||
|
# Theme options are theme-specific and customize the look and feel of a theme
|
||||||
|
# further. For a list of options available for each theme, see the
|
||||||
|
# documentation.
|
||||||
|
# html_theme_options = {}
|
||||||
|
|
||||||
|
# Add any paths that contain custom themes here, relative to this directory.
|
||||||
|
# html_theme_path = []
|
||||||
|
|
||||||
|
# The name for this set of Sphinx documents. If None, it defaults to
|
||||||
|
# "<project> v<release> documentation".
|
||||||
|
# html_title = None
|
||||||
|
|
||||||
|
# A shorter title for the navigation bar. Default is the same as html_title.
|
||||||
|
# html_short_title = None
|
||||||
|
|
||||||
|
# The name of an image file (relative to this directory) to place at the top
|
||||||
|
# of the sidebar.
|
||||||
|
# html_logo = None
|
||||||
|
|
||||||
|
# The name of an image file (within the static path) to use as favicon of the
|
||||||
|
# docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32
|
||||||
|
# pixels large.
|
||||||
|
# html_favicon = None
|
||||||
|
|
||||||
|
# Add any paths that contain custom static files (such as style sheets) here,
|
||||||
|
# relative to this directory. They are copied after the builtin static files,
|
||||||
|
# so a file named "default.css" will overwrite the builtin "default.css".
|
||||||
|
html_static_path = ['_static']
|
||||||
|
|
||||||
|
# Add any extra paths that contain custom files (such as robots.txt or
|
||||||
|
# .htaccess) here, relative to this directory. These files are copied
|
||||||
|
# directly to the root of the documentation.
|
||||||
|
# html_extra_path = []
|
||||||
|
|
||||||
|
# If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
|
||||||
|
# using the given strftime format.
|
||||||
|
# html_last_updated_fmt = '%b %d, %Y'
|
||||||
|
|
||||||
|
# If true, SmartyPants will be used to convert quotes and dashes to
|
||||||
|
# typographically correct entities.
|
||||||
|
# html_use_smartypants = True
|
||||||
|
|
||||||
|
# Custom sidebar templates, maps document names to template names.
|
||||||
|
# html_sidebars = {}
|
||||||
|
|
||||||
|
# Additional templates that should be rendered to pages, maps page names to
|
||||||
|
# template names.
|
||||||
|
# html_additional_pages = {}
|
||||||
|
|
||||||
|
# If false, no module index is generated.
|
||||||
|
# html_domain_indices = True
|
||||||
|
|
||||||
|
# If false, no index is generated.
|
||||||
|
# html_use_index = True
|
||||||
|
|
||||||
|
# If true, the index is split into individual pages for each letter.
|
||||||
|
# html_split_index = False
|
||||||
|
|
||||||
|
# If true, links to the reST sources are added to the pages.
|
||||||
|
# html_show_sourcelink = True
|
||||||
|
|
||||||
|
# If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
|
||||||
|
# html_show_sphinx = True
|
||||||
|
|
||||||
|
# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.
|
||||||
|
# html_show_copyright = True
|
||||||
|
|
||||||
|
# If true, an OpenSearch description file will be output, and all pages will
|
||||||
|
# contain a <link> tag referring to it. The value of this option must be the
|
||||||
|
# base URL from which the finished HTML is served.
|
||||||
|
# html_use_opensearch = ''
|
||||||
|
|
||||||
|
# This is the file name suffix for HTML files (e.g. ".xhtml").
|
||||||
|
# html_file_suffix = None
|
||||||
|
|
||||||
|
# Output file base name for HTML help builder.
|
||||||
|
htmlhelp_basename = 'sshuttledoc'
|
||||||
|
|
||||||
|
|
||||||
|
# -- Options for LaTeX output ---------------------------------------------
|
||||||
|
|
||||||
|
latex_elements = {
|
||||||
|
# The paper size ('letterpaper' or 'a4paper').
|
||||||
|
# 'papersize': 'letterpaper',
|
||||||
|
|
||||||
|
# The font size ('10pt', '11pt' or '12pt').
|
||||||
|
# 'pointsize': '10pt',
|
||||||
|
|
||||||
|
# Additional stuff for the LaTeX preamble.
|
||||||
|
# 'preamble': '',
|
||||||
|
}
|
||||||
|
|
||||||
|
# Grouping the document tree into LaTeX files. List of tuples
|
||||||
|
# (source start file, target name, title,
|
||||||
|
# author, documentclass [howto, manual, or own class]).
|
||||||
|
latex_documents = [
|
||||||
|
('index', 'sshuttle.tex', 'sshuttle documentation', 'Brian May', 'manual'),
|
||||||
|
]
|
||||||
|
|
||||||
|
# The name of an image file (relative to this directory) to place at the top of
|
||||||
|
# the title page.
|
||||||
|
# latex_logo = None
|
||||||
|
|
||||||
|
# For "manual" documents, if this is true, then toplevel headings are parts,
|
||||||
|
# not chapters.
|
||||||
|
# latex_use_parts = False
|
||||||
|
|
||||||
|
# If true, show page references after internal links.
|
||||||
|
# latex_show_pagerefs = False
|
||||||
|
|
||||||
|
# If true, show URL addresses after external links.
|
||||||
|
# latex_show_urls = False
|
||||||
|
|
||||||
|
# Documents to append as an appendix to all manuals.
|
||||||
|
# latex_appendices = []
|
||||||
|
|
||||||
|
# If false, no module index is generated.
|
||||||
|
# latex_domain_indices = True
|
||||||
|
|
||||||
|
|
||||||
|
# -- Options for manual page output ---------------------------------------
|
||||||
|
|
||||||
|
# One entry per manual page. List of tuples
|
||||||
|
# (source start file, name, description, authors, manual section).
|
||||||
|
man_pages = [
|
||||||
|
('manpage', 'sshuttle', 'sshuttle documentation', ['Brian May'], 1)
|
||||||
|
]
|
||||||
|
|
||||||
|
# If true, show URL addresses after external links.
|
||||||
|
# man_show_urls = False
|
||||||
|
|
||||||
|
|
||||||
|
# -- Options for Texinfo output -------------------------------------------
|
||||||
|
|
||||||
|
# Grouping the document tree into Texinfo files. List of tuples
|
||||||
|
# (source start file, target name, title, author,
|
||||||
|
# dir menu entry, description, category)
|
||||||
|
texinfo_documents = [
|
||||||
|
('index', 'sshuttle', 'sshuttle documentation',
|
||||||
|
'Brian May', 'sshuttle', 'A transparent proxy-based VPN using ssh',
|
||||||
|
'Miscellaneous'),
|
||||||
|
]
|
||||||
|
|
||||||
|
# Documents to append as an appendix to all manuals.
|
||||||
|
# texinfo_appendices = []
|
||||||
|
|
||||||
|
# If false, no module index is generated.
|
||||||
|
# texinfo_domain_indices = True
|
||||||
|
|
||||||
|
# How to display URL addresses: 'footnote', 'no', or 'inline'.
|
||||||
|
# texinfo_show_urls = 'footnote'
|
||||||
|
|
||||||
|
# If true, do not generate a @detailmenu in the "Top" node's menu.
|
||||||
|
# texinfo_no_detailmenu = False
|
37
docs/how-it-works.rst
Normal file
37
docs/how-it-works.rst
Normal file
@ -0,0 +1,37 @@
|
|||||||
|
How it works
|
||||||
|
============
|
||||||
|
sshuttle is not exactly a VPN, and not exactly port forwarding. It's kind
|
||||||
|
of both, and kind of neither.
|
||||||
|
|
||||||
|
It's like a VPN, since it can forward every port on an entire network, not
|
||||||
|
just ports you specify. Conveniently, it lets you use the "real" IP
|
||||||
|
addresses of each host rather than faking port numbers on localhost.
|
||||||
|
|
||||||
|
On the other hand, the way it *works* is more like ssh port forwarding than
|
||||||
|
a VPN. Normally, a VPN forwards your data one packet at a time, and
|
||||||
|
doesn't care about individual connections; ie. it's "stateless" with respect
|
||||||
|
to the traffic. sshuttle is the opposite of stateless; it tracks every
|
||||||
|
single connection.
|
||||||
|
|
||||||
|
You could compare sshuttle to something like the old `Slirp
|
||||||
|
<http://en.wikipedia.org/wiki/Slirp>`_ program, which was a userspace TCP/IP
|
||||||
|
implementation that did something similar. But it operated on a
|
||||||
|
packet-by-packet basis on the client side, reassembling the packets on the
|
||||||
|
server side. That worked okay back in the "real live serial port" days,
|
||||||
|
because serial ports had predictable latency and buffering.
|
||||||
|
|
||||||
|
But you can't safely just forward TCP packets over a TCP session (like ssh),
|
||||||
|
because TCP's performance depends fundamentally on packet loss; it
|
||||||
|
*must* experience packet loss in order to know when to slow down! At
|
||||||
|
the same time, the outer TCP session (ssh, in this case) is a reliable
|
||||||
|
transport, which means that what you forward through the tunnel *never*
|
||||||
|
experiences packet loss. The ssh session itself experiences packet loss, of
|
||||||
|
course, but TCP fixes it up and ssh (and thus you) never know the
|
||||||
|
difference. But neither does your inner TCP session, and extremely screwy
|
||||||
|
performance ensues.
|
||||||
|
|
||||||
|
sshuttle assembles the TCP stream locally, multiplexes it statefully over
|
||||||
|
an ssh session, and disassembles it back into packets at the other end. So
|
||||||
|
it never ends up doing TCP-over-TCP. It's just data-over-TCP, which is
|
||||||
|
safe.
|
||||||
|
|
24
docs/index.rst
Normal file
24
docs/index.rst
Normal file
@ -0,0 +1,24 @@
|
|||||||
|
sshuttle: where transparent proxy meets VPN meets ssh
|
||||||
|
=====================================================
|
||||||
|
|
||||||
|
Contents:
|
||||||
|
|
||||||
|
.. toctree::
|
||||||
|
:maxdepth: 2
|
||||||
|
|
||||||
|
overview
|
||||||
|
requirements
|
||||||
|
installation
|
||||||
|
usage
|
||||||
|
Manpage <manpage>
|
||||||
|
how-it-works
|
||||||
|
support
|
||||||
|
trivia
|
||||||
|
|
||||||
|
|
||||||
|
Indices and tables
|
||||||
|
==================
|
||||||
|
|
||||||
|
* :ref:`genindex`
|
||||||
|
* :ref:`search`
|
||||||
|
|
11
docs/installation.rst
Normal file
11
docs/installation.rst
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
Installation
|
||||||
|
============
|
||||||
|
|
||||||
|
- From PyPI::
|
||||||
|
|
||||||
|
pip install sshuttle
|
||||||
|
|
||||||
|
- Clone::
|
||||||
|
|
||||||
|
git clone https://github.com/sshuttle/sshuttle.git
|
||||||
|
./setup.py install
|
242
docs/make.bat
Normal file
242
docs/make.bat
Normal file
@ -0,0 +1,242 @@
|
|||||||
|
@ECHO OFF
|
||||||
|
|
||||||
|
REM Command file for Sphinx documentation
|
||||||
|
|
||||||
|
if "%SPHINXBUILD%" == "" (
|
||||||
|
set SPHINXBUILD=sphinx-build
|
||||||
|
)
|
||||||
|
set BUILDDIR=_build
|
||||||
|
set ALLSPHINXOPTS=-d %BUILDDIR%/doctrees %SPHINXOPTS% .
|
||||||
|
set I18NSPHINXOPTS=%SPHINXOPTS% .
|
||||||
|
if NOT "%PAPER%" == "" (
|
||||||
|
set ALLSPHINXOPTS=-D latex_paper_size=%PAPER% %ALLSPHINXOPTS%
|
||||||
|
set I18NSPHINXOPTS=-D latex_paper_size=%PAPER% %I18NSPHINXOPTS%
|
||||||
|
)
|
||||||
|
|
||||||
|
if "%1" == "" goto help
|
||||||
|
|
||||||
|
if "%1" == "help" (
|
||||||
|
:help
|
||||||
|
echo.Please use `make ^<target^>` where ^<target^> is one of
|
||||||
|
echo. html to make standalone HTML files
|
||||||
|
echo. dirhtml to make HTML files named index.html in directories
|
||||||
|
echo. singlehtml to make a single large HTML file
|
||||||
|
echo. pickle to make pickle files
|
||||||
|
echo. json to make JSON files
|
||||||
|
echo. htmlhelp to make HTML files and a HTML help project
|
||||||
|
echo. qthelp to make HTML files and a qthelp project
|
||||||
|
echo. devhelp to make HTML files and a Devhelp project
|
||||||
|
echo. epub to make an epub
|
||||||
|
echo. latex to make LaTeX files, you can set PAPER=a4 or PAPER=letter
|
||||||
|
echo. text to make text files
|
||||||
|
echo. man to make manual pages
|
||||||
|
echo. texinfo to make Texinfo files
|
||||||
|
echo. gettext to make PO message catalogs
|
||||||
|
echo. changes to make an overview over all changed/added/deprecated items
|
||||||
|
echo. xml to make Docutils-native XML files
|
||||||
|
echo. pseudoxml to make pseudoxml-XML files for display purposes
|
||||||
|
echo. linkcheck to check all external links for integrity
|
||||||
|
echo. doctest to run all doctests embedded in the documentation if enabled
|
||||||
|
goto end
|
||||||
|
)
|
||||||
|
|
||||||
|
if "%1" == "clean" (
|
||||||
|
for /d %%i in (%BUILDDIR%\*) do rmdir /q /s %%i
|
||||||
|
del /q /s %BUILDDIR%\*
|
||||||
|
goto end
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
%SPHINXBUILD% 2> nul
|
||||||
|
if errorlevel 9009 (
|
||||||
|
echo.
|
||||||
|
echo.The 'sphinx-build' command was not found. Make sure you have Sphinx
|
||||||
|
echo.installed, then set the SPHINXBUILD environment variable to point
|
||||||
|
echo.to the full path of the 'sphinx-build' executable. Alternatively you
|
||||||
|
echo.may add the Sphinx directory to PATH.
|
||||||
|
echo.
|
||||||
|
echo.If you don't have Sphinx installed, grab it from
|
||||||
|
echo.http://sphinx-doc.org/
|
||||||
|
exit /b 1
|
||||||
|
)
|
||||||
|
|
||||||
|
if "%1" == "html" (
|
||||||
|
%SPHINXBUILD% -b html %ALLSPHINXOPTS% %BUILDDIR%/html
|
||||||
|
if errorlevel 1 exit /b 1
|
||||||
|
echo.
|
||||||
|
echo.Build finished. The HTML pages are in %BUILDDIR%/html.
|
||||||
|
goto end
|
||||||
|
)
|
||||||
|
|
||||||
|
if "%1" == "dirhtml" (
|
||||||
|
%SPHINXBUILD% -b dirhtml %ALLSPHINXOPTS% %BUILDDIR%/dirhtml
|
||||||
|
if errorlevel 1 exit /b 1
|
||||||
|
echo.
|
||||||
|
echo.Build finished. The HTML pages are in %BUILDDIR%/dirhtml.
|
||||||
|
goto end
|
||||||
|
)
|
||||||
|
|
||||||
|
if "%1" == "singlehtml" (
|
||||||
|
%SPHINXBUILD% -b singlehtml %ALLSPHINXOPTS% %BUILDDIR%/singlehtml
|
||||||
|
if errorlevel 1 exit /b 1
|
||||||
|
echo.
|
||||||
|
echo.Build finished. The HTML pages are in %BUILDDIR%/singlehtml.
|
||||||
|
goto end
|
||||||
|
)
|
||||||
|
|
||||||
|
if "%1" == "pickle" (
|
||||||
|
%SPHINXBUILD% -b pickle %ALLSPHINXOPTS% %BUILDDIR%/pickle
|
||||||
|
if errorlevel 1 exit /b 1
|
||||||
|
echo.
|
||||||
|
echo.Build finished; now you can process the pickle files.
|
||||||
|
goto end
|
||||||
|
)
|
||||||
|
|
||||||
|
if "%1" == "json" (
|
||||||
|
%SPHINXBUILD% -b json %ALLSPHINXOPTS% %BUILDDIR%/json
|
||||||
|
if errorlevel 1 exit /b 1
|
||||||
|
echo.
|
||||||
|
echo.Build finished; now you can process the JSON files.
|
||||||
|
goto end
|
||||||
|
)
|
||||||
|
|
||||||
|
if "%1" == "htmlhelp" (
|
||||||
|
%SPHINXBUILD% -b htmlhelp %ALLSPHINXOPTS% %BUILDDIR%/htmlhelp
|
||||||
|
if errorlevel 1 exit /b 1
|
||||||
|
echo.
|
||||||
|
echo.Build finished; now you can run HTML Help Workshop with the ^
|
||||||
|
.hhp project file in %BUILDDIR%/htmlhelp.
|
||||||
|
goto end
|
||||||
|
)
|
||||||
|
|
||||||
|
if "%1" == "qthelp" (
|
||||||
|
%SPHINXBUILD% -b qthelp %ALLSPHINXOPTS% %BUILDDIR%/qthelp
|
||||||
|
if errorlevel 1 exit /b 1
|
||||||
|
echo.
|
||||||
|
echo.Build finished; now you can run "qcollectiongenerator" with the ^
|
||||||
|
.qhcp project file in %BUILDDIR%/qthelp, like this:
|
||||||
|
echo.^> qcollectiongenerator %BUILDDIR%\qthelp\sshuttle.qhcp
|
||||||
|
echo.To view the help file:
|
||||||
|
echo.^> assistant -collectionFile %BUILDDIR%\qthelp\sshuttle.ghc
|
||||||
|
goto end
|
||||||
|
)
|
||||||
|
|
||||||
|
if "%1" == "devhelp" (
|
||||||
|
%SPHINXBUILD% -b devhelp %ALLSPHINXOPTS% %BUILDDIR%/devhelp
|
||||||
|
if errorlevel 1 exit /b 1
|
||||||
|
echo.
|
||||||
|
echo.Build finished.
|
||||||
|
goto end
|
||||||
|
)
|
||||||
|
|
||||||
|
if "%1" == "epub" (
|
||||||
|
%SPHINXBUILD% -b epub %ALLSPHINXOPTS% %BUILDDIR%/epub
|
||||||
|
if errorlevel 1 exit /b 1
|
||||||
|
echo.
|
||||||
|
echo.Build finished. The epub file is in %BUILDDIR%/epub.
|
||||||
|
goto end
|
||||||
|
)
|
||||||
|
|
||||||
|
if "%1" == "latex" (
|
||||||
|
%SPHINXBUILD% -b latex %ALLSPHINXOPTS% %BUILDDIR%/latex
|
||||||
|
if errorlevel 1 exit /b 1
|
||||||
|
echo.
|
||||||
|
echo.Build finished; the LaTeX files are in %BUILDDIR%/latex.
|
||||||
|
goto end
|
||||||
|
)
|
||||||
|
|
||||||
|
if "%1" == "latexpdf" (
|
||||||
|
%SPHINXBUILD% -b latex %ALLSPHINXOPTS% %BUILDDIR%/latex
|
||||||
|
cd %BUILDDIR%/latex
|
||||||
|
make all-pdf
|
||||||
|
cd %BUILDDIR%/..
|
||||||
|
echo.
|
||||||
|
echo.Build finished; the PDF files are in %BUILDDIR%/latex.
|
||||||
|
goto end
|
||||||
|
)
|
||||||
|
|
||||||
|
if "%1" == "latexpdfja" (
|
||||||
|
%SPHINXBUILD% -b latex %ALLSPHINXOPTS% %BUILDDIR%/latex
|
||||||
|
cd %BUILDDIR%/latex
|
||||||
|
make all-pdf-ja
|
||||||
|
cd %BUILDDIR%/..
|
||||||
|
echo.
|
||||||
|
echo.Build finished; the PDF files are in %BUILDDIR%/latex.
|
||||||
|
goto end
|
||||||
|
)
|
||||||
|
|
||||||
|
if "%1" == "text" (
|
||||||
|
%SPHINXBUILD% -b text %ALLSPHINXOPTS% %BUILDDIR%/text
|
||||||
|
if errorlevel 1 exit /b 1
|
||||||
|
echo.
|
||||||
|
echo.Build finished. The text files are in %BUILDDIR%/text.
|
||||||
|
goto end
|
||||||
|
)
|
||||||
|
|
||||||
|
if "%1" == "man" (
|
||||||
|
%SPHINXBUILD% -b man %ALLSPHINXOPTS% %BUILDDIR%/man
|
||||||
|
if errorlevel 1 exit /b 1
|
||||||
|
echo.
|
||||||
|
echo.Build finished. The manual pages are in %BUILDDIR%/man.
|
||||||
|
goto end
|
||||||
|
)
|
||||||
|
|
||||||
|
if "%1" == "texinfo" (
|
||||||
|
%SPHINXBUILD% -b texinfo %ALLSPHINXOPTS% %BUILDDIR%/texinfo
|
||||||
|
if errorlevel 1 exit /b 1
|
||||||
|
echo.
|
||||||
|
echo.Build finished. The Texinfo files are in %BUILDDIR%/texinfo.
|
||||||
|
goto end
|
||||||
|
)
|
||||||
|
|
||||||
|
if "%1" == "gettext" (
|
||||||
|
%SPHINXBUILD% -b gettext %I18NSPHINXOPTS% %BUILDDIR%/locale
|
||||||
|
if errorlevel 1 exit /b 1
|
||||||
|
echo.
|
||||||
|
echo.Build finished. The message catalogs are in %BUILDDIR%/locale.
|
||||||
|
goto end
|
||||||
|
)
|
||||||
|
|
||||||
|
if "%1" == "changes" (
|
||||||
|
%SPHINXBUILD% -b changes %ALLSPHINXOPTS% %BUILDDIR%/changes
|
||||||
|
if errorlevel 1 exit /b 1
|
||||||
|
echo.
|
||||||
|
echo.The overview file is in %BUILDDIR%/changes.
|
||||||
|
goto end
|
||||||
|
)
|
||||||
|
|
||||||
|
if "%1" == "linkcheck" (
|
||||||
|
%SPHINXBUILD% -b linkcheck %ALLSPHINXOPTS% %BUILDDIR%/linkcheck
|
||||||
|
if errorlevel 1 exit /b 1
|
||||||
|
echo.
|
||||||
|
echo.Link check complete; look for any errors in the above output ^
|
||||||
|
or in %BUILDDIR%/linkcheck/output.txt.
|
||||||
|
goto end
|
||||||
|
)
|
||||||
|
|
||||||
|
if "%1" == "doctest" (
|
||||||
|
%SPHINXBUILD% -b doctest %ALLSPHINXOPTS% %BUILDDIR%/doctest
|
||||||
|
if errorlevel 1 exit /b 1
|
||||||
|
echo.
|
||||||
|
echo.Testing of doctests in the sources finished, look at the ^
|
||||||
|
results in %BUILDDIR%/doctest/output.txt.
|
||||||
|
goto end
|
||||||
|
)
|
||||||
|
|
||||||
|
if "%1" == "xml" (
|
||||||
|
%SPHINXBUILD% -b xml %ALLSPHINXOPTS% %BUILDDIR%/xml
|
||||||
|
if errorlevel 1 exit /b 1
|
||||||
|
echo.
|
||||||
|
echo.Build finished. The XML files are in %BUILDDIR%/xml.
|
||||||
|
goto end
|
||||||
|
)
|
||||||
|
|
||||||
|
if "%1" == "pseudoxml" (
|
||||||
|
%SPHINXBUILD% -b pseudoxml %ALLSPHINXOPTS% %BUILDDIR%/pseudoxml
|
||||||
|
if errorlevel 1 exit /b 1
|
||||||
|
echo.
|
||||||
|
echo.Build finished. The pseudo-XML files are in %BUILDDIR%/pseudoxml.
|
||||||
|
goto end
|
||||||
|
)
|
||||||
|
|
||||||
|
:end
|
@ -1,171 +1,187 @@
|
|||||||
% sshuttle(8) Sshuttle 0.46
|
sshuttle
|
||||||
% Avery Pennarun <apenwarr@gmail.com>
|
========
|
||||||
% 2011-01-25
|
|
||||||
|
|
||||||
# NAME
|
|
||||||
|
|
||||||
sshuttle - a transparent proxy-based VPN using ssh
|
|
||||||
|
|
||||||
# SYNOPSIS
|
|
||||||
|
|
||||||
sshuttle [options...] [-r [username@]sshserver[:port]] \<subnets...\>
|
|
||||||
|
|
||||||
|
|
||||||
# DESCRIPTION
|
Synopsis
|
||||||
|
--------
|
||||||
|
**sshuttle** [*options*] [**-r** *[username@]sshserver[:port]*] \<*subnets* ...\>
|
||||||
|
|
||||||
sshuttle allows you to create a VPN connection from your
|
|
||||||
|
Description
|
||||||
|
-----------
|
||||||
|
:program:`sshuttle` allows you to create a VPN connection from your
|
||||||
machine to any remote server that you can connect to via
|
machine to any remote server that you can connect to via
|
||||||
ssh, as long as that server has python 2.3 or higher.
|
ssh, as long as that server has python 2.3 or higher.
|
||||||
|
|
||||||
To work, you must have root access on the local machine,
|
To work, you must have root access on the local machine,
|
||||||
but you can have a normal account on the server.
|
but you can have a normal account on the server.
|
||||||
|
|
||||||
It's valid to run sshuttle more than once simultaneously on
|
It's valid to run :program:`sshuttle` more than once simultaneously on
|
||||||
a single client machine, connecting to a different server
|
a single client machine, connecting to a different server
|
||||||
every time, so you can be on more than one VPN at once.
|
every time, so you can be on more than one VPN at once.
|
||||||
|
|
||||||
If run on a router, sshuttle can forward traffic for your
|
If run on a router, :program:`sshuttle` can forward traffic for your
|
||||||
entire subnet to the VPN.
|
entire subnet to the VPN.
|
||||||
|
|
||||||
|
|
||||||
# OPTIONS
|
Options
|
||||||
|
-------
|
||||||
|
.. program:: sshuttle
|
||||||
|
|
||||||
\<subnets...\>
|
.. option:: subnets
|
||||||
: a list of subnets to route over the VPN, in the form
|
|
||||||
`a.b.c.d[/width]`. Valid examples are 1.2.3.4 (a
|
A list of subnets to route over the VPN, in the form
|
||||||
|
``a.b.c.d[/width]``. Valid examples are 1.2.3.4 (a
|
||||||
single IP address), 1.2.3.4/32 (equivalent to 1.2.3.4),
|
single IP address), 1.2.3.4/32 (equivalent to 1.2.3.4),
|
||||||
1.2.3.0/24 (a 24-bit subnet, ie. with a 255.255.255.0
|
1.2.3.0/24 (a 24-bit subnet, ie. with a 255.255.255.0
|
||||||
netmask), and 0/0 ('just route everything through the
|
netmask), and 0/0 ('just route everything through the
|
||||||
VPN').
|
VPN').
|
||||||
|
|
||||||
-l, --listen=*[ip:]port*
|
.. option:: -l, --listen=[ip:]port
|
||||||
: use this ip address and port number as the transparent
|
|
||||||
proxy port. By default sshuttle finds an available
|
Use this ip address and port number as the transparent
|
||||||
|
proxy port. By default :program:`sshuttle` finds an available
|
||||||
port automatically and listens on IP 127.0.0.1
|
port automatically and listens on IP 127.0.0.1
|
||||||
(localhost), so you don't need to override it, and
|
(localhost), so you don't need to override it, and
|
||||||
connections are only proxied from the local machine,
|
connections are only proxied from the local machine,
|
||||||
not from outside machines. If you want to accept
|
not from outside machines. If you want to accept
|
||||||
connections from other machines on your network (ie. to
|
connections from other machines on your network (ie. to
|
||||||
run sshuttle on a router) try enabling IP Forwarding in
|
run :program:`sshuttle` on a router) try enabling IP Forwarding in
|
||||||
your kernel, then using `--listen 0.0.0.0:0`.
|
your kernel, then using ``--listen 0.0.0.0:0``.
|
||||||
|
|
||||||
-H, --auto-hosts
|
.. option:: -H, --auto-hosts
|
||||||
: scan for remote hostnames and update the local /etc/hosts
|
|
||||||
|
Scan for remote hostnames and update the local /etc/hosts
|
||||||
file with matching entries for as long as the VPN is
|
file with matching entries for as long as the VPN is
|
||||||
open. This is nicer than changing your system's DNS
|
open. This is nicer than changing your system's DNS
|
||||||
(/etc/resolv.conf) settings, for several reasons. First,
|
(/etc/resolv.conf) settings, for several reasons. First,
|
||||||
hostnames are added without domain names attached, so
|
hostnames are added without domain names attached, so
|
||||||
you can `ssh thatserver` without worrying if your local
|
you can ``ssh thatserver`` without worrying if your local
|
||||||
domain matches the remote one. Second, if you sshuttle
|
domain matches the remote one. Second, if you :program:`sshuttle`
|
||||||
into more than one VPN at a time, it's impossible to
|
into more than one VPN at a time, it's impossible to
|
||||||
use more than one DNS server at once anyway, but
|
use more than one DNS server at once anyway, but
|
||||||
sshuttle correctly merges /etc/hosts entries between
|
:program:`sshuttle` correctly merges /etc/hosts entries between
|
||||||
all running copies. Third, if you're only routing a
|
all running copies. Third, if you're only routing a
|
||||||
few subnets over the VPN, you probably would prefer to
|
few subnets over the VPN, you probably would prefer to
|
||||||
keep using your local DNS server for everything else.
|
keep using your local DNS server for everything else.
|
||||||
|
|
||||||
-N, --auto-nets
|
.. option:: -N, --auto-nets
|
||||||
: in addition to the subnets provided on the command
|
|
||||||
|
In addition to the subnets provided on the command
|
||||||
line, ask the server which subnets it thinks we should
|
line, ask the server which subnets it thinks we should
|
||||||
route, and route those automatically. The suggestions
|
route, and route those automatically. The suggestions
|
||||||
are taken automatically from the server's routing
|
are taken automatically from the server's routing
|
||||||
table.
|
table.
|
||||||
|
|
||||||
--dns
|
.. option:: --dns
|
||||||
: capture local DNS requests and forward to the remote DNS
|
|
||||||
|
Capture local DNS requests and forward to the remote DNS
|
||||||
server.
|
server.
|
||||||
|
|
||||||
--python
|
.. option:: --python
|
||||||
: specify the name/path of the remote python interpreter.
|
|
||||||
The default is just `python`, which means to use the
|
Specify the name/path of the remote python interpreter.
|
||||||
|
The default is just ``python``, which means to use the
|
||||||
default python interpreter on the remote system's PATH.
|
default python interpreter on the remote system's PATH.
|
||||||
|
|
||||||
-r, --remote=*[username@]sshserver[:port]*
|
.. option:: -r, --remote=[username@]sshserver[:port]
|
||||||
: the remote hostname and optional username and ssh
|
|
||||||
|
The remote hostname and optional username and ssh
|
||||||
port number to use for connecting to the remote server.
|
port number to use for connecting to the remote server.
|
||||||
For example, example.com, testuser@example.com,
|
For example, example.com, testuser@example.com,
|
||||||
testuser@example.com:2222, or example.com:2244.
|
testuser@example.com:2222, or example.com:2244.
|
||||||
|
|
||||||
-x, --exclude=*subnet*
|
.. option:: -x, --exclude=subnet
|
||||||
: explicitly exclude this subnet from forwarding. The
|
|
||||||
format of this option is the same as the `<subnets>`
|
Explicitly exclude this subnet from forwarding. The
|
||||||
|
format of this option is the same as the ``<subnets>``
|
||||||
option. To exclude more than one subnet, specify the
|
option. To exclude more than one subnet, specify the
|
||||||
`-x` option more than once. You can say something like
|
``-x`` option more than once. You can say something like
|
||||||
`0/0 -x 1.2.3.0/24` to forward everything except the
|
``0/0 -x 1.2.3.0/24`` to forward everything except the
|
||||||
local subnet over the VPN, for example.
|
local subnet over the VPN, for example.
|
||||||
|
|
||||||
-X, --exclude-from=*file*
|
.. option:: -X, --exclude-from=file
|
||||||
: exclude the subnets specified in a file, one subnet per
|
|
||||||
|
Exclude the subnets specified in a file, one subnet per
|
||||||
line. Useful when you have lots of subnets to exclude.
|
line. Useful when you have lots of subnets to exclude.
|
||||||
|
|
||||||
-v, --verbose
|
.. option:: -v, --verbose
|
||||||
: print more information about the session. This option
|
|
||||||
|
Print more information about the session. This option
|
||||||
can be used more than once for increased verbosity. By
|
can be used more than once for increased verbosity. By
|
||||||
default, sshuttle prints only error messages.
|
default, :program:`sshuttle` prints only error messages.
|
||||||
|
|
||||||
-e, --ssh-cmd
|
.. option:: -e, --ssh-cmd
|
||||||
: the command to use to connect to the remote server. The
|
|
||||||
default is just `ssh`. Use this if your ssh client is
|
The command to use to connect to the remote server. The
|
||||||
|
default is just ``ssh``. Use this if your ssh client is
|
||||||
in a non-standard location or you want to provide extra
|
in a non-standard location or you want to provide extra
|
||||||
options to the ssh command, for example, `-e 'ssh -v'`.
|
options to the ssh command, for example, ``-e 'ssh -v'``.
|
||||||
|
|
||||||
--seed-hosts
|
.. option:: --seed-hosts
|
||||||
: a comma-separated list of hostnames to use to
|
|
||||||
initialize the `--auto-hosts` scan algorithm.
|
A comma-separated list of hostnames to use to
|
||||||
`--auto-hosts` does things like poll local SMB servers
|
initialize the :option:`--auto-hosts` scan algorithm.
|
||||||
|
:option:`--auto-hosts` does things like poll local SMB servers
|
||||||
for lists of local hostnames, but can speed things up
|
for lists of local hostnames, but can speed things up
|
||||||
if you use this option to give it a few names to start
|
if you use this option to give it a few names to start
|
||||||
from.
|
from.
|
||||||
|
|
||||||
--no-latency-control
|
.. option:: --no-latency-control
|
||||||
: sacrifice latency to improve bandwidth benchmarks. ssh
|
|
||||||
|
Sacrifice latency to improve bandwidth benchmarks. ssh
|
||||||
uses really big socket buffers, which can overload the
|
uses really big socket buffers, which can overload the
|
||||||
connection if you start doing large file transfers,
|
connection if you start doing large file transfers,
|
||||||
thus making all your other sessions inside the same
|
thus making all your other sessions inside the same
|
||||||
tunnel go slowly. Normally, sshuttle tries to avoid
|
tunnel go slowly. Normally, :program:`sshuttle` tries to avoid
|
||||||
this problem using a "fullness check" that allows only
|
this problem using a "fullness check" that allows only
|
||||||
a certain amount of outstanding data to be buffered at
|
a certain amount of outstanding data to be buffered at
|
||||||
a time. But on high-bandwidth links, this can leave a
|
a time. But on high-bandwidth links, this can leave a
|
||||||
lot of your bandwidth underutilized. It also makes
|
lot of your bandwidth underutilized. It also makes
|
||||||
sshuttle seem slow in bandwidth benchmarks (benchmarks
|
:program:`sshuttle` seem slow in bandwidth benchmarks (benchmarks
|
||||||
rarely test ping latency, which is what sshuttle is
|
rarely test ping latency, which is what :program:`sshuttle` is
|
||||||
trying to control). This option disables the latency
|
trying to control). This option disables the latency
|
||||||
control feature, maximizing bandwidth usage. Use at
|
control feature, maximizing bandwidth usage. Use at
|
||||||
your own risk.
|
your own risk.
|
||||||
|
|
||||||
-D, --daemon
|
.. option:: -D, --daemon
|
||||||
: automatically fork into the background after connecting
|
|
||||||
to the remote server. Implies `--syslog`.
|
|
||||||
|
|
||||||
--syslog
|
Automatically fork into the background after connecting
|
||||||
: after connecting, send all log messages to the
|
to the remote server. Implies :option:`--syslog`.
|
||||||
`syslog`(3) service instead of stderr. This is
|
|
||||||
implicit if you use `--daemon`.
|
|
||||||
|
|
||||||
--pidfile=*pidfilename*
|
.. option:: --syslog
|
||||||
: when using `--daemon`, save sshuttle's pid to
|
|
||||||
*pidfilename*. The default is `sshuttle.pid` in the
|
after connecting, send all log messages to the
|
||||||
|
:manpage:`syslog(3)` service instead of stderr. This is
|
||||||
|
implicit if you use :option:`--daemon`.
|
||||||
|
|
||||||
|
.. option:: --pidfile=pidfilename
|
||||||
|
|
||||||
|
when using :option:`--daemon`, save :program:`sshuttle`'s pid to
|
||||||
|
*pidfilename*. The default is ``sshuttle.pid`` in the
|
||||||
current directory.
|
current directory.
|
||||||
|
|
||||||
--firewall
|
.. option:: --firewall
|
||||||
: (internal use only) run the firewall manager. This is
|
|
||||||
the only part of sshuttle that must run as root. If
|
(internal use only) run the firewall manager. This is
|
||||||
you start sshuttle as a non-root user, it will
|
the only part of :program:`sshuttle` that must run as root. If
|
||||||
automatically run `sudo` or `su` to start the firewall
|
you start :program:`sshuttle` as a non-root user, it will
|
||||||
manager, but the core of sshuttle still runs as a
|
automatically run ``sudo`` or ``su`` to start the firewall
|
||||||
|
manager, but the core of :program:`sshuttle` still runs as a
|
||||||
normal user.
|
normal user.
|
||||||
|
|
||||||
--hostwatch
|
.. option:: --hostwatch
|
||||||
: (internal use only) run the hostwatch daemon. This
|
|
||||||
|
(internal use only) run the hostwatch daemon. This
|
||||||
process runs on the server side and collects hostnames for
|
process runs on the server side and collects hostnames for
|
||||||
the `--auto-hosts` option. Using this option by itself
|
the :option:`--auto-hosts` option. Using this option by itself
|
||||||
makes it a lot easier to debug and test the `--auto-hosts`
|
makes it a lot easier to debug and test the :option:`--auto-hosts`
|
||||||
feature.
|
feature.
|
||||||
|
|
||||||
|
|
||||||
# EXAMPLES
|
Examples
|
||||||
|
--------
|
||||||
Test locally by proxying all local connections, without using ssh:
|
Test locally by proxying all local connections, without using ssh::
|
||||||
|
|
||||||
$ sshuttle -v 0/0
|
$ sshuttle -v 0/0
|
||||||
|
|
||||||
@ -189,7 +205,7 @@ Test locally by proxying all local connections, without using ssh:
|
|||||||
c : SW#6:192.168.42.106:50035: deleting
|
c : SW#6:192.168.42.106:50035: deleting
|
||||||
|
|
||||||
Test connection to a remote server, with automatic hostname
|
Test connection to a remote server, with automatic hostname
|
||||||
and subnet guessing:
|
and subnet guessing::
|
||||||
|
|
||||||
$ sshuttle -vNHr example.org
|
$ sshuttle -vNHr example.org
|
||||||
|
|
||||||
@ -212,20 +228,20 @@ and subnet guessing:
|
|||||||
c : SW#6:192.168.42.121:60554: deleting
|
c : SW#6:192.168.42.121:60554: deleting
|
||||||
|
|
||||||
|
|
||||||
# DISCUSSION
|
Discussion
|
||||||
|
----------
|
||||||
When it starts, sshuttle creates an ssh session to the
|
When it starts, :program:`sshuttle` creates an ssh session to the
|
||||||
server specified by the `-r` option. If `-r` is omitted,
|
server specified by the ``-r`` option. If ``-r`` is omitted,
|
||||||
it will start both its client and server locally, which is
|
it will start both its client and server locally, which is
|
||||||
sometimes useful for testing.
|
sometimes useful for testing.
|
||||||
|
|
||||||
After connecting to the remote server, sshuttle uploads its
|
After connecting to the remote server, :program:`sshuttle` uploads its
|
||||||
(python) source code to the remote end and executes it
|
(python) source code to the remote end and executes it
|
||||||
there. Thus, you don't need to install sshuttle on the
|
there. Thus, you don't need to install :program:`sshuttle` on the
|
||||||
remote server, and there are never sshuttle version
|
remote server, and there are never :program:`sshuttle` version
|
||||||
conflicts between client and server.
|
conflicts between client and server.
|
||||||
|
|
||||||
Unlike most VPNs, sshuttle forwards sessions, not packets.
|
Unlike most VPNs, :program:`sshuttle` forwards sessions, not packets.
|
||||||
That is, it uses kernel transparent proxying (`iptables
|
That is, it uses kernel transparent proxying (`iptables
|
||||||
REDIRECT` rules on Linux) to
|
REDIRECT` rules on Linux) to
|
||||||
capture outgoing TCP sessions, then creates entirely
|
capture outgoing TCP sessions, then creates entirely
|
||||||
@ -246,7 +262,7 @@ tcp-based encrypted streams like ssh or ssl, and have to
|
|||||||
implement their own encryption from scratch, which is very
|
implement their own encryption from scratch, which is very
|
||||||
complex and error prone.
|
complex and error prone.
|
||||||
|
|
||||||
sshuttle's simplicity comes from the fact that it can
|
:program:`sshuttle`'s simplicity comes from the fact that it can
|
||||||
safely use the existing ssh encrypted tunnel without
|
safely use the existing ssh encrypted tunnel without
|
||||||
incurring a performance penalty. It does this by letting
|
incurring a performance penalty. It does this by letting
|
||||||
the client-side kernel manage the incoming tcp stream, and
|
the client-side kernel manage the incoming tcp stream, and
|
||||||
@ -256,6 +272,6 @@ between the two separate streams, so a tcp-based tunnel is
|
|||||||
fine.
|
fine.
|
||||||
|
|
||||||
|
|
||||||
# SEE ALSO
|
See Also
|
||||||
|
--------
|
||||||
`ssh`(1), `python`(1)
|
:manpage:`ssh(1)`, :manpage:`python(1)`
|
26
docs/overview.rst
Normal file
26
docs/overview.rst
Normal file
@ -0,0 +1,26 @@
|
|||||||
|
Overview
|
||||||
|
========
|
||||||
|
|
||||||
|
As far as I know, sshuttle is the only program that solves the following
|
||||||
|
common case:
|
||||||
|
|
||||||
|
- Your client machine (or router) is Linux, FreeBSD, or MacOS.
|
||||||
|
|
||||||
|
- You have access to a remote network via ssh.
|
||||||
|
|
||||||
|
- You don't necessarily have admin access on the remote network.
|
||||||
|
|
||||||
|
- The remote network has no VPN, or only stupid/complex VPN
|
||||||
|
protocols (IPsec, PPTP, etc). Or maybe you *are* the
|
||||||
|
admin and you just got frustrated with the awful state of
|
||||||
|
VPN tools.
|
||||||
|
|
||||||
|
- You don't want to create an ssh port forward for every
|
||||||
|
single host/port on the remote network.
|
||||||
|
|
||||||
|
- You hate openssh's port forwarding because it's randomly
|
||||||
|
slow and/or stupid.
|
||||||
|
|
||||||
|
- You can't use openssh's PermitTunnel feature because
|
||||||
|
it's disabled by default on openssh servers; plus it does
|
||||||
|
TCP-over-TCP, which has terrible performance (see below).
|
35
docs/requirements.rst
Normal file
35
docs/requirements.rst
Normal file
@ -0,0 +1,35 @@
|
|||||||
|
Requirements
|
||||||
|
============
|
||||||
|
|
||||||
|
Client side Requirements
|
||||||
|
------------------------
|
||||||
|
|
||||||
|
- sudo, or root access on your client machine.
|
||||||
|
(The server doesn't need admin access.)
|
||||||
|
- Python 2.7 or Python 3.5.
|
||||||
|
|
||||||
|
+-------+--------+------------+-----------------------------------------------+
|
||||||
|
| OS | Method | Features | Requirements |
|
||||||
|
+=======+========+============+===============================================+
|
||||||
|
| Linux | NAT | * IPv4 TCP + iptables DNAT, REDIRECT, and ttl modules. |
|
||||||
|
+ +--------+------------+-----------------------------------------------+
|
||||||
|
| | TPROXY | * IPv4 TCP + Linux with TPROXY support. |
|
||||||
|
| | | * IPv4 UDP + Python 3.5 preferred (see below). |
|
||||||
|
| | | * IPv6 TCP + Python 2 may require PyXAPI_ (see below). |
|
||||||
|
| | | * IPv6 UDP + |
|
||||||
|
+-------+--------+------------+-----------------------------------------------+
|
||||||
|
| MacOS | PF | * IPv4 TCP + You need to have the pfctl command. |
|
||||||
|
+-------+--------+------------+-----------------------------------------------+
|
||||||
|
|
||||||
|
.. _PyXAPI: http://www.pps.univ-paris-diderot.fr/~ylg/PyXAPI/
|
||||||
|
|
||||||
|
Server side Requirements
|
||||||
|
------------------------
|
||||||
|
Python 2.7 or Python 3.5.
|
||||||
|
|
||||||
|
|
||||||
|
Additional Suggested Software
|
||||||
|
-----------------------------
|
||||||
|
|
||||||
|
- You may want to use autossh, available in various package management
|
||||||
|
systems
|
11
docs/support.rst
Normal file
11
docs/support.rst
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
Support
|
||||||
|
=======
|
||||||
|
|
||||||
|
Mailing list:
|
||||||
|
|
||||||
|
* Subscribe by sending a message to <sshuttle+subscribe@googlegroups.com>
|
||||||
|
* List archives are at: http://groups.google.com/group/sshuttle
|
||||||
|
|
||||||
|
Issue tracker and pull requests at github:
|
||||||
|
|
||||||
|
* https://github.com/sshuttle/sshuttle
|
36
docs/trivia.rst
Normal file
36
docs/trivia.rst
Normal file
@ -0,0 +1,36 @@
|
|||||||
|
Useless Trivia
|
||||||
|
==============
|
||||||
|
This section written by the original author, Avery Pennarun
|
||||||
|
<apenwarr@gmail.com>.
|
||||||
|
|
||||||
|
Back in 1998 (12 years ago! Yikes!), I released the first version of `Tunnel
|
||||||
|
Vision <http://alumnit.ca/wiki/?TunnelVisionReadMe>`_, a semi-intelligent VPN
|
||||||
|
client for Linux. Unfortunately, I made two big mistakes: I implemented the
|
||||||
|
key exchange myself (oops), and I ended up doing TCP-over-TCP (double oops).
|
||||||
|
The resulting program worked okay - and people used it for years - but the
|
||||||
|
performance was always a bit funny. And nobody ever found any security flaws
|
||||||
|
in my key exchange, either, but that doesn't mean anything. :)
|
||||||
|
|
||||||
|
The same year, dcoombs and I also released Fast Forward, a proxy server
|
||||||
|
supporting transparent proxying. Among other things, we used it for
|
||||||
|
automatically splitting traffic across more than one Internet connection (a
|
||||||
|
tool we called "Double Vision").
|
||||||
|
|
||||||
|
I was still in university at the time. A couple years after that, one of my
|
||||||
|
professors was working with some graduate students on the technology that would
|
||||||
|
eventually become `Slipstream Internet Acceleration
|
||||||
|
<http://www.slipstream.com/>`_. He asked me to do a contract for him to build
|
||||||
|
an initial prototype of a transparent proxy server for mobile networks. The
|
||||||
|
idea was similar to sshuttle: if you reassemble and then disassemble the TCP
|
||||||
|
packets, you can reduce latency and improve performance vs. just forwarding
|
||||||
|
the packets over a plain VPN or mobile network. (It's unlikely that any of my
|
||||||
|
code has persisted in the Slipstream product today, but the concept is still
|
||||||
|
pretty cool. I'm still horrified that people use plain TCP on complex mobile
|
||||||
|
networks with crazily variable latency, for which it was never really
|
||||||
|
intended.)
|
||||||
|
|
||||||
|
That project I did for Slipstream was what first gave me the idea to merge
|
||||||
|
the concepts of Fast Forward, Double Vision, and Tunnel Vision into a single
|
||||||
|
program that was the best of all worlds. And here we are, at last, 10 years
|
||||||
|
later. You're welcome.
|
||||||
|
|
100
docs/usage.rst
Normal file
100
docs/usage.rst
Normal file
@ -0,0 +1,100 @@
|
|||||||
|
Usage
|
||||||
|
=====
|
||||||
|
- Forward all traffic::
|
||||||
|
|
||||||
|
sshuttle -r username@sshserver 0.0.0.0/0
|
||||||
|
|
||||||
|
- By default sshuttle will automatically choose a method to use. Override with
|
||||||
|
the ``--method=`` parameter.
|
||||||
|
|
||||||
|
- There is a shortcut for 0.0.0.0/0 for those that value
|
||||||
|
their wrists::
|
||||||
|
|
||||||
|
sshuttle -r username@sshserver 0/0
|
||||||
|
|
||||||
|
- If you would also like your DNS queries to be proxied
|
||||||
|
through the DNS server of the server you are connect to::
|
||||||
|
|
||||||
|
sshuttle --dns -r username@sshserver 0/0
|
||||||
|
|
||||||
|
The above is probably what you want to use to prevent
|
||||||
|
local network attacks such as Firesheep and friends.
|
||||||
|
|
||||||
|
(You may be prompted for one or more passwords; first, the local password to
|
||||||
|
become root using sudo, and then the remote ssh password. Or you might have
|
||||||
|
sudo and ssh set up to not require passwords, in which case you won't be
|
||||||
|
prompted at all.)
|
||||||
|
|
||||||
|
|
||||||
|
Usage Notes
|
||||||
|
-----------
|
||||||
|
That's it! Now your local machine can access the remote network as if you
|
||||||
|
were right there. And if your "client" machine is a router, everyone on
|
||||||
|
your local network can make connections to your remote network.
|
||||||
|
|
||||||
|
You don't need to install sshuttle on the remote server;
|
||||||
|
the remote server just needs to have python available.
|
||||||
|
sshuttle will automatically upload and run its source code
|
||||||
|
to the remote python interpreter.
|
||||||
|
|
||||||
|
This creates a transparent proxy server on your local machine for all IP
|
||||||
|
addresses that match 0.0.0.0/0. (You can use more specific IP addresses if
|
||||||
|
you want; use any number of IP addresses or subnets to change which
|
||||||
|
addresses get proxied. Using 0.0.0.0/0 proxies *everything*, which is
|
||||||
|
interesting if you don't trust the people on your local network.)
|
||||||
|
|
||||||
|
Any TCP session you initiate to one of the proxied IP addresses will be
|
||||||
|
captured by sshuttle and sent over an ssh session to the remote copy of
|
||||||
|
sshuttle, which will then regenerate the connection on that end, and funnel
|
||||||
|
the data back and forth through ssh.
|
||||||
|
|
||||||
|
Fun, right? A poor man's instant VPN, and you don't even have to have
|
||||||
|
admin access on the server.
|
||||||
|
|
||||||
|
Additional information for TPROXY
|
||||||
|
---------------------------------
|
||||||
|
TPROXY is the only method that supports full support of IPv6 and UDP.
|
||||||
|
|
||||||
|
Full UDP or DNS support with the TPROXY method requires the ``recvmsg()``
|
||||||
|
syscall. This is not available in Python 2, however is in Python 3.5 and
|
||||||
|
later. Under Python 2 you might find it sufficient installing PyXAPI_ to get
|
||||||
|
the ``recvmsg()`` function.
|
||||||
|
|
||||||
|
There are some things you need to consider for TPROXY to work:
|
||||||
|
|
||||||
|
- The following commands need to be run first as root. This only needs to be
|
||||||
|
done once after booting up::
|
||||||
|
|
||||||
|
ip route add local default dev lo table 100
|
||||||
|
ip rule add fwmark 1 lookup 100
|
||||||
|
ip -6 route add local default dev lo table 100
|
||||||
|
ip -6 rule add fwmark 1 lookup 100
|
||||||
|
|
||||||
|
- The ``--auto-nets`` feature does not detect IPv6 routes automatically. Add IPv6
|
||||||
|
routes manually. e.g. by adding ``'::/0'`` to the end of the command line.
|
||||||
|
|
||||||
|
- The client needs to be run as root. e.g.::
|
||||||
|
|
||||||
|
sudo SSH_AUTH_SOCK="$SSH_AUTH_SOCK" $HOME/tree/sshuttle.tproxy/sshuttle --method=tproxy ...
|
||||||
|
|
||||||
|
- You may need to exclude the IP address of the server you are connecting to.
|
||||||
|
Otherwise sshuttle may attempt to intercept the ssh packets, which will not
|
||||||
|
work. Use the ``--exclude`` parameter for this.
|
||||||
|
|
||||||
|
- Similarly, UDP return packets (including DNS) could get intercepted and
|
||||||
|
bounced back. This is the case if you have a broad subnet such as
|
||||||
|
``0.0.0.0/0`` or ``::/0`` that includes the IP address of the client. Use the
|
||||||
|
``--exclude`` parameter for this.
|
||||||
|
|
||||||
|
- You need the ``--method=tproxy`` parameter, as above.
|
||||||
|
|
||||||
|
- The routes for the outgoing packets must already exist. For example, if your
|
||||||
|
connection does not have IPv6 support, no IPv6 routes will exist, IPv6
|
||||||
|
packets will not be generated and sshuttle cannot intercept them::
|
||||||
|
|
||||||
|
telnet -6 www.google.com 80
|
||||||
|
Trying 2404:6800:4001:805::1010...
|
||||||
|
telnet: Unable to connect to remote host: Network is unreachable
|
||||||
|
|
||||||
|
Add some dummy routes to external interfaces. Make sure they get removed
|
||||||
|
however after sshuttle exits.
|
Loading…
Reference in New Issue
Block a user