SSH-based transparent proxy CLI for routing selected subnets and DNS through a remote host without a full VPN setup.
$ brew install sshuttle
AI Analysis
sshuttle creates an SSH-backed transparent proxy that makes selected remote subnets reachable from your machine or router. It sits between one-off SSH port forwards and a full VPN by capturing traffic locally and relaying it through a remote host that only needs Python.
What It Enables
- Reach private services on remote subnets over SSH without setting up per-port forwards or deploying a separate VPN server.
- Route all traffic or specific IPv4 and IPv6 ranges, plus DNS when supported, through a remote host and optionally auto-discover remote routes or hostnames.
- Bring up repeatable access to internal environments from flags, config files, environment variables, or daemonized service runs.
Agent Fit
- Useful when an agent first needs network reachability to private hosts, dashboards, APIs, or databases behind an SSH-accessible bastion.
- The CLI is scriptable through flags, config files, and SSHUTTLE_ARGS, but it exposes only plain log output and exit codes, not structured status data.
- Best inside supervised workflows or skills: it changes local firewall state, often needs sudo, and long-lived tunnels are more brittle than short inspect-or-mutate commands.
Caveats
- Local root or sudo is required, and the remote host still needs a usable Python 3.9+ installation.
- Support depends on the selected method and platform; for example, TPROXY is the only documented method with UDP support, and --sudoers-no-modify is explicitly marked insecure.