Wednesday, March 23, 2011

ditch that high price vpn with sshuttle and an 'ology...

Stumbled across this one today: https://github.com/apenwarr/sshuttle#readme

In the style of Maureen Lipman who famously said in her British Telecom advert:

"You got an 'ology', you're a scientist!"

And there is no need to take the decorations off the cake either!

So if you got port 22? You've got a VPN!


Have to say, one of the neatest uses of iptables/ipfw REDIRECT/PREROUTING I've seen in a long time - amazing what folks come up with, and this one is a lovely implementation! You can follow the conversation here; Avery does a great job keeping up with the flow. Anyway, here's a screen grab from my net, with 192.168.1.7 as the local client and 10.1.6.0 as the remote network:

jcuff@srv:~/sshuttle$ sudo ./sshuttle --dns -r jcuff@remote 0/0 -v
Starting sshuttle proxy.
Listening on ('127.0.0.1', 12300).
DNS listening on ('127.0.0.1', 12300).
firewall manager ready.
c : connecting to server...
Password: 
Enter PASSCODE:
 s: latency control setting = True
 s: available routes:
 s:   10.1.6.0/25
 s:   169.254.0.0/16
c : connected.
Connected.
firewall manager: starting transproxy.
>> iptables -t nat -N sshuttle-12300
>> iptables -t nat -F sshuttle-12300
>> iptables -t nat -I OUTPUT 1 -j sshuttle-12300
>> iptables -t nat -I PREROUTING 1 -j sshuttle-12300
>> iptables -t nat -A sshuttle-12300 -j RETURN --dest 127.0.0.0/8 -p tcp
>> iptables -t nat -A sshuttle-12300 -j REDIRECT --dest 0.0.0.0/0 -p tcp --to-ports 12300 -m ttl ! --ttl 42
>> iptables -t nat -A sshuttle-12300 -j REDIRECT --dest 192.168.1.7/32 -p udp --dport 53 --to-ports 12300 -m ttl ! --ttl 42
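
The rules above are the whole trick: a nat chain hooked into OUTPUT and PREROUTING, loopback RETURNed first, then every TCP destination (plus UDP 53 for --dns) REDIRECTed to the local sshuttle port, with the "-m ttl ! --ttl 42" match so packets sshuttle itself emits with TTL 42 are not redirected again and looped. The small script below is an added example of mine, not part of sshuttle or of this post: it parses those rules (either as printed in the verbose log, or as "iptables -t nat -S" prints them) and reports which chains redirect what, whether the loopback exclusion sits before the catch-all, and whether the TTL loop guard is present. The sample input is the rule list from the session above; the function and field names are my own, and port ranges in --to-ports are not handled.

```python
"""Audit iptables NAT rules for sshuttle-style transparent-proxy redirection."""
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the rules sshuttle printed in the verbose session above.
SSHUTTLE_LOG = """\
>> iptables -t nat -N sshuttle-12300
>> iptables -t nat -F sshuttle-12300
>> iptables -t nat -I OUTPUT 1 -j sshuttle-12300
>> iptables -t nat -I PREROUTING 1 -j sshuttle-12300
>> iptables -t nat -A sshuttle-12300 -j RETURN --dest 127.0.0.0/8 -p tcp
>> iptables -t nat -A sshuttle-12300 -j REDIRECT --dest 0.0.0.0/0 -p tcp --to-ports 12300 -m ttl ! --ttl 42
>> iptables -t nat -A sshuttle-12300 -j REDIRECT --dest 192.168.1.7/32 -p udp --dport 53 --to-ports 12300 -m ttl ! --ttl 42
"""

@dataclass
class NatRule:
    chain: str
    target: Optional[str] = None
    dest: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    to_ports: Optional[int] = None      # single port only (ranges not handled)
    ttl_guard: Optional[int] = None     # TTL excluded via "-m ttl ! --ttl N"

def parse_rule(line: str) -> Optional[NatRule]:
    """Parse one -A/-I rule line into a NatRule; other lines (-N, -F, -P) give None."""
    line = line.strip()
    for prefix in (">> iptables -t nat ", "iptables -t nat "):   # accept log form
        if line.startswith(prefix):
            line = line[len(prefix):]
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] not in ("-A", "-I"):
        return None
    rule = NatRule(chain=toks[1])
    i = 3 if toks[0] == "-I" and len(toks) > 2 and toks[2].isdigit() else 2
    negate = False
    while i < len(toks):
        tok = toks[i]
        if tok == "!":                   # negation applies to the next option
            negate, i = True, i + 1
            continue
        val = toks[i + 1] if i + 1 < len(toks) else None
        has_val = val is not None and not val.startswith("-") and val != "!"
        if tok in ("-j", "--jump"):
            rule.target = val
        elif tok in ("-d", "--dest", "--destination"):
            rule.dest = val
        elif tok in ("-p", "--protocol"):
            rule.proto = val
        elif tok == "--dport":
            rule.dport = int(val)
        elif tok == "--to-ports":
            rule.to_ports = int(val)
        elif tok in ("--ttl", "--ttl-eq") and negate:   # -S prints --ttl-eq
            rule.ttl_guard = int(val)
        # "-m <ext>" and unknown options are skipped along with their value
        negate = False
        i += 2 if has_val else 1
    return rule

def audit_transproxy(text: str) -> dict:
    """Summarise redirect behaviour of every chain hooked from OUTPUT/PREROUTING."""
    rules = [r for r in map(parse_rule, text.splitlines()) if r]
    hooked = sorted({r.target for r in rules
                     if r.chain in ("OUTPUT", "PREROUTING") and r.target
                     and r.target not in ("ACCEPT", "DROP", "RETURN", "REDIRECT")})
    f = {"proxy_chains": hooked, "redirect_ports": set(),
         "catch_all_tcp_redirect": False, "loopback_excluded_first": False,
         "dns_redirected": False, "ttl_loop_guard": None}
    for chain in hooked:
        body = [r for r in rules if r.chain == chain]
        for idx, r in enumerate(body):
            if r.target != "REDIRECT" or r.to_ports is None:
                continue
            f["redirect_ports"].add(r.to_ports)
            if r.proto == "tcp" and r.dest in (None, "0.0.0.0/0", "0/0"):
                f["catch_all_tcp_redirect"] = True
                # loopback must be RETURNed *before* the catch-all to be effective
                f["loopback_excluded_first"] = any(
                    b.target == "RETURN" and b.dest == "127.0.0.0/8" for b in body[:idx])
            if r.proto == "udp" and r.dport == 53:
                f["dns_redirected"] = True
            if r.ttl_guard is not None:
                f["ttl_loop_guard"] = r.ttl_guard
    f["redirect_ports"] = sorted(f["redirect_ports"])
    return f

if __name__ == "__main__":
    for key, value in audit_transproxy(SSHUTTLE_LOG).items():
        print(f"{key:25s} {value}")
```

Feed it the live table with "sudo iptables -t nat -S" on a box you are checking and a non-empty proxy_chains entry with a catch-all TCP redirect is exactly the sshuttle pattern; a missing ttl_loop_guard or a loopback exclusion that comes after the catch-all would mean the redirection is either looping or catching local traffic it should leave alone.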

If you are feeling fruity, a client mount of a remote NFS, CIFS or AFP disk over the tunnel is cake:

jcuff@srv:~$ showmount -e 10.1.6.10
Export list for 10.1.6.10:
/vdm_5/data                (10.1.6.5)

jcuff@srv:~$ sudo mount 10.1.6.10:/vdm_5/data ./testmnt/

jcuff@srv:~/testmnt# df -H .
Filesystem             Size   Used  Avail Use% Mounted on
10.1.6.10:/vdm_5/data
                       40.4T  334G  40.0T   1% /home/jcuff/testmnt

*update*

Oh yeah! - we did, and do ;-)



[any opinions here are all mine, and have absolutely nothing to do with my employer]
(c) 2011 James Cuff