How to use SSH as a VPN with sshuttle

You don't need a VPN server running on a remote host to create a VPN tunnel. With the help of a simple tool, you can create that tunnel with ease.

How to use SSH as a VPN with sshuttle

Did you know that you can create a VPN tunnel using SSH? There's a lesser-known tool (available for both Linux and macOS) called sshuttle. With this tool, you can transform an SSH connection into a VPN connection with relative ease. The sshuttle tool is command-line only but doesn't require too much knowledge of the CLI to get it to work.

The sshuttle tool doesn't use a standard VPN server. Instead, it works with SSH on both ends, so as long as your remote machine has an SSH server up and running, you should be good to go.

SEE: Information security policy template download (Tech Pro Research)

I'm going to show you how this is done using Ubuntu Linux 18.10 (desktop).

What you need

The only things you need to make this work are the following:

  • A Linux desktop client (sshuttle can be installed on numerous distributions).
  • A remote server that allows SSH connections, for which you have login credentials.
  • A local user with sudo permission.

With those bits at the ready, let's make this work.


The first thing that must be done is installing sshuttle on your client machine. Log into that machine, open a terminal, and issue the following command:

sudo apt-get install sshuttle -y

If you're on an rpm-based machine, that installation would be:

sudo yum install sshuttle


sudo dnf install sshuttle

Once the installation is complete, you're ready to go.


The standard usage of sshuttle looks like this:

sudo sshuttle -r USERNAME@SERVER_IP -vv

Where USERNAME is the remote username and SERVER_IP is the IP address of the remote server. However, there's a known issue with newer kernels that causes sshuttle to crash with a timeout. Because of that, the command must be revised like so:

sudo sshuttle -r USERNAME@SERVER_IP -x SERVER_IP 0/0 -vv

Where USERNAME is the remote username and both instances of SERVER_IP are the IP address of the remote server.

You will be prompted for the remote user's password. Upon successful authentication, sshuttle will connect, and your encrypted VPN tunnel is up and running.

If you want to test to see that your IP address has changed install curl with the command:

sudo apt-get install curl -y 

Once installed, issue the command:


You should see your IP address now reflects that of the remote server (Figure A).

Figure A

Figure A: A new IP address, by way of sshuttle.

When you're finished with the VPN connection, type the [Ctrl]+[c] key combination, and the tunnel will be broken.

And that, my fellow IT pros, is all there is to creating a VPN tunnel, with the help of SSH.

Also see

Image: Jack Wallen

By Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic, The New Stack, and Linux New Media. He's covered a variety of topics for over twenty years and is an avid promoter of open source. For more news about Jack Wallen, visit his website jackwallen....