Using sshuttle to remain Safe on Insecure Wi-Fi

Working from home mostly means working from cafes. Though I mostly tether through my mobile to get onto the Internet, it’s not always fast enough. Also bigger bandwidth does attract the geek in me towards public wi-fi. But most public wi-fis are insecure (I think even the private ones are insecure). Using HTTPS connection always helps in a way but not all my traffic is secure. Say, if I am logging into my self-hosted wordpress account or generally what I am browsing is something that people around me are interested in. All they need is a simple plugin to steal my account or a simple tool to sniff out everything I do on the network. They just need to be on the same network as me. It’s not difficult for a creep to connect to hotel wi-fi, isn't it?

First level of defense of course is to use HTTPS everywhere. But a safer way is VPN. You can get an account on PrivateTunnel and use an OpenVPN client to connect to the Internet. You pay for the data passing through the VPN tunnel.

But if you are a developer like me then you will probably have a machine somewhere that you trust. Say, you have a machine on Amazon (you get a machine free for a year) or back at home which is publically accessible. Then you can easily tunnel to that machine to access Internet.

What you need on your server:

  1. Accessible on Internet
  2. Can run Python
  3. You have ssh access to that machine (no need for root/admin access)

What you need on your machine:

  1. Linux with Python (works on Mac too.)
  2. Root access

How to to use it:
Log in to your local machine

git clone
cd sshuttle
sudo ./sshuttle -r user@remote-machine --dns 0/0 -vv


Go to your browser and search for 'what’s my IP'. It should show your server IP address. Now all your traffic (TCP and DNS but not UDP) is transparently tunneled through your server. If your server is in a foreign country then you can beat censorship or get access to cool services. Isn't that simple?


  1. sshuttle modifies the local machine's firewall (iptables) to transparently forward all your traffic.
  2. You don't need to install anything on server. sshuttle will automatically upload and run its source code to the remote python interpreter. Check py-remoteexec project to see how it’s done.
  3. If you are on Windows try Anand's method.
  4. If your hotel/university has blocked ssh (22) port, then you can change the ssh listening port on your server to 80 (http) or 443 (https). To do this, login to your server and edit by running sudo nano /etc/ssh/sshd_config. Find line “Port 22”, and add the line “Port 80” and “Port 443”.


2 Responses

  1. Janella says:

    Great tip! You can also use a free vpn service to encrypt all of your traffic :)

  1. September 12, 2012

    […] than my readers. I wanted to protect the admin screen (basically wp-admin). Given that I use my own VPN on public wifi, it may seem less important. But SSL gives a great advantage of blogging-in from a cyber cafe, […]