Network Tunnel

Published

November 17, 2023

Modified

April 18, 2024

sshuttle ¹ creates a transparent tunnel to a remote network using SSH. This is similar in connectivity to a Virtual Private Network (VPN) ² based technology. Sshuttle enables users to work as if their computer is located within the GSI network. Practically this allows to access all GSI internal service including the HPC infrastructure. The sshuttle requires root access on your local computer in order to modify the system firewall to tunnel all traffic through an SSH connection.

Connect

Connect to a login node from the Internet. Start a tunnel to the GSI internal network with following command, where $user is your GSI Linux username:

sshuttle --daemon --pidfile=/tmp/sshuttle.pid --dns --remote $user@lxpool.gsi.de 0/0

The /tmp/sshuttle.pid stores the process ID of the sshuttle instance for later use. This connection will route all your traffic including DNS requests transparently through an SSH connection into the GSI network. Using the sshuttle command will prompt for the sudo ³ password and then for the SSH login password.

Disconnect

Use the process ID stored in /tmp/sshuttle.pid to disconnect:

# stop the tunnel
kill $(cat /tmp/sshuttle.pid)

Alternatively you can run pkill sshuttle ⁴, which will kill all active sshuttle instances running.

Configuration

It is recommended to us a configuration-file ⁵ to store all connection options for repeated logins. The following examples illustrates a configuration to connect to the lxlogin.gsi.de nodes from the Internet:

# Create a configuration file
cat > lxlogin.conf <<EOF
140.181.0.0/16
10.0.0.0/8
--remote
lxlogin.gsi.de
--dns
--disable-ipv6
--daemon
--pidfile
/tmp/sshuttle.pid
--exclude
140.181.60.0/24
EOF

Arguments read from a file must be one per line, as shown above. Pass the name of the configuration file preceded by the @ character to the Sshuttle command:

# ...and pass the configuration file as argument to Sshuttle
sshuttle @lxlogin.conf

Footnotes

Sshuttle, GitHub
https://github.com/apenwarr/sshuttle ↩︎
Virtual Private Network, Wikipedia
https://en.wikipedia.org/wiki/Virtual_private_network ↩︎
Sudo Manual Pages
https://www.sudo.ws/man.html ↩︎
pkill Manual Page
https://manpages.org/pkill ↩︎
Configuration File, Sshuttle Documentation
https://sshuttle.readthedocs.io/en/stable/manpage.html#configuration-file ↩︎

--- title: Network Tunnel date: 2023/11/17 date-modified: 2024/04/18 --- `sshuttle` [^shtle] creates a **transparent tunnel to a remote network using [SSH][b8lcN]**. This is similar in connectivity to a Virtual Private Network (VPN) [^vpnwp] based technology. Sshuttle enables users to work as if their computer is located within the GSI network. Practically this allows to access all GSI internal service including the HPC infrastructure. The `sshuttle` requires root access on your local computer in order to modify the system firewall to tunnel all traffic through an SSH connection. [b8lcN]: submit-nodes.html#secure-shell [skYNS]: submit-nodes.html#login-nodes [^shtle]: Sshuttle, GitHub <https://github.com/apenwarr/sshuttle> [^vpnwp]: Virtual Private Network, Wikipedia <https://en.wikipedia.org/wiki/Virtual_private_network> ### Connect Connect to a [login node][skYNS] from the Internet. Start a tunnel to the GSI internal network with following command, where `$user` is your GSI Linux username: ```sh sshuttle --daemon --pidfile=/tmp/sshuttle.pid --dns --remote $user@lxpool.gsi.de 0/0 ``` The `/tmp/sshuttle.pid` stores the process ID of the `sshuttle` instance for later use. This connection will route all your traffic including DNS requests transparently through an SSH connection into the GSI network. Using the `sshuttle` command will prompt for the `sudo` [^sudom] password and then for the SSH login password. [^sudom]: Sudo Manual Pages <https://www.sudo.ws/man.html> ### Disconnect Use the process ID stored in `/tmp/sshuttle.pid` to disconnect: ```sh # stop the tunnel kill $(cat /tmp/sshuttle.pid) ``` Alternatively you can run `pkill sshuttle` [^k7wOK], which will kill all active `sshuttle` instances running. [^k7wOK]: `pkill` Manual Page <https://manpages.org/pkill> ### Configuration It is recommended to us a configuration-file [^dZ8wT] to store all connection options for repeated logins. The following examples illustrates a configuration to connect to the `lxlogin.gsi.de` nodes from the Internet: [^dZ8wT]: Configuration File, Sshuttle Documentation <https://sshuttle.readthedocs.io/en/stable/manpage.html#configuration-file> ```sh # Create a configuration file cat > lxlogin.conf <<EOF 140.181.0.0/16 10.0.0.0/8 --remote lxlogin.gsi.de --dns --disable-ipv6 --daemon --pidfile /tmp/sshuttle.pid --exclude 140.181.60.0/24 EOF ``` Arguments read from a file must be one per line, as shown above. Pass the name of the configuration file preceded by the `@` character to the Sshuttle command: ```sh # ...and pass the configuration file as argument to Sshuttle sshuttle @lxlogin.conf ```