Skip to content

Instantly share code, notes, and snippets.

@kylekyle

kylekyle/sshuttle-openwrt.md

Last active April 23, 2025 07:13
Show Gist options
  • Save kylekyle/fcbb7b93ad9816915b31022a17f19cea to your computer and use it in GitHub Desktop.
Save kylekyle/fcbb7b93ad9816915b31022a17f19cea to your computer and use it in GitHub Desktop.
Download ZIP
Install and configure sshuttle on OpenWrt
Raw
sshuttle-openwrt.md

Install and configure sshuttle on OpenWrt

Note that ANY flash update will wreck the extroot configuration. I didn't realize that and had to:

Configure extroot

Before you can install sshuttle, you'll need to add some space. Pop a USB drive in the back of the router and follow these directions.

Once you have the space, install sshuttle:

root@OpenWrt:~# opkg update
root@OpenWrt:~# opkg install python3 python3-pip iptables-mod-extra iptables-mod-nat-extra iptables-mod-ipopt
root@OpenWrt:~# pip3 install sshuttle

Create a wifi access point

I really wanted a wireless access point that tunneled everything on it through sshuttle. To do that, you'll need to add a Static IP interface, and give it a unique block of DHCP addresses to give clients. I used 192.168.2.0/24. The interface should be in the lan firewall group and bridge to the wan port. Next, configure a wifi access point to use your new interface.

Generate an ssh key

Generate an ssh key to add to authorized keys on the remote server:

root@OpenWrt:~# dropbearkey -t rsa -f /root/.ssh/id_rsa
root@OpenWrt:~# dropbearkey -y -f .ssh/id_rsa | grep "^ssh-rsa " > .ssh/id_rsa.pub
root@OpenWrt:~# scp .ssh/id_rsa.pub [email protected]:.ssh/authorized_keys

Create sshuttle.conf

Create a file called sshuttle.conf that looks something like this:

0/0
-v
-l
0.0.0.0:12345
-e
ssh -i /root/.ssh/id_rsa
-r
[email protected]
--ns-host
192.168.2.1

Start sshuttle

You should be set. To start sshuttle, run:

root@OpenWrt:~# sshuttle @sshuttle.conf
- or - 
root@OpenWrt:~# screen -d -m sshuttle @sshuttle.conf

Everything passing through the router should now be tunneled. To restrict tunneling to just the 192.168.2.1/24 subnet, you'll need to add an iptables rule:

root@OpenWrt:~# iptables -t nat -I sshuttle-12345 -j RETURN \! --src 192.168.2.0/24

You can see the iptables rules for sshuttle with the following command:

root@OpenWrt:~# iptables -t nat -L sshuttle-12345
Chain sshuttle-12345 (2 references)
target     prot opt source               destination         
RETURN     all  -- !192.168.2.0/24       anywhere            
RETURN    !udp  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
RETURN     udp  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL udp dpt:!domain
RETURN     tcp  --  anywhere             192.168.0.0/16      
REDIRECT   tcp  --  anywhere             anywhere             TTL match TTL != 63 redir ports 12345
REDIRECT   udp  --  anywhere             OpenWrt.lan          udp dpt:domain TTL match TTL != 63 redir ports 12299
@stokito
Copy link

stokito commented Dec 12, 2023

It would be great if you can merge the instruction with official https://sshuttle.readthedocs.io/en/stable/openwrt.html

@stokito
Copy link

stokito commented Dec 14, 2023
edited
Loading

Is any significant difference with pppossh?
It works with dropbear and uses openwrt protocols support.

I forked the instruction and changed id_rsa to id_ed25519 https://github.com/stokito/gist-sshuttle-openwrt/blob/master/sshuttle-openwrt.md

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment