Tag Archives: ssh

X forwarding over ssh and sudo

This has bugged me for years – with random success depending on sudo, su – etc.

The proper solution:-

steve@studio:~$ ssh -X
Last login: Fri Feb 10 21:54:11 2017 from
[steve@fleabox ~]$ xauth list
fleabox.track3.org.uk/unix:12  MIT-MAGIC-COOKIE-1  b4339e07fb0e4febdde6128fc56419e4
[steve@fleabox ~]$ sudo su -
[sudo] password for steve: 
[root@fleabox ~]# xauth add fleabox.track3.org.uk/unix:12  MIT-MAGIC-COOKIE-1  b4339e07fb0e4febdde6128fc56419e4
[root@fleabox ~]# virt-manager &
[1] 7168


VPN-like functionality over ssh tunnel (sshuttle)

Running TCP over TCP (for example, TCP over an SSH tunnel) results in poor performance and reliability.  There’s several ways to do this; for example basic port forwarding in ssh or via pppd over ssh.

However, there’s a much nicer solution:  sshuttle!

From GitHub:

“As far as I know, sshuttle is the only program that solves the following common case:

  • Your client machine (or router) is Linux, FreeBSD, or MacOS.
  • You have access to a remote network via ssh.
  • You don’t necessarily have admin access on the remote network.
  • The remote network has no VPN, or only stupid/complex VPN protocols (IPsec, PPTP, etc). Or maybe you are the admin and you just got frustrated with the awful state of VPN tools.
  • You don’t want to create an ssh port forward for every single host/port on the remote network.
  • You hate openssh’s port forwarding because it’s randomly slow and/or stupid.
  • You can’t use openssh’s PermitTunnel feature because it’s disabled by default on openssh servers; plus it does TCP-over-TCP, which has terrible performance (see below).”

‘sshuttle’ appears to be available in both in the standard debian/ubuntu repos and the RHEL/Centos EPEL repo.

The following creates ane then routes all traffic (including DNS lookuos) over a ‘VPN-like’ ssh tunnel.

sudo sshuttle --dns -r <user>@<target host>:<port> 0/0 -vv

Once this is working you can drop the -vv (verbose level 2).  Also, if you’re not concerned about DNS hijacking you can omit the –dns to speed up DNS lookups (resolve locally).  To stop the tunnel just CTRL-C.

The man page for sshuttle is quite detailed; check there for more information.