Simplifying tunnel to private network

How our current ssh config looks like below and it will have multiple line of local forward to tunnel the traffic.

Host pg
    User admin
    Port 22
    ForwardAgent yes
    LocalForward localhost:6767
    LocalForward localhost:9898
    LocalForward localhost:9999
    LocalForward localhost:3308

What's the problem with above configuration? everything works good !

The above configuration will work awesome and there is no issue with it when we have few LocalForwards. Problem arise when have more number of LocalForwards, in our case we will have staging LocalForwards and production LocalForwards.

Disadvantage of having more LocalForward

  1. Every new service in private network need to be added in ssh config
  2. Need to remember the forward port
  3. Need to check available local forward port to avoid collision  


sshuttle is a transparent proxy server that works as a VPN over ssh. The only requirement on the client side is that the host must have Python available. This is because sshuttle constructs and runs some Python source code to help transmit data.

Install sshuttle using brew  in mac

brew install sshuttle

Install sshuttle in linux

apt-get install sshuttle

for more installation checkout  github

Make a copy of current ssh config

mv ~/.ssh/config ~/.ssh/config-bakup

Create a new SSH config with the config below

vi ~/.ssh/config
host i-*.* mi-*.*
  ProxyCommand bash -c "aws ssm start-session --target $(echo %h|cut -d'.' -f1) --profile $(echo %h|/usr/bin/cut -d'.' -f2) --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"

yes that's it, no other config is required in ssh config, it looks clean and simple.

It time to connect our Blackhole Server.  

As you all know how to connect blackhole server, I am skipping this section. If you want to know on how to connect/setup blackhole please checkout this

Here is the magical command to forward all the private network.

sshuttle -r wegodev@<ssm-instance-id>.<profile_name>

Note: if you want to connect both staging and production simultaneously , open new terminal and run the same command with production instance id and aws profile name.

Yes, now poor man's vpn is up and can connect RDS, Redis, Internal LoadBalance, etc without doing any local forward.  

Happy Connecting !!!

View Comments