Does sshuttle work with OS X 10.8 Mountain Lion?

[John Hitchings]

There were issues with sshuttle for the upgrade to 10.7. Before I upgrade to Mountain Lion, has anyone had success running sshuttle on the newest version of the os?

Thanks!

John

[Avery Pennarun]

I haven't heard of anyone testing it yet. That means it probably
doesn't work. :)

Have fun,

Avery

[John Hitchings]

I was successful running sshuttle on 10.8 (with sshuttle already working with scopedroute in 10.7), for what it's worth.

[Luis Gonzalez Sandoval]

Yes, works for me!

Luis

[Anand Buddhdev]

Well, it works on Mountain Lion, but both my colleague and I had kernel panics this afternoon; both panics were caused by, or at least related to ipfw.

[Avery Pennarun]

On Thu, Jul 26, 2012 at 12:20 AM, John Hitchings <hit...@gmail.com> wrote:
> I was successful running sshuttle on 10.8 (with sshuttle already working
> with scopedroute in 10.7), for what it's worth.

Could you clarify what you mean by "alreasdy working with scopedroute in 10.7"?

Also, for the people getting ipfw panics, are you running Safari by any chance?

Thanks,

Avery

[John Hitchings]

> Could you clarify what you mean by "alreasdy working with scopedroute in 10.7"? 

Sorry, I meant that in 10.7, I had to set net.inet.ip.scopedroute=0 to get sshuttle working, but in the setting was preserved upgrading to 10.8 and I didn't need to do anything special to get it working.

$ sysctl -a | grep bootargs

kern.bootargs: net.inet.ip.scopedroute=0

John

[Anand Buddhdev]

Hey Avery,

I'm NOT running Safari. The only browser I run is Chrome.

Anand 

[Jari Fredriksson]

Sshuttle does not seem to work. Worked fine in MacBook Air original running Lion. Now a new Air with Mountain Lion preinstalled, no joy.

net.inet.ip.scopedroute seems to be 0. No errors visible, -vv or not.

--jarif

[Jari Fredriksson]

Addition: so no errors. sshuttle launches and ssh says "Connected". Then, nothing happens. If I run with -vv, it shows no activity when I try to connect to remote hosts.

--jarif

[csa...@gmail.com]

I just installed sshuttle for the first time today (cloned from github/master) and I had a couple of kernel panics too. Here are the crash reports in case that helps any:

http://pastie.org/private/brbjrxwh7leo0ceqtfusw
http://pastie.org/private/84a2c5lqxgi5f7anxiniw

Before the first one I also had OpenGarden running so I quit that after rebooting and it crashed again anyway. Before the crash, everything seems to work ok as far as the tunnel is concerned. Didn't see anything of use in the system logs either.

[phl...@gmail.com]

I'm having the same issue. Everything seems to work fine. net.inet.ip.scopedroute is 0. But nothing is going through the tunnel.

[Avery Pennarun]

On Wed, Oct 24, 2012 at 10:25 PM, <phl...@gmail.com> wrote:
> I'm having the same issue. Everything seems to work fine.
> net.inet.ip.scopedroute is 0. But nothing is going through the tunnel.

Hmmmm. I definitely have a Mountain Lion laptop and sshuttle
definitely works on it. But that laptop happens to have a bunch of
employer-specific hackery on it, so it's not exactly in mint
condition. (My personal laptop is still on Lion.)

Does anyone else have an experience where Mountain Lion *is* working for them?

Avery

[Luis Gonzalez Sandoval]

Hello,

My Macbook Pro are running Mountain Lion 10.8.2 and I use sshuttle every day all day long.
Works for me!

Luis-Gonzalezs-MacBook-Pro:sshuttle lgonzalezsa$ git status
# On branch macos_10_7_only_hack
nothing to commit (working directory clean)
Luis-Gonzalezs-MacBook-Pro:sshuttle lgonzalezsa$ git log
commit 0b2443d85e8d58bd7716e35114d98ccad94a59c7
Author: Ian Wolfcat Atha <i...@atha.io>
Date: Mon Aug 1 17:20:41 2011 -0700

[phl...@gmail.com]

I am running Mountain Lion 10.8.2. It is pretty stock, I have not had the computer for very long.

I have tried using whatever comes with homebrew. I have also tried the apenwarr/sshuttle git repo and thatha/sshuttle git repo.

I have been able to run the client successfully from my desktop and it works great! So it seems I am using it correctly :/

On the macbook it appears to connect properly, I just see no traffic in the terminal when when browsing websites and http://ifconfig.me/ shows the IP for my home network. I get the same behavior when I use the gui app.

Here is the output:

riddler:sshuttle.appenwarr phliver$ ./sshuttle --dns -vr phliver@thehostiuse 0/0

Starting sshuttle proxy.

Listening on ('127.0.0.1', 12300).

DNS listening on ('127.0.0.1', 12300).

firewall manager ready.

c : connecting to server...

 s: latency control setting = True

 s: available routes:

 s:   173.255.204.0/24

c : connected.

Connected.

firewall manager: starting transproxy.

>> ipfw -q add 12300 check-state ip from any to any

>> ipfw -q add 12300 skipto 12301 tcp from any to 127.0.0.0/8

>> ipfw -q add 12300 fwd 127.0.0.1,12300 tcp from any to 0.0.0.0/0 not ipttl 42 keep-state setup

>> ipfw -q add 12300 divert 12300 udp from any to 192.168.0.1/32 53 not ipttl 42

>> ipfw -q add 12300 divert 12300 udp from any 12300 to any not ipttl 42

Is there any other information I could provide that would help?

[mic...@infamia.com]

WOrks for me, but I haven't tried the -dns option. Your output looks similar to mine. have you tried :

- a known-good remote host?

- specifying a more narrow network range (e.g. 27.120.101.0/24 to check on ifconfig.me )

- I'm assuming you already rebooted your mac :)

Y

[phl...@gmail.com]

I ended up getting this working. It turns out I had my firewall turned on in preferences.

iirc the firewall is turned off by default on macs.

If I go to system preferences, and then security and privacy, make sure my firewall is turned off then sshuttle works perfectly.

I'm actually a little surprised this is not a more common problem. Do people really run around with their firewalls turned off?

At any rate, as long as everybody else experiences the same behavior, could we get this put in the documentation? Maybe we can prevent this issue for other users in the future.

[Jari Fredriksson]

I hope this can be taken care by sshuttle package, it is possibly
anything too compilacated. I too had firewall on, but as I disabled it,
sshuttle started working!

Thanks for this.

--
Jari Fredriksson
Digital Identity Solutions Europe Oy
tel. +358 400 779440
jari.fre...@digital-identity.com

[mcma...@gmail.com]

10.8.2.  Works most of the time - but with occasional, terrifying kernel panics.

[sandul...@gmail.com]

After some tinkering on my 10.8.3, I discovered It's not just the firewall that's causing the trouble. It's PF itself. While PF is enabled, ipfw forwarding rules (which is what sshuttle sets up) silently stop working, so as a result, sshuttle claims it's working perfectly, but nothing will be redirected through.
The firewall uses PF internally, setting up rules at the `com.apple/250.ApplicationFirewall/*` anchor, but it's not the only one. Internet Sharing, as well as AirDrop, use (and enable) PF as well, so bear in mind that using any of those will prevent forwarding from working while they are running.

I think this would definitely be worth putting in the Known Bugs section, but ultimately the application should be made to generate PF redirect rules instead. However, I haven't had success yet in getting those to work.

PS: yes I do get kernel panics too (10.8.3 on 2011 MBA), for what it's worth. Probably about once a day so far. I guess I'll try to get PF to do the forwarding instead.

[mma...@gmail.com]

Does Apple have a we to create a bug report for this issue?

[cas...@gmail.com]

Any progress on this? Sshuttle is a great tool, but the kernel panics are getting annoying.

[matt....@gmail.com]

I'm also getting kernel panics all the time and hope it can be fixed. But I have no idea how to debug it myself...

[Dan Sanduleac]

Sorry, I haven't had a lot of time lately to further debug this so I left it at that (not at university either anymore so no more pressing need for using sshuttle).

 

The solution seems to be to update and recompile the kernel itself to either:

* implement the PF divert rule (as on other BSD kernels), or

* fix ipfw code (it does provide a kernel stack trace when it crashes, so one could start from there) -- but the problem of its functionality when PF is also turned on remains. 

Of course, neither of these are particularly easy to do, and would require recompiling the kernel on each new system update. However I haven't found a way of making this work with the tools as they are right now. 

[mma...@gmail.com]

I'm having grey screen of death crashes under 10.9 too.