How to use sshuttle on a TP-link router running openwrt?


szepe...@gmail.com

Sep 7, 2013, 5:49:04 AM
to sshu...@googlegroups.com
This is a cross-post from superuser.com http://superuser.com/questions/641273/how-to-use-sshuttle-on-a-router-running-openwrt. There was not a lot of interest in this question over there - fingers crossed for some guidance here, in this topic.

I'm using a TP-Link TL-WR1043ND router running OpenWrt and Gargoyle. I used the 1.5.10 install package from Gargoyle which comes with the final release of OpenWrt Attitude. I'd like to forward all traffic from my local network (served by the router) to a remote server transparently. After much fiddling, I finally managed to satisfy all prerequisites, and I can start sshuttle without any error messages, like this:

./sshuttle --dns -vvr XXX...@YY.YY.YY.YY 0/0

Where XXXXXX is my username at a remote server YY.YY.YY.YY. sshuttle seems to initialize just fine, with no error messages, and adds all necessary rules to iptables, yet after the local proxy is established, I'm unable to connect anywhere from my local network. This is sshuttle's output:

Starting sshuttle proxy.
Binding: 12300
Listening on ('127.0.0.1', 12300).
DNS listening on ('127.0.0.1', 12300).
firewall manager ready.
c : connecting to server...
c : executing: ['ssh', 'XXX...@YY.YY.YY.YY', '--', 'P=python2; $P -V 2>/dev/null || P=python; exec "$P" -c \'import sys; skip_imports=1; verbosity=2; exec compile(sys.stdin.read(764), "assembler.py", "exec")\'']
c :  > channel=0 cmd=PING len=7 (fullness=0)
WARNING: Ignoring unknown argument '--'
XXX...@YY.YY.YY.YY's password:
server: assembling 'cmdline_options.py' (29 bytes)
server: assembling 'helpers.py' (914 bytes)
server: assembling 'ssubprocess.py' (13668 bytes)
server: assembling 'ssnet.py' (5446 bytes)
server: assembling 'hostwatch.py' (2270 bytes)
server: assembling 'server.py' (2370 bytes)
 s: latency control setting = True
 s: available routes:
 s:   69.64.32.0/22
 s:  > channel=0 cmd=PING len=7 (fullness=0)
c : connected.
Connected.
c : Waiting: 3 r=[3, 5, 9] w=[9] x=[] (fullness=7/0)
c :   Ready: 3 r=[] w=[9] x=[]
c : mux wrote: 15/15
c : Waiting: 3 r=[3, 5, 9] w=[] x=[] (fullness=7/0)
 s:  > channel=0 cmd=ROUTES len=14 (fullness=7)
 s: Waiting: 1 r=[4] w=[5] x=[] (fullness=21/0)
 s:   Ready: 1 r=[] w=[5] x=[]
 s: mux wrote: 15/15
 s: mux wrote: 22/22
 s: Waiting: 1 r=[4] w=[] x=[] (fullness=21/0)
c :   Ready: 3 r=[9] w=[] x=[]
c : <  channel=0 cmd=PING len=7
c :  > channel=0 cmd=PONG len=7 (fullness=7)
c : <  channel=0 cmd=ROUTES len=14
firewall manager: starting transproxy.
 s:   Ready: 1 r=[4] w=[] x=[]
 s: <  channel=0 cmd=PING len=7
 s:  > channel=0 cmd=PONG len=7 (fullness=21)
 s: mux wrote: 15/15
 s: Waiting: 1 r=[4] w=[] x=[] (fullness=28/0)
>> iptables -t nat -N sshuttle-12300
>> iptables -t nat -F sshuttle-12300
>> iptables -t nat -I OUTPUT 1 -j sshuttle-12300
>> iptables -t nat -I PREROUTING 1 -j sshuttle-12300
>> iptables -t nat -A sshuttle-12300 -j RETURN --dest 127.0.0.0/8 -p tcp
>> iptables -t nat -A sshuttle-12300 -j REDIRECT --dest 0.0.0.0/0 -p tcp --to-ports 12300 -m ttl ! --ttl 42
>> iptables -t nat -A sshuttle-12300 -j REDIRECT --dest 127.0.0.1/32 -p udp --dport 53 --to-ports 12300 -m ttl ! --ttl 42
c : mux wrote: 15/15
c : <  channel=0 cmd=PONG len=7
c : received PING response
c : Waiting: 3 r=[3, 5, 9] w=[] x=[] (fullness=0/0)
 s:   Ready: 1 r=[4] w=[] x=[]
 s: <  channel=0 cmd=PONG len=7
 s: received PING response
 s: Waiting: 1 r=[4] w=[] x=[] (fullness=0/0)

I have no idea how to even start debugging this issue. If I stop sshuttle, it will remove the iptables rules and network connections will work again:

firewall manager: undoing changes.
>> iptables -t nat -D OUTPUT -j sshuttle-12300
>> iptables -t nat -D PREROUTING -j sshuttle-12300
>> iptables -t nat -F sshuttle-12300
>> iptables -t nat -X sshuttle-12300
c :
c : Keyboard interrupt: exiting.

Has anyone managed to set up a working sshuttle instance on openwrt? Where would I start looking to get to the bottom of this connection issue?

Any help is much appreciated. Thanks.

Avery Pennarun

Sep 7, 2013, 7:13:01 PM
to szepe...@gmail.com, sshuttle mailing list
You might need to add '-l 0.0.0.0' (that's a lowercase L) in order to
tell sshuttle to listen for connections from other than localhost (the
router itself). For security reasons, sshuttle won't route other
people's traffic by default.

szepe...@gmail.com

Sep 8, 2013, 1:21:00 AM
to sshu...@googlegroups.com, szepe...@gmail.com
Holy cow, that was it!!

This works perfectly:

./sshuttle -l 0.0.0.0 --dns -vvr XXX...@YY.YY.YY.YY 0/0

Thanks a million times!

Daniele Pomponi

Aug 18, 2020, 6:30:15 PM
to sshuttle
Hello,

I'm trying to install sshuttle on a GL iNet router running OpenWrt.
I'm using an external hard drive and everything seems to be well configured, but when I start sshuttle I got an error concerning the iptables module "addrtype":

root@GL-MT300N-V2:~# sshuttle  -l 0.0.0.0 --dns -vr $USER@$SERVER $IP/$CLASS
Starting sshuttle proxy.
firewall manager: Starting firewall with Python version 3.6.5
firewall manager: ready method name nat.
IPv6 enabled: None
UDP enabled: False
DNS enabled: True
User enabled: False
TCP redirector listening on ('0.0.0.0', 12300).
DNS listening on ('0.0.0.0', 12299).
Starting client with Python version 3.6.5
c : connecting to server...
WARNING: Ignoring unknown option --
Login for $USER@$SERVER
Password: 
ssh: Authentication partially succeeded, more attempts required
Login for  $USER@$SERVER
Login for $USER:

        1. Authenticator App
        2. Yubikey

Option (1-2): $YUBIKEYOUTPUT
Starting server with Python version 3.6.8
 s: latency control setting = True
 s: auto-nets:False
c : Connected.
firewall manager: setting up.
>> iptables -t nat -N sshuttle-12300
>> iptables -t nat -F sshuttle-12300
>> iptables -t nat -I OUTPUT 1 -j sshuttle-12300
>> iptables -t nat -I PREROUTING 1 -j sshuttle-12300
>> iptables -t nat -A sshuttle-12300 -j RETURN -m addrtype --dst-type LOCAL ! -p udp
iptables v1.6.2: Couldn't load match `addrtype':No such file or directory

Try `iptables -h' or 'iptables --help' for more information.
firewall manager: undoing changes.
>> iptables -t nat -D OUTPUT -j sshuttle-12300
>> iptables -t nat -D PREROUTING -j sshuttle-12300
>> iptables -t nat -F sshuttle-12300
>> iptables -t nat -X sshuttle-12300
fatal: ['iptables', '-t', 'nat', '-A', 'sshuttle-12300', '-j', 'RETURN', '-m', 'addrtype', '--dst-type', 'LOCAL', '!', '-p', 'udp'] returned 2
c : fatal: cleanup: ['/mnt/sda1/usr/bin/python3', '/mnt/sda1/usr/bin/sshuttle', '-v', '--method', 'auto', '--firewall'] returned 99

Can you help me? 

Thanks!

Cheers,

Daniele


Tony Godshall

Aug 18, 2020, 7:42:03 PM
to Daniele Pomponi, sshuttle
Well, you might want to look into why it's saying "WARNING: Ignoring unknown option --" and maybe paste the output of a simpler ssh session.


Daniele Pomponi

Aug 19, 2020, 12:34:07 PM
to sshuttle
Just an update: I noticed that "addrtype" is included in the module iptables-mod-extra. I installed it through OPKG and now I'm always stuck at the iptables stage, but with a different error:

firewall manager: setting up.
>> iptables -t nat -N sshuttle-12300
>> iptables -t nat -F sshuttle-12300
>> iptables -t nat -I OUTPUT 1 -j sshuttle-12300
>> iptables -t nat -I PREROUTING 1 -j sshuttle-12300
>> iptables -t nat -A sshuttle-12300 -j RETURN -m addrtype --dst-type LOCAL ! -p udp
iptables: No chain/target/match by that name.

Tony Godshall

Aug 19, 2020, 5:50:23 PM
to Daniele Pomponi, sshuttle
Are you able to ssh $USER@$SERVER successfully? ssh is necessary
infrastructure, just like iptables.

Smells like an issue with openwrt; has anyone successfully used
sshuttle on openwrt? Is the iptables a full one or a busybox
implementation?



--
--
Best Regards.
This is unedited.
This message came out of me
via a suboptimal keyboard.
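
An added example, not part of the original thread and not sshuttle's own code: a small Python parser that reads `sshuttle -v` output like the logs quoted above and flags the conditions discussed, namely a loopback-only listener behind a PREROUTING redirect, a listener bound to every interface, and an iptables rule rejected over the `addrtype` match. The sample logs are constructed from lines in the thread; `diagnose()` and the finding names are hypothetical.

```python
import re

# Constructed samples, abridged from the sshuttle output quoted in the thread.
SAMPLE_2013 = """\
Listening on ('127.0.0.1', 12300).
>> iptables -t nat -I OUTPUT 1 -j sshuttle-12300
>> iptables -t nat -I PREROUTING 1 -j sshuttle-12300
"""
SAMPLE_2020 = """\
TCP redirector listening on ('0.0.0.0', 12300).
>> iptables -t nat -I PREROUTING 1 -j sshuttle-12300
>> iptables -t nat -A sshuttle-12300 -j RETURN -m addrtype --dst-type LOCAL ! -p udp
iptables v1.6.2: Couldn't load match `addrtype':No such file or directory
"""

LISTEN = re.compile(r"^(?:TCP redirector l|L)istening on \('([^']+)', (\d+)\)")
HOOK = re.compile(r"^>> iptables -t nat -I (OUTPUT|PREROUTING) ")
NO_EXT = re.compile(r"Couldn't load match `([^']+)'")
NO_MATCH = "No chain/target/match by that name"


def diagnose(log):
    """Return a list of (code, detail) findings for one sshuttle -v log."""
    addr, hooks, findings, last_rule = None, set(), [], ""
    for line in log.splitlines():
        line = line.strip()
        if (m := LISTEN.match(line)) and addr is None:
            addr = m.group(1)
        elif m := HOOK.match(line):
            hooks.add(m.group(1))
        elif m := NO_EXT.search(line):
            findings.append(("missing-userspace-match", m.group(1)))
        elif NO_MATCH in line:
            # Assumption: the chain was just created and RETURN is built in,
            # so the -m match named in the preceding rule is the likely culprit.
            m = re.search(r"-m (\S+)", last_rule)
            findings.append(("kernel-rejected-rule", m.group(1) if m else "?"))
        if line.startswith(">> iptables"):
            last_rule = line
    if "PREROUTING" in hooks and addr and addr.startswith("127."):
        # Redirected LAN traffic targets the router's LAN address, not loopback.
        findings.append(("loopback-listener", addr))
    if addr == "0.0.0.0":
        # Bound on every interface: confirm input rules keep the WAN side out.
        findings.append(("wildcard-listener", addr))
    return findings
```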