Reducing latency of SSH tunnelled connections

Published: 2018-04-04 08:37:11 +0000
Categories: BASH, Misc




The ability to tunnel connections over an SSH connection is incredibly useful, essentially creating a poor man's VPN, whether to a specific port (ssh -L ssh-server.domain) or by standing up a SOCKS proxy (ssh -D 8080 ssh-server.domain).

The most common complaint when doing this, though, is that the latency sucks. This is because of the TCP over TCP Problem. You're essentially running two layers of TCP congestion control, so any loss hurts - a lot.

This can be addressed by installing and using sshuttle (see the project's documentation).

It works (on Linux and Mac OS X) by intercepting and terminating TCP connections locally, and transmitting payload and packet metadata over an SSH connection as data. The remote end re-assembles the packets and transmits on your behalf. The remote end only needs to have Python installed (as sshuttle remotely runs a Python snippet to handle receipt and re-assembly of packet information).

The result is that there's no TCP connection within the tunnel, so you're still only contending with a single layer of congestion control.


# Tunnel any packets destined for via ssh-server.domain
sshuttle -r ssh-server.domain 

# Send everything via the tunnel
sshuttle -r ssh-server.domain

# Send only port 80 traffic via the tunnel
sshuttle -r ssh-server.domain 

# Send connections to port numbers between 2000 and 3000 via tunnel
sshuttle -r ssh-server.domain

# Bind to port 1234 and forward connections to via the tunnel
# can be used to provide a proxy to other machines on your LAN
sshuttle -l -r ssh-server.domain

# Check whether a DNS name is valid at the remote end, and update /etc/hosts
# Useful to save mucking around with changing DNS whenever you bring a tunnel up
sshuttle -H -r ssh-server.domain

# Intercept local DNS queries and send them all over the tunnel (to avoid DNS leaks)
sshuttle --dns -r ssh-server.domain

# Forward everything but
sshuttle -X -r ssh-server.domain

Usage Example

# Any of the config options can be dumped into a config file (one per line):

cat /etc/sshuttle.conf
-r ssh-server.domain

# When calling sshuttle, pass it the path to the config file, prefixed with @
sshuttle @/etc/sshuttle.conf
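
Because the options live in a plain file, they can be checked before the tunnel is brought up. The following is an added example, not part of the original post: a POSIX shell function that audits an sshuttle config file for a full tunnel (0/0, sshuttle's shorthand for all IPv4) without --dns, and for a -l listener bound to every interface. The function name, finding labels and sample config are constructed for illustration, and it assumes whitespace-separated options with # comment lines.

```sh
#!/bin/sh
# Added example (not from the original post): audit an sshuttle @config file.
# Assumption: options are whitespace-separated tokens; '#' starts a comment line.

audit_sshuttle_conf() (
    set -f                      # no glob expansion while word-splitting the file
    remote=no; dns=no; all=no; open=no; prev=
    for tok in $(grep -v '^[[:space:]]*#' "$1"); do
        case $tok in
            -r*|--remote|--remote=*) remote=yes ;;
            --dns)                   dns=yes ;;
            0/0|0.0.0.0/0)           all=yes ;;   # whole IPv4 space is tunnelled
            --listen=0.0.0.0:*)      open=yes ;;
            0.0.0.0:*)               case $prev in -l|--listen) open=yes ;; esac ;;
        esac
        prev=$tok
    done
    if [ "$remote" = no ]; then
        echo "NO_REMOTE: no -r/--remote server is set"
    fi
    if [ "$all" = yes ] && [ "$dns" = no ]; then
        echo "DNS_LEAK: all traffic is tunnelled but --dns is missing, so lookups bypass the tunnel"
    fi
    if [ "$open" = yes ]; then
        echo "OPEN_LISTENER: -l is bound to 0.0.0.0, so any host that can reach this machine can use the tunnel"
    fi
)

# Constructed sample config, for demonstration only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# full tunnel, shared with the LAN
-r ssh-server.domain
-l 0.0.0.0:1234
0/0
EOF
audit_sshuttle_conf "$sample"
rm -f "$sample"
```

An empty result means none of the three conditions were found; it does not validate the rest of the options.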


Client Machine
  • Linux or Mac OS X
  • sudo access
  • SSH client
SSH Server
  • Python >= 2.3 on remote server
  • A running SSH daemon


ssh, tunnel, latency, sshuttle, VPN, forwarding, tunnelling

Copyright © 2022 Ben Tasker