I love the smell of

in the morning
Everything here is my opinion. I do not speak for your employer.
September 2010
November 2010

2010-10-01 »

sshuttle now works on MacOS

I know there are quite a few people who will be as happy to know this as I was. Thanks to a helpful contributor known only as dkf, I've now added the magic incantation (namely, sysctl -w net.inet.ip.scopedroute=0) that's needed to make ipfw transparent proxying work on MacOS 10.6 Snow Leopard. I don't know what it does, and I don't care! All I know is that sshuttle restores it on exit to whatever its previous value was :)
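The one thing the post does promise about that sysctl is that sshuttle puts it back on exit. Below is an added example (my own code, not sshuttle's) of the save-then-restore pattern in Python: it reads the current value, writes the new one, and restores the old value in a `finally` block so the change does not outlive the tunnel even when the session body raises. The `run` parameter is an assumed hook so the logic can be exercised with the in-memory `FakeSysctl` stand-in (constructed) instead of needing root and a BSD kernel.

```python
"""Temporarily change a kernel setting and restore it on exit (added example)."""
import subprocess
from contextlib import contextmanager


def run_sysctl(args):
    """Default runner: invoke the real sysctl(8) and return its stdout text."""
    return subprocess.run(["sysctl", *args], check=True,
                          capture_output=True, text=True).stdout


def read_sysctl(name, run=run_sysctl):
    """Return the current value of `name` as a string (`sysctl -n` prints only the value)."""
    return run(["-n", name]).strip()


@contextmanager
def temporarily_set(name, value, run=run_sysctl):
    """Set `name` to `value` for the duration of the with-block, then put the old value back."""
    old = read_sysctl(name, run)
    run(["-w", "%s=%s" % (name, value)])
    try:
        yield old
    finally:
        # Runs on normal exit and on exceptions alike, so the host is not left
        # with a routing setting that was only meant to exist while the tunnel ran.
        run(["-w", "%s=%s" % (name, old)])


class FakeSysctl:
    """Constructed stand-in for sysctl so the save/restore logic runs without root."""

    def __init__(self, values):
        self.values = dict(values)
        self.log = []  # every argv we were asked to run, for inspection

    def __call__(self, args):
        self.log.append(list(args))
        if args[0] == "-n":
            return "%s\n" % self.values[args[1]]
        if args[0] == "-w":
            name, _, val = args[1].partition("=")
            self.values[name] = val
            return "%s: %s\n" % (name, val)
        raise ValueError("unsupported sysctl args: %r" % (args,))


def demo():
    """Normal path: returns (old value, value during the block, value after)."""
    fake = FakeSysctl({"net.inet.ip.scopedroute": "1"})
    with temporarily_set("net.inet.ip.scopedroute", "0", run=fake) as old:
        during = fake.values["net.inet.ip.scopedroute"]
    return old, during, fake.values["net.inet.ip.scopedroute"]


def demo_with_error():
    """Failure path: the block raises, yet the old value is restored."""
    fake = FakeSysctl({"net.inet.ip.scopedroute": "1"})
    try:
        with temporarily_set("net.inet.ip.scopedroute", "0", run=fake):
            raise RuntimeError("tunnel died")
    except RuntimeError:
        pass
    return fake.values["net.inet.ip.scopedroute"]


if __name__ == "__main__":
    print(demo())             # ('1', '0', '1')
    print(demo_with_error())  # '1'
```

The `finally` only helps if the process gets to unwind; a SIGKILL, a kernel panic or a pulled battery leaves the setting changed, so anything that manages firewall rules or sysctls this way should also check for and clean up leftovers on its next start.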

This means you, as well as I, can now use a Macbook to VPN into any network that gives you ssh access. That's a lot more helpful than always having to do it from a Linux VM.

Why sshuttle is awesome

For those who are just joining us, sshuttle provides VPN-like connectivity using a plain ssh connection, without needing root access (and thus the admin's permission) on the server side. Basically, it makes a transparent proxy server on your client that automatically forwards through an ssh tunnel.

Compared to ssh's built-in port forwarding, tunneling, and SOCKS mode, sshuttle is better because:

  • it auto-discovers hostnames from the server side and puts them in your /etc/hosts while the tunnel is running.
  • it auto-discovers network routes from the server so you don't have to specify them on the client.
  • it works even if you don't know how to configure SOCKS, and with programs that don't support SOCKS, and you don't have to remember to turn SOCKS on and off when your tunnel comes and goes.
  • you can easily run more than one tunnel at once to more than one remote server (as long as the remote subnets use different IP addresses, of course).
  • the remote admin can't disable it in the sshd configuration.
  • there's a workaround for ssh's tendency to use megabyte-sized tx/rx socket buffers, which results in horrible latency. So you can download a large file and have interactive traffic on the same tunnel, and performance doesn't suck.
  • it doesn't have the random freeze-up bugs that ssh port forwarding does. (Though maybe that's specific to Debian's ssh, and maybe it only happens to me. Nobody has ever corroborated my story that ssh port forwarding freezes ALL THE TIME.)
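The "transparent proxy" half of the design hinges on one detail the post glosses over: after the firewall (ipfw on a Mac, iptables on Linux) has rewritten a connection's destination to the proxy's own port, the proxy has to recover where the client really wanted to go before it can forward the stream. On Linux that is getsockopt(SOL_IP, SO_ORIGINAL_DST); under an ipfw "fwd" rule the kernel keeps the original destination on the socket, so getsockname() on the accepted connection returns it. The following is an added example of my own, not sshuttle's source, that decodes the struct sockaddr_in both calls hand back and adds the one sanity check a transparent proxy should never skip: refusing a connection whose "original" destination is the proxy listener itself, which would otherwise forward in a loop. The `SO_ORIGINAL_DST` constant is the Linux netfilter value, and `constructed_sockaddr` builds test input inline.

```python
"""Recover the original destination of a firewall-redirected TCP connection (added example)."""
import socket
import struct

# Linux netfilter option number; Python's socket module does not export it.
SO_ORIGINAL_DST = 80


def parse_sockaddr_in(raw):
    """Decode a Linux-layout struct sockaddr_in into (ip, port).

    Layout: sin_family (2 bytes, host order), sin_port (2 bytes, network
    order), sin_addr (4 bytes), then 8 bytes of zero padding.
    """
    if len(raw) < 8:
        raise ValueError("sockaddr_in too short: %d bytes" % len(raw))
    family = struct.unpack_from("=H", raw, 0)[0]
    if family != socket.AF_INET:
        raise ValueError("not an AF_INET address (family=%d)" % family)
    port = struct.unpack_from("!H", raw, 2)[0]
    ip = socket.inet_ntoa(raw[4:8])
    return ip, port


def original_dst(conn):
    """Return (ip, port) the client originally dialled, for an accepted socket.

    Tries the netfilter query first; on non-Linux systems (no SOL_IP) or on a
    connection that was not redirected (ENOENT) it falls back to getsockname(),
    which is the right answer under ipfw's fwd rule.
    """
    try:
        raw = conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16)
        return parse_sockaddr_in(raw)
    except (OSError, AttributeError):
        ip, port = conn.getsockname()[:2]
        return ip, port


def is_redirect_loop(dst, listener):
    """True if forwarding to `dst` would land back on our own listener.

    `listener` is the (ip, port) we accept on; a match means the firewall rule
    caught our own outbound traffic, and forwarding it would spin forever.
    """
    return tuple(dst) == tuple(listener)


def constructed_sockaddr(ip, port):
    """Build the 16-byte Linux sockaddr_in a redirected socket would yield (constructed test input)."""
    return (struct.pack("=H", socket.AF_INET) + struct.pack("!H", port)
            + socket.inet_aton(ip) + b"\0" * 8)


def demo_loopback():
    """Accept one local connection and report what original_dst() sees for it.

    Nothing is redirected here, so the result is simply the listener address.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    cli = socket.create_connection(srv.getsockname())
    conn, _ = srv.accept()
    try:
        dst = original_dst(conn)
        return dst, is_redirect_loop(dst, srv.getsockname())
    finally:
        conn.close()
        cli.close()
        srv.close()


if __name__ == "__main__":
    print(parse_sockaddr_in(constructed_sockaddr("10.1.2.3", 443)))  # ('10.1.2.3', 443)
    print(demo_loopback())
```

In the loopback demo the "original destination" is the listener itself, so `is_redirect_loop` fires, which is exactly the case a real transparent proxy must drop rather than forward; sshuttle's firewall rules avoid it by excluding the proxy's own listening port from redirection.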

ssh forwarding shares the following properties too, but not every VPN package does, so it's worth pointing out that sshuttle is also awesome because:

  • you get exactly the same level of transport security and key management as ssh (i.e. a lot), because it uses ssh.
  • you don't have to install anything on the server (as long as you have sshd, a shell account, and python). It installs a temporary copy of itself on the server ("internet worm technology"), whenever you connect. There's never a client/server version mismatch.
  • it's astonishingly easy to configure; you don't even need to 'make install'.
  • it elegantly avoids the infamous tcp-over-tcp problem that most tcp-based SSL VPNs have, while still being able to use chained ciphers that udp-based VPNs can't (at least not without incurring a lot of overhead).
  • almost all of it does not run as root (including 100% of the server side).

You can download sshuttle 0.40 from github. Enjoy!

2010-10-11 »

Avery World Tour 2010

Although the tour has already begun, I suppose some of my faithful (ha!) readers may be interested to know where this trip has yet to go:

  • Theodore Roosevelt Park, ND ("I grow very fond of this place, and it certainly has a desolate, grim beauty of its own, that has a curious fascination for me." - T.R.)
  • Black Hills Park, SD (including Mount Rushmore, apparently)
  • Yellowstone Park (home of Old Faithful)
  • Boulder
  • Denver
  • Salt Lake City
  • Provo and Orem, UT (founding places of Novell and Wordperfect)
  • Bonneville Salt Flats (where the land vehicle world speed record is held: faster than Mach 1!)
  • Grand Canyon, AZ
  • Las Vegas
  • Los Angeles
  • San Diego
  • Somewhere in Mexico (maybe)
  • Mountain View (for GitTogether 2010)
  • San Francisco
  • Portland
  • Seattle
  • Victoria and/or Vancouver
  • Saltspring Island

If you are in one of those places and you think you want to see me while I'm there, send me an email. Even better if you have an extra couch to crash on.

Also if you want a postcard, let me know. No guarantee about which of the above places it will come from. I'm not that good.

2010-10-16 »

Employee Cults

    The way you know your processes are working is when you overhear employee number 5 saying, "thank God I got a job early on in this company, because there's no way I could get one now."

    -- blognewcomb

I remember hearing that a few times at NITI. It seems like good advice. So is the rest of the article.


I'm CEO at Tailscale, where we make network problems disappear.

Why would you follow me on twitter? Use RSS.

apenwarr on gmail.com