sshuttle VPN no longer working in Mavericks due to ipfw changes ... anyone ?

Discussion in 'OS X Mavericks (10.9)' started by gjarold, Oct 6, 2014.

  1. gjarold macrumors regular

    Joined:
    Nov 14, 2007
    #1
    First, let me recommend "sshuttle" as a VPN software - very simple, very nice way of making a quick and simple VPN with any remote server that is running OpenSSH. Only requirement is that the remote server has to have python on it.

    https://github.com/apenwarr/sshuttle

    I have used this on several OSX systems with good success.

    It does not work on Mavericks. The issue is explained well in this apple forum posting:

    https://discussions.apple.com/thread/6534813

    I wonder if anyone here is using sshuttle on Mavericks and can comment ?

    Why is ipfw broken and poorly maintained in OSX nowadays ?
     
  2. gjarold thread starter macrumors regular

    Joined:
    Nov 14, 2007
    #2
    Ok, here is an immediate followup ...

    It turns out that, as of October 2014, *this* is the source repo that you want to be using:

    https://github.com/sshuttle/sshuttle

    and *not* the original apenwarr version that is what google shows you, etc.

    There are new commits and new code in that new git repo ... however I have not yet tested whether it actually works on Mavericks ...
     
  3. gjarold thread starter macrumors regular

    Joined:
    Nov 14, 2007
    #3
    Another self-reply ...

    All versions of sshuttle, including the newest ones from the new author, rely on ipfw.

    And ipfw is broken / deprecated in OSX as of ... Mountain Lion ? Who knows.

    ipfw binary is still there in OSX and looks like its working, but it is not.

    To be clear - there was absolutely no reason to break ipfw - it does not interfere with the new pf/pfctl framework and if people aren't using it, it just sits there as an unused binary. No reason at all to cripple/break it.

    But they did.
     
  4. petehare macrumors newbie

    Joined:
    Oct 31, 2014
    #4
    @gjerold So is the general consensus that it's a no-go for now? Such a shame if so. I'm still trying to find a viable solution.
     
  5. Astralis macrumors newbie

    Joined:
    Dec 21, 2014
    Location:
    Sweden
    #5
    Hi, everyone.

    I was looking for the solution to this as well and I stumbled upon ssh's built in SOCKS proxy. To use it, ssh to your machine using "ssh -D 1234 user@hostname" and then add a proxy connection to "localhost:1234". While not a complete solution to the problem, it is a very nice alternative for most people.
     
  6. domain macrumors member

    Joined:
    Jan 25, 2007
    #6
    I glanced over the code of this application (which was quite frightening)... trying to understand what changes it makes from a firewall perspective.

    Based on my understanding of what it is trying to accomplish, the version of pf included with OS X is missing functionality that would be required to make this work.

    The mainline version of pf (from the originating OpenBSD) looks like it would be capable of replicating what they are doing in ipfw via the "divert-to" option, but the one included in OSX does not support this to my knowledge.
     

Share This Page