how to let docker container work with sshuttle?

Question

I need container be able to use sshuttle tool. I try either way in host or containner. But none of it will work. Here's what I need: I run : sshuttle -r [email protected] --dns 0/0 in host. It can help host application access internet via sshuttle. But for container, it can't resolve the DNS request. It seems --dns will affect container's DNS capability. how to make container work with host's sshuttle?

also if I run sshuttle inside the container. It seems container don't have the permission with "--dns" option in sshuttle.

anyway, I need this option "--dns" in container because it's the only way to get over government fire wall (GFW) in china.

anyone help to make it work?

Answer 1

Try sshuttle -l 0.0.0.0 --dns -vvr [email protected] 0/0, that works for me. I guess we need -l 0.0.0.0 so that docker containers with "remote ip" can connect to the tunnel.

Answer 2

Normally, setting 0.0.0.0 entails listening on externally available interfaces, and this is also the case with sshuttle .

A more secure approach would be the following - on your host:

1. launch your "normal" sshuttle instance, listening on localhost,
2. launch another sshuttle instance, listening on your docker host's virtual network interface.

For example:

sshuttle --dns -r <your-ssh-server> 0/0
sshuttle -l 172.17.0.1 --dns -r <your-ssh-server> 0/0

Note that this will interfere with host <-> container communication (such as port binding), but it will allow for secure outside connections for your containers (you can further help yourself with excluding Docker's subnet, e.g. with -x 172.17.0.0/24).

Answer 3

you can see your network bridge subnets and exclude it in sshuttle e.g,

sudo sshuttle -l 0.0.0.0:0 -r user@host -x host -x 127.0.0.1 -x 172.21.0.0/24 -x 172.22.0.0/24 -x 172.23.0.0/24 0/0 --dns