SSH tunnels are one of the most versatile tools in a self-hosted infrastructure toolkit. They provide encrypted connectivity for forwarding ports, accessing remote services, and creating ad-hoc VPN connections without setting up dedicated VPN software. In this guide, we compare three SSH tunnel management approaches: sshuttle, autossh, and sshtunnel.

Overview

| Feature | sshuttle | autossh | sshtunnel |
|---|---|---|---|
| GitHub Stars | 13,315 | N/A (packages) | 1,286 |
| Type | Transparent proxy | Connection monitor | Python library |
| Language | Python | C | Python |
| VPN Mode | Full subnet routing | Port forwarding only | Port forwarding only |
| Auto-Reconnect | Yes | Yes | Yes |
| DNS Tunneling | Yes | No | No |
| Root Required | Yes (for transparent proxy) | No | No |
| Platform | Linux, macOS | Linux, macOS, BSD | Cross-platform |
| UDP Support | Yes | No | No |

What Is sshuttle?

sshuttle creates a transparent proxy server that works as a “poor man’s VPN.” It forwards all traffic for specified subnets over SSH, with no configuration needed on the remote server. Unlike traditional SSH port forwarding, sshuttle handles all traffic to the target network automatically.

Key Features

  • Transparent proxy: Routes all traffic for specified subnets without per-port configuration
  • DNS resolution: Forwards DNS queries over the SSH tunnel
  • UDP support: Handles UDP traffic including DNS and VoIP
  • No root on server: Only requires SSH access — no special server software
  • Subnet routing: Forward entire networks, not just individual ports
  • Automatic reconnect: Re-establishes the tunnel after disconnections

Installation

# Debian/Ubuntu
sudo apt install sshuttle
# macOS (Homebrew)
brew install sshuttle
# Any platform with pip
pip install sshuttle

Basic Usage

# Route all traffic for 10.0.0.0/8 through the SSH tunnel
sshuttle -r user@remote-server 10.0.0.0/8

# Route multiple subnets with DNS
sshuttle -r user@remote-server --dns 10.0.0.0/8 172.16.0.0/12

# Run as daemon
sshuttle -r user@remote-server --daemon 10.0.0.0/8

systemd Service

[Unit]
Description=sshuttle VPN tunnel
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
ExecStart=/usr/bin/sshuttle -r user@remote-server --dns 10.0.0.0/8
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target

What Is autossh?

autossh is a program that monitors and restarts SSH connections. It maintains persistent SSH tunnels — if the connection drops, autossh automatically reconnects. It has been a staple of Unix system administration for over two decades.

Key Features

  • Connection monitoring: Uses a loopback port or echo service to detect dropped connections
  • Automatic restart: Re-establishes SSH connections after network interruptions
  • Configurable polling: Adjust monitoring interval to balance responsiveness and resource usage
  • Lightweight: Written in C, uses minimal system resources
  • SSH-compatible: Works with any SSH configuration and options

Installation

sudo apt install autossh

Basic Usage

# Create a persistent local port forward
autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" \
    -L 8080:localhost:80 user@remote-server

# Remote port forwarding
autossh -M 0 -o "ServerAliveInterval 30" \
    -R 9090:localhost:3000 user@remote-server

# Dynamic SOCKS proxy
autossh -M 0 -D 1080 user@remote-server

What Is sshtunnel?

sshtunnel is a Python library that provides programmatic SSH tunnel management. It is ideal for applications that need to create and manage SSH tunnels from within Python code.

Key Features

  • Python API: Create and manage tunnels programmatically
  • Context manager: Use Python’s with statement for clean tunnel lifecycle management
  • Multiple tunnels: Open multiple tunnels from a single connection
  • Gateway chaining: Connect through multiple SSH hops
  • Key-based auth: Supports password, key file, and agent authentication

Installation

pip install sshtunnel

Basic Usage

from sshtunnel import SSHTunnelForwarder

# Forward localhost:15432 to db.internal:5432 through the bastion host
with SSHTunnelForwarder(
    ('bastion.example.com', 22),
    ssh_username='deploy',
    ssh_pkey='/home/user/.ssh/id_ed25519',  # ssh_private_key is a deprecated alias
    remote_bind_address=('db.internal', 5432),
    local_bind_address=('localhost', 15432)
) as tunnel:
    # The tunnel is closed automatically when the with block exits
    print(f"Tunnel open on port {tunnel.local_bind_port}")

Choosing the Right SSH Tunnel Tool

Choose sshuttle if: You need access to an entire remote network, want transparent proxy behavior, need DNS resolution through the tunnel, or want UDP traffic support.

Choose autossh if: You need persistent port forwarding, want automatic reconnection after network drops, and are managing production tunnels via systemd.

Choose sshtunnel if: You are building a Python application that needs SSH tunnels, need programmatic tunnel creation and teardown, or are writing deployment scripts and CI/CD pipelines.

SSH Tunnel Security Best Practices

1. Use SSH Keys, Not Passwords

Always use SSH key-based authentication for automated tunnels:

ssh-keygen -t ed25519 -f ~/.ssh/tunnel_key -C "tunnel-key"
ssh-copy-id -i ~/.ssh/tunnel_key.pub user@remote-server

2. Restrict Tunnel Capabilities

Limit what the tunnel user can do on the remote server by prefixing the key's entry in ~/.ssh/authorized_keys with options:

command="/usr/bin/true",no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAA...
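
The options on the line above stop a shell, X11 forwarding and agent forwarding, but they leave port forwarding open to any destination the server can reach. The following Python is an added example, not code from the original guide or from OpenSSH: it parses the options field and reports what a tunnel-only key still permits. It goes beyond the guide in using restrict, port-forwarding, permitopen and permitlisten, which are OpenSSH authorized_keys options the guide does not mention, and both sample lines are constructed.

```python
import re

KEY_TYPE = re.compile(r"^(ssh-|ecdsa-sha2-|sk-)")
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\"|[^"])*)")?(,|[ \t]+)')
FEATURES = ("pty", "x11-forwarding", "agent-forwarding", "port-forwarding", "user-rc")

# Constructed samples: the guide's line, and a variant pinned to fixed endpoints.
PAGE_LINE = ('command="/usr/bin/true",no-X11-forwarding,no-agent-forwarding,'
             'no-pty ssh-ed25519 AAAA... tunnel-key')
PINNED_LINE = ('restrict,port-forwarding,command="/usr/bin/true",'
               'permitopen="db.internal:5432",permitlisten="localhost:9090" '
               'ssh-ed25519 AAAA... tunnel-db')

def parse_options(line):
    """Return [(name, value)] from the options field of an authorized_keys line."""
    line, pos, opts = line.strip(), 0, []
    if KEY_TYPE.match(line):
        return []                       # line starts with the key type: no options
    while (m := OPTION.match(line, pos)):
        opts.append((m[1].lower(), (m[2] or "").replace('\\"', '"')))
        pos = m.end()
        if m[3] != ",":
            break                       # unquoted whitespace ends the options field
    return opts

def audit(line):
    """Return findings for one key that is meant for tunnels only."""
    opts = parse_options(line)
    names = {name for name, _ in opts}
    allowed = dict.fromkeys(FEATURES, True)       # sshd defaults with no options
    for name, _ in opts:                          # options take effect in order
        if name == "restrict":
            allowed = dict.fromkeys(FEATURES, False)
        elif name in FEATURES:
            allowed[name] = True
        elif name.startswith("no-") and name[3:] in FEATURES:
            allowed[name[3:]] = False
    findings = [f"{f} allowed" for f in FEATURES[:3] if allowed[f]]
    if "command" not in names:
        findings.append("no forced command")
    for opt, what in (("permitopen", "-L targets"), ("permitlisten", "-R listeners")):
        if allowed["port-forwarding"] and opt not in names:
            findings.append(f"{what} unrestricted (no {opt})")
    return findings

if __name__ == "__main__":
    for sample in (PAGE_LINE, PINNED_LINE):
        print(audit(sample))
```

A key restricted with command="/usr/bin/true" only keeps a tunnel open when the client connects with ssh -N, which autossh passes through to ssh. sshuttle cannot use such a key because it has to run its own helper on the server.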

3. Use Dedicated Tunnel Users

Create separate system users for each tunnel to improve security isolation:

sudo adduser --disabled-password --gecos "" tunnel-db
sudo adduser --disabled-password --gecos "" tunnel-app

Why Self-Host Your SSH Tunnel Infrastructure?

Running your own SSH tunnel infrastructure leverages existing SSH servers — no additional software installation is required on the remote side. You can create secure connectivity to any server you have SSH access to, from simple VPS instances to complex enterprise environments.

SSH tunnels are encrypted end-to-end using the same protocols that protect your shell sessions. Unlike many commercial VPN solutions that use proprietary protocols or require client software installation, SSH tunnels work with standard OpenSSH available on every major operating system.

For developers and system administrators, SSH tunnels provide a flexible alternative to traditional VPN setups. Instead of configuring complex IPsec or WireGuard infrastructure, you can create secure connectivity to remote networks in minutes with a single command.

If you are building a complete remote access infrastructure, our zero-trust network access guide covers modern ZTNA solutions, and our remote desktop guide covers graphical remote access solutions. For network-level access control, our network access control guide covers enterprise NAC solutions.

SSH Tunnel Use Cases in Self-Hosted Infrastructure

Database Access Through Bastion Hosts

When your database servers are in a private network, SSH tunnels provide secure access without exposing database ports to the internet. autossh maintains persistent database tunnels that survive network interruptions. sshtunnel enables application code to create and manage tunnels programmatically with clean lifecycle management using Python context managers.

Remote Development Environments

sshuttle is ideal for developers who need access to internal development services without per-port configuration. A single sshuttle command routes all traffic for specified subnets including DNS resolution, providing a VPN-like experience using only SSH.

CI/CD Pipeline Access

Build systems often need to access internal registries, artifact repositories, and deployment targets. autossh provides persistent tunnels that CI/CD runners can rely on for consistent connectivity to internal services throughout build and deployment pipelines.

SSH vs Dedicated VPN Solutions

SSH tunnels are excellent for specific use cases, but dedicated VPN solutions like WireGuard or Tailscale may be better for full-network access. SSH tunnels are quick to set up with no server-side configuration needed, making them ideal for ad-hoc access. WireGuard provides better performance with lower overhead and is better for always-on connectivity. Tailscale and Headscale offer easier management with built-in NAT traversal, making them better for team access scenarios. For infrastructure that needs both SSH tunneling and VPN connectivity, combining sshuttle for development access with WireGuard for production services provides comprehensive network access.

FAQ

What is the difference between sshuttle, autossh, and sshtunnel?

sshuttle creates a transparent VPN-like proxy that routes all traffic for specified subnets over SSH. autossh monitors and automatically restarts SSH connections for persistent port forwarding. sshtunnel is a Python library that provides programmatic SSH tunnel management from within application code.

Does sshuttle require root access?

sshuttle requires root (or sudo) access on the client machine to set up iptables rules for transparent proxying. The remote server only needs standard SSH access — no root or special software is required.

Can I use sshuttle with Windows?

sshuttle natively supports Linux and macOS. Windows support is limited through WSL2 (Windows Subsystem for Linux). For native Windows SSH tunneling, consider using autossh with OpenSSH for Windows or the built-in ssh -D SOCKS proxy.

How does autossh detect connection failures?

autossh uses SSH’s ServerAliveInterval and ServerAliveCountMax options by default. When -M 0 is specified, it relies entirely on SSH’s built-in keepalive mechanism. With a non-zero -M value, autossh opens an additional monitoring port to independently verify connection health.

Can sshtunnel handle SSH agent authentication?

Yes. When installed with the agent extra (pip install sshtunnel[agent]), sshtunnel can use keys from the SSH agent. Set ssh_agent=True in the SSHTunnelForwarder constructor to enable agent-based authentication.

Is it safe to expose SSH tunnel ports publicly?

SSH tunnel ports should generally not be exposed to the public internet. Use firewall rules to restrict access to trusted IP ranges. If public access is required, consider adding an additional authentication layer or using a reverse proxy with access controls.

How do I make an SSH tunnel start automatically on boot?

Use systemd service files for autossh and sshuttle. Create a .service file in /etc/systemd/system/ with Restart=always and WantedBy=multi-user.target. For sshtunnel, integrate the tunnel creation into your application startup process or use a process supervisor like supervisord.

Can I chain multiple SSH tunnels?

Yes. sshuttle supports gateway hosts. autossh can chain tunnels by forwarding through intermediate servers. sshtunnel supports nested context managers for multi-hop tunnel chains in Python code.