Sshuttle VPN - iptables addrtype error

Applications Others
#1

I am trying to run sshuttle on Sailfish 3.3.0.16.
sshuttle is a simple proxy (VPN) for tcp which only needs ssh on the server side

  • see: https://github.com/sshuttle/sshuttle
    I can sucessfully clone the repository and install via provided script (needed python3-setuptools and a symlink from python3 to python)
    When I want to start the client I get an error:

iptables -t nat -A sshuttle-12300 -j RETURN -m addrtype --dst-type LOCAL ! -p udp
iptables v1.8.2 (legacy): Couldn’t load match `addrtype’:No such file or directory

How can I run sshuttle on SailfishOS?
Thanks, palim

Enhancement: Improve availability of netfilter/iptables/xt modules
#2

Availability of this match type depends on the kernel your phone runs. My JP1301 does not have a support module for this:

[nemo@jp1301 ~]$ zcat /proc/config.gz |grep -i addrtype
# CONFIG_NETFILTER_XT_MATCH_ADDRTYPE is not set

On newer phones with newer kernels, the configuration may not be accessible at /proc/config.gz, but the mechanism to identify kernel module support should be similar.

#3

Hi Maus - indeed:

zcat /proc/config.gz |grep -i addrtype
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE is not set
uname -a
Linux [xxx] 3.10.84 #1 SMP PREEMPT Sun Feb 16 19:24:33 UTC 2020 aarch64 GNU/Linux

So no luck until a newer kernel with enabled netfilter module.
Aargh, any suggestions for a simple VPN?
Thanks.

#4

what about simple proxy instead of simple vpn?)

#5

Hi coderus - how so?

#6

Are the stock VPN options not sufficient (or not simple enough)? Anyway, as @coderus wrote, it all depends on what you actually need to get working.

#7

sshuttle would be an ideal “poor man’s” VPN without the need for setting up a complicated network and certificates. All you need is a working ssh login at the target, nothing else. I am using it regularly on my desktop and it works quite well.

#8

So it’s a matter of know your tools, which is a good reasoning. Alas, your tool of choice is not available on this phone.

#9

Maybe there is a way to achieve what that iptables rule is doing another way that doesn’t need the addrtype match?

I’m not familiar with the details, but maybe policy routing can do it?