sshuttle/sshuttle

Sshuttle 1.1.1 not working on macOS Sonoma 14.1.1

jadsonjs opened this issue · 8 comments

Sorry if this is a duplicate issue, but I could not find another issue with the same problem. I am trying to use Sshuttle for the first time to connect to a Linux server from my macOS. With the command below:

sshuttle -v -r user@XXX.XX.XX.XX:YYYY -x XXX.XX.XXX.XX XXX.0.0.0/8 XXX.XXX.X.0/24

When running this command, after typing the password, the following log lines are shown:

s: Running server on remote host with /usr/bin/python3 (version 3.10.6)
s: latency control setting = True
s: auto-nets:False
c : Connected to server.
fw: setting up.
fw: >> pfctl -s Interfaces -i lo -v
fw: >> pfctl -s all
fw: >> pfctl -a sshuttle6-12300 -f /dev/stdin
fw: >> pfctl -E
fw: >> pfctl -s Interfaces -i lo -v
fw: >> pfctl -s all
fw: >> pfctl -a sshuttle-12300 -f /dev/stdin
fw: >> pfctl -E

And it stays stopped at the last line (the pfctl -E command), frozen, forever.
The pfctl -E command is used to enable the PF (Packet Filter) firewall on macOS.
When I try to execute the command directly on my macOS terminal, the following lines are shown:

$pfctl -E
No ALTQ support in kernel
ALTQ related functions disabled
pf enabled
Token : 4235676552202453487

macOS Sonoma 14.1.1
sshuttle --version 1.1.1

I checked the following issues, without any success:

#563
#706
#864
#895

I think this is a bug in sshuttle on macOS Sonoma. Can someone help me? Thanks.

Same problem here. Everything worked before the update.

% sshuttle --dns -vr root@xxx 0/0
Starting sshuttle proxy (version 1.1.1).
c : Starting firewall manager with command: ['/Users/xxx/.pyenv/versions/3.11.5/envs/global3_11_5/bin/python3.11', '/Users/xxx/.pyenv/versions/global3_11_5/bin/sshuttle', '-v', '--method', 'auto', '--firewall']
fw: Starting firewall with Python version 3.11.5
fw: ready method name nft.
c : IPv6 enabled: Using default IPv6 listen address ::1
c : Method: nft
c : IPv4: on
c : IPv6: on
c : UDP : off (not available with nft method)
c : DNS : on
c : User: off (not available with nft method)
c : Subnets to forward through remote host (type, IP, cidr mask width, startPort, endPort):
c :   (<AddressFamily.AF_INET: 2>, '0.0.0.0', 0, 0, 0)
c : Subnets to exclude from forwarding:
c :   (<AddressFamily.AF_INET: 2>, '127.0.0.1', 32, 0, 0)
c :   (<AddressFamily.AF_INET6: 30>, '::1', 128, 0, 0)
c : DNS requests normally directed at these servers will be redirected to remote:
c :   (<AddressFamily.AF_INET: 2>, '8.8.8.8')
c :   (<AddressFamily.AF_INET: 2>, '1.1.1.1')
c :   (<AddressFamily.AF_INET: 2>, '4.4.2.2')
c : TCP redirector listening on ('::1', 12300, 0, 0).
c : TCP redirector listening on ('127.0.0.1', 12300).
c : DNS listening on ('::1', 12299, 0, 0).
c : DNS listening on ('127.0.0.1', 12299).
c : Starting client with Python version 3.11.5
c : Connecting to server...
 s: Running server on remote host with /usr/bin/python3 (version 3.10.12)
 s: latency control setting = True
 s: auto-nets:False
c : Connected to server.
fw: setting up.
fw: nft add table inet sshuttle-ipv6-12300
Error: No such file add table
fw: undoing changes.
fw: nft delete table inet sshuttle-ipv6-12300
Error: No such file delete table
fw: error: ['nft', 'delete table', 'inet', 'sshuttle-ipv6-12300', ''] returned -13
fw: nft delete table inet sshuttle-ipv4-12300
Error: No such file delete table
fw: error: ['nft', 'delete table', 'inet', 'sshuttle-ipv4-12300', ''] returned -13
fw: fatal: ['nft', 'add table', 'inet', 'sshuttle-ipv6-12300', ''] returned 1
c : fatal: cleanup: ['/Users/xxx/.pyenv/versions/3.11.5/envs/global3_11_5/bin/python3.11', '/Users/xxx/.pyenv/versions/global3_11_5/bin/sshuttle', '-v', '--method', 'auto', '--firewall'] returned 99

Works fine with 1.1.1 on Sonoma 14.3

Contrary to what is said by @andloh, I still have the issue in Sonoma 14.3 (version 14.3.1 (23D60)) with sshuttle v1.1.1 and v1.1.2 (available in brew) on a MacBook Air M2 (SIP enabled; professional machine with Microsoft Defender for Endpoint, GlobalProtect+TunnelBlick) and a MacBook Pro M2 Pro (SIP enabled; personal machine, no security software installed; Tailscale).

Didn't work on 14.2.2, I attempted to upgrade to 14.3.1 and it still does not work. Wonder if there is some other factor in play here. @andloh do you have your firewall enabled?

@skrobul Yes, I have firewall enabled, SIP too. Intel Mac

@andloh thanks, fwiw I'm on an ARM-based Mac so there is a difference here. Enabling/disabling firewall does not change a thing. SIP is enabled and I want to keep it that way.
Maybe it's some sort of endpoint protection software (i.e. Crowdstrike or Appgate SDP) blocking these?

sshuttle 1.1.1 on ARM M2 is OK for me. Firewall disabled. I did not change my SIP settings (=> enabled)

If you are using a VPN to connect, see #563

Thanks @ZeGuigui. Following suggestions from #563 did the trick for me