sshuttle is a better ssh -D alternative - Est's Blog


The guru ignw once said that ssh and OpenVPN perform poorly. At the time I wondered: if OpenVPN runs over a TCP connection, wouldn't the TCP flow control and retransmission inside the tunnel become useless?

Today a new thing, sshuttle, was discussed on HN. The one-sentence summary:

If ssh -D is TCP-over-TCP, then sshuttle is data-over-TCP.

The detailed description:

But you can't safely just forward TCP packets over a TCP session (like ssh), because TCP's performance depends fundamentally on packet loss; it must experience packet loss in order to know when to slow down! At the same time, the outer TCP session (ssh, in this case) is a reliable transport, which means that what you forward through the tunnel never experiences packet loss. The ssh session itself experiences packet loss, of course, but TCP fixes it up and ssh (and thus you) never know the difference. But neither does your inner TCP session, and extremely screwy performance ensues.

sshuttle assembles the TCP stream locally, multiplexes it statefully over an ssh session, and disassembles it back into packets at the other end. So it never ends up doing TCP-over-TCP. It's just data-over-TCP, which is safe.

Compared with a VPN, sshuttle is stateful; compared with ssh, sshuttle lets you use the "real" IP addresses of each host rather than faking port numbers on localhost.

There is also an essay explaining why TCP Over TCP Is A Bad Idea. In short, with two layers of TCP, packet loss leads to poor performance.
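As an added illustration (not code from this post, from sshuttle, or from the essay), here is a toy simulation of the two arguments above: a sender that sees the link's drops keeps its window bounded, while a sender whose segments ride inside a reliable tunnel never sees loss, keeps growing, and leaves an ever-larger backlog in the tunnel. The link capacity, the window rules and the round-based model are simplifications invented for this example.

```python
"""Toy model of why TCP-over-TCP misbehaves (added example, not sshuttle code).

A TCP sender grows its window until it observes packet loss, then backs off.
Inside a reliable tunnel (ssh -D style), the outer TCP retransmits whatever the
link drops, so the inner sender never observes loss, never backs off, and the
undelivered data piles up inside the tunnel. sshuttle's data-over-TCP approach
terminates the application's TCP locally, so the only congestion controller in
play is the outer one, which does see the link and behaves like the "direct" case.
"""

LINK_CAPACITY = 10  # packets the bottleneck link can deliver per round (one RTT)


def simulate(rounds, tunneled):
    """Return (final_cwnd, tunnel_backlog) after `rounds` RTTs.

    Simplified AIMD: the window grows by one packet per loss-free round and
    halves when the sender observes loss. With `tunneled=True`, loss is hidden
    behind a reliable outer transport that queues dropped packets for resend.
    """
    cwnd = 1       # inner sender's window, in packets per round
    backlog = 0    # packets the outer (reliable) layer still owes the link
    for _ in range(rounds):
        offered = backlog + cwnd            # retransmits first, then new data
        dropped = max(0, offered - LINK_CAPACITY)
        if tunneled:
            backlog = dropped               # outer TCP keeps them and resends
            cwnd += 1                       # inner TCP saw no loss: keep growing
        else:
            backlog = 0                     # plain TCP: drops are visible losses
            cwnd = max(1, cwnd // 2) if dropped else cwnd + 1
    return cwnd, backlog


if __name__ == "__main__":
    for label, tunneled in (("direct / data-over-TCP", False), ("TCP-over-TCP", True)):
        cwnd, backlog = simulate(50, tunneled)
        print(f"{label:24s} cwnd={cwnd:3d} tunnel backlog={backlog}")
```

After 50 rounds the direct sender oscillates just around the link capacity with nothing queued, whereas the tunneled sender's window has grown to 51 packets per round and the tunnel holds 820 packets it still has to retransmit.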
