Skip to content

Instantly share code, notes, and snippets.

@johnsimcall

johnsimcall/ssh-tunnel-example-bastion.config

Last active October 22, 2022 07:22
Show Gist options
  • Save johnsimcall/61a2c6d05899dd1da4d68614c5faf263 to your computer and use it in GitHub Desktop.
Save johnsimcall/61a2c6d05899dd1da4d68614c5faf263 to your computer and use it in GitHub Desktop.
Download ZIP
systemd unit file for establishing an SSH tunnel to a remote host that runs (or can reach) a proxy service
Raw
ssh-tunnel-example-bastion.config
Host example-bastion
HostName example-bastion.fqdn.com
IdentityFile /root/.ssh/id_ed25519 # -i
User john # -l
ExitOnForwardFailure yes
ServerAliveInterval 10
SessionType none # -N
RequestTTY no # -T
GatewayPorts yes # -g
LocalForward 3129 outside.proxy.com:3128 # -L
Raw
ssh-tunnel@.service
[Unit]
Description=Setup a secure tunnel to %i
After=network-online.target
[Service]
ExecStart=/usr/bin/autossh -M 0 -F /etc/ssh/ssh-tunnel-%i.config %i
RestartSec=5
Restart=always
[Install]
WantedBy=multi-user.target
@johnsimcall
Copy link
Author

All of this systemd trickery is the equivalent of just running

$ ssh -L 3129:outside.proxy.com:3128 outside.bastion.com

Here are some other options to consider that can put the ssh command into the background (-f) and expose the forwarded port(s) to other hosts in the local network (g)

 -L | start listening on 3129 locally, then
    | forward anything received there to port 3128 on outside.proxy (via outside.bastion)
 -g | allow other systems to use the port forwarding
 -N | don't execute any commands on outside.bastion, just setup the port forwarding
 -f | after prompting for password, fork into the background and return the shell prompt
 -n | don't allow password input, instead connect stdin to /dev/null
 -T | don't allocate a pseudo-terminal

 -o "ExitOnForwardFailure yes" | fails if cannot setup port forwarding
                               | doesn't fail if the port forward successfully goes to a blackhole
                               | e.g. sshd sets "DisableForwarding yes" or "AllowTcpForwarding no"
 -o "ServerAliveInterval 10"   | if the connection is quiet, send a heartbeat every 10 seconds
 -o "ServerAliveCountMax 3"    | exit when this many heartbeats are unacknowledged

If you also have control over the remote sshd daemon, you might consider applying this:

 -o "ClientAliveInterval 10"   | if the client is quiet, send a heartbeat every 10 seconds

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment