Configure SSH tunnels and port forwardings.
Tip: on a desktop Linux you may prefer the NetworkManager SSH plugin, which lets you configure an SSH VPN through a GUI.
If your computer is behind a NAT you can expose your website with a tunnel. There are a few services that provide free or cheap tunnels, e.g. https://localhost.run, https://srv.us, etc.
To configure a server and a tunnel you need to set up an SSH key for the server. The sshtunnel service runs as the root user, so the keys must be configured in its /root/.ssh/ folder. Make sure the folder exists with sudo mkdir /root/.ssh/ (ssh expects the folder and the private keys in it to be readable only by root). You can generate a new key with sudo ssh-keygen, or copy your existing keys with sudo cp ~/.ssh/id_* /root/.ssh/. Also add the server's host key to /root/.ssh/known_hosts, or use StrictHostKeyChecking accept-new as shown below.
When sshtunnel starts it reads ~/.ssh/config (i.e. /root/.ssh/config), finds all hosts whose names end with _tun, e.g. Host router_tun, and starts an ssh connection to each of them. So edit the file with sudo -e /root/.ssh/config following this example:
    Host router_tun
        HostName 192.168.1.1
        Port 2222
        User root
        ServerAliveInterval 30
        ConnectionAttempts 10
        StrictHostKeyChecking accept-new
        # When someone connects to the router's public IP on port 80, forward it to local port 8080.
        # For the listener to bind the public IP rather than loopback, sshd on the router needs GatewayPorts enabled.
        RemoteForward 80 127.0.0.1:8080
        # When sendmail connects to local port 25, connect to the router and forward to its port 25.
        LocalForward 25 127.0.0.1:25
        # Start a SOCKS proxy on local port 1080. Configure a browser to use it.
        DynamicForward 1080
sshtunnel also adds the options -N -o ExitOnForwardFailure=yes -o BatchMode=yes when starting the ssh connection. Then restart with systemctl restart sshtunnel and check the status with systemctl status sshtunnel. If no tunnel is specified, sshtunnel stops and the service won't be running until you restart it.
Another configuration file is /root/.ssh/sshtunnel.config.sh. This file is a DSL over a plain shell script: it may be more expressive but supports fewer options. Edit it with sudo -e /root/.ssh/sshtunnel.config.sh, e.g.:
    server "srv_us"
    HostName="srv.us"
    User="root"
    IdentityFile="/root/.ssh/id_ed25519"

    tunnelR "srv_us_http"
    servername="srv_us"
    remoteaddress="1"
    remoteport=80
    localaddress="127.0.0.1"
    localport=8080
See sshtunnel.config.sh for more samples.
- server: specifies the SSH server options. One server may have multiple tunnels.
  - enabled: set to 0 to disable the server.
  - HostName: an IP, a domain or a Host configured in ~/.ssh/config. Required.
  - User: defaults to the user that started the sshtunnel service, i.e. root. You had better create a separate limited user on the server.
  - Port: default 22.
  - IdentityFile: an absolute path to a private key. If empty, ssh will try /root/.ssh/id_rsa, then /root/.ssh/id_ed25519, etc. Set it only if the key name is non-standard.
  - StrictHostKeyChecking: default accept-new. If you are afraid that the server's host key may change in future, you can set it to no, which disables host key verification, at your own risk.
  - ServerAliveInterval: default 30.
  - ServerAliveCountMax: default 2.
  - ConnectionAttempts: default 10.
- tunnelR: remote to local tunnel. Options: remoteaddress, remoteport, localaddress, localport.
- tunnelL: local to remote tunnel. Options: remoteaddress, remoteport, localaddress, localport.
- tunnelD: dynamic tunnel, e.g. a SOCKS proxy. Options: localaddress, localport.
- tunnelW: VPN.
  - Tunnel: point-to-point (default) or ethernet. See Tunnel in man ssh_config.
  - localdev, remotedev: the tun devices. See TunnelDevice in man ssh_config.
Options taken from the SSH config file start with an upper-case letter, while sshtunnel-specific options start with a lower-case letter. Use man ssh_config to see the meaning of the upper-case options. If you need more options, e.g. ProxyJump, specify them in ~/.ssh/config.
Check that ssh has been started with ps ax | grep ssh, e.g.:
    ssh root@srv.us -i /root/.ssh/id_ed25519 -o StrictHostKeyChecking=accept-new -R 1:80:127.0.0.1:8080 -N -o ExitOnForwardFailure=yes -o BatchMode=yes
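To see how the DSL blocks map onto those ssh flags, here is an added example (not the project's own sshtunnel.sh) that assembles the command line from one server block and one tunnel block. Option names are the ones listed above; that StrictHostKeyChecking is always passed while the keep-alive and retry options are passed only when set explicitly is an assumption made to match the ps output shown.

```sh
#!/bin/sh
# Added example, not the project's own sshtunnel.sh: assemble the ssh
# command line that sshtunnel runs for one server block plus one tunnel
# block of /root/.ssh/sshtunnel.config.sh, as the README describes it.
# Assumptions: the block's assignments are already in scope (as after
# sourcing the file); StrictHostKeyChecking always defaults to accept-new;
# the other keep-alive/retry options are passed only when set explicitly.

# usage: build_ssh_cmd R|L|D   (prints the command line on stdout)
build_ssh_cmd() {
    kind="$1"
    # server options: User defaults to root, HostName is required
    cmd="ssh ${User:-root}@${HostName:?HostName is required}"
    [ -n "$Port" ] && cmd="$cmd -p $Port"
    [ -n "$IdentityFile" ] && cmd="$cmd -i $IdentityFile"
    cmd="$cmd -o StrictHostKeyChecking=${StrictHostKeyChecking:-accept-new}"
    for opt in ServerAliveInterval ServerAliveCountMax ConnectionAttempts; do
        eval "val=\${$opt}"
        [ -n "$val" ] && cmd="$cmd -o $opt=$val"
    done
    # tunnel options: note that -R and -L take the addresses in opposite order
    case "$kind" in
        R) cmd="$cmd -R $remoteaddress:$remoteport:$localaddress:$localport" ;;
        L) cmd="$cmd -L $localaddress:$localport:$remoteaddress:$remoteport" ;;
        D) cmd="$cmd -D $localaddress:$localport" ;;
        *) echo "unknown tunnel kind: $kind" >&2; return 1 ;;
    esac
    # what sshtunnel always appends: no remote shell, exit if a forward
    # cannot be set up, and never prompt for a password or passphrase
    echo "$cmd -N -o ExitOnForwardFailure=yes -o BatchMode=yes"
}

# The srv_us / srv_us_http blocks from the sample above, evaluated in a
# subshell so the assignments do not leak into the caller.
sample_srv_us_http() (
    HostName="srv.us"
    User="root"
    IdentityFile="/root/.ssh/id_ed25519"
    remoteaddress="1"
    remoteport=80
    localaddress="127.0.0.1"
    localport=8080
    build_ssh_cmd R
)

sample_srv_us_http
```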
To read the logs use:
    sudo journalctl -u sshtunnel -f -n 50
For Ubuntu use the PPA repository:
    sudo add-apt-repository ppa:stokito/utils
    sudo apt update
    sudo apt install sshtunnel
Or install by downloading the package:
    wget -O /tmp/sshtunnel https://github.com/yurt-page/sshtunnel/releases/download/v1.0.2/sshtunnel_1.0.0_all.deb
    sudo dpkg -i /tmp/sshtunnel
    rm -f /tmp/sshtunnel
Or install from the source repository:
    git clone git@github.com:yurt-page/sshtunnel.git
    cd sshtunnel
    # install files, service and reload systemd services
    sudo make install_all
    # reload and test after changes
    sudo make service_restart
Or copy the files manually:
    sudo cp sshtunnel.sh /usr/bin/sshtunnel
    sudo chmod +x /usr/bin/sshtunnel
    sudo cp sshtunnel.service /etc/systemd/system/
    sudo systemctl daemon-reload
See also:
- SystemD SSH client unit based on SystemD templates. Configure port forwardings in the SSH config.
- OpenWrt sshtunnel for a router. This project is a port of it.
- NetworkManager SSH plugin