{{tag>remotessh ssh autossh tunnel}}
====== Remote SSH Tunnel with autossh ======

If you need to access a remote system behind a firewall and an unknown dynamic IP address, this might be useful. This configuration enables **host-b.site-b.net** to connect to **host-a.site-a.net** via //jump host// **example.com**. //autossh// is used to establish a //remote ssh tunnel// from **host-a.site-a.net** to **example.com**. Through this //remote ssh tunnel// **host-b.site-b.net** will be able to connect to **host-a.site-a.net**.

{{drawio>pages:howtos:remote-ssh-tunnel-with-autossh}}

\\ 
\\ 
\\ 

<WRAP center round info 60%>
In this example I am using:
  * ''example.com'' as the //hostname// of the //jump host//.
  * ''host-a.site-a.net'' as the //hostname// of the system from which the remote ssh tunnel will be originating
  * ''remotesitea'' as the //username// on **example.com**.

<wrap hi>Please replace all used hostnames and usernames according to your environment.</wrap>
</WRAP>
\\ 
\\ 
\\ 
===== on example.com =====

Create a user for the //remote tunnel// at the //jump host//:
<sxh bash; gutter: false>
useradd -m -s /bin/bash remotesitea
passwd remotesitea
</sxh>

===== host-a.site-a.net =====
Install //autossh// and generate a //SSH key// <wrap hi>without a pass phrase</wrap>.
<sxh bash; gutter: false>
apt update && apt -y upgrade && apt -y full-upgrade && apt -y autoremove
apt -y install autossh
ssh-keygen -o -a 100 -t ed25519 -f ~/.ssh/autossh-key -C "autossh@host-a.site-a.net"
</sxh>

Copy the //autossh// pub key to the jump host.
<sxh bash; gutter: false>
ssh-copy-id -i /root/.ssh/autossh-key remotesitea@example.com
</sxh>

Create a unit file.
<sxh bash; gutter: false>
vim /etc/systemd/system/sshtunnel.service
</sxh>

<sxh bash; title: /etc/systemd/system/sshtunnel.service>
[Unit]
Description=Remote SSH tunnel to 'example.com'
After=network-online.target ssh.service

[Service]
User=root
Environment="AUTOSSH_PORT=0"
Environment="AUTOSSH_GATETIME=0"
RestartSec=30
Restart=always

ExecStart=/usr/bin/autossh -NT -o "ExitOnForwardFailure=yes" -R 16000:127.0.0.1:22 -p 22 -l remotesitea example.com -i /root/.ssh/autossh-key
ExecStop=/usr/bin/killall -s KILL autossh
TimeoutStopSec=10

[Install]
WantedBy=multi-user.target
</sxh>

Enable and start the autossh remote tunnel as a service
<sxh bash; gutter: false>
systemctl enable sshtunnel.service
systemctl start sshtunnel.service
</sxh>


===== host-b.site-b.net =====
Now you can connect from **host-b.site-b.net** to **host-a.site-a.net** via the jump host:
<sxh bash; gutter: false>
# ssh to example.com and log in
ssh <youruser>@example.com
# when you are logged in on example.com, ssh through the remote tunnel to host-a.site-a.net
ssh -p 16000 <A-User-Account-On-host-a.site-a.net>@localhost
</sxh>

----
~~DISCUSSION~~