• autossh - friend of reverse SSH

    From warmfuzzy@700:100/37 to All on Sat Apr 25 03:04:46 2026
    Autossh is essentially a wrapper around the standard SSH client. Its primary job is to monitor the SSH connection and automatically restart it if it drops. This is crucial for reverse SSH tunnels because a standard SSH session can die silently due to network hiccups, router reboots, or ISP interruptions, leaving your tunnel dead without you knowing until you try to connect.

    Here is how to use autossh effectively for maintaining a persistent reverse tunnel:

    Installation

    First, you need to install autossh on your home machine. It is usually available in standard package repositories. On Debian or Ubuntu systems, run sudo apt install autossh. For Arch Linux, use sudo pacman -S autossh. If you are on macOS via Homebrew, run brew install autossh. On CentOS or RHEL, execute sudo yum install autossh.

    Basic Usage

    The syntax for autossh is very similar to standard SSH, but you replace ssh with autossh. To create a reverse tunnel that forwards port 8080 on your remote server to port 22 on your local machine, run the following command:

        autossh -M 0 -N -R 8080:localhost:22 user@public-server.com

    Let's break down those flags. The -M 0 flag disables the monitoring port that autossh normally uses to check connection health. Instead, it relies on SSH's built-in keepalive mechanisms. This is generally preferred for simplicity and to avoid firewall issues with extra ports. The -N flag tells SSH not to execute a remote command, meaning we only want the tunnel and not a shell session. The -R 8080:localhost:22 part defines the reverse port forwarding rule, mapping the remote port to the local host and port. Finally, user@public-server.com represents your destination server.

    Tuning for Stability

    While -M 0 is convenient, for maximum reliability in unstable networks, you might want to explicitly configure SSH keepalives to ensure the connection is detected as dead quickly so autossh can restart it. You can add these flags to your command:

        autossh -M 0 -N -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -R 8080:localhost:22 user@public-server.com

    The ServerAliveInterval 30 option sends a keepalive message every 30 seconds. The ServerAliveCountMax 3 option specifies that if 3 consecutive keepalives go unanswered, resulting in a total time of roughly 90 seconds, the connection is considered dead and autossh will restart it.

    Running as a Background Service (Systemd)

    Running autossh manually in a terminal is fine for testing, but for a production setup, you should run it as a system service so it starts on boot and restarts if it crashes. Create a systemd service file, such as /etc/systemd/system/autossh-tunnel.service, with the following content:

    [Unit]
    Description=AutoSSH Tunnel for Remote Access
    After=network-online.target
    Wants=network-online.target

    [Service]
    User=your_username
    ExecStart=/usr/bin/autossh -M 0 -N -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -R 8080:localhost:22 user@public-server.com
    Restart=always
    RestartSec=10
    StandardOutput=journal
    StandardError=journal

    [Install]
    WantedBy=multi-user.target

    Replace your_username and user@public-server.com with your actual values. Then enable and start the service by running sudo systemctl daemon-reload, followed by sudo systemctl enable autossh-tunnel.service and sudo systemctl start autossh-tunnel.service. You can check the status with sudo systemctl status autossh-tunnel.service and view logs with journalctl -u autossh-tunnel.service.

    Important Configuration Note: GatewayPorts

    By default, SSH binds the remote forwarded port to localhost on the server. This means you can only access the tunnel from the server itself. To access it from anywhere on the internet via the server's public IP, you need to enable GatewayPorts on the remote server, which is the VPS, not your home machine. On your remote server, edit the /etc/ssh/sshd_config file. Find or add the line GatewayPorts yes. Then restart the SSH service by running sudo systemctl restart sshd. Alternatively, you can force this per-session by adding the -g flag to your autossh command on the home machine, like this: autossh -M 0 -N -g -R 8080:localhost:22 ...

    Summary of Workflow

    First, install autossh on your home machine. Second, configure SSH keys for passwordless login to your VPS, which is highly recommended for automation. Third, set up the systemd service to handle boot and crash recovery. Fourth, enable GatewayPorts on your VPS if you need external access. Fifth, verify the tunnel is active by checking the process list or trying to connect from an external network.

    This setup ensures that even if your home internet blips or your router reboots, autossh will detect the drop and re-establish the tunnel automatically, keeping your remote access alive without manual intervention.

    Cool 'Eh? :)
    -warmfuzzy

    --- Mystic BBS v1.12 A49 2023/04/30 (Linux/64)
    * Origin: thE qUAntUm wOrmhOlE, rAmsgAtE, uK. bbs.erb.pw (700:100/37)
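
Added example, not part of warmfuzzy's post: step five of the workflow (verify the tunnel) and the GatewayPorts note both come down to which address sshd on the VPS bound the forwarded port to. This shell function classifies a port from `ss -Htln` output taken on the VPS; the function name is made up here and the sample listings are constructed.

```shell
#!/bin/sh
# Added example: classify where sshd bound a reverse-forwarded port.
# Feed it `ss -Htln` output from the VPS, e.g.:
#   ssh user@public-server.com ss -Htln | classify_listener 8080

# Constructed sample: default sshd behaviour, forward bound to loopback only.
SAMPLE_DEFAULT='LISTEN 0 128   0.0.0.0:22   0.0.0.0:*
LISTEN 0 128 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 128     [::1]:8080    [::]:*'

# Constructed sample: GatewayPorts yes, forward bound to every interface.
SAMPLE_GATEWAY='LISTEN 0 128 0.0.0.0:22   0.0.0.0:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128    [::]:8080    [::]:*'

# classify_listener PORT  (hypothetical helper; reads `ss -Htln` on stdin)
# Prints: loopback | exposed | absent
classify_listener() {
    awk -v port="$1" '
        {
            la = $4                          # local address:port column
            n = split(la, parts, ":")        # port is the last ":" field
            if (parts[n] != port) next
            addr = substr(la, 1, length(la) - length(parts[n]) - 1)
            if (addr ~ /^127\./ || addr == "[::1]") loopback = 1
            else exposed = 1                 # 0.0.0.0, [::], * or a public IP
        }
        END {
            if (exposed)       print "exposed"
            else if (loopback) print "loopback"
            else               print "absent"
        }'
}

echo "default sshd:     $(printf '%s\n' "$SAMPLE_DEFAULT" | classify_listener 8080)"
echo "GatewayPorts yes: $(printf '%s\n' "$SAMPLE_GATEWAY" | classify_listener 8080)"
```

A result of "exposed" means the home machine's SSH port is reachable through the VPS's public address; "absent" while the autossh service is running means the forward was never bound on the server.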