Linux: How to create an SSH tunnel as a systemd service
Quite often you will need a persistent SSH tunnel. To avoid the administrative load of re-creating those tunnels after every reboot, configure them as systemd services and use SSH keys instead of passwords.
It is also nice and very helpful to create the systemd service as a template that accepts the tunnel parameters from a file; this makes it very easy to manage your tunnels (add, delete, modify, start, stop).
This configuration requires SSH keys in order to communicate with the SSH gateway. Note that the template below sets no User=, so the service runs as root: the private key and the gateway's entry in known_hosts must therefore live in root's ~/.ssh, not in your own user's.
Create the following template file
/etc/systemd/system/secure-tunnel@.service
Content:

[Unit]
Description=Setup a secure tunnel to %I
After=network.target

[Service]
Environment="LOCAL_ADDR=localhost"
EnvironmentFile=/etc/default/secure-tunnel@%i
ExecStart=/usr/bin/ssh -NT -o ServerAliveInterval=60 -o ExitOnForwardFailure=yes -L ${LOCAL_ADDR}:${LOCAL_PORT}:${REMOTE_HOST}:${REMOTE_PORT} ${TUSER}@${TARGET}
# Restart every >2 seconds to avoid StartLimitInterval failure
RestartSec=5
Restart=always

[Install]
WantedBy=multi-user.target
Explanation of the file variables
- ${LOCAL_ADDR} ← The local IP address to bind the tunnel to
- ${LOCAL_PORT} ← The local port on that local IP
- ${REMOTE_HOST} ← The remote host at the far end of the tunnel
- ${REMOTE_PORT} ← The port on the remote host at the far end of the tunnel
- ${TARGET} ← The SSH gateway between the local machine and the remote server
- ${TUSER} ← The SSH username on the gateway
Creating the tunnel configuration file
Create the following file
/etc/default/secure-tunnel@example_tunnel1
This file holds the actual tunnel configuration options; here is an example file
Content:

TARGET=gateway1
TUSER=root
LOCAL_ADDR=127.0.0.1
LOCAL_PORT=49998
REMOTE_PORT=443
REMOTE_HOST=10.1.1.1
- LOCAL_ADDR ← The local IP address to bind the tunnel to
- LOCAL_PORT ← The local port on that local IP
- REMOTE_HOST ← The remote host at the far end of the tunnel
- REMOTE_PORT ← The port on the remote host at the far end of the tunnel
- TARGET ← The SSH gateway between the local machine and the remote server
- TUSER ← The SSH username on the gateway
As you can see, there is a one-to-one match between the template variables and the configuration file options.
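Because the unit expands every one of these variables on its command line, a missing or mistyped value only shows up as a restart loop after the service is started. The following script is an added example (not from the original article) that writes a configuration file in exactly the format shown above and checks it before systemd ever sees it: all six keys present, both ports numeric, and LOCAL_ADDR restricted to a loopback address so the forwarded port is not exposed to the LAN. TUNNEL_CONF_DIR is an assumed override so it can be tried in a scratch directory; the real location is /etc/default. The file is read as plain KEY=VALUE data rather than sourced, which matches how systemd treats EnvironmentFile.

```shell
#!/bin/sh
# Added example, not part of the original article: create and check a
# /etc/default/secure-tunnel@<name> file for the template unit above.
# TUNNEL_CONF_DIR is an assumed override so the functions can be tried in a
# scratch directory; the article's real location is /etc/default.
TUNNEL_CONF_DIR="${TUNNEL_CONF_DIR:-/etc/default}"

# Fetch KEY ($2) from the KEY=VALUE file $1 without sourcing it. systemd does
# not run EnvironmentFile through a shell either, so treating it as data keeps
# the two readers in agreement. Surrounding double quotes are stripped.
config_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# True when $1 is an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Validate one tunnel file: every variable the unit's ExecStart expands must
# be set, both ports must be real port numbers, and LOCAL_ADDR must be a
# loopback address, otherwise the forwarded port is reachable from the LAN.
validate_tunnel_config() {
    cfg="$1"
    if [ ! -r "$cfg" ]; then
        echo "cannot read $cfg" >&2; return 1
    fi
    for key in TARGET TUSER LOCAL_ADDR LOCAL_PORT REMOTE_HOST REMOTE_PORT; do
        if [ -z "$(config_get "$cfg" "$key")" ]; then
            echo "$cfg: $key is not set" >&2; return 1
        fi
    done
    for key in LOCAL_PORT REMOTE_PORT; do
        if ! valid_port "$(config_get "$cfg" "$key")"; then
            echo "$cfg: $key is not a valid port" >&2; return 1
        fi
    done
    case "$(config_get "$cfg" LOCAL_ADDR)" in
        127.*|localhost|::1) ;;
        *) echo "$cfg: LOCAL_ADDR must be a loopback address" >&2; return 1 ;;
    esac
    return 0
}

# Write a new tunnel file from positional parameters
# (name target tuser local_addr local_port remote_host remote_port),
# refusing to clobber an existing one, then validate it.
# Prints the file path on success.
write_tunnel_config() {
    name="$1"
    case "$name" in
        ''|*[!A-Za-z0-9_.-]*) echo "invalid tunnel name: '$name'" >&2; return 1 ;;
    esac
    file="$TUNNEL_CONF_DIR/secure-tunnel@$name"
    if [ -e "$file" ]; then
        echo "$file already exists" >&2; return 1
    fi
    # umask in a subshell so only this file is created mode 0600; the
    # service runs as root and nobody else needs to read the gateway details.
    ( umask 077
      printf 'TARGET=%s\nTUSER=%s\nLOCAL_ADDR=%s\nLOCAL_PORT=%s\nREMOTE_HOST=%s\nREMOTE_PORT=%s\n' \
          "$2" "$3" "$4" "$5" "$6" "$7" > "$file" )
    if ! validate_tunnel_config "$file"; then
        rm -f "$file"; return 1
    fi
    printf '%s\n' "$file"
}
```

Typical use as root: `write_tunnel_config example_tunnel2 gateway1 root 127.0.0.1 49999 10.1.1.2 443` followed by `systemctl daemon-reload` and `systemctl start secure-tunnel@example_tunnel2`; a file that fails validation is removed again so the unit never starts with a half-filled command line.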
How to manage the systemd tunnel services — common operations
- What to do after creating a new tunnel configuration file

  # systemctl daemon-reload

  This forces systemctl to reload the systemd manager configuration.
- How to start a tunnel

  Provide the tunnel configuration file name as the instance parameter after the systemctl start command:

  # systemctl start secure-tunnel@example_tunnel1
- How to check if a tunnel runs

  # systemctl status secure-tunnel@example_tunnel1

  You should see output indicating that the tunnel service is running and for how long.
  Note: if the tunnel's uptime is only a few seconds whenever you check its status, that is an indication of a connectivity or configuration problem for this tunnel.
- How to stop a tunnel

  # systemctl stop secure-tunnel@example_tunnel1

  Then re-running systemctl status secure-tunnel@example_tunnel1 should indicate that the tunnel is not up.
- How to configure a tunnel to start after a reboot

  # systemctl enable secure-tunnel@example_tunnel1
- How to create a new tunnel

  If your original template matches your tunnelling purpose, you can just copy the tunnel configuration file, make the changes you want for the new tunnel, and then start and enable it with systemctl.
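The "uptime of only a few seconds" symptom above is worth checking automatically, because Restart=always hides a broken tunnel behind a service that always reports as active. The following script is an added example, not part of the original article, that turns the properties systemctl show prints into a three-way verdict: healthy, flapping (repeatedly restarted) or down. It relies on the NRestarts property, which systemd exposes from version 235 on; MAX_RESTARTS is an assumed threshold of my own, not a systemd setting. check_tunnel needs a live systemd, while classify_tunnel_state can be fed captured output, which is how it is exercised offline.

```shell
#!/bin/sh
# Added example, not from the original article: classify a tunnel service
# from the Key=Value lines that 'systemctl show' prints.
# NRestarts exists in systemd 235 and later. MAX_RESTARTS is an assumed
# threshold chosen for this example, not a systemd setting.
MAX_RESTARTS="${MAX_RESTARTS:-3}"

# Read Key=Value lines on stdin and print one word: healthy, flapping or
# down. Return code is 0, 1 or 2 respectively so the function can drive
# a cron job or a monitoring check directly.
classify_tunnel_state() {
    state=""; restarts=0
    while IFS='=' read -r key value; do
        case "$key" in
            ActiveState) state="$value" ;;
            NRestarts)   restarts="$value" ;;
        esac
    done
    # Guard against an absent or non-numeric NRestarts (older systemd).
    case "$restarts" in
        ''|*[!0-9]*) restarts=0 ;;
    esac
    if [ "$state" != "active" ]; then
        echo down; return 2
    fi
    if [ "$restarts" -gt "$MAX_RESTARTS" ]; then
        # Active right now, but ssh keeps dying and being restarted: the
        # connectivity or configuration problem the article warns about.
        echo flapping; return 1
    fi
    echo healthy; return 0
}

# Query a live service by tunnel name, e.g. check_tunnel example_tunnel1.
# Not exercised offline because it needs systemd.
check_tunnel() {
    systemctl show -p ActiveState -p NRestarts "secure-tunnel@$1" | classify_tunnel_state
}
```

A flapping verdict is the moment to run `journalctl -u secure-tunnel@example_tunnel1` and look at what ssh printed before it exited: a wrong TARGET, a key root cannot read, or a remote port that refuses the forward (ExitOnForwardFailure=yes makes that last case exit immediately).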
I hope you found this article useful.