The problem
For accessing my home network, I have got an SSH connection which will open some tunnels. My proxy server is available via SSH and the services I don’t want to be online are accessible from the SSH proxy.
Since my company disallows VPN connections, I have decided to go that way.
The setup until now
I always set up the SSH tunnel manually. So every time I booted up my computer, I also started a terminal and typed ssh ssh-proxy. This was already minimal work - I defined the host in the ~/.ssh/config file so that I did not have to specify the tunnels and the remote IP on the command line.
My config file essentially looked something like this in a slimmed version:
Host ssh-proxy
HostName ssh-proxy.tech-tales.blog
User proxy_user
# Time Tracking
LocalForward 8001 time-tracking.tech-tales.blog:8001
# Proxmox Management UI
LocalForward 8006 proxmox-server.tech-tales.blog:8006
My new setup
Then I read an article showing that this could be automated, and I liked the idea. So I did that and created the file /etc/systemd/system/proxy-server.service:
So, what happens: the service runs ssh ssh-proxy when it starts. It does that as user (and group) chris, which is my username on the system, so the ~/.ssh/config of that user is read.
In case the service fails, it should restart (Restart=always), and it should wait $5$ seconds before restarting.
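The unit file itself did not survive on this page, so here is a unit written to match the description above. This is an added example and not the author's actual file; everything beyond the three described settings (ExecStart running ssh ssh-proxy as chris, Restart=always, a five-second delay) is an assumption: the network-online ordering, the absolute /usr/bin/ssh path, and the multi-user.target install target.

```ini
# /etc/systemd/system/proxy-server.service (reconstructed example, not the original file)
[Unit]
Description=SSH tunnels to the home network via the ssh-proxy host
# Assumption: wait for the network before dialing out, otherwise the first attempt just fails.
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
# Run as the user whose ~/.ssh/config defines "ssh-proxy" (and whose key and known_hosts are used).
User=chris
Group=chris
# Absolute path assumed; "ssh ssh-proxy" is what the post describes.
ExecStart=/usr/bin/ssh ssh-proxy
# Restart after any exit, including the 60 s keepalive timeout or ExitOnForwardFailure.
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target
```

Two things to check before enabling it: the service has no terminal and no SSH agent, so the key for proxy_user must be usable without an interactive passphrase prompt, and the host key of ssh-proxy.tech-tales.blog must already be in chris's known_hosts (connect once interactively as chris first), otherwise ssh cannot ask for confirmation and exits with "Host key verification failed", which Restart=always would then retry every five seconds.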
Further, I updated my config:
Host ssh-proxy
HostName ssh-proxy.tech-tales.blog
User proxy_user
SessionType none
ServerAliveInterval 30
ServerAliveCountMax 2
ExitOnForwardFailure yes
# Time Tracking
LocalForward 8001 time-tracking.tech-tales.blog:8001
# Proxmox Management UI
LocalForward 8006 proxmox-server.tech-tales.blog:8006
# ... and some more forwards
So, what changed?
- I added SessionType none. This means that no remote command is executed. This is exactly what I want, since the connection is only there for port forwarding.
- I added ServerAliveInterval 30. This means that after 30 seconds without data from the server, the client sends a heartbeat request through the encrypted channel. If this request does not receive a response, the connection is counted as failing.
- I added ServerAliveCountMax 2. This means that if two successive heartbeats fail, the client stops the connection. The default value here seems to be 3.
- Summing up the two ServerAlive configurations: after $30 \cdot 2 = 60$ seconds without a response, the process will fail. Since I have defined the service to restart, it will hence reconnect after about a minute (plus the five-second restart delay).
- I added ExitOnForwardFailure yes. This means that if one of the port forwards cannot be set up, the connection fails instead of silently running without that forward.
Finally, I only have to run sudo systemctl enable --now proxy-server.service and I am happy!