The problem

For accessing my home network, I have got an SSH connection which will open some tunnels. My proxy server is available via SSH and the services I don’t want to be online are accessible from the SSH proxy.

Since my company disallows VPN connections, I have decided to go that way.

The setup until now

I always set up the SSH tunnel manually: every time I booted my computer, I also opened a terminal and typed ssh ssh-proxy. This was already minimal work - I had defined the host in the ~/.ssh/config file so that I did not have to specify the tunnels and the remote IP on the command line.

My config file essentially looked something like this in a slimmed version:

Host ssh-proxy
    HostName ssh-proxy.tech-tales.blog
    User proxy_user

    # Time Tracking
    LocalForward 8001 time-tracking.tech-tales.blog:8001
    # Proxmox Management UI
    LocalForward 8006 proxmox-server.tech-tales.blog:8006

My new setup

Then I read an article explaining that this can be automated with a systemd service - and I find the idea quite nice. So I did that and created the file /etc/systemd/system/proxy-server.service:

[Unit]
Description=SSH Tunnels
After=network.target

[Service]

ExecStart=/usr/bin/ssh ssh-proxy

User=chris
Group=chris

RestartSec=5
Restart=always

[Install]
WantedBy=multi-user.target

So, what happens: when the service starts, it runs ssh ssh-proxy as user (and group) chris, which is my username on the system. That way, my ~/.ssh/config file will be read.

If the ssh process exits for any reason, the service restarts it (Restart=always) after waiting 5 seconds (RestartSec=5).

Further, I updated my config:

Host ssh-proxy
    HostName ssh-proxy.tech-tales.blog
    User proxy_user

    SessionType none

    ServerAliveInterval 30
    ServerAliveCountMax 2

    ExitOnForwardFailure yes

    # Time Tracking
    LocalForward 8001 time-tracking.tech-tales.blog:8001
    # Proxmox Management UI
    LocalForward 8006 proxmox-server.tech-tales.blog:8006
    # ... and some more forwards

So, what changed?

  • I added SessionType none - This means that ssh will neither request a shell nor execute a remote command, which is exactly what I want since I only use the connection for port forwarding.
  • I added ServerAliveInterval 30 - This means that the client sends a heartbeat request to the server whenever it has not received data for 30 seconds. If these requests stay unanswered, the client stops the connection.
  • I added ServerAliveCountMax 2 - This means that if two successive heartbeats fail, the client will stop the connection. The default value here seems to be 3.
    • Summing up the two ServerAlive settings: after $30 \cdot 2 = 60$ seconds without a response, the ssh process exits. Since I have defined the service to
  • I added ExitOnForwardFailure yes - This means that if any of the port forwardings cannot be established, ssh exits instead of staying connected without the tunnels.
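To make the effect of these options concrete, here is an added example (my own code, not from the post above) that parses the Host block from an ssh_config-style text, lists the LocalForward rules, computes how long a dead server goes unnoticed (ServerAliveInterval times ServerAliveCountMax) and flags a tunnel-only block that lacks the options discussed above. The parser deliberately handles only the subset of ssh_config syntax used in the post (one pattern per Host line, "Keyword value" form, comments on their own lines); the two sample configs are constructed here and mirror the old and the new setup.

```python
"""Audit an ssh_config Host block that is used for a tunnel-only service.

Added example, not the blog's own code. The sample configs are constructed
for the example and model the post's old and new ~/.ssh/config.
"""
from dataclasses import dataclass, field

# Constructed sample: the "new setup" config with the keepalive options.
NEW_CONFIG = """\
Host ssh-proxy
    HostName ssh-proxy.tech-tales.blog
    User proxy_user

    SessionType none

    ServerAliveInterval 30
    ServerAliveCountMax 2

    ExitOnForwardFailure yes

    # Time Tracking
    LocalForward 8001 time-tracking.tech-tales.blog:8001
    # Proxmox Management UI
    LocalForward 8006 proxmox-server.tech-tales.blog:8006

Host other
    HostName other.example.invalid
"""

# Constructed sample: the "setup until now", forwards only.
OLD_CONFIG = """\
Host ssh-proxy
    HostName ssh-proxy.tech-tales.blog
    User proxy_user

    # Time Tracking
    LocalForward 8001 time-tracking.tech-tales.blog:8001
    # Proxmox Management UI
    LocalForward 8006 proxmox-server.tech-tales.blog:8006
"""


@dataclass
class HostBlock:
    name: str
    options: dict = field(default_factory=dict)   # keyword (lower-cased) -> value
    forwards: list = field(default_factory=list)  # (local_port, remote_host, remote_port)


def parse_host(config_text: str, host: str) -> HostBlock:
    """Return the options and LocalForward rules of one Host block.

    Keywords are matched case-insensitively, as ssh does; comment and blank
    lines are skipped. Only the first matching Host block is read.
    """
    block = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "host":
            if block is not None:
                break                      # reached the next Host block
            if value == host:
                block = HostBlock(name=host)
            continue
        if block is None:
            continue                       # inside some other Host block
        if key == "localforward":
            local, remote = value.split()
            local_port = int(local.rsplit(":", 1)[-1])      # "port" or "bind:port"
            remote_host, remote_port = remote.rsplit(":", 1)
            block.forwards.append((local_port, remote_host, int(remote_port)))
        else:
            block.options[key] = value
    if block is None:
        raise KeyError(f"no Host block named {host!r}")
    return block


def dead_peer_timeout(block: HostBlock) -> int:
    """Seconds of silence after which the client drops the connection.

    ssh sends a keepalive after ServerAliveInterval seconds without data and
    gives up once ServerAliveCountMax consecutive requests go unanswered.
    OpenSSH defaults: interval 0 (disabled) and count 3.
    """
    interval = int(block.options.get("serveraliveinterval", 0))
    count = int(block.options.get("serveralivecountmax", 3))
    return interval * count


def audit(block: HostBlock) -> list:
    """Findings a Host block used only for tunnels should not have."""
    findings = []
    if block.options.get("sessiontype", "").lower() != "none":
        findings.append("SessionType none missing: ssh requests a shell instead of only forwarding")
    if block.options.get("exitonforwardfailure", "no").lower() != "yes":
        findings.append("ExitOnForwardFailure yes missing: a failed forward leaves ssh running "
                        "without the tunnel, so Restart=always never kicks in")
    if dead_peer_timeout(block) == 0:
        findings.append("ServerAliveInterval unset: a dead server is never detected")
    if not block.forwards:
        findings.append("no LocalForward rules: nothing is tunnelled")
    return findings


if __name__ == "__main__":
    for label, text in (("old", OLD_CONFIG), ("new", NEW_CONFIG)):
        blk = parse_host(text, "ssh-proxy")
        print(f"[{label}] forwards: {blk.forwards}")
        print(f"[{label}] dead server noticed after {dead_peer_timeout(blk)} s")
        for finding in audit(blk) or ["no findings"]:
            print(f"[{label}] - {finding}")
```

Running it prints no findings for the new config and three for the old one, which is the practical reason the post's changes matter: without keepalives and ExitOnForwardFailure the ssh process can sit in a broken state that looks healthy to systemd, so Restart=always alone does not give you a self-healing tunnel.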

Finally, I only have to run sudo systemctl enable --now proxy-server.service and I am happy!