goals:

  • connect with autossh
  • start on boot with crontab or a systemd timer

client side - install software & create keypair

## create a 4096-bit RSA SSH keypair
> ssh-keygen -b 4096

## install autossh
> pkg_add autossh

server side - edit /etc/ssh/sshd_config

# with forced-commands-only, root may log in by key only, and only with a key whose command= option is set in /root/.ssh/authorized_keys
PermitRootLogin forced-commands-only
# let remote-forwarded ports bind on all interfaces instead of loopback only, so hosts other than the server can reach them
GatewayPorts yes
# seconds of inactivity before sshd sends a keepalive request to the client
ClientAliveInterval 600

edit /root/.ssh/authorized_keys so this key can be used for the tunnel only

## one key per line. command= replaces whatever command the client requests, but by itself it does not limit port forwarding; add no-pty and, where the server's OpenSSH supports it, permitlisten to narrow the key further
command="echo 'Tunnel only!'" ssh-rsa AAAA...

client side - test by forwarding ports 22, 80 & 443

## autossh (the server's sshd listens on 222 via -p222, so port 22 on the server is free for the remote forward)
> autossh -M 30060 -N \
    -R 22:localhost:22 \
    -R 80:localhost:80 \
    -R 443:localhost:443 \
    -o "ServerAliveInterval 30" \
    -o "ServerAliveCountMax 3" \
    -p222 \
    root@example.com

client side - autostart on boot with crontab
edit /etc/cron.d/autossh (on crons whose /etc/cron.d format takes a user field, it goes between @reboot and the command)

@reboot autossh -M 30060 -N -R 22:localhost:22 -R 80:localhost:80 -R 443:localhost:443 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -p222 root@example.com 

done

use the following section instead if you only need to forward ports above 1023 — unprivileged ports, so the tunnel can log in as a dedicated user instead of root

server side - add a dedicated user with useradd, without setting a password (key-based login only)

> useradd -m tunnel

server side - edit /home/tunnel/.ssh/authorized_keys so this key can be used for the tunnel only

## one key per line. command= replaces whatever command the client requests, but by itself it does not limit port forwarding; add no-pty and, where the server's OpenSSH supports it, permitlisten to narrow the key further
command="echo 'Tunnel only!'" ssh-rsa AAAA...