Setting up a self-healing SSH tunnel for Raspberry Pi using Debian.
Posted on 2015-04-30 in sysadmin
I use quite a few raspberry pi's in locations that dont have the ability for me do incoming SSH to update / reboot / maintain them. This is how i set up a reverse SSH tunnel to them, allowing me to access them from anywhere with internet access!
If the site has a proxy, first you'll need to install a proxy puncher to allow you to bypass it.
1 |
|
Then install screen. Screen allows you to start a process running 'detached' from your current shell, so you dont have to be logged in to keep the tunnel up.
1 |
|
Create a user for your ssh tunnel. You could just use the default pi user, but i prefer to use a dedicated tunnel user.
1 |
|
Create tunnel config
1 2 |
|
Paste the following into the file. This forwards port 22 (ssh) and 80 (http) on the raspberry pi to ports 8022 and 8080 on your VPS.
1 2 3 4 5 6 7 8 9 |
|
NOTE: If you are not using a proxy, remove the corkscrew line and the port 443 line. The port 443 line above is only needed if you are behind a proxy and firewall that disallows port 22 outgoing. I have set up my SSH daemon on the VPS to listen to port 443 (the https port) as well as the normal 22 as this will manage to punch its way through most proxies.
The ServerAliveInterval
and ServerAliveMax
variables above basically say
"send a packet across the tunnel every 10 seconds. If you don't get
anything back after 3 tries, close the tunnel"
The above config also assumes you have set up a tunnel user on the machine you are SSHing to. If not, either create a tunnel user the same way we did above, or change the user line in the config to the username you will be using on the VPS side.
Generate your RSA key and upload to the VPS
1 2 3 4 |
|
At this point, you should be able to SSH to tunnel without typing in any passwords etc.
1 2 |
|
Set up our shell scripts to automatically start the tunnel.
1 2 3 4 5 6 7 8 9 10 11 |
|
The above script checks for an already open screen session with the name 'tunnel'. If it doesn't exist, it creates it. If it does exist it just ends. The screen session is launched in a detached state (in the background), and will automatically end when the SSH tunnel falls over.
Set up the crontab to automatically run our monitoring script once a minute
1 |
|
Your tunnel should come up shortly, woo!
To test it out, from your VPS, type
1 2 3 |
|
Brill, you can now SSH in from your VPS... But by default SSH tunnel ports are only available from localhost, so you'd have to log into your VPS every time you wanted to get into the pi. So, lets edit the SSH config file on your local machine!
1 2 3 4 |
|
This will allow you to type in ssh pi
on your local
machine, and will automatically ssh into your VPS, then SSH into
localhost. Sorted.