How to create persistent SSH tunnels with autossh
SSH Tunnelling

How to create persistent SSH tunnels with autossh

By Bartłomiej Szabłowski
Table of contents

Autossh is a utility that allows you to automatically reconnect and reestablish SSH sessions. It is particularly useful for maintaining an SSH connection over a potentially unstable or unreliable network connection, such as a VPN or a mobile network. Autossh can be used to keep a remote connection alive, allowing you to run long-running commands or keep a remote terminal open for an extended period of time. It can also be used to set up a reverse SSH tunnel, allowing you to securely access a network or device behind a firewall.

Prerequisites

  • Client needs to have autossh and ssh installed.
  • Server needs to accept ssh connections.

How to install autossh

On a Debian-based system, such as Ubuntu, you can install autossh using the apt package manager:

sudo apt update
sudo apt install autossh

On a Red Hat-based system, such as CentOS, you can install autossh using the yum package manager:

sudo yum update
sudo yum install autossh

On macOS, you can install autossh using Homebrew:

brew update
brew install autossh

On Windows, you can install autossh using the Chocolatey package manager:

choco install autossh

Alternatively, you can also install autossh from source by downloading the latest release from the project's GitHub page (https://github.com/invisible-island/autossh) and compiling it yourself. This may be necessary if you are using an older version of a operating system that is not supported by the package managers above.

Remote port forwarding with autossh

To establish a tunnel with autossh, you can use the following syntax. This will expose local port 8080 as port 9000 on the server, also, two monitoring ports will be used: 2000 and 2001.

autossh -M 2000 -R 9000:localhost:8080 -o ServerAliveInterval=30 user@example.com
Expose local port 8080 as port 9000 on the remote server

Once your SSH connection is open, you can confirm it's working by running the command below:

sudo lsof -i :9000
Check if any process is listening on port 9000
COMMAND   PID  USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
sshd    1337 ubnt   11u  IPv6 13486175      0t0  TCP ip6-localhost:9000 (LISTEN)
sshd    2137 ubnt   12u  IPv4 13486176      0t0  TCP localhost.localdomain:9000 (LISTEN)
Output of the lsof command
By default SSH will listen on localhost (loopback) only and you won't be able to access the exposed port outside of the machine's network. Click here to find out how to expose the port to the public.

Local port forwarding with autossh

To create a tunnel for forwarding a specific port on the remote server to your local machine:

autossh -M 2000 -N -L 3000:localhost:80 user@remote_server

This command creates a tunnel that forwards port 80 on the remote server to port 3000 on your local machine. You can then access the remote server's port 80 by connecting to localhost:3000 on your local machine.

How to make the autossh tunnel start automatically and survive system reboots

touch autossh-myapp.service
Create the service file, you can change its name to your needs
[Unit]
Description=AutoSSH - Expose local port 8080 as port 9000 on example.com
After=network.target

[Service]
Environment="AUTOSSH_GATETIME=0"
ExecStart=/usr/bin/autossh -M 2000 -R 9000:localhost:8080 -o ServerAliveInterval=30 user@example.com
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target
Copy and paste this into your .service file
sudo mv autossh-myapp.service /etc/systemd/system/
sudo systemctl enable autossh-myapp.service
Move the service file and enable system service
sudo systemctl status autossh-myapp.service
Confirm that the service is working
autossh-myapp.service - AutoSSH - Expose local port 8080 as port 9000 on example.com
     Loaded: loaded (/etc/systemd/system/autossh-myapp.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2022-12-13 13:04:52 CET; 2 weeks 5 days ago
   Main PID: 2198814 (autossh)
      Tasks: 2 (limit: 154312)
     Memory: 1.2M
     CGroup: /system.slice/autossh-myapp.service
             ├─ 868071 /usr/bin/ssh -L 2000:127.0.0.1:2000 -R 2000:127.0.0.1:2001 -R 9000:localhost:8080 -o ServerAliveInterval=30 user@example.com
             └─2198814 /usr/bin/autossh -M 2000 -R 9000:localhost:8080 -o ServerAliveInterval=30 user@example.com
Console output, as we can see the service is active (running)

Troubleshooting autossh issues

  1. Connection timeouts: If autossh is unable to establish a connection or the connection drops, you can also try adding the -vvv option to increase the verbosity of ssh's output, which may help you identify the cause of the connection issue.
  2. Authentication issues: If autossh is unable to authenticate to the remote server, make sure you are using the correct username and password, or that your SSH key is properly configured.
  3. Port forwarding issues: If you are using autossh to set up a tunnel or forward ports, make sure the remote server is properly configured to accept the connection and that there are no firewalls or other security measures blocking the connection, and that the port you're trying to expose is not used by another application. You can use lsof -i :port command.

Helpful resources

  1. The official documentation for autossh is a good starting point for learning about the tool and its options. You can find it here: https://www.harding.motd.ca/autossh/
  2. The autossh man page is also a useful resource for learning about the various options and commands available with autossh. You can access it by running the man autossh command on your terminal.
  3. The OpenSSH documentation includes information about SSH tunnels and port forwarding, which can be useful when working with autossh. You can find it here: https://www.ssh.com/academy/ssh/tunneling-example

Bartłomiej Szabłowski • 34 Articles

View Articles