I came across this today and it’s an interesting idea! While I’m not sure I endorse creating and maintaining a tunnel, especially as root, I’m sure there are use cases where it makes sense. If nothing else, defining the config files and their contents to create a service is worth seeing. All the details, including how to make it run after reboot are at https://medium.com/linuxstories/linux-how-to-create-an-ssh-tunnel-as-a-systemd-service-73e6e0fff19b
My local server died a little over a week ago (more about that in a future post) so I bought a new mini PC (love those little things – got one with an 11th gen Intel Celeron, 16GB RAM and 512GB SSD for $280). In setting it up I opted to keep my VNC sessions local to the new machine accessing them via SSH tunnels. In researching various ways to establish and maintain the tunnel I came across https://gist.github.com/scy/6781836 and (re)learned quite a few things but the really interesting bits are in the comments! From the use of -M to establish a “master” mode for connection sharing and how to use it, to some basic scripts to make it easier to use, to autossh (https://www.harding.motd.ca/autossh/), to a nice little script called (in the comments) ssh-fp.sh. I’ve adapted and adopted several for my own use and I recommend the article!
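As an added example covering both the systemd-service idea above and the VNC-over-SSH setup (this is my own sketch, not code from the Medium article or the gist), here is a small POSIX shell script that generates a hardened unit file for a persistent local port forward. The user name `tunnel`, the key path `/home/tunnel/.ssh/tunnel_key`, and the host `server.example` are assumptions you would replace; the point is that the tunnel runs as an unprivileged user, dies and restarts if the forward cannot be bound, and is paired with an `authorized_keys` line on the server that allows nothing but that one forward.

```shell
#!/bin/sh
# Generate a systemd unit that keeps a local SSH port forward alive.
# Assumed (not from the post): a dedicated unprivileged user "tunnel" owns
# the key /home/tunnel/.ssh/tunnel_key and the server is "server.example".

# Build the ssh command line for a local forward.
# $1 = local port, $2 = remote host:port to reach, $3 = ssh target (user@host)
tunnel_ssh_cmd() {
  case "$1" in
    ''|*[!0-9]*) echo "invalid local port: $1" >&2; return 1 ;;
  esac
  # -N: no shell; ExitOnForwardFailure makes ssh exit (and systemd restart it)
  # instead of sitting there with a dead forward; BatchMode refuses any prompt.
  printf '/usr/bin/ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o BatchMode=yes -o StrictHostKeyChecking=yes -i /home/tunnel/.ssh/tunnel_key -L 127.0.0.1:%s:%s %s\n' "$1" "$2" "$3"
}

# Emit the unit file text. Same arguments as tunnel_ssh_cmd.
tunnel_unit() {
  cmd=$(tunnel_ssh_cmd "$1" "$2" "$3") || return 1
  cat <<EOF
[Unit]
Description=SSH tunnel to $3 (local port $1)
After=network-online.target
Wants=network-online.target

[Service]
User=tunnel
ExecStart=$cmd
Restart=always
RestartSec=10
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=strict
ProtectHome=read-only

[Install]
WantedBy=multi-user.target
EOF
}

# Matching server-side authorized_keys entry: "restrict" turns everything off,
# then only port forwarding to the one VNC socket is turned back on.
# $1 = host:port the key may forward to, $2 = the public key text
authorized_keys_line() {
  printf 'restrict,port-forwarding,permitopen="%s" %s\n' "$1" "$2"
}

# Example usage (constructed values): VNC display :1 on the server, reached
# through localhost:5901 on this machine.
# tunnel_unit 5901 localhost:5901 tunnel@server.example \
#   > /etc/systemd/system/ssh-tunnel-vnc.service
# systemctl daemon-reload && systemctl enable --now ssh-tunnel-vnc.service
```

The `permitopen` restriction matters as much as the `User=` line: if the key ever leaks, it can open exactly one forward to one socket and nothing else, and `ExitOnForwardFailure` plus `Restart=always` is what makes the service actually recover after the server reboots rather than silently holding a connection with no forward.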
I’ve set up a VPN at home and, honestly, in my config, it’s a PAIN! I have 3 routers that need to have ports opened and then I need to make sure that certificates and passwords are all secure.
Then I found Tailscale.com! What a breath of fresh air. Why didn’t anyone think of this before? Create an account on tailscale.com then install the tailscale service on the machine you want to be a part of the VPN and run it. The service connects to the tailscale server and it becomes an immediately available VPN target, complete with its own hostname (which you can change) and its VPN IP address. If you enable their “MagicDNS” in your settings then the hostnames all resolve to their VPN IP addresses (i.e. the hostname is first checked against the hostnames on the VPN before being checked against other DNS resolvers). Voila! No config, no ports to open, no firewall rules to manage! Now, when you’re away from home, you can get to your home server with confidence.
It’s free for a single hobby/personal user. There are a few restrictions as to how many subnets you have available but, honestly, if you’re a home user, the restrictions probably won’t bother you. It’s multi-platform with binaries for Android, macOS, iOS, Windows, and Linux so you can connect just about anything you want. They’re on GitHub at https://github.com/tailscale and there’s a place to discuss it at https://forum.tailscale.com/. And, yes, you can use tailscale to act as a subnet router – https://tailscale.com/kb/1019/subnets/ – to get to those devices (e.g. printers) on which you can’t install tailscale.
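Since the subnet-router page is the one piece of actual configuration in all this, here is an added example of what it amounts to on a Linux box (my own script, not from Tailscale’s docs; it assumes tailscale is already installed and logged in, and the LAN prefix `192.168.1.0/24` is a made-up value). The kernel has to forward packets between the tailnet interface and the LAN, and the route still has to be approved in the admin console before other nodes will use it.

```shell
#!/bin/sh
# Turn this Linux host into a Tailscale subnet router.
# Assumed (not from the post): tailscale is installed and "tailscale up" has
# already been run once; 192.168.1.0/24 is a constructed example prefix.

# Syntax check on a comma-separated list of IPv4 CIDR prefixes.
# Returns 1 on the first entry that is not a.b.c.d/N with N <= 32.
validate_routes() {
  for r in $(printf '%s\n' "$1" | tr ',' ' '); do
    case "$r" in
      *.*.*.*/*) ;;
      *) echo "not an IPv4 CIDR: $r" >&2; return 1 ;;
    esac
    prefix=${r##*/}
    case "$prefix" in
      ''|*[!0-9]*) echo "bad prefix length in $r" >&2; return 1 ;;
    esac
    [ "$prefix" -le 32 ] || { echo "prefix length > 32 in $r" >&2; return 1; }
  done
}

# Print (rather than run) the tailscale command so it can be reviewed first.
subnet_router_cmd() {
  validate_routes "$1" || return 1
  printf 'tailscale up --advertise-routes=%s\n' "$1"
}

# Persistently enable IP forwarding; without this the advertised route is
# accepted by the tailnet but packets never make it onto the LAN.
enable_forwarding() {
  printf 'net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 1\n' \
    > /etc/sysctl.d/99-tailscale.conf
  sysctl -p /etc/sysctl.d/99-tailscale.conf
}

# Example usage (run as root on the router host):
# enable_forwarding
# sh -c "$(subnet_router_cmd 192.168.1.0/24)"
# tailscale status   # then approve the route in the admin console
```

Advertise only the prefix you actually need reached; every node on the tailnet that accepts the route gets a path into that LAN, so a narrow `/24` for the printer segment is a better default than the whole home network.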
Apologies for the delay between postings but I prefer to try the things before I post about them and tailscale took a while.