# README – Persistent Home-Lab SSH Tunnel (autossh + systemd)

This setup keeps multiple local ports automatically forwarded to your home lab machines **whenever you are away from home** (coffee shop, hotel, mobile hotspot, etc.).
As soon as you come back home or connect to your WireGuard VPN, the tunnel **stops itself** – no duplicate tunnels, no wasted bandwidth.

(This setup has been tested on my Ubuntu HP laptop, kirin.)

## What it does

- Forwards these ports from your laptop → home network:
  - 3000 → ryzen7 Ollama
  - 8188 → ryzen7 ComfyUI
  - 3822 → ryzen7 SSH
  - 11922 → yazoo SSH
  - 9084 → yazoo Transmission-GM web UI
- Uses key-based authentication (passwordless)
- Survives suspend/resume, reboots, Wi-Fi changes, temporary disconnects
- Automatically disables itself when you are already at home or on your own WireGuard VPN

## Files & Locations

```
~/.ssh/start-my-tunnel.sh                      ← main script (this file)
~/.config/systemd/user/my-ssh-tunnel.service   ← systemd user service
~/autossh-tunnel.log                           ← runtime log (optional but useful)
```

## Prerequisites (done once)

```bash
# Install autossh
sudo apt update && sudo apt install autossh

# Make sure your SSH key is in the jump box (oscara2.hopto.org)
# (options go before the host; newer ssh-copy-id versions reject them after it)
ssh-copy-id -p 4922 root@oscara2.hopto.org
# (or manually paste ~/.ssh/id_ed25519.pub into /root/.ssh/authorized_keys on the jump box)
```

## Installation steps (copy-paste)

```bash
# 1. Save the script exactly as-is
mkdir -p ~/.ssh
curl -o ~/.ssh/start-my-tunnel.sh https://raw.githubusercontent.com/yourrepo/...   # or just edit it manually
chmod +x ~/.ssh/start-my-tunnel.sh

# 2. Create the systemd user service
mkdir -p ~/.config/systemd/user
cat > ~/.config/systemd/user/my-ssh-tunnel.service <<'EOF'
[Unit]
Description=Persistent home-lab SSH tunnel (autossh)
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
Restart=always
RestartSec=10
ExecStart=/home/%u/.ssh/start-my-tunnel.sh
Environment="PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

[Install]
WantedBy=default.target
EOF

# 3. Enable and start it
systemctl --user daemon-reload
systemctl --user enable --now my-ssh-tunnel.service
```

That’s it. From now on everything is 100% automatic.

## How to check everything is working

```bash
# Quick status
systemctl --user status my-ssh-tunnel.service

# Live logs
journalctl --user -u my-ssh-tunnel.service -f

# See the actual listening ports
ss -ltnp | grep autossh

# Or check the old-school log
tail -f ~/autossh-tunnel.log
```

## When the tunnel should NOT start (and it correctly doesn’t)

| Condition                                 | Detection method used                     | Variable in script    |
|-------------------------------------------|-------------------------------------------|-----------------------|
| Connected to home Wi-Fi “W739A”           | SSID check via `iwgetid`                  | `HOME_SSID="W739A"`   |
| Your own WireGuard VPN is up              | Interface `wg0` exists                    | `VPN_INTERFACE="wg0"` |
| You can already reach an internal machine | Direct TCP connect test to 192.168.6.1:22 | `DIRECT_REACH_TEST`   |

You can comment out or modify any of these checks if your setup changes.

## Updating the port list later

Just edit the `FORWARDS=( ... )` array in `~/.ssh/start-my-tunnel.sh` and then restart the service:

```bash
systemctl --user restart my-ssh-tunnel.service
```

## Removing everything (if you ever want to)

```bash
systemctl --user disable --now my-ssh-tunnel.service
rm ~/.config/systemd/user/my-ssh-tunnel.service
rm ~/.ssh/start-my-tunnel.sh
systemctl --user daemon-reload
```

Enjoy seamless access to Ollama, ComfyUI, and your home servers from anywhere — with zero manual intervention.
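
The three "already at home" checks from the table in "When the tunnel should NOT start", sketched as a guard function. This is an added example, not the author's `start-my-tunnel.sh`: the function names, the order of the checks and the `host:port` form of `DIRECT_REACH_TEST` are assumptions; only the SSID, the interface name and the test address come from the table.

```bash
#!/usr/bin/env bash
# Added example: decide whether the tunnel should be skipped.
HOME_SSID="W739A"                    # from the README table
VPN_INTERFACE="wg0"                  # from the README table
DIRECT_REACH_TEST="192.168.6.1:22"   # address from the table; host:port form assumed

# Each probe is its own function so a check can be swapped out or disabled.
current_ssid() { iwgetid -r 2>/dev/null; }        # raw SSID, empty if not on Wi-Fi
iface_exists() { [ -d "/sys/class/net/$1" ]; }    # true if the interface is present
can_reach() {                                     # $1 = host:port, 2-second TCP connect
  timeout 2 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "${1%:*}" "${1##*:}" 2>/dev/null
}

# Prints the reason and returns 0 when the tunnel should NOT start.
# Returns 1 (and prints nothing) when the laptop looks to be away from home.
# Setting a variable to "" disables that check.
tunnel_skip_reason() {
  if [ -n "$HOME_SSID" ] && [ "$(current_ssid)" = "$HOME_SSID" ]; then
    echo "home-ssid"; return 0
  fi
  if [ -n "$VPN_INTERFACE" ] && iface_exists "$VPN_INTERFACE"; then
    echo "vpn-up"; return 0
  fi
  if [ -n "$DIRECT_REACH_TEST" ] && can_reach "$DIRECT_REACH_TEST"; then
    echo "direct-reach"; return 0
  fi
  return 1
}

# Intended use near the top of the start script (before launching autossh):
#   if reason=$(tunnel_skip_reason); then
#     echo "$(date '+%F %T') not starting tunnel: $reason" >> ~/autossh-tunnel.log
#     exit 0
#   fi
```

An SSID is only a name that any access point can broadcast, so a match on `W739A` alone does not prove the laptop is on the home network. The result of a false match is that the tunnel stays down, which is the safe direction for this guard to fail.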