While there are many solutions for remote access to a home network, such as Tailscale or other VPNs, my needs are much simpler: I only need SSH access back to a single workstation.

As I already have a host with a static address on the internet from DigitalOcean, let's leverage that as a meet-me node.

It is assumed that the source and destination nodes already have key pairs configured and working for your user, and that SSH password authentication is disabled.

Two things are needed on the destination machine. First, create a dedicated key pair for the reverse tunnel:

dest $ ssh-keygen -b 4096 -f ~/.ssh/id_rsa.port

Second, a systemd unit to keep the tunnel process running:

dest $ cat /etc/systemd/system/ssh-tunnel.service
[Unit]
Description=Reverse SSH connection
After=network.target
StartLimitIntervalSec=0

[Service]
Type=simple
# systemd does not expand ~ in ExecStart; %h is the home of the user the service runs as (root unless User= is set)
ExecStart=/usr/bin/ssh -v -g -N -T -o "ServerAliveInterval 10" -o "ExitOnForwardFailure yes" -i %h/.ssh/id_rsa.port -R "localhost:8022:localhost:22" user@host
Restart=always
RestartSec=10s

[Install]
WantedBy=default.target

This step took a while to figure out: without StartLimitIntervalSec=0, any network hiccup would trip systemd's start rate limit and the service would fail and stop being restarted, which is awesome.

On the intermediate node the only change needed is to add the public key to the authorized keys list. The key is restricted so that it can only open the reverse forward on the intermediate node (permitlisten is the option that bounds a -R listener; permitopen only limits -L forwards):

jump $ cat .ssh/authorized_keys
...
command="/bin/false",no-agent-forwarding,no-X11-forwarding,permitlisten="localhost:8022" ssh-rsa AAA[...]Yh
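Because the forwarding options are easy to mix up, here is an added checker (not part of the original post) that parses an authorized_keys line and reports whether a tunnel-only key is locked down the way this setup intends. Both sample entries and their truncated key blobs are constructed for illustration.

```python
"""Audit authorized_keys entries intended for a reverse-tunnel-only key."""

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
LOOPBACK = {"localhost", "127.0.0.1", "::1"}
# Without `restrict`, these must be spelled out to deny an interactive session.
REQUIRED_FLAGS = {"no-agent-forwarding", "no-X11-forwarding", "no-pty"}


def _split(text, is_sep):
    """Split on separator characters, but never inside double quotes."""
    parts, buf, quoted = [], "", False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if is_sep(ch) and not quoted:
            parts, buf = parts + ([buf] if buf else []), ""
        else:
            buf += ch
    return parts + ([buf] if buf else [])


def parse_entry(line):
    """Return ({option: [values]}, key_type) for one authorized_keys line."""
    tokens = _split(line.strip(), str.isspace)
    idx = next(i for i, t in enumerate(tokens)
               if t in KEY_TYPES or t.endswith("@openssh.com"))
    opts = {}
    for item in _split(",".join(tokens[:idx]), lambda c: c == ","):
        name, _, value = item.partition("=")
        opts.setdefault(name, []).append(value.strip('"'))
    return opts, tokens[idx]


def audit(line):
    """Return findings for a key that should only be able to open the -R listener."""
    opts, _ = parse_entry(line)
    findings = []
    if "restrict" not in opts:  # restrict already implies all REQUIRED_FLAGS
        findings += [f"missing {f}" for f in sorted(REQUIRED_FLAGS - set(opts))]
    if opts.get("command", [""])[0] not in ("/bin/false", "/usr/sbin/nologin"):
        findings.append("command= does not disable the shell")
    if "no-port-forwarding" in opts or ("restrict" in opts and "port-forwarding" not in opts):
        findings.append("port forwarding disabled; the -R request will be refused")
    if "permitopen" in opts and "permitlisten" not in opts:
        findings.append("permitopen= only limits -L; use permitlisten= for the -R listener")
    for spec in opts.get("permitlisten", []):
        host, sep, _port = spec.rpartition(":")  # forms: port or [host:]port
        if not sep:
            findings.append(f"permitlisten={spec}: no host, bind depends on GatewayPorts")
        elif host.strip("[]") not in LOOPBACK:
            findings.append(f"permitlisten={spec}: listener not bound to loopback")
    return findings


# Constructed sample entries (key blobs truncated, not real keys).
AS_POSTED = ('command="/bin/false",no-agent-forwarding,no-X11-forwarding,'
             'permitopen="localhost:8022" ssh-rsa AAAAB3NzaC1yc2E...Yh tunnel')
HARDENED = ('restrict,port-forwarding,command="/bin/false",'
            'permitlisten="localhost:8022" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5...Qk tunnel')
```

Run `audit()` over each line of the jump host's authorized_keys; an empty list means the entry is tunnel-only.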

Once those two nodes are configured, enable the service on the destination:

sudo systemctl enable --now ssh-tunnel
journalctl -f -u ssh-tunnel

At this point, the intermediate node should be listening on localhost:8022.

On the remote node, update .ssh/config with an entry to jump through:

host jump
   ForwardAgent yes
   # older versions don't support ProxyJump
   # Hostname intermediate
   # RemoteCommand ssh -p 8022 localhost -A

   Hostname localhost
   # the reverse forward listens on 8022 on the intermediate node, not 22
   Port 8022
   ProxyJump intermediate

   RequestTTY force
   User user

remote $ uname -a
Linux ceres 5.10.0-18-amd64 #1 SMP Debian 5.10.140-1 (2022-09-02) x86_64 GNU/Linux

remote $ ssh jump
Linux neptune 5.19.0-2-amd64 #1 SMP PREEMPT_DYNAMIC Debian 5.19.11-1 (2022-09-24) x86_64

While it is not as flexible as a mesh VPN doing actual IP routing, it works extremely well when you’re in a pinch on a low-bandwidth connection.