While there are many solutions for remote access to a home machine, they never seem to meet my needs.

As I already have a persisted host on the internet from Digital Ocean, lets leverage that as a meet me node.

It is assumed that source and destination nodes have key pairs configured and operating normally for your user, and SSH password authentication disabled.

The destination machine requires two things done; First is creating a dedicated keypair for the remote tunnel back:

dest $ ssh-keygen -b 4096 -f ~/.ssh/id_rsa.port

and a service file to persist the process:

dest $ cat /etc/systemd/system/ssh-tunnel.service
Description=Reverse SSH connection

ExecStart=/usr/bin/ssh -v -g -N -T -o "ServerAliveInterval 10" -o "ExitOnForwardFailure yes" -i ~/.ssh/id_rsa.port -R "localhost:8022:localhost:22" user@host


This step took a bit to figure out; if there is any sort of network hiccup, without the StartLimitIntervalSec=0, the service would fail and stop attempting. Which is awesome when you’re 12 hours away from home.

On the intermediate node the only change needed is to add the pubkey to the authorized keys list. This is restricted to only allow a port forward to the intermediate node:

jump $ cat .ssh/authorized_keys
command="/bin/false",no-agent-forwarding,no-X11-forwarding,permitopen="localhost:8022" ssh-rsa AAA[...]Yh

Once those two nodes are configured, enable the service on the destination:

sudo sytemctl enable ssh-tunnel
journalctl -f -u ssh-tunnel

At this point, the intermediate node should be listening on localhost:8022.

On the remote node, update .ssh/config with an entry to jump through:

host jump
   ForwardAgent yes
   Hostname intermediate
   RemoteCommand ssh -p 8022 localhost -A
   RequestTTY force
   User user
remote $ uname -a
Linux ceres 5.10.0-18-amd64 #1 SMP Debian 5.10.140-1 (2022-09-02) x86_64 GNU/Linux

remote $ ssh jump
Linux neptune 5.19.0-2-amd64 #1 SMP PREEMPT_DYNAMIC Debian 5.19.11-1 (2022-09-24) x86_64

Not nearly as elegant as a mesh VPN, but works well when you’re in a pinch on a low bandwidth connection.