While there are many solutions for remote access to a home machine, they never seem to meet my needs.
As I already have a persistent host on the internet from Digital Ocean, let's leverage that as a meet-me node.
It is assumed that the source and destination nodes already have key pairs configured and working for your user, and that SSH password authentication is disabled.
The destination machine requires two things. First, create a dedicated keypair for the remote tunnel back:
dest $ ssh-keygen -b 4096 -f ~/.ssh/id_rsa.port
and a service file to persist the process:
dest $ cat /etc/systemd/system/ssh-tunnel.service
[Unit]
Description=Reverse SSH connection
After=network.target
StartLimitIntervalSec=0
[Service]
Type=simple
ExecStart=/usr/bin/ssh -v -g -N -T -o "ServerAliveInterval 10" -o "ExitOnForwardFailure yes" -i ~/.ssh/id_rsa.port -R "localhost:8022:localhost:22" user@host
Restart=always
RestartSec=10s
[Install]
WantedBy=default.target
This step took a bit to figure out: systemd rate-limits unit starts by default, so after a network hiccup caused a handful of quick restarts the unit would be marked failed and never retried; StartLimitIntervalSec=0 disables that limit. Which is awesome when you're 12 hours away from home. Also note that a system unit runs as root unless User= is set, so the -i path above resolves to root's home directory; either generate the key there or add User= for the account that owns it, and make sure the intermediate node's host key is already in that account's known_hosts, since a non-interactive ssh cannot accept a new one.
On the intermediate node the only change needed is to add the public key to the authorized_keys list, with options that restrict the key to the single reverse forward. permitlisten (OpenSSH 7.8 and later) is what limits which address and port the -R side may bind; permitopen only governs -L forwards made by the client, and command="/bin/false" means the key can never obtain a shell:
jump $ cat .ssh/authorized_keys
...
command="/bin/false",no-agent-forwarding,no-X11-forwarding,permitopen="localhost:8022",permitlisten="localhost:8022" ssh-rsa AAA[...]Yh
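Getting these options right is easy to miss because sshd silently accepts an entry that restricts the wrong direction. The following audit script is an added example, not code from the original post: it parses the authorized_keys option grammar (commas inside quoted values are not separators) and reports how far each entry is from confining a key to one -R listener. The sample file, the key material and the entry comments are constructed for the example; the expected listener localhost:8022 is the one used above.

```python
"""Audit authorized_keys entries meant to hold a reverse-SSH tunnel key.

Added example, not part of the original post. Parses sshd's authorized_keys
option syntax and checks whether an entry confines the key to a single
-R listener (no shell, no agent forwarding, permitlisten present and matching).
"""
from dataclasses import dataclass

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")   # a line starting this way has no options


@dataclass
class Entry:
    options: dict      # option name (lower-cased) -> list of values ([] for bare flags)
    key_type: str
    comment: str


def _split_options_field(line):
    """Return (options_text, rest). The options field ends at the first
    whitespace that is not inside double quotes, e.g. command="echo hi"."""
    in_quotes = False
    i = 0
    while i < len(line):
        c = line[i]
        if c == "\\" and in_quotes:
            i += 2                     # skip an escaped character inside quotes
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif c.isspace() and not in_quotes:
            return line[:i], line[i:].lstrip()
        i += 1
    return line, ""


def parse_options(text):
    """Split 'a,b="x,y",c' on unquoted commas into {'a': [], 'b': ['x,y'], 'c': []}."""
    opts = {}
    cur = []
    in_quotes = False
    i = 0
    while i <= len(text):
        c = text[i] if i < len(text) else ","   # sentinel comma flushes the last item
        if c == "\\" and in_quotes and i + 1 < len(text):
            cur.append(text[i + 1])
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes              # quotes delimit, they are not kept
        elif c == "," and not in_quotes:
            item = "".join(cur)
            if item:
                name, _, value = item.partition("=")
                opts.setdefault(name.lower(), [])
                if value:
                    opts[name.lower()].append(value)
            cur = []
        else:
            cur.append(c)
        i += 1
    return opts


def parse_line(line):
    """Parse one authorized_keys line; None for blank lines and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith(KEY_TYPE_PREFIXES):
        opts_text, rest = "", line
    else:
        opts_text, rest = _split_options_field(line)
    fields = rest.split(None, 2)
    if len(fields) < 2:
        raise ValueError("malformed authorized_keys entry: %r" % line)
    comment = fields[2] if len(fields) == 3 else ""
    return Entry(parse_options(opts_text), fields[0], comment)


def tunnel_findings(entry, listen="localhost:8022"):
    """Ways this entry fails to confine a tunnel key; empty list means it is locked down."""
    o = entry.options
    findings = []
    restricted = "restrict" in o      # 'restrict' disables everything not re-enabled
    if "no-port-forwarding" in o or (restricted and "port-forwarding" not in o):
        findings.append("port forwarding disabled: the -R tunnel cannot be established")
    elif "permitlisten" not in o:
        findings.append("no permitlisten: the key may bind any -R port on this host")
    elif listen not in o["permitlisten"]:
        findings.append("permitlisten does not include %s" % listen)
    if "command" not in o and not restricted:
        findings.append("no command= or restrict: the key grants an interactive shell")
    if "no-agent-forwarding" not in o and not restricted:
        findings.append("agent forwarding not disabled")
    return findings


# Constructed sample file for this example; the key material is not real.
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample, not from a real host
command="/bin/false",no-agent-forwarding,no-X11-forwarding,permitopen="localhost:8022" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCCONSTRUCTED tunnel-permitopen-only
command="/bin/false",no-agent-forwarding,no-X11-forwarding,permitopen="localhost:8022",permitlisten="localhost:8022" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCCONSTRUCTED tunnel-permitlisten
restrict,port-forwarding,permitlisten="localhost:8022" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTED tunnel-restrict
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTED laptop-login
"""


def audit(text, listen="localhost:8022"):
    """Map each entry's comment (or key type) to its list of findings."""
    report = {}
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            report[entry.comment or entry.key_type] = tunnel_findings(entry, listen)
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_AUTHORIZED_KEYS).items():
        print(name, "->", findings or ["ok"])
```

The third sample entry shows the shorter modern form: restrict switches every permission off and port-forwarding plus permitlisten switch back on exactly what the tunnel needs. Run it against a real file with audit(open("/home/user/.ssh/authorized_keys").read()) and expect an empty list only for the tunnel key.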
Once those two nodes are configured, enable and start the service on the destination and watch its log:
dest $ sudo systemctl enable --now ssh-tunnel
dest $ journalctl -f -u ssh-tunnel
At this point, the intermediate node should be listening on localhost:8022 (ss -ltn on the jump host will show the listener).
On the remote (source) node, update .ssh/config with an entry to jump through. ForwardAgent makes your agent available on the intermediate node so the second hop can authenticate with it; if you would rather not expose the agent to that host, ProxyJump gets you through the same hop without forwarding anything:
host jump
    ForwardAgent yes
    Hostname intermediate
    RemoteCommand ssh -p 8022 localhost -A
    RequestTTY force
    User user
remote $ uname -a
Linux ceres 5.10.0-18-amd64 #1 SMP Debian 5.10.140-1 (2022-09-02) x86_64 GNU/Linux
remote $ ssh jump
Linux neptune 5.19.0-2-amd64 #1 SMP PREEMPT_DYNAMIC Debian 5.19.11-1 (2022-09-24) x86_64
Not nearly as elegant as a mesh VPN, but works well when you’re in a pinch on a low bandwidth connection.