Create an on-demand SSH-based SOCKS5 proxy via systemd socket activation
#!/bin/bash
# These steps set up an on-demand SSH SOCKS5 proxy for the current user.
# Three systemd user units are created to serve this purpose:
# ssh-socks-helper.socket  - The listening socket providing activation
# ssh-socks-helper.service - A systemd proxy that passes the socket fd on
# ssh-socks.service        - The actual SSH service providing the tunnel
mkdir -p ~/.config/systemd/user

cat <<'EOF' > ~/.config/systemd/user/ssh-socks-helper.socket
[Unit]
Description=Proxy Helper Socket for Bastion SOCKS5 Proxy
[Socket]
# Bind to loopback only; a bare port number would expose the proxy on every interface
ListenStream=127.0.0.1:1080
[Install]
WantedBy=sockets.target
EOF

cat <<'EOF' > ~/.config/systemd/user/ssh-socks-helper.service
[Unit]
Description=Proxy Helper Service for Bastion SOCKS5 Proxy
Requires=ssh-socks-helper.socket
# Pull in the SSH tunnel on activation and stop together with it
BindsTo=ssh-socks.service
After=ssh-socks.service
[Service]
# Give ssh a moment to bring up its dynamic-forwarding listener on 10080
ExecStartPre=/bin/sleep 5
# Relay the activated fd to the SSH listener, which cannot accept fds itself
ExecStart=/lib/systemd/systemd-socket-proxyd 127.0.0.1:10080
TimeoutStopSec=5
EOF

cat <<'EOF' > ~/.config/systemd/user/ssh-socks.service
[Unit]
Description=On-Demand Bastion SOCKS5 Proxy Service
[Service]
# -a no agent forwarding, -q quiet, -N no remote command, -D dynamic (SOCKS) forwarding
ExecStart=/usr/bin/ssh -aqND 10080 your.bastion.host
EOF

# Only the socket is enabled; the two services are pulled in on demand by the
# socket, so they carry no [Install] section (a user instance has no multi-user.target).
systemctl --user daemon-reload
systemctl --user enable ssh-socks-helper.socket
systemctl --user start ssh-socks-helper.socket
@MestreLion

What is the systemd-socket-proxyd for? Couldn't the ssh-socks.service be bound directly to the socket service?

@AfroThundr3007730 (Author)

@MestreLion Sorry for the late reply.

The socket unit passes the traffic via file descriptor to the service unit instead of as a TCP socket, so systemd-socket-proxyd receives that FD and sends the traffic again to the listening SSH process. This extra step is only necessary for services that don't know how to receive traffic from a file descriptor or that expect to only interact via a listening network socket.

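The fd-passing step the reply describes, as an added example that is not part of the gist: a service that speaks the sd_listen_fds protocol adopts the descriptor systemd hands it, while a program like `ssh -D` never looks for one, which is why systemd-socket-proxyd sits in between. `simulate_activation` is a constructed stand-in for the socket unit; real systemd always places the first socket at fd 3, and the simulation uses `dup()` only so it cannot clobber a descriptor this process already holds.

```python
import os
import socket

# systemd passes activated sockets to the service as file descriptors,
# numbered consecutively from 3, and announces them through LISTEN_PID and
# LISTEN_FDS (the sd_listen_fds protocol). A program that never reads these,
# such as ssh started with -D, cannot be socket-activated directly.
SD_LISTEN_FDS_START = 3


def inherited_listeners(first_fd=SD_LISTEN_FDS_START):
    """Adopt the listening sockets a socket unit handed to this process.
    Returns [] when LISTEN_PID is absent or names another process."""
    if os.environ.get("LISTEN_PID") != str(os.getpid()):
        return []
    count = int(os.environ.get("LISTEN_FDS", "0"))
    # socket.socket(fileno=...) adopts an existing descriptor; family/type are detected
    return [socket.socket(fileno=fd) for fd in range(first_fd, first_fd + count)]


def simulate_activation():
    """Constructed stand-in for the socket unit (not systemd): bind a loopback
    listener, leave it open in a fresh descriptor and set the environment as
    systemd would before exec'ing the service. Returns (first_fd, port)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free port
    listener.listen(8)
    port = listener.getsockname()[1]
    fd = os.dup(listener.fileno())  # systemd would put this at fd 3
    listener.close()  # the duplicate keeps the socket open
    os.environ["LISTEN_PID"] = str(os.getpid())
    os.environ["LISTEN_FDS"] = "1"
    return fd, port


def drop_activation_env():
    """Remove the activation variables, as a non-activated start would look."""
    os.environ.pop("LISTEN_PID", None)
    os.environ.pop("LISTEN_FDS", None)


def accept_one_probe(sock):
    """Connect to the adopted listener from this process and send a constructed
    SOCKS5 greeting (version 5, one method, no auth); True if it arrives."""
    client = socket.create_connection(("127.0.0.1", sock.getsockname()[1]))
    conn, _ = sock.accept()
    client.sendall(b"\x05\x01\x00")
    data = conn.recv(3)
    client.close()
    conn.close()
    return data == b"\x05\x01\x00"
```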