ssh -NT -o ServerAliveInterval=60 -o ServerAliveCountMax=10 -o ExitOnForwardFailure=yes -i /var/services/homes/foouser/.ssh/id_rsa -R 8080:localhost:80 -R 4443:localhost:443 foouser@<VPS>

To explain this command:

  • -N - Do not execute a remote command; this is useful for just forwarding ports.
  • -T - Disable pseudo-tty allocation.
  • -R 8080:localhost:80 - Specifies that the given port on the remote (server) host is to be forwarded to the given host and port on the local side. In this case, it means forward port 80 of the remote server to port 8080 of the client.
  • -i /path/to/key - Specify the path to the ssh key used to establish the ssh session; without this you will have to enter username (if not supplied) and password to establish the ssh session.
  • ServerAliveInterval - the number of seconds that the client will wait before sending a "server alive" message to the server to keep the connection alive.
  • ServerAliveCountMax - the number of "server alive" messages which may be sent without reply from the server. If this threshold is reached ssh will disconnect from the server, terminating the session.
  • ExitOnForwardFailure - if set to "yes", the connection shall be terminated if ssh cannot set up all requested dynamic, tunnel, local, and remote port forwardings (e.g. if either end is unable to bind and listen on a specified port).
  • foouser@<VPS> - Specifies the user account foouser used to establish the remote port forwarding ssh session with the server <VPS>.

It is also worth adding some ssh config options to the server (in my case, on my VPS) as well, by adding the following file if it doesn't already exist:

Note: you could replace the * (which means apply this config to "all hosts") with a specific host. In my case my NAS (i.e. the host that connects to my VPS) is behind my router; the public IP address of my router frequently changes as it's DHCP assigned (from my ISP), so I stuck with "all hosts".

foouser@nas:~$ cat /etc/systemd/system/sshtunnel-web.service 
[Unit]
Description=SSH Tunnel for WebStation
After=network.target

[Service]
Restart=always
RestartSec=1
User=foouser
ExecStart=/bin/ssh \
    -NT \
    -o ServerAliveInterval=60 \
    -o ServerAliveCountMax=10 \
    -o ExitOnForwardFailure=yes \
    -i /var/services/homes/foouser/.ssh/id_rsa \
    -R 8080:localhost:80 \
    -R 4443:localhost:443 \
    foouser@<VPS>

[Install]
WantedBy=multi-user.target
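
Why the unit needs both the keepalive options and ExitOnForwardFailure: Restart=always only acts when ssh exits, so a session that connects but cannot bind its remote ports leaves the service "running" with no tunnel. The following audit script is an added example, not part of the original answer; the function names are hypothetical and the sample is the earlier revision of the unit, which lacks the option.

```shell
# Constructed sample: the unit as it stood before ExitOnForwardFailure was added.
sample_unit() {
cat <<'EOF'
[Service]
Restart=always
ExecStart=/bin/ssh \
    -NT \
    -o ServerAliveInterval=60 \
    -o ServerAliveCountMax=10 \
    -i /var/services/homes/foouser/.ssh/id_rsa \
    -R 8080:localhost:80 \
    -R 4443:localhost:443 \
    foouser@<VPS>
EOF
}

# Print the value of "-o NAME=value" found on stdin (nothing if absent).
ssh_opt() {
    awk -v name="$1" '{
        for (i = 1; i < NF; i++)
            if ($i == "-o" && index($(i + 1), name "=") == 1) {
                print substr($(i + 1), length(name) + 2); exit
            }
    }'
}

# Approximate seconds an unresponsive VPS goes unnoticed: interval x count.
# ssh defaults apply when unset: interval 0 (keepalives off), count 3.
dead_peer_seconds() {
    unit=$(cat)
    interval=$(printf '%s\n' "$unit" | ssh_opt ServerAliveInterval)
    count=$(printf '%s\n' "$unit" | ssh_opt ServerAliveCountMax)
    echo $(( ${interval:-0} * ${count:-3} ))
}

# Report settings that let the service look healthy while the tunnel is down.
audit_unit() {
    unit=$(cat); findings=""
    secs=$(printf '%s\n' "$unit" | dead_peer_seconds)
    [ "$secs" -gt 0 ] || findings="$findings no-keepalive"
    [ "$(printf '%s\n' "$unit" | ssh_opt ExitOnForwardFailure)" = yes ] ||
        findings="$findings forward-failure-not-fatal"
    printf '%s\n' "$unit" | grep -q '^Restart=always' ||
        findings="$findings no-restart"
    echo "dead_peer_seconds=$secs findings:${findings:- none}"
}

sample_unit | audit_unit
```

Run against the real file with `audit_unit < /etc/systemd/system/sshtunnel-web.service`; the unit that includes ExitOnForwardFailure=yes reports no findings.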
For those who don't want to (or) can't use AutoSSH...

I have a NAS that I want to reach from the internet. I can't use port forwarding because my ISP uses CGNAT (my public IP is not really my public IP; I'm behind another router I don't have any control over). Therefore, to reach my NAS, I have a VPS (which I rent from OVH for a very small monthly cost), and that has a fixed public IP address. So to reach my NAS from the internet, I simply need to create an SSH tunnel between my NAS and my VPS that reliably stays open all the time (for round-the-clock access). However, I suffered from the SSH tunnel being "closed" due to inactivity (despite the ssh process staying up). This can easily be overcome by having the client (in my case, the VPS) "ping" the server (in my case, the NAS) using the keep alive option.

To create an SSH Tunnel, I issue the following command (from the NAS):

ssh -NT -o ServerAliveInterval=60 -o ServerAliveCountMax=10 -i /var/services/homes/foouser/.ssh/id_rsa -R 8080:localhost:80 -R 4443:localhost:443 foouser@<VPS>

And all I need to do on the VPS is to configure ssh by simply adding the following:

[foouser@vps ~]$ cat /home/foouser/.ssh/config
Host *
    TCPKeepAlive yes
    ClientAliveInterval 30
    ClientAliveCountMax 9999

Note: you could replace the * for "all hosts" with a specific host, but as my NAS is behind my router, which can change its IP address I stuck with "all hosts".

SystemD Process (Synology NAS)

I also have this command (the one that starts the SSH tunnel) as a systemd process; if anyone is interested, here is the script:

foouser@nas:~$ cat /etc/systemd/system/sshtunnel-web.service 
[Unit]
Description=SSH Tunnel for WebStation
After=network.target

[Service]
Restart=always
RestartSec=1
User=foouser
ExecStart=/bin/ssh \
    -NT \
    -o ServerAliveInterval=60 \
    -o ServerAliveCountMax=10 \
    -i /var/services/homes/foouser/.ssh/id_rsa \
    -R 8080:localhost:80 \
    -R 4443:localhost:443 \
    foouser@<VPS>

[Install]
WantedBy=multi-user.target

To start and enable the SSH Tunnel service:

foouser@nas:~$ sudo systemctl daemon-reload
foouser@nas:~$ sudo systemctl start sshtunnel-web.service
foouser@nas:~$ sudo systemctl enable sshtunnel-web.service

This has worked reliably for me for several months. This includes being reliable over several reboots of my home router, the VPS server, and the NAS.
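
Because the NAS holds an unattended private key for foouser on the VPS, that key is worth limiting on the VPS side to the remote forwards the tunnel actually uses. The script below is an added example, not part of the original answer: it derives an authorized_keys entry from the -R options of the tunnel command. The function names and the placeholder public key are assumptions.

```shell
# Constructed input: the tunnel command from the page on one line.
sample_cmd='ssh -NT -o ExitOnForwardFailure=yes -R 8080:localhost:80 -R 4443:localhost:443 foouser@<VPS>'
# Constructed placeholder, not a real key.
sample_pubkey='ssh-ed25519 AAAA_PLACEHOLDER_KEY nas-tunnel'

# Print the port sshd is asked to listen on for every -R spec on stdin.
# Handles port:host:hostport and bind_address:port:host:hostport
# (bracketed IPv6 bind addresses are not handled).
listen_ports() {
    awk '{
        for (i = 1; i < NF; i++)
            if ($i == "-R") {
                n = split($(i + 1), part, ":")
                if (n >= 3) print part[n - 2]
            }
    }'
}

# Build an authorized_keys line for the VPS account:
#   restrict         turns off pty, agent/X11 forwarding and port forwarding
#   port-forwarding  turns forwarding back on
#   permitlisten     limits -R to the listed ports (OpenSSH 7.8 or later)
restricted_key_line() {   # $1 = public key; stdin = ssh command or unit file
    opts="restrict,port-forwarding"
    for port in $(listen_ports); do
        opts="$opts,permitlisten=\"$port\""
    done
    printf '%s %s\n' "$opts" "$1"
}

printf '%s\n' "$sample_cmd" | restricted_key_line "$sample_pubkey"
```

The resulting line goes in foouser's ~/.ssh/authorized_keys on the VPS in place of the bare key. The key can still run commands without a terminal unless a forced command= option is added as well.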
