For the last 3 years to manage my ‘smart home’ (a couple of lights, heating, some sensors) I have been using Home Assistant running on Dell Wyse Z90D71. And to be honest - it is a great piece of code which works without issues since then. But after the month of using it2 I wanted to have it available through a mobile app - for example, to turn on the heating before I come back. Or make sure that, after leaving for groceries, a bathroom door is open so my cat can use his litter box. ;-)
I looked over the ways to expose Home Assistant online and found some services3, but in the end decided to make something my own. To do it I decided to use the things I already know and have - SSH, nginx and remote server in the cloud.
Despite the fact I wanted to tinker with it by myself I was lazy and searched for tools that would allow me to maintain a stable SSH tunnel.
After a short research, I found one that fits perfectly my needs -
autossh (that runs on top of the SSH) I can be sure that the SSH tunnel will be there.
Even if the terminal restarts or it will lose network for a couple of minutes (or days) -
autossh will restart the connection.
So I set it up and connected all the required stuff and it has worked without any issues5 since then.
So, no more introduction - below are step-by-step instructions on how to do it by yourself!
Steps outline and assumptions
To access service using SSH tunnel we will need a service and remote server that allow us
Exposing the application is pretty straightforward and can be described in a couple of steps:
- create a user on the local server (this is the server you have at home) and create a pair of SSH keys,
- create a user on the remote server (this is the server on the public internet, like VPS) and add the previously created key as an authorized one,
- test SSH connection,
- create a service to run and restart
autosshon the local server,
- configure reverse proxy on the remote server.
For the post, I assume the Linux distribution is Ubuntu Server (both local and remote server) and you have root rights on it (to configure accounts and reverse proxy).
autossh on Ubuntu is straightforward:
$ sudo apt install autossh
2. Terminal: Create user and key pair
Create a new account with username
autotunnel on the local server, then log in to this account:
$ sudo useradd -m -s /bin/bash autotunnel
$ sudo su -l autotunnel
Then log in to it on the server and create a new SSH key pair - it needs to be created without a password:
$ ssh-keygen -t ed25519 -C "autotunnel"
With default options public key will be by default saved in
3. Remote: Create a user and add the public key to the authorized ones
Commands as above:
$ sudo useradd -m -s /bin/bash autotunnel
$ sudo su -l autotunnel
After logging in you need to copy the value from terminal
~/.ssh/id_ed25519.pub into remote
~/.ssh/authorized_keys, and set proper permission to that file:
$ echo "ssh-ed25519 AAAAlotofletters autotunnel@tarkin" > ~/.ssh/authorized_keys
$ chmod 600 ~/.ssh/authorized_keys
4. Test connection!
After setting accounts and keys you need to test the connection. You can do that by simply connecting using SSH from the local server to the remote server:
$ ssh autotunnel@remote-tld
If you are trying to log in for the first time - and as this is a fresh account it probably will be the first time - you will need to confirm the authenticity of the remote host:
The authenticity of host 'remote-server.example.com (XX.XX.XX.XX)' can't be established.
ED25519 key fingerprint is SHA256:anotherAlotOfLetters.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])?
Validate the key 6 and if it is correct - continue connecting. After a couple of seconds, you should be logged into the server.
If not - something bad happens or something is misconfigured - for sure it is worth checking if the SSH server allows authenticating with public keys!
5. Create a service to run and manage the connection
To make sure that the connection will start on the local server restart we can create a service that will be enabled and started.
To edit file
$ sudo nano /etc/systemd/system/autotunnel.service) and type the following content into it:
Description=Keep a tunnel to 'remote-server.example.com' to expose service from localhost:8123
ExecStart=/usr/bin/autossh -f -M 8124 -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -N -R 32100:localhost:8123 firstname.lastname@example.org
ExecStop=/usr/bin/pkill -9 -u autotunnel
The above configuration assumes that we will run the service with user
Because you already tested the connection and the key does not require a password there are no additional, manual, steps needed to make a connection.
autossh in the same way as plain
ssh will create a tunnel from port
remote-server.example.com to local
(it is defined by
-R 32100:localhost:8123 part of
The only (but crucial!) difference is that it will make sure that the connection will be there.
If your local server suddenly becomes unavailable then it will try, continuously, to connect again.
Then reload services, enable and run service type:
$ sudo systemctl daemon-reload
$ sudo systemctl enable autotunnel.service
$ sudo systemctl start autotunnel.service
After a couple of seconds, we should be able to see that the service is running by typing
$ sudo systemctl status autotunnel.service.
6. Reverse proxy
To expose the service on the remote server we can use for example Caddy or nginx.
For the latter, the full example is available in a post How to expose local service using nginx and SSH.
The only required change is the port change - in the linked example we are using
8080 and above we need
In the case of the Home Assistant, it is required to allow Internet access in
System -> Network based on the external domain and port (configured e.g. with nginx as above).
And that is all - thanks to that solution I can expose any local service (like the mentioned Home Assistant) without requiring static IP, dynamic DNS and so on. I am very happy to have the possibility to turn on the heating before coming home or have an instant notification about water leaks.
A beast with an AMD processor, 4GB of RAM and 120GB SSD! But it cost me less than 200 Złoty (~40 Euro). ↩︎
That is correct - writing this post took me… a few hours typing and three years as an ‘I should write about that’ idea. ↩︎
Well, the remote server (VPS) is hosted by OVH and was turned off during the fire in a data centre (SBG), but that is a force majeure. ↩︎