中文版 | English |
This project provides a Docker-based solution to manage SSH tunnels using autossh
and a YAML configuration file. This setup allows you to easily expose local services to a remote server through an SSH tunnel or map remote services to a local port, making it convenient to access services behind a firewall. Additionally, it detects changes in config.yaml
and automatically reloads the service configuration.
config.yaml
file and support automatic service reload upon configuration changes.PUID
and PGID
environment variables to match host user permissions.linux/amd64
, linux/arm64/v8
, linux/arm/v7
, linux/arm/v6
, linux/386
, linux/ppc64le
, linux/s390x
, and linux/riscv64
.local_to_remote
) or mapping remote services to a local port (remote_to_local
).config.yaml
and automatically reload the service configuration.The packaged Docker images are available on Docker Hub. You can access them via the following link:
Feel free to use it and provide feedback!
For most users, you only need to download the Docker Compose file. You can either:
Option A: Download files directly
Create a new directory and download the required files:
mkdir autossh-tunnel
cd autossh-tunnel
# Download docker-compose.yaml (includes both autossh tunnel and web panel services)
curl -O https://oaklight.github.io/autossh-tunnel-dockerized/compose.yaml
# Create config directory
mkdir config
# Option 1: Download sample config (if you want to configure manually)
curl -o config/config.yaml.sample https://oaklight.github.io/autossh-tunnel-dockerized/config/config.yaml.sample
cp config/config.yaml.sample config/config.yaml
# Option 2: Create empty config (if you want to use web panel for configuration)
touch config/config.yaml
Note: The compose.yaml
file includes both the autossh tunnel service and the web panel service. The web panel is optional - you can disable it by commenting out the web
service section in the compose file if you prefer manual configuration.
Option B: Clone the repository (for developers)
If you want to modify the source code or build locally:
git clone https://github.com/Oaklight/autossh-tunnel-dockerized.git
cd autossh-tunnel-dockerized
Ensure your SSH keys are located in the ~/.ssh
directory. This directory should contain your private key files (e.g., id_ed25519
) and any necessary SSH configuration files.
Important: This project heavily relies on the ~/.ssh/config
file for SSH connection configuration. The SSH config file allows you to define connection parameters such as hostnames, usernames, ports, and key files for each remote host. Without proper SSH config setup, the tunnels may fail to establish connections.
For detailed SSH config file setup instructions, please refer to: SSH Config Configuration Guide
You have two options for configuring your SSH tunnels:
Edit the config.yaml
file to define your SSH tunnel mappings. Each entry should specify the remote host, remote port, local port, and direction (local_to_remote
or remote_to_local
).
Sample configuration:
tunnels:
# Expose local service to a remote server
- remote_host: "user@remote-host1"
remote_port: 22323
local_port: 18120
direction: local_to_remote
# Map remote service to a local port
- remote_host: "user@remote-host2"
remote_port: 8000
local_port: 8001
direction: remote_to_local
# Add more tunnels as needed
If you’re using the web panel (included in compose.yaml
), you can:
config/config.yaml
filehttp://localhost:5000
Important Notes for Web Panel Users:
config/backups/
every time you save changesconfig/config.yaml
file must exist (even if empty) for the autossh tunnel service to work properlyIf you want to bind remote port or local service to a specific IP address, use the ip:port
format.
Bind the remote port to a specific IP address (e.g., 192.168.45.130
):
tunnels:
- remote_host: "user@remote-host1"
remote_port: "192.168.45.130:22323" # Bind remote to 192.168.45.130
local_port: 18120 # Local service port
direction: local_to_remote
Bind the local service to a specific IP address (e.g., 192.168.1.100
):
tunnels:
- remote_host: "user@remote-host1"
remote_port: 22323 # Remote port
local_port: "192.168.1.100:18120" # Bind local to 192.168.1.100
direction: local_to_remote
tunnels:
- remote_host: "user@remote-host1"
remote_port: "192.168.45.130:22323" # Bind remote to 192.168.45.130
local_port: "192.168.1.100:18120" # Bind local to 192.168.1.100
direction: local_to_remote
This allows you to flexibly control the IP addresses to which tunnels bind, meeting different network environments and security needs.
Important: Before running the containers, make sure to set the correct PUID
and PGID
values in your environment or compose.yaml
file to match your host user’s UID and GID. This ensures proper file permissions for the SSH keys and configuration files.
You can check your user’s UID and GID with:
id
To set the values, you can either:
Set environment variables:
export PUID=$(id -u)
export PGID=$(id -g)
Edit the compose.yaml file directly:
environment:
- PUID=1000
- PGID=1000
docker compose up -d
# build
docker compose -f compose.dev.yaml build
# run
docker compose -f compose.dev.yaml up -d
Once the container is running, you can access the local service via the specified port on the remote server (e.g., remote-host1:22323
) or access the remote service through the local port (e.g., localhost:8001
).
The project includes an optional web-based configuration panel for easier tunnel management. The web panel is included in the default compose.yaml
file but can be disabled if not needed.
config.yaml
fileconfig/backups/
Once the containers are running, access the web panel at: http://localhost:5000
The web panel automatically creates backups in config/backups/
every time you save changes. You may need to manually clean up old backup files to prevent disk space issues.
To add more SSH tunnels, simply add more entries to the config.yaml
file. Each entry should follow this format:
- remote_host: "user@remote-host"
remote_port: <remote_port>
local_port: <local_port>
direction: <local_to_remote or remote_to_local> (default: remote_to_local)
If you need to customize the Docker environment, you can modify the Dockerfile
. For example, you can install additional packages or change the base image.
The entrypoint.sh
script is responsible for reading the config.yaml
file and starting SSH tunnels. If you need to add extra functionality or change how tunnels are managed, you can modify this script.
When enabling the -R
parameter, remote ports are by default bound to localhost
. If you want to access the tunnel via other IP addresses on the remote server, you need to enable the GatewayPorts
option in the remote server’s sshd_config
:
# Edit /etc/ssh/sshd_config
GatewayPorts clientspecified # Allow clients to specify binding address
GatewayPorts yes # Or bind to all network interfaces
Restart the SSH service:
sudo systemctl restart sshd
Enabling GatewayPorts
may expose services to the public. Ensure to take appropriate security measures, such as configuring firewall or enabling access control.
Ensure the .ssh
directory and its contents have the appropriate permissions:
chmod 700 .ssh
chmod 600 .ssh/*
If you encounter permission issues when running Docker commands, make sure your user is in the docker
group:
sudo usermod -aG docker $USER
Check Docker container logs for any errors:
docker compose logs -f
This project is licensed under the MIT License. See the LICENSE file for details.
Contributions to the project are welcome via issues or pull requests. Happy tunneling!