Autossh Startup Script for Multiple Tunnels

When an encrypted VPN is not available, the next best solution is usually to forward one or more ports through an SSH tunnel. The drawback of SSH on its own is that it cannot maintain a persistent connection: network problems may leave the tunnel hung, or drop it completely. Autossh is a small front-end for SSH that monitors the connection and restarts the tunnel if it drops or stops responding. I found the autossh startup scripts available on the internet a little too basic for my needs (I wanted autossh to start multiple connections, and to start or stop each one individually when needed), so I wrote my own.

You’ll first need to install autossh — if you’re on an rpm-based distro, you can probably use `yum install autossh`.

The /etc/autossh/ directory holds the tunnel config files, typically one per remote host. The filename can be anything, but short names are best, since you can (optionally) pass them on the command line (for example `/etc/init.d/autossh start dbhost1 dbhost2`). With no filenames on the command line, `start` starts every config file in the directory, and `stop` stops all running autossh processes.

Here's an example host config file. Make sure the LocalUser's public SSH key has been added to the RemoteUser's ~/.ssh/authorized_keys file, and test the connection by hand with `su - {localuser} -c 'ssh -i {identityfile} -p {remoteport} {remoteuser}@{remotehost}'` before using the /etc/init.d/autossh script, just to make sure everything is working as it should. The script runs autossh non-interactively, so a key that needs a passphrase, or anything else that prompts, will simply fail; and because it starts autossh with `su - {localuser}`, LocalUser needs a real login shell. Remember that to listen on ports lower than 1024, either locally or remote, you will have to use root on that side. Note also that the example below sets StrictHostKeyChecking to "no", which accepts and records whatever host key the remote presents the first time it connects. For a tunnel carrying database traffic it is safer to let the manual test above record the host key in LocalUser's ~/.ssh/known_hosts, check its fingerprint, and then set StrictHostKeyChecking="yes" so that a host whose key is unknown or has changed is refused instead.

# Check connection every 10 seconds, and after 3 tries (30 seconds), drop and
# let autossh re-connect.
#
ServerAliveInterval="10"
ServerAliveCountMax="3"
StrictHostKeyChecking="no"

LocalUser="root"
IdentityFile="~/.ssh/domain.com"

RemoteUser="dbuser"
RemoteHost="db1.domain.com"
RemotePort="22"

# Array of ports to be forwarded:
# 
# Example: Forward port 3307, listening on 127.0.0.1 on the remote side, to
# 127.0.0.1 port 3306 on the local side. Forward port 8081, listening on
# 127.0.0.1 on the local side, to 10.100.1.60 port 80 on the remote side.
#
ForwardPort=(
    "R 127.0.0.1:3307:127.0.0.1:3306"
    "L 127.0.0.1:8081:10.100.1.60:80"
)
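The init script only checks that each variable is non-empty and that each ForwardPort entry parses; it does not look at what the entries say. The bash function below is an added pre-flight check, not part of the original post or of the init script, and its name and messages are this example's own. It sources a config file in a subshell, applies the same required-variable list and the same ForwardPort grammar the script uses, and then flags the two settings worth a second look before a tunnel goes into production: StrictHostKeyChecking set to "no", and a forward whose listen address is not loopback (ssh treats an empty bind address or "*" as "all interfaces", so the tunnel endpoint becomes reachable from the network; a non-loopback bind on the remote side additionally needs sshd's GatewayPorts). The example config above trips the StrictHostKeyChecking warning on purpose.

```shell
#!/bin/bash
# Added example: lint an /etc/autossh/ config file before starting it.
# Not part of the original init script; the function name and messages
# are this example's own. Exit status 0 means clean, 1 means problems
# were printed. Bash is required because the configs use bash arrays.

lint_autossh_config() {
	local config="$1"
	[ -f "$config" ] || { echo "ERROR: $config missing"; return 1; }
	# "." searches PATH for a bare filename; force a path relative to cwd
	case "$config" in */*) ;; *) config="./$config" ;; esac

	# Source the config in a subshell so its variables (and anything else
	# it does) stay out of the caller's environment. The subshell's exit
	# status becomes the function's return value.
	(
		. "$config" || exit 1
		rc=0

		# Same required-variable list as the init script; ${!var} is bash
		# indirect expansion (the value of the variable named by $var).
		for var in ServerAliveInterval ServerAliveCountMax StrictHostKeyChecking \
			   LocalUser IdentityFile RemoteUser RemoteHost RemotePort
		do
			[ -z "${!var}" ] && { echo "ERROR: $var is empty"; rc=1; }
		done

		# "no" accepts and records whatever host key the peer presents on
		# first contact, so a man-in-the-middle at that point goes unnoticed.
		case "$StrictHostKeyChecking" in
			[Nn][Oo]) echo "WARN: StrictHostKeyChecking=no disables host key verification"; rc=1 ;;
		esac

		[ "${#ForwardPort[@]}" -eq 0 ] && { echo "ERROR: ForwardPort array empty"; rc=1; }

		for fwd in "${ForwardPort[@]}"
		do
			# Same grammar the init script accepts: "D bind:port", or
			# "R/L bind:port:host:hostport" (the bind address is mandatory).
			case "$fwd" in
				D\ *:*|R\ *:*:*:*|L\ *:*:*:*) ;;
				*) echo "ERROR: '$fwd' format unknown"; rc=1; continue ;;
			esac
			kind=${fwd%% *}        # D, R or L
			spec=${fwd#* }         # everything after the type letter
			case "$spec" in
				\[*\]:*) bind=${spec%%]*}; bind=${bind#\[} ;;   # bracketed IPv6
				*)       bind=${spec%%:*} ;;
			esac
			# ssh treats an empty bind address or "*" as "all interfaces".
			# For -R the remote bind is also subject to sshd's GatewayPorts.
			case "$bind" in
				127.*|localhost|::1) ;;
				""|"*"|0.0.0.0|::) echo "WARN: -$kind listens on all interfaces (bind address '$bind')"; rc=1 ;;
				*) echo "WARN: -$kind listens on '$bind', which is not loopback"; rc=1 ;;
			esac
		done
		exit $rc
	)
}
```

Run it as `lint_autossh_config /etc/autossh/dbhost1` before `/etc/init.d/autossh start dbhost1`; a non-zero exit with the printed findings is the signal to fix the config first.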

The /etc/init.d/autossh script was written for CentOS, but should work, with little or no modification, on most rpm-based distributions that provide the /etc/init.d/functions library. You will probably want to add the script to your startup / shutdown process with `chkconfig --add autossh`; executing the script without any parameters prints a short usage message.

$ /etc/init.d/autossh
Usage: /etc/init.d/autossh {start|stop|restart|status} {config names...}

#!/bin/bash
#
# autossh	Startup script for autossh

# chkconfig: 2345 25 40
# description: Maintain persistent SSH tunnels
# processname: autossh
# pidfile: /var/run/autossh.pid

# Copyright 2012 - Jean-Sebastien Morisset - https://surniaulula.com/
#
# https://surniaulula.com/2012/12/10/autossh-startup-script-for-multiple-tunnels/
#
# This script is free software; you can redistribute it and/or modify it under
# the terms of the GNU General Public License as published by the Free Software
# Foundation; either version 3 of the License, or (at your option) any later
# version.
#
# This script is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
# details at http://www.gnu.org/licenses/.

# Changelog:
#
# 2013/06/21 - Reset the $forward_list variable at the start() to prevent the
# accumulation of ports for each config loop. Also added support for socks
# proxies. Thanks to Chris for pointing out the issue in the comments.

# Source function library
. /etc/init.d/functions

RETVAL=0
prog="autossh"
autossh="/usr/bin/autossh"

[ ! -d /var/run/$prog ] && mkdir -p /var/run/$prog

start() {
	config="$1"
	cfname=`basename $config`
	forward_list=""

	# make sure we have a config file
	if [ ! -f "$config" ]
	then
		failure
		echo "$prog $cfname: $config missing"
		return 1
	fi

	. $config

	# make sure all variables have been defined in config
	# (${!var} is bash indirect expansion: the value of the variable named by $var)
	for var in \
		ServerAliveInterval ServerAliveCountMax StrictHostKeyChecking \
		LocalUser IdentityFile RemoteUser RemoteHost RemotePort
	do
		if [ -z "${!var}" ]
		then
			failure
			echo "$prog $cfname: $var variable empty"
			return 1
		fi
	done

	if [ ${#ForwardPort[*]} -eq 0 ]
	then
		failure
		echo "$prog $cfname: ForwardPort array empty"
		return 1
	fi

	for fwd in "${ForwardPort[@]}"
	do
		case "$fwd" in
		D\ *:*|R\ *:*:*:*|L\ *:*:*:*) forward_list+="-$fwd " ;;
		*)	failure
			echo "$prog $cfname: $fwd format unknown"
			return 1
			;;
		esac
	done

	# define the pidfile variable for autossh (written by autossh)
	# don't start another instance while the recorded pid is still alive;
	# a stale pidfile left by an unclean shutdown is removed instead
	AUTOSSH_PIDFILE="/var/run/$prog/$cfname.pid"
	if [ -e $AUTOSSH_PIDFILE ]
	then
		if [ -s $AUTOSSH_PIDFILE ] && checkpid `cat $AUTOSSH_PIDFILE`
		then
			failure
			echo "$prog $cfname: $AUTOSSH_PIDFILE already exists"
			return 1
		fi
		rm -f $AUTOSSH_PIDFILE
	fi

	echo -n "Starting $prog $cfname: "

	# before switching-users, make sure pidfile is created and user has write permission
	touch $AUTOSSH_PIDFILE
	chown $LocalUser $AUTOSSH_PIDFILE

	# start autossh as the user defined in the config file
	# the pidfile must be re-defined in the new environment
	# AUTOSSH_PORT=0 disables autossh's own monitor port; the ServerAlive*
	# options make ssh itself notice a dead peer and exit, and autossh restarts it
	su - $LocalUser -c "
		AUTOSSH_PIDFILE=$AUTOSSH_PIDFILE;
		AUTOSSH_PORT=0;
		export AUTOSSH_PIDFILE AUTOSSH_PORT;
		$autossh -q -N -p $RemotePort \
		-i $IdentityFile \
		-o ServerAliveInterval=$ServerAliveInterval \
		-o ServerAliveCountMax=$ServerAliveCountMax \
		-o StrictHostKeyChecking=$StrictHostKeyChecking \
		$forward_list $RemoteUser@$RemoteHost -f;"

	# autossh -f forks into the background and su returns at once, so the
	# pid may not be in the file yet: the file was touched above and must
	# now become non-empty (an empty file would always pass a plain -f test)
	for i in 1 2 3 4 5 6 7 8 9 10
	do
		[ -s $AUTOSSH_PIDFILE ] && break
		sleep 0.5
	done
	if [ ! -s $AUTOSSH_PIDFILE ]
	then
		failure
		echo "`basename $AUTOSSH_PIDFILE` not written by $autossh"
		rm -f $AUTOSSH_PIDFILE
		return 1
	fi

	success
	echo
	touch /var/lock/subsys/$prog
}

stop() {
	config="$1"
	# if no config names (on the command-line), stop all autossh processes
	if [ -z "$config" ]
	then
		echo -n "Stopping all $prog: "
		killproc $autossh
		RETVAL=$?
		echo
		if [ $RETVAL -eq 0 ]
		then
			rm -f /var/lock/subsys/$prog
			rm -f /var/run/$prog/*.pid
		fi
	else
		cfname="`basename $config`"
		pidfile="/var/run/$prog/$cfname.pid"
		if [ ! -f $pidfile ]
		then
			failure
			echo "$prog $cfname: $pidfile missing"
			return 1
		else
			echo -n $"Stopping $prog $cfname: "
			killproc -p "$pidfile" "$prog $cfname"
			RETVAL=$?
			echo
			[ $RETVAL -eq 0 ] && rm -f "$pidfile"
		fi
	fi
	return $RETVAL
}

# save the action name, and shift the command-line array
# all remaining command-line arguments could be config names
action="$1"
shift

case "$action" in
start)
	if [ -z "$1" ]
	then
		# if no config names on the command-line, start all /etc/autossh/ configs found
		for config in /etc/$prog/*
		do $action $config || RETVAL=1; done
	else
		# start only the config files specified on the command-line
		for cfname in "$@"
		do $action /etc/$prog/$cfname || RETVAL=1; done
	fi
	;;
stop)
	if [ -z "$1" ]
	then
		# if no config names on the command-line, stop all autossh processes
		$action
	else
		# stop only the config files specified on the command-line
		for cfname in "$@"
		do $action /etc/$prog/$cfname || RETVAL=1; done
	fi
	;;
restart)
	# re-execute this script, with the stop and start action names instead
	$0 stop "$@"
	$0 start "$@"
	;;
status)
	if [ -z "$1" ]
	then
		# if no config names on the command-line, show all autossh pids
		status $autossh
		RETVAL=$?
	else
		# only show the status of config files specified on the command-line
		for cfname in "$@"
		do
			config="/etc/$prog/$cfname"
			# if the config file is missing, echo an error message
			if [ -f $config ]
			then
				cfname="`basename $config`"
				pidfile="/var/run/$prog/$cfname.pid"
				# if the pidfile is missing, echo an error message
				if [ -f $pidfile ]
				then
					status -p "$pidfile" "$prog $cfname"
					RETVAL=$?
				else
					echo "$pidfile missing"
					RETVAL=1
				fi
			else
				echo "$config missing"
				RETVAL=1
			fi
		done
	fi
	;;
*)
	echo "Usage: $0 {start|stop|restart|status} {config names...}"
	RETVAL=1
	;;
esac
exit $RETVAL

You can download the autossh script here.
