Permanent "whole house WLAN VPN", including reconnect upon SSH failure


Endre Stølsvik

Nov 16, 2016, 3:42:45 AM
to sshuttle
Hi!

Man, I love this tool! Never heard about it, but when I started researching my new little project, it immediately surfaced! Really, really cool!

What I'm setting up is a Raspberry Pi 3 as a WLAN access point, where all clients that want to appear as coming from the remote IP address only need to connect to that special AP.

With sshuttle, this went really smoothly! I just followed the AP guide at https://frillip.com/using-your-raspberry-pi-3-as-a-wifi-access-point-with-hostapd/, started sshuttle with the "-l 0.0.0.0:0" option, enabled IP kernel forwarding (NOT needing the extra iptables entries from the mentioned blog post!), and that was it! Wow.

However, I wonder what the recommended setup is for a "permanent VPN" that comes up when this Raspi VPN AP boots. I guess it needs to be started as a service (init.d?). Or maybe from cron; refer to my next point about reconnects? Also, the SSH keys must be open and specified. I also guess we should start ssh with "keep-alive" packets, to avoid any stateful element along the way tearing down the TCP connection.

Is there a recommended way for such a permanent setup, or a recommended guide?

But the important point is this: can sshuttle itself reconnect if it determines that the SSH connection has gone down? Or is there some other smart way to accomplish this? I was thinking about making a watchdog thing that sends a request once per minute and, if that didn't go through for e.g. 5 minutes, restarted sshuttle.

But such a setup always requires lots of tweaking to get right, I feel. One must watch out for starting hundreds of instances (thus kill any existing one upon restart), do some sane logging to enable debugging, etc. So if this could be handled by the tool itself, that would be kick-ass.

Ideas?

Thanks a bunch for this tool, and for any replies! ;-)
Endre.
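One way to build the watchdog described in the post above (start at boot, probe once a minute, restart sshuttle after five straight failures, never run two instances, log what happens), as an added example that is not part of the original thread and not sshuttle's own code. It assumes the Pi routes everything (0.0.0.0/0) through the tunnel, that the remote host vpnuser@vpn.example.invalid, the key path and the probe URL are placeholders you replace with your own, and that flock(1) from util-linux is installed; the sshuttle flags used (-r, -l, --ssh-cmd) are real, the rest is the example's own.

```sh
#!/bin/sh
# Added example (not from the thread, not part of sshuttle): a watchdog that keeps
# a sshuttle "whole house" tunnel up, restarts it when ssh dies or a probe fails,
# refuses to run twice, and logs what it does. Remote host, key path and probe
# target below are placeholders; adjust them to your own setup.

REMOTE=${REMOTE:-vpnuser@vpn.example.invalid}     # placeholder: your SSH server
KEY=${KEY:-/home/pi/.ssh/vpn_key}                 # placeholder: passphrase-less key for unattended use
LISTEN=${LISTEN:-0.0.0.0:0}                       # as in the post: accept forwarded LAN clients, not just localhost
LOCKFILE=${LOCKFILE:-/run/sshuttle-vpn.lock}
LOG=${LOG:-/var/log/sshuttle-vpn.log}
PROBE_CMD=${PROBE_CMD:-curl -fsS --max-time 10 https://example.invalid/}  # placeholder probe through the tunnel
CHECK_INTERVAL=${CHECK_INTERVAL:-60}              # seconds between probes ("once per minute")
MAX_FAILURES=${MAX_FAILURES:-5}                   # consecutive failures before a restart ("for e.g. 5 minutes")

log() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG"
}

# Command line for sshuttle. ServerAliveInterval/CountMax make ssh notice a silently
# dropped TCP session within ~90 s and exit, which takes sshuttle down with it, so
# the watchdog sees a dead process instead of a hung tunnel. BatchMode stops ssh
# from ever blocking on a password or host-key prompt when nobody is at the console.
build_cmd() {
    printf 'sshuttle -r %s -l %s --ssh-cmd "ssh -i %s -o BatchMode=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3" 0.0.0.0/0' \
        "$REMOTE" "$LISTEN" "$KEY"
}

# next_failure_count CURRENT PROBE_EXIT_STATUS -> prints the new consecutive-failure count
next_failure_count() {
    if [ "$2" -eq 0 ]; then echo 0; else echo $(( $1 + 1 )); fi
}

# should_restart FAILURES MAX -> exit status 0 when a restart is due
should_restart() {
    [ "$1" -ge "$2" ]
}

start_tunnel() {
    log "starting: $(build_cmd)"
    # exec so that $! is sshuttle itself (it removes its iptables rules on SIGTERM)
    sh -c "exec $(build_cmd)" &
    TUNNEL_PID=$!
}

stop_tunnel() {
    if [ -n "${TUNNEL_PID:-}" ] && kill -0 "$TUNNEL_PID" 2>/dev/null; then
        log "stopping sshuttle pid $TUNNEL_PID"
        kill "$TUNNEL_PID"
        wait "$TUNNEL_PID" 2>/dev/null
    fi
    TUNNEL_PID=
}

run_watchdog() {
    # flock(1) guarantees one watchdog, and therefore one sshuttle, per host
    exec 9>"$LOCKFILE"
    flock -n 9 || { log "another watchdog holds $LOCKFILE, exiting"; exit 1; }
    trap 'stop_tunnel; exit 0' INT TERM
    failures=0
    start_tunnel
    while :; do
        sleep "$CHECK_INTERVAL"          # also rate-limits restarts to one per interval
        if ! kill -0 "$TUNNEL_PID" 2>/dev/null; then
            log "sshuttle exited, restarting"
            start_tunnel; failures=0
            continue
        fi
        if sh -c "$PROBE_CMD" >/dev/null 2>&1; then rc=0; else rc=1; fi
        failures=$(next_failure_count "$failures" "$rc")
        if should_restart "$failures" "$MAX_FAILURES"; then
            log "probe failed $failures times in a row, restarting sshuttle"
            stop_tunnel; start_tunnel; failures=0
        fi
    done
}

# Run as root (sshuttle has to program iptables): ./sshuttle-watchdog.sh run
case "${1:-}" in run) run_watchdog ;; esac
```

The keep-alive options do most of the work: with them a silently dropped session makes ssh exit on its own, sshuttle follows, and the loop restarts it; the probe only catches the rarer case where ssh is still up but nothing flows. Start it from a boot script with the run argument; a systemd unit with Restart=always, or a supervisord program entry, can take over the "process exited" branch and the logging, but not the probe.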

flash...@gmail.com

May 22, 2017, 10:27:13 AM
to sshuttle
Endre, did you develop a watchdog thing? I had a similar need and went with a supervisord-based thing (no-YOU-talk-to-the-hand). supervisord buys you some logging, keep-alive and RPC features that you might find useful, as I did.