/install sshtunnel
SSH Tunnel - Remote SSH Access via SSH-over-TLS
When to Use
Use this skill when:
- You need to access a remote machine via SSH that is behind NAT, firewall, or a private network
- You want to expose a local SSH server so a colleague or client can connect remotely
- You are running SSH in a container or VM that has no public IP and need to make it reachable
- You want to provide temporary SSH access for pair programming, debugging, or server maintenance
- You need to connect to a development machine from another location without VPN or port forwarding
- Multiple users each need their own SSH endpoint on the same server port
Do NOT use this skill when:
- The SSH server already has a public IP and is directly reachable
- You only need to transfer files (use sendfile instead)
- You want to expose an HTTP service (use aitun-tunnel instead)
Instructions
Step 1: Install aitun
```bash
pip install aitun
```
Or verify it is already installed:
```bash
which aitun || pip show aitun
```
Step 2: Ensure SSH server is running locally
Verify the local SSH daemon is running and accessible:
```bash
# Check if sshd is running (the bracket keeps grep from matching itself)
ps aux | grep '[s]shd'
# Or check if port 22 is listening
ss -tlnp | grep :22
# Test local SSH connection
ssh localhost echo "SSH OK"
```
If sshd is not running, install and start it:
```bash
# Ubuntu/Debian (the systemd unit is named "ssh")
sudo apt install openssh-server -y
sudo systemctl start ssh
# CentOS/RHEL
sudo yum install openssh-server -y
sudo systemctl start sshd
# macOS (usually pre-installed)
sudo systemsetup -setremotelogin on
```
Step 3: Create a TCP tunnel for SSH
SSH uses TCP port 22. Use aitun's --tcp-ports flag to forward this port. TCP forwarding requires an auth token (register at https://aitun.cc):
```bash
aitun -p 22 --tcp-ports 22 -k YOUR_TOKEN &
AITUN_PID=$!
sleep 3
```
The output will show:
```
[TCP] ssh -> localhost:22 (subdomain: yourname.t.aitun.cc:22)
```
Step 4: Configure SSH ProxyCommand
On the remote client machine (the one connecting TO your SSH server), add this to ~/.ssh/config:
```
Host *.t.aitun.cc
    ProxyCommand aitun ssh-proxy %h %p
```
This tells SSH to route connections through aitun ssh-proxy, which wraps SSH in TLS with the correct SNI for subdomain routing.
Step 5: Connect remotely
From any machine with aitun installed:
```bash
# Direct SSH, just like a normal server!
ssh username@yourname.t.aitun.cc
# With SSH key
ssh -i ~/.ssh/id_rsa username@yourname.t.aitun.cc
# With verbose output for debugging
ssh -v username@yourname.t.aitun.cc
```
Step 6: Clean up
When done, stop the tunnel:
```bash
kill $AITUN_PID 2>/dev/null
```
How SSH-over-TLS Works
aitun v4.7.0 uses SSH-over-TLS for perfect multi-tenant SSH on shared ports:
```
ssh username@acer.t.aitun.cc
    ↓
ProxyCommand: aitun ssh-proxy wraps SSH in TLS (SNI=acer.t.aitun.cc)
    ↓
Server terminates TLS, sees SNI → routes to "acer" tunnel
    ↓
Decrypted SSH stream → tunnel client → localhost:22
```
Why TLS? Plain SSH (SSH not wrapped in TLS) doesn't send hostname information, so without TLS there's no way to tell which subdomain an SSH connection is targeting. Wrapping SSH in TLS adds SNI (Server Name Indication), which tells the server exactly which subdomain to route to.
Result: Every subdomain can have its own SSH on port 22 — no conflicts, no ambiguity, no --tcp-default needed.
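The SNI routing step described above, as an added example (not aitun's own code): it parses the SNI out of a TLS ClientHello and maps it to a tunnel name, and shows that a raw SSH banner gives the server nothing to route on. The function names `client_hello_for`, `extract_sni` and `route` are hypothetical, the ClientHello is assumed to fit in one TLS record, and the sample inputs are constructed in memory.

```python
import ssl
import struct

SUFFIX = ".t.aitun.cc"  # subdomain suffix shown on this page


def client_hello_for(hostname):
    """Constructed input: a real ClientHello built in memory, no network."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: client now waits for the ServerHello
    return outgoing.read()


def extract_sni(data):
    """Return the SNI host name from a TLS ClientHello record, else None."""
    # 5-byte record header (type 0x16) + 4-byte handshake header (type 0x01)
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        return None
    try:
        pos = 9 + 2 + 32                                   # version + random
        pos += 1 + data[pos]                               # session_id
        pos += 2 + struct.unpack_from("!H", data, pos)[0]  # cipher_suites
        pos += 1 + data[pos]                               # compression
        end = pos + 2 + struct.unpack_from("!H", data, pos)[0]
        pos += 2
        while pos + 4 <= min(end, len(data)):
            ext_type, ext_len = struct.unpack_from("!HH", data, pos)
            pos += 4
            if ext_type == 0:  # server_name extension
                # list_len(2) + name_type(1) + name_len(2) + host name
                name_len = struct.unpack_from("!H", data, pos + 3)[0]
                return data[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass  # truncated or malformed hello: treat as "no SNI"
    return None


def route(first_bytes):
    """Map a connection's first bytes to a tunnel name (hypothetical router)."""
    sni = extract_sni(first_bytes)
    if sni is None or not sni.endswith(SUFFIX):
        return None  # raw SSH banner or foreign host: nothing to route on
    return sni[:-len(SUFFIX)]
```

Calling `route(client_hello_for("acer.t.aitun.cc"))` yields the tunnel name, while the first bytes of a plain SSH connection (a banner such as `SSH-2.0-OpenSSH_9.6`) yield `None`.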
Advanced Usage
Forward Multiple Ports (SSH + MySQL)
```bash
aitun -p 22 --tcp-ports 22,3306 -k YOUR_TOKEN &
AITUN_PID=$!
sleep 3
```
SSH into a Container
```bash
# If SSH is running in a Docker container on a non-standard port
aitun -p 2222 --tcp-ports 2222 -k YOUR_TOKEN &
# Then connect (add port to ssh config):
ssh -p 2222 username@yourname.t.aitun.cc
```
Use with SSH Config (Recommended)
Add to ~/.ssh/config on the remote client:
```
Host *.t.aitun.cc
    ProxyCommand aitun ssh-proxy %h %p

Host my-remote-dev
    HostName yourname.t.aitun.cc
    User username
    IdentityFile ~/.ssh/id_rsa
```
Then simply:
```bash
ssh my-remote-dev
```
One-off SSH without Config
If you don't want to modify ssh config:
```bash
ssh -o "ProxyCommand=aitun ssh-proxy %h %p" username@yourname.t.aitun.cc
```
CLI Reference
The aitun command (installed via pip install aitun) accepts these flags:
| Flag | Description |
|---|---|
| `-p PORT` | Local service port (default: 8080) |
| `-k TOKEN` | Auth token for registered subdomain (required for TCP forwarding) |
| `--host HOST` | Local service address (default: localhost) |
| `--tcp-ports PORTS` | TCP forwarding ports, comma-separated (e.g., 22,3306; requires -k) |
| `--p2p` | Enable P2P direct connection (default: enabled) |
| `--no-p2p` | Disable P2P, force server relay mode |
| `--daemon` | Run as background daemon |
| `--stop` | Stop running daemon |
Subcommand:
| Command | Description |
|---|---|
| `aitun ssh-proxy <host> [port]` | SSH ProxyCommand: wraps SSH in TLS for SNI routing |
Notes
- TCP forwarding (required for SSH) requires a registered account and `-k` token; free tunnels do not support TCP
- Register at https://aitun.cc to get an auth token
- All traffic is encrypted end-to-end: SSH inside TLS inside the aitun tunnel. The TLS layer is terminated at the aitun server (see How SSH-over-TLS Works), so it is SSH's own encryption and host key verification that protect the session between the client and sshd
- ProxyCommand is required: plaintext SSH is not supported. Add `ProxyCommand aitun ssh-proxy %h %p` to your `~/.ssh/config`
- If the requested port (e.g., 22) is occupied on the server, a port from the 7000-7999 range will be automatically assigned
- P2P mode reduces latency for SSH sessions; use `--no-p2p` only if P2P connection fails
- For security, ensure your SSH server uses key-based authentication (disable password auth if possible)
- Consider using fail2ban or similar tools to protect against brute-force attacks on your SSH server
- The tunnel stays active as long as the aitun process runs; use `--daemon` for persistent background operation
- Subdomains remain active for 30 days of inactivity; use heartbeat to renew

- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: `/install sshtunnel`
- After installation, invoke the skill by name or use `/sshtunnel`
- Provide required inputs per the skill's parameter spec and get structured output
What is Sshtunnel?
Expose local SSH servers to the public internet via aitun TCP tunnel with SSH-over-TLS routing. Each subdomain gets its own SSH endpoint on port 22 with perf... It is an AI Agent Skill for Claude Code / OpenClaw, with 54 downloads so far.
How do I install Sshtunnel?
Run "/install sshtunnel" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Sshtunnel free?
Yes, Sshtunnel is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Sshtunnel support?
Sshtunnel is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Sshtunnel?
It is built and maintained by SamAI.cc (@ctz168); the current version is v4.7.0.