[Feature] Add ability to set up a reverse SSH tunnel to stream RTSP

[ad-on-is]

I can't believe what I just accomplished, and I'm so proud to share with you guys.

I searched for a way for the yicam to push its RTSP stream to frigate instead of frigate pulling from the cam.

After days of headache and asking claudeai and chatgpt, and a bit of googling, I finally found the solution, which was simple, but hard enough for someone with limited networking knowledge.

/This will allow you to place the yicam in your parents house in one city, and publish its RTSP stream to your self-hosted frigate server elsewhere.

So, first of all, the cam needs a loopback network interface with 127.0.0.1 as IP.

ifconfig lo 127.0.0.1 && ifconfig lo up

Finally, with an ssh reverse tunnel, the RTSP stream can be forwarded to any machine.

ssh -NR 7554:0.0.0.0:554 user@200.100.100.100 (or any IP that the yicam has access to)

The machine that accepts the tunnel, needs the following config in /etc/ssh/sshd_config

GatewayPorts yes
PermitTunnel yes
AllowTcpForwarding yes

While this might sound like a security desaster at first, I think it can be accomplished with some strongly restricted docker-containers that expose the SSH port publicly.

I was thinking, that maybe this could be implemented in the next version of yi-hack, where the loopback device is created automatically, while the SSH address can be configured via UI.

[ad-on-is]

@alienatedsec With some help of claude.ai, I managed to write a hopefully bullet-proof bash script, for the tunnel.

It uses SSH to create a reverse-tunnel to example.com on port 2222, exposing port 554 to 10001.
In frigate, I then can use rtsp://example.com:10001 to view the camera stream. Basically an alternative to the yi-cloud.

I was thinking, maybe there could be a setting in the UI, to expose rtsp (554), web (80) and ssh (22) this way, so the camera is accessible from everywhere outside the network.

I've already tested it with Frigate NVR and it works flawlessly.

Usage

nohup /tmp/sd/yi-hack-v5/start-tunnel.sh -h user@example.com -p 2222 -l 554 -t 10001

start-tunnel.sh

#!/bin/sh

# Default configuration
REMOTE_HOST=""
REMOTE_PORT=22
LOCAL_PORT=3000
TUNNEL_PORT=8080
CHECK_INTERVAL=60  # Check every 60 seconds
TIMEOUT=10  # Timeout for connection checks (in seconds)
MAX_RETRIES=5  # Maximum number of consecutive failed attempts
BACKOFF_TIME=300  # Time to wait after max retries (5 minutes)
LOG_FILE="/tmp/sd/yi-hack-v5/reverse_tunnel.log"  # Log file path

# Function to display usage information
usage() {
    echo "Usage: $0 -h <username@host> [-p <remote_port>] [-l <local_port>] [-t <tunnel_port>]"
    echo "  -h : Remote host in the format username@host (required)"
    echo "  -p : Remote port (default: 22)"
    echo "  -l : Local port to forward (default: 3000)"
    echo "  -t : Tunnel port on remote host (default: 8080)"
    echo "  -i : Check interval in seconds (default: 60)"
    echo "  -f : Log file path (default: /var/log/reverse_tunnel.log)"
    exit 1
}

# Parse command-line options
while getopts "h:p:l:t:i:f:" opt; do
    case $opt in
        h) REMOTE_HOST="$OPTARG" ;;
        p) REMOTE_PORT="$OPTARG" ;;
        l) LOCAL_PORT="$OPTARG" ;;
        t) TUNNEL_PORT="$OPTARG" ;;
        i) CHECK_INTERVAL="$OPTARG" ;;
        f) LOG_FILE="$OPTARG" ;;
        *) usage ;;
    esac
done

# Check if required parameters are provided
if [ -z "$REMOTE_HOST" ]; then
    echo "Error: Remote host is required."
    usage
fi

# Extract hostname from REMOTE_HOST
REMOTE_HOSTNAME=$(echo "$REMOTE_HOST" | cut -d '@' -f2)

# Function to log messages
log_message() {
    echo "$(date '+%Y-%m-%d %H:%M:%S') - $1" >> "$LOG_FILE"
    echo "$1"
}

# Function to create the SSH reverse tunnel
create_tunnel() {
    ssh -f -y -N -R *:${TUNNEL_PORT}:0.0.0.0:${LOCAL_PORT} -p ${REMOTE_PORT} \
        -o ExitOnForwardFailure=yes \
         ${REMOTE_HOST}
    if [ $? -eq 0 ]; then
        log_message "Tunnel started successfully."
        return 0
    else
        log_message "Failed to start tunnel."
        return 1
    fi
}

# Function to check if the tunnel is active
check_tunnel() {
    ps | grep "ssh.*${REMOTE_HOST}.*${TUNNEL_PORT}:0.0.0.0:${LOCAL_PORT}" | grep -v grep > /dev/null
    return $?
}

# Function to check server reachability (using ping)
check_server() {
    if ping -c 1 -W ${TIMEOUT} ${REMOTE_HOSTNAME} > /dev/null 2>&1; then
        return 0
    else
        return 1
    fi
}

# Function to ensure only one instance is running
ensure_single_instance() {
    SCRIPT_NAME=$(basename "$0")
    if pidof "$SCRIPT_NAME" | grep -v $$ >/dev/null; then
        log_message "An instance of $SCRIPT_NAME is already running. Exiting."
        exit 1
    fi
}

# Function to kill the SSH process
kill_ssh_process() {
    local pid=$(ps | grep "ssh.*${REMOTE_HOST}.*${TUNNEL_PORT}:0.0.0.0:${LOCAL_PORT}" | grep -v grep | awk '{print $1}')
    if [ ! -z "$pid" ]; then
        kill $pid
        log_message "Killed SSH process with PID $pid"
    else
        log_message "No matching SSH process found to kill"
    fi
}

# Trap to handle script termination
cleanup() {
    log_message "Script is terminating. Cleaning up..."
    kill_ssh_process
    exit 0
}

# Set up trap
trap cleanup SIGINT SIGTERM

# Ensure single instance
ensure_single_instance

# Log the configuration
log_message "Starting tunnel with configuration:"
log_message "Remote Host: $REMOTE_HOST"
log_message "Remote Hostname: $REMOTE_HOSTNAME"
log_message "Remote Port: $REMOTE_PORT"
log_message "Local Port: $LOCAL_PORT"
log_message "Tunnel Port: $TUNNEL_PORT"
log_message "Check Interval: $CHECK_INTERVAL seconds"
log_message "Log File: $LOG_FILE"

# Main loop
retry_count=0
while true; do
    if ! check_server; then
        log_message "Remote server is unreachable. Waiting before retry..."
        sleep ${CHECK_INTERVAL}
        ((retry_count++))
        if [ $retry_count -ge $MAX_RETRIES ]; then
            log_message "Max retries reached. Backing off for ${BACKOFF_TIME} seconds."
            sleep ${BACKOFF_TIME}
            retry_count=0
        fi
        continue
    fi

    if ! check_tunnel; then
        log_message "Tunnel is not active. Starting SSH reverse tunnel..."
        if create_tunnel; then
            retry_count=0
        else
            ((retry_count++))
            if [ $retry_count -ge $MAX_RETRIES ]; then
                log_message "Max retries reached. Backing off for ${BACKOFF_TIME} seconds."
                sleep ${BACKOFF_TIME}
                retry_count=0
            fi
        fi
    else
        log_message "Tunnel is active."
        retry_count=0
    fi

    sleep ${CHECK_INTERVAL}
done