Open tunnel

You will use secure tunneling to ssh into your EC2 instance. On your source device you will use the port 2333 for the ssh connection.

Subscribe to cmd/sectunnel/# in the AWS IoT Core console

In a Cloud9 terminal:

Change to the directory where everything is installed to use secure tunneling

cd ~/secure-tunneling

Create a tunnel and publish the CAT to the shadow of the listener agent

./ -e localhost:22 -p 2333 \
	--local-proxy ./localproxy_amzn_x86_64 \
	--region-iot $REGION \
	--region-tun $REGION \
	-t '$aws/things/tunneling-listener-agent/shadow/update' -l 60

Meaning of the commandline parameters:

  • -e localhost:22 the endpoint where the tunnel on the target device should connect to. In this case the ssh daemon running on localhost
  • -p 2333 the port on the source device to access the tunnel
  • --local-proxy ./localproxy_amzn_x86_64 the local proxy to use. That makes the tunnel-manger written in Python easy to use on different system architectures or operating systems
  • --region-iot $REGION AWS region where your listener agent is connected to
  • --region-tun $REGION AWS region where you want to create the tunnel. The tunnel manager allows it to use a tunnel in another region than the listener agent is connected to.
  • -t '$aws/things/tunneling-listener-agent/shadow/update' topic where the tunnel-manger should publish the CAT and endpoint for the listener agent
  • -l 60 duration for tunnel in minutes

When you encounter an error like “error opening tunnel: An error occurred (ForbiddenException) when calling the Publish operation: The security token included in the request is invalid” you didn’t disable the AWS managed temporary credentials for your AWS Cloud9 environment. Fix it

When the tunnel manager starts it produces several logging statements. From the loggings you can find the id of the tunnel that has been created. You should find a statement that looks similar to:

...INFO: - <module>: calling open_tunnel
response: {'tunnelId': '4acbbbce-565e-45e2-8b5e-9841e0ab07a3',...

Verify that the tunnel has been created in another terminal:

aws iotsecuretunneling list-tunnels

In the output of this command you should find a tunnel id that matches the tunnel id from your tunnel manager loggings:

    "tunnelSummaries": [
            "tunnelId": "4acbbbce-565e-45e2-8b5e-9841e0ab07a3",...

Look at shadow from device tunnel-listener-agent

aws iot-data get-thing-shadow --thing-name tunneling-listener-agent tunneling-listener-agent-shadow.json

jq '' tunneling-listener-agent-shadow.json

The shadow should have a reported state the tunnel start has been initiated.

Look at the messages published to cmd/sectunnel/#. You should find information about the tunnel on your destination device.