

# Open a tunnel and start SSH session to remote device
<a name="secure-tunneling-tutorial-open-tunnel"></a>

In these tutorials, you'll learn how to remotely access a device that's behind a firewall. You can't start a direct SSH session into the device because the firewall blocks all inbound traffic. The tutorials show you how you can open a tunnel and then use that tunnel to start an SSH session to a remote device.

## Prerequisites for the tutorials
<a name="tunneling-tutorial-prerequisites"></a>

The prerequisites for running the tutorial can vary depending on whether you use the manual or quick setup methods for opening a tunnel and accessing the remote device. 

**Note**  
For both setup methods, you must allow outbound traffic on port 443. 
+ For information about prerequisites for the quick setup method tutorial, see [Prerequisites for quick setup method](tunneling-tutorial-quick-setup.md#tunneling-tutorial-quick-prerequisites).
+ For information about prerequisites for the manual setup method tutorial, see [Prerequisites for manual setup method](tunneling-tutorial-manual-setup.md#tunneling-tutorial-manual-prerequisites). If you use this setup method, you must configure the local proxy on your source device. To download the local proxy source code, see [Local proxy reference implementation on GitHub](https://github.com/aws-samples/aws-iot-securetunneling-localproxy).

## Tunnel setup methods
<a name="tunneling-tutorial-setup-methods"></a>

In these tutorials, you'll learn about the manual and quick setup methods for opening a tunnel and connecting to the remote device. The following table shows the difference between the setup methods. After you create the tunnel, you can use an in-browser command line interface to SSH into the remote device. If you misplace the tokens or the tunnel gets disconnected, you can send new access tokens to reconnect to the tunnel.


**Quick and manual setup methods**  

| Criteria | Quick setup | Manual setup | 
| --- | --- | --- | 
| Tunnel creation | Create a new tunnel with default, editable configurations. To access your remote device, you can only use SSH as the destination service. | Create a tunnel by manually specifying the tunnel configurations. You can use this method to connect to the remote device using services other than SSH. | 
| Access tokens | The destination access token will be automatically delivered to your device on the [reserved MQTT topic](https://docs.aws.amazon.com/iot/latest/developerguide/reserved-topics.html#reserved-topics-secure), if a thing name is specified when creating the tunnel. You don't have to download or manage the token on your source device. | You'll have to manually download and manage the token on your source device. The destination access token is automatically delivered to the remote device on the [reserved MQTT topic](https://docs.aws.amazon.com/iot/latest/developerguide/reserved-topics.html#reserved-topics-secure), if a thing name is specified when creating the tunnel.  | 
| Local proxy | A web-based local proxy is automatically configured for you for interacting with the device. You don't have to manually configure the local proxy. | You'll have to manually configure and launch the local proxy. To configure the local proxy, you can either use the AWS IoT Device Client or download the [Local proxy reference implementation on GitHub](https://github.com/aws-samples/aws-iot-securetunneling-localproxy). | 

## Tunnel creation methods in AWS IoT console
<a name="tunneling-tutorial-flows"></a>

The tutorials in this section show you how to create a tunnel using the AWS Management Console and the [OpenTunnel](https://docs.aws.amazon.com/iot/latest/apireference/) API. If you configure the destination when creating a tunnel, AWS IoT secure tunneling delivers the destination client access token to the remote device over MQTT on the reserved MQTT topic, `$aws/things/RemoteDeviceA/tunnels/notify`. On receiving the MQTT message, the IoT agent on the remote device starts the local proxy in destination mode. For more information, see [Reserved topics](reserved-topics.md).

**Note**  
You can omit the destination configuration if you want to deliver the destination client access token to the remote device through another method. For more information, see [Configuring a remote device and using IoT agent](configure-remote-device.md).
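The following sketch shows how a device agent can validate the notification described above before it starts the local proxy in destination mode. It is an added example, not the AWS IoT agent or code from this guide. The payload field names, the `-d` option, the `AWSIOT_TUNNEL_ACCESS_TOKEN` environment variable, and the `SERVICE_ENDPOINTS` policy are assumptions that this page does not show.

```python
import json
import os
import subprocess
from dataclasses import dataclass

# Constructed sample of a message received on
# $aws/things/RemoteDeviceA/tunnels/notify. Field names are an assumption
# (the page does not show the payload); the token is a placeholder.
SAMPLE_NOTIFY = json.dumps({
    "clientAccessToken": "<DESTINATION_ACCESS_TOKEN>",
    "clientMode": "destination",
    "region": "us-east-1",
    "services": ["SSH"],
}).encode()

# Hypothetical device policy: the only services this device exposes through a
# tunnel, each mapped to a loopback endpoint.
SERVICE_ENDPOINTS = {"ssh": "localhost:22"}


class NotifyRejected(ValueError):
    """Raised when a notification must not start a local proxy."""


@dataclass(frozen=True)
class ProxyLaunch:
    argv: tuple  # command line; never contains the token
    env: dict    # extra environment that carries the token


def plan_destination_proxy(payload, device_region, proxy_path="./localproxy"):
    """Validate a tunnel notification and return how to start localproxy."""
    try:
        msg = json.loads(payload)
    except ValueError as exc:  # JSONDecodeError and UnicodeDecodeError
        raise NotifyRejected("payload is not valid JSON") from exc
    if not isinstance(msg, dict):
        raise NotifyRejected("payload is not a JSON object")

    token = msg.get("clientAccessToken")
    if not isinstance(token, str) or not token:
        raise NotifyRejected("missing client access token")
    if msg.get("clientMode") != "destination":
        raise NotifyRejected("agent only accepts destination mode")
    if msg.get("region") != device_region:
        raise NotifyRejected("region differs from the device's Region")

    services = msg.get("services")
    if (not isinstance(services, list) or len(services) != 1
            or not isinstance(services[0], str)):
        raise NotifyRejected("expected exactly one service name")
    endpoint = SERVICE_ENDPOINTS.get(services[0].lower())
    if endpoint is None:
        raise NotifyRejected("service is not allowed on this device")

    # The region comes from device configuration, not from the message.
    argv = (proxy_path, "-r", device_region, "-d", endpoint)
    return ProxyLaunch(argv, {"AWSIOT_TUNNEL_ACCESS_TOKEN": token})


def start_proxy(launch):
    """Start localproxy with the single-use token kept out of the argv."""
    env = dict(os.environ, **launch.env)
    return subprocess.Popen(list(launch.argv), env=env,
                            stdin=subprocess.DEVNULL)
```

Passing the token through the environment keeps it out of the process list, and the allowlist prevents a notification from pointing the proxy at a service the device owner never meant to expose.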

In the AWS IoT console, you can create a tunnel using either of the following methods. For information about tutorials that will help you learn to create a tunnel using these methods, see [Tutorials in this section](secure-tunneling-tutorial.md#tunneling-tutorial-overview).
+ **[Tunnels hub](https://console.aws.amazon.com/iot/home#/tunnels)**  
  When you create the tunnel, you'll be able to specify whether to use the quick setup or the manual setup methods for creating the tunnel and provide the optional tunnel configuration details. The configuration details also include the name of the destination device and the service that you want to use for connecting to the device. After you create a tunnel, you can either SSH within the browser or open a terminal outside the AWS IoT console to access your remote device.
+ **Thing details page**  
  When you create the tunnel, you'll also be able to specify whether to use the most recent, open tunnel or create a new tunnel for the device, in addition to choosing the setup methods and providing any optional tunnel configuration details. You can't edit the configuration details of an existing tunnel. You can use the quick setup method to rotate the access tokens and SSH into the remote device within the browser. To open a tunnel using this method, you must have created an IoT thing (for example, `RemoteDeviceA`) in the AWS IoT registry. For more information, see [Register a device in the AWS IoT registry](https://docs.aws.amazon.com/iot/latest/developerguide/register-device.html).

**Topics**
+ [Prerequisites for the tutorials](#tunneling-tutorial-prerequisites)
+ [Tunnel setup methods](#tunneling-tutorial-setup-methods)
+ [Tunnel creation methods in AWS IoT console](#tunneling-tutorial-flows)
+ [Open a tunnel and use browser-based SSH to access remote device](tunneling-tutorial-quick-setup.md)
+ [Open a tunnel using manual setup and connect to remote device](tunneling-tutorial-manual-setup.md)

# Open a tunnel and use browser-based SSH to access remote device
<a name="tunneling-tutorial-quick-setup"></a>

You can use the quick setup or the manual setup method for creating a tunnel. This tutorial shows how to open a tunnel using the quick setup method and use the browser-based SSH to connect to the remote device. For an example that shows how to open a tunnel using the manual setup method, see [Open a tunnel using manual setup and connect to remote device](tunneling-tutorial-manual-setup.md).

Using the quick setup method, you can create a new tunnel with default configurations that can be edited. A web-based local proxy is configured for you and the access token is automatically delivered to your remote destination device using MQTT. After creating a tunnel, you can start interacting with your remote device using a command line interface within the console.

With the quick setup method, you must use SSH as the destination service to access the remote device. For more information about the different setup methods, see [Tunnel setup methods](secure-tunneling-tutorial-open-tunnel.md#tunneling-tutorial-setup-methods).

## Prerequisites for quick setup method
<a name="tunneling-tutorial-quick-prerequisites"></a>
+ The firewalls that the remote device is behind must allow outbound traffic on port 443. The tunnel that you create will use this port to connect to the remote device.
+ You have an IoT device agent (see [IoT agent snippet](configure-remote-device.md#agent-snippet)) running on the remote device that connects to the AWS IoT device gateway and is configured with an MQTT topic subscription. For more information, see [connect a device to the AWS IoT device gateway](https://docs.aws.amazon.com/iot/latest/developerguide/sdk-tutorials.html).
+ You must have an SSH daemon running on the remote device.

## Open a tunnel
<a name="open-tunnel-quick"></a>

You can open a secure tunnel using the AWS Management Console, the AWS IoT API, or the AWS CLI. You can optionally configure a destination name, but it's not required for this tutorial. If you configure the destination, secure tunneling will automatically deliver the access token to the remote device using MQTT. For more information, see [Tunnel creation methods in AWS IoT console](secure-tunneling-tutorial-open-tunnel.md#tunneling-tutorial-flows).

**To open a tunnel using the console**

1. Go to the [Tunnels hub of the AWS IoT console](https://console.aws.amazon.com/iot/home#/tunnels) and choose **Create tunnel**.  
![\[AWS IoT console showing an empty list of tunnels with options to create, close, or delete tunnels.\]](http://docs.aws.amazon.com/iot/latest/developerguide/images/tunnels-page.png)

1. For this tutorial, choose **Quick setup** as the tunnel creation method and then choose **Next**.
**Note**  
If you create a secure tunnel from the details page of a thing you created, you can choose whether to create a new tunnel or use an existing one. For more information, see [Open a tunnel for remote device and use browser-based SSH](tunneling-tutorial-existing-tunnel.md).  
![\[Setup method section with options for quick setup using SSH or manual setup, explaining the quick setup automatically configures proxy and access token.\]](http://docs.aws.amazon.com/iot/latest/developerguide/images/tunnels-choose-quick.PNG)

1. Review and confirm the tunnel configuration details. To create a tunnel, choose **Confirm and create**. If you want to edit these details, choose **Previous** to go back to the previous page and then confirm and create the tunnel.
**Note**  
When using quick setup, the service name can't be edited. You must use **SSH** as the **Service**.

1. To create the tunnel, choose **Done**. 

   For this tutorial, you don't have to download the source or destination access tokens. These tokens can only be used once to connect to the tunnel. If your tunnel gets disconnected, you can generate and send new tokens to your remote device for reconnecting to the tunnel. For more information, see [Resend tunnel access tokens](tunneling-tutorial-manual-setup.md#resend-access-tokens).  
![\[A dialog showing source and destination access tokens for creating a secure tunnel connection, with instructions on rotating and resending tokens if needed.\]](http://docs.aws.amazon.com/iot/latest/developerguide/images/tunnel-success.png)

**To open a tunnel using the API**  
To open a new tunnel, you can use the [OpenTunnel](https://docs.aws.amazon.com/iot/latest/apireference/API_iot-secure-tunneling_OpenTunnel.html) API operation.

**Note**  
You can create a tunnel using the quick setup method only from the AWS IoT console. When you use the AWS IoT API or the AWS CLI, the tunnel is created using the manual setup method. You can open the existing tunnel that you created and then change the setup method of the tunnel to use the quick setup. For more information, see [Open an existing tunnel and use browser-based SSH](tunneling-tutorial-existing-tunnel.md#tunneling-tutorial-existing-convert-tunnel).

The following shows an example of how to run this API operation. Optionally, if you want to specify the thing name and the destination service, use the `DestinationConfig` parameter. For an example that shows how to use this parameter, see [Open a new tunnel for the remote device](tunneling-tutorial-existing-tunnel.md#tunneling-tutorial-existing-open-tunnel).

```
aws iotsecuretunneling open-tunnel
```

Running this command creates a new tunnel and provides you the source and destination access tokens. 

```
{
    "tunnelId": "01234567-89ab-0123-4c56-789a01234bcd",
    "tunnelArn": "arn:aws:iot:us-east-1:123456789012:tunnel/01234567-89ab-0123-4c56-789a01234bcd",
    "sourceAccessToken": "<SOURCE_ACCESS_TOKEN>",
    "destinationAccessToken": "<DESTINATION_ACCESS_TOKEN>"
}
```

## Using the browser-based SSH
<a name="tunneling-tutorial-quick-browser"></a>

After you create a tunnel using the quick setup method, and your destination device has connected to the tunnel, you can access the remote device using a browser-based SSH. Using the browser-based SSH, you can directly communicate with the remote device by entering commands into an in-context command line interface within the console. This feature makes it easier for you to interact with the remote device because you don't have to open a terminal outside the console or configure the local proxy. 

**To use the browser-based SSH**

1. Go to the [Tunnels hub of the AWS IoT console](https://console.aws.amazon.com/iot/home#/tunnels) and choose the tunnel that you created to view its details.

1. Expand the **Secure Shell (SSH)** section and then choose **Connect**.

1. Choose how to authenticate to the SSH connection: with your username and password or, for more secure authentication, with your device's private key. If you're authenticating using the private key, note that only PEM formatted (256 and 512) RSA keys work with the AWS IoT Secure Tunneling SSH console.
   + To connect using your username and password, choose **Use password**. You can then enter your username and password and start using the in-browser CLI.
   + To connect using your destination device's private key, choose **Use private key**. Specify your username and upload the device's private key file, and then choose **Connect** to start using the in-browser CLI.  
![\[Form dialog box to connect via browser CLI with private key, showing a username field and an option to choose or use a pre-selected private key file.\]](http://docs.aws.amazon.com/iot/latest/developerguide/images/tunnel-browser-private-key.png)

After you've authenticated into the SSH connection, you can quickly get started with entering commands and interact with the device using the browser CLI, as the local proxy has already been configured for you.

![\[Code snippet showing React hooks for managing state and preferences in a JavaScript application.\]](http://docs.aws.amazon.com/iot/latest/developerguide/images/tunnel-browser-cli.PNG)


If the browser CLI stays open after the tunnel duration, it might time out, causing the command line interface to get disconnected. You can duplicate the tunnel and start another session to interact with the remote device within the console itself.

## Troubleshooting issues when using the browser-based SSH
<a name="tunneling-tutorial-browser-troubleshoot"></a>

The following shows how to troubleshoot some issues that you might run into when using the browser-based SSH.
+ **You see an error instead of the command line interface**  
  You might be seeing the error because your destination device got disconnected. You can choose **Generate new access tokens** to generate new access tokens and send the tokens to your remote device using MQTT. The new tokens can be used to reconnect to the tunnel. Reconnecting to the tunnel clears the history and refreshes the command line session.
+ **You see a tunnel disconnected error when authenticating using private key**  
  You might be seeing the error because your private key might not have been accepted by the destination device. To troubleshoot this error, check the private key file that you uploaded for authentication. If you still see an error, check your device logs. You can also try reconnecting to the tunnel by sending new access tokens to your remote device.
+ **Your tunnel was closed when using the session**  
  If your tunnel was closed because it stayed open for more than the specified duration, your command line session might get disconnected. A tunnel cannot be reopened once closed. To reconnect, you must open another tunnel to the device.

  You can duplicate a tunnel to create a new tunnel with the same configurations as the closed tunnel. You can duplicate a closed tunnel from the AWS IoT console. To duplicate the tunnel, choose the tunnel that was closed to view its details, and then choose **Duplicate tunnel**. Specify the tunnel duration that you want to use and then create the new tunnel.

## Cleaning up
<a name="tunnel-cleanup-quick"></a>
+ **Close tunnel**  
  We recommend that you close the tunnel after you've finished using it. A tunnel can also become closed if it stayed open for longer than the specified tunnel duration. A tunnel cannot be reopened once closed. You can still duplicate a tunnel by choosing the closed tunnel and then choosing **Duplicate tunnel**. Specify the tunnel duration that you want to use and then create the new tunnel.
  + To close an individual tunnel or multiple tunnels from the AWS IoT console, go to the [Tunnels hub](https://console.aws.amazon.com/iot/home#/tunnels), choose the tunnels that you want to close, and then choose **Close tunnel**.
  + To close an individual tunnel or multiple tunnels using the AWS IoT API, use the [CloseTunnel](https://docs.aws.amazon.com/iot/latest/apireference/API_iot-secure-tunneling_CloseTunnel.html) API operation.

    ```
    aws iotsecuretunneling close-tunnel \
        --tunnel-id "01234567-89ab-0123-4c56-789a01234bcd"
    ```
+ **Delete tunnel**  
  You can delete a tunnel permanently from your AWS account.  
  **Warning**  
  Deletion actions are permanent and can't be undone.
  + To delete an individual tunnel or multiple tunnels from the AWS IoT console, go to the [Tunnels hub](https://console.aws.amazon.com/iot/home#/tunnels), choose the tunnels that you want to delete, and then choose **Delete tunnel**.
  + To delete an individual tunnel or multiple tunnels using the AWS IoT API, use the [CloseTunnel](https://docs.aws.amazon.com/iot/latest/apireference/API_iot-secure-tunneling_CloseTunnel.html) API operation. When using the API, set the `delete` flag to `true`.

    ```
    # In the AWS CLI, --delete is a boolean switch and takes no value.
    aws iotsecuretunneling close-tunnel \
        --tunnel-id "01234567-89ab-0123-4c56-789a01234bcd" \
        --delete
    ```

# Open a tunnel using manual setup and connect to remote device
<a name="tunneling-tutorial-manual-setup"></a>

When you open a tunnel, you can choose the quick setup or the manual setup method for opening a tunnel into the remote device. This tutorial shows how to open a tunnel using the manual setup method and configure and start the local proxy to connect to the remote device.

When you use the manual setup method, you must manually specify the tunnel configurations when creating the tunnel. After creating the tunnel, you can SSH within the browser or open a terminal outside the AWS IoT console. This tutorial shows how to use the terminal outside the console to access the remote device. You'll also learn how to configure the local proxy and then connect to the local proxy to interact with the remote device. To connect to the local proxy, you must download the source access token when creating the tunnel.

With this setup method, you can use services other than SSH, such as FTP, to connect to the remote device. For more information about the different setup methods, see [Tunnel setup methods](secure-tunneling-tutorial-open-tunnel.md#tunneling-tutorial-setup-methods).

## Prerequisites for manual setup method
<a name="tunneling-tutorial-manual-prerequisites"></a>
+ The firewalls that the remote device is behind must allow outbound traffic on port 443. The tunnel that you create will use this port to connect to the remote device.
+ You have an IoT device agent (see [IoT agent snippet](configure-remote-device.md#agent-snippet)) running on the remote device that connects to the AWS IoT device gateway and is configured with an MQTT topic subscription. For more information, see [connect a device to the AWS IoT device gateway](https://docs.aws.amazon.com/iot/latest/developerguide/sdk-tutorials.html).
+ You must have an SSH daemon running on the remote device.
+ You have downloaded the local proxy source code from [GitHub](https://github.com/aws-samples/aws-iot-securetunneling-localproxy) and built it for the platform of your choice. We'll refer to the built local proxy executable file as `localproxy` in this tutorial.

## Open a tunnel
<a name="open-tunnel"></a>

You can open a secure tunnel using the AWS Management Console, the AWS IoT API, or the AWS CLI. You can optionally configure a destination name, but it's not required for this tutorial. If you configure the destination, secure tunneling will automatically deliver the access token to the remote device using MQTT. For more information, see [Tunnel creation methods in AWS IoT console](secure-tunneling-tutorial-open-tunnel.md#tunneling-tutorial-flows).

**To open a tunnel in the console**

1. Go to the [Tunnels hub of the AWS IoT console](https://console.aws.amazon.com/iot/home#/tunnelhub) and choose **Create tunnel**.  
![\[AWS IoT console showing an empty list of tunnels with options to create, close, or delete tunnels.\]](http://docs.aws.amazon.com/iot/latest/developerguide/images/tunnels-page.png)

1. For this tutorial, choose **Manual setup** as the tunnel creation method and then choose **Next**. For information about using the **quick setup** method to create a tunnel, see [Open a tunnel and use browser-based SSH to access remote device](tunneling-tutorial-quick-setup.md).
**Note**  
If you create a secure tunnel from the details page of a thing, you can choose whether to create a new tunnel or use an existing one. For more information, see [Open a tunnel for remote device and use browser-based SSH](tunneling-tutorial-existing-tunnel.md).  
![\[Two options for setting up a tunnel connection: Quick setup (SSH) or Manual setup, which requires configuring a local proxy and managing access tokens.\]](http://docs.aws.amazon.com/iot/latest/developerguide/images/tunnels-choose-manual.PNG)

1. (Optional) Enter the configuration settings for your tunnel. You can also skip this step and proceed to the next step to create a tunnel. 

   Enter a tunnel description, a tunnel timeout duration, and resource tags as key-value pairs to help you identify your resource. For this tutorial, you can skip the destination configuration.
**Note**  
You won't be charged based on the duration for which you keep a tunnel open. You only incur charges when creating a new tunnel. For pricing information, see **Secure Tunneling** in [AWS IoT Device Management pricing](https://aws.amazon.com/iot-device-management/pricing/).

1. Download the client access tokens and then choose **Done**. The tokens will not be available to download after you choose **Done**.

   These tokens can only be used once to connect to the tunnel. If you misplace the tokens or the tunnel gets disconnected, you can generate and send new tokens to your remote device for reconnecting to the tunnel.  
![\[Source and destination access tokens for creating a secure tunnel connection, with instructions on rotating and resending tokens if needed.\]](http://docs.aws.amazon.com/iot/latest/developerguide/images/tunnel-success.png)

**To open a tunnel using the API**  
To open a new tunnel, you can use the [OpenTunnel](https://docs.aws.amazon.com/iot/latest/apireference/API_iot-secure-tunneling_OpenTunnel.html) API operation. You can also specify additional configurations using the API, such as the tunnel duration and the destination configuration.

```
aws iotsecuretunneling open-tunnel \
    --region us-east-1 \
    --endpoint-url https://api.us-east-1.tunneling.iot.amazonaws.com
```

Running this command creates a new tunnel and provides you the source and destination access tokens. 

```
{
    "tunnelId": "01234567-89ab-0123-4c56-789a01234bcd",
    "tunnelArn": "arn:aws:iot:us-east-1:123456789012:tunnel/01234567-89ab-0123-4c56-789a01234bcd",
    "sourceAccessToken": "<SOURCE_ACCESS_TOKEN>",
    "destinationAccessToken": "<DESTINATION_ACCESS_TOKEN>"
}
```

## Resend tunnel access tokens
<a name="resend-access-tokens"></a>

The tokens that you obtained when creating a tunnel can only be used once to connect to the tunnel. If you misplace the access token or the tunnel gets disconnected, you can resend new access tokens to the remote device using MQTT at no additional charge. AWS IoT secure tunneling will revoke the current tokens and return new access tokens for reconnecting to the tunnel.

**To rotate the tokens from the console**

1. Go to the [Tunnels hub of the AWS IoT console](https://console.aws.amazon.com/iot/home#/tunnels) and choose the tunnel that you created.

1. In the tunnel details page, choose **Generate new access tokens** and then choose **Next**.

1. Download the new access tokens for your tunnel and choose **Done**. These tokens can be used only once. If you misplace these tokens or the tunnel gets disconnected, you can resend new access tokens.  
![\[Access tokens for source and destination devices with options to copy or download them. Text explains that rotating tokens revokes current tokens and generates new single-use tokens for reconnecting a disconnected tunnel.\]](http://docs.aws.amazon.com/iot/latest/developerguide/images/tunnel-token-rotated.PNG)

**To rotate access tokens using the API**  
To rotate the tunnel access tokens, you can use the [RotateTunnelAccessToken](https://docs.aws.amazon.com/iot/latest/apireference/API_iot-secure-tunneling_RotateTunnelAccessToken.html) API operation to revoke the current tokens and return new access tokens for reconnecting to the tunnel. For example, the following command rotates the access tokens for the destination device, *`RemoteThing1`*. 

```
aws iotsecuretunneling rotate-tunnel-access-token \
    --tunnel-id <tunnel-id> \
    --client-mode DESTINATION \
    --destination-config thingName=<RemoteThing1>,services=SSH \
    --region <region>
```

Running this command generates the new access token as shown in the following example. The token is then delivered to the device using MQTT to connect to the tunnel, if the device agent is set up correctly.

```
{
    "destinationAccessToken": "destination-access-token", 
    "tunnelArn": "arn:aws:iot:region:account-id:tunnel/tunnel-id"
}
```

For examples that show how and when to rotate the access tokens, see [Resolving AWS IoT secure tunneling connectivity issues by rotating client access tokens](iot-secure-tunneling-troubleshooting.md).
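The following sketch turns the rules in this section into a recovery decision: a closed tunnel needs a new tunnel, and an open tunnel gets new tokens only for the side that is disconnected. It is an added example, not code from this guide. `client` is assumed to be a boto3 `iotsecuretunneling` client or any object with the same `describe_tunnel` and `rotate_tunnel_access_token` methods, and the sample tunnel values are constructed.

```python
# Constructed DescribeTunnel result: an open tunnel whose destination dropped
# while the source is still connected. Values are made up for illustration.
SAMPLE_TUNNEL = {
    "tunnelId": "01234567-89ab-0123-4c56-789a01234bcd",
    "status": "OPEN",
    "sourceConnectionState": {"status": "CONNECTED"},
    "destinationConnectionState": {"status": "DISCONNECTED"},
    "destinationConfig": {"thingName": "RemoteDeviceA", "services": ["SSH"]},
}

_SIDES = (("SOURCE", "sourceConnectionState"),
          ("DESTINATION", "destinationConnectionState"))


def recovery_plan(tunnel):
    """Decide how to reconnect, given the 'tunnel' object of DescribeTunnel."""
    if tunnel.get("status") != "OPEN":
        # A closed tunnel cannot be reopened; rotating tokens will not help.
        return {"action": "open_new_tunnel"}

    down = [side for side, key in _SIDES
            if tunnel.get(key, {}).get("status") != "CONNECTED"]
    if not down:
        return {"action": "none"}

    # Rotate only what is disconnected so the tokens of a side that is still
    # connected are not revoked.
    plan = {"action": "rotate",
            "clientMode": "ALL" if len(down) == 2 else down[0]}
    if "DESTINATION" in down:
        config = tunnel.get("destinationConfig")
        if config:
            # With a thing name, the new token is delivered over MQTT.
            plan["destinationConfig"] = config
        else:
            # No destination was configured, so the operator must deliver
            # the new destination token to the device another way.
            plan["deliver_destination_token_manually"] = True
    return plan


def recover(client, tunnel_id):
    """Apply recovery_plan; new tokens are returned, never printed."""
    tunnel = client.describe_tunnel(tunnelId=tunnel_id)["tunnel"]
    plan = recovery_plan(tunnel)
    if plan["action"] != "rotate":
        return plan

    request = {"tunnelId": tunnel_id, "clientMode": plan["clientMode"]}
    if "destinationConfig" in plan:
        request["destinationConfig"] = plan["destinationConfig"]
    response = client.rotate_tunnel_access_token(**request)

    # New tokens are single-use secrets: hand them to the caller and keep
    # them out of logs.
    plan["tokens"] = {name: response[name]
                      for name in ("sourceAccessToken",
                                   "destinationAccessToken")
                      if name in response}
    return plan
```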

## Configure and start the local proxy
<a name="start-local-proxy"></a>

To connect to the remote device, open a terminal on your laptop and configure and start the local proxy. The local proxy transmits data sent by the application running on the source device by using secure tunneling over a WebSocket secure connection. You can download the local proxy source from [GitHub](https://github.com/aws-samples/aws-iot-securetunneling-localproxy).

After you configure the local proxy, copy the source client access token, and use it to start the local proxy in source mode. The following example command starts the local proxy and configures it to listen for new connections on port 5555. In this command:
+ `-r` specifies the AWS Region, which must be the same Region where your tunnel was created.
+ `-s` specifies the port to which the proxy should connect.
+ `-t` specifies the client token text.

```
./localproxy -r us-east-1 -s 5555 -t source-client-access-token
```

Running this command will start the local proxy in source mode. If you receive the following error after running the command, set up the CA path. For information, see [Secure tunneling local proxy on GitHub](https://github.com/aws-samples/aws-iot-securetunneling-localproxy).

```
Could not perform SSL handshake with proxy server: certificate verify failed
```

The following shows a sample output of running the local proxy in `source` mode.

```
...
...

Starting proxy in source mode
Attempting to establish web socket connection with endpoint wss://data.tunneling.iot.us-east-1.amazonaws.com:443
Resolved proxy  server IP: 10.10.0.11
Connected successfully with proxy server
Performing SSL handshake with proxy server	
Successfully completed SSL handshake with proxy server
HTTP/1.1 101 Switching Protocols

...

Connection: upgrade
channel-id: 01234567890abc23-00001234-0005678a-b1234c5de677a001-2bc3d456
upgrade: websocket

...

Web socket session ID: 01234567890abc23-00001234-0005678a-b1234c5de677a001-2bc3d456
Web socket subprotocol selected: aws.iot.securetunneling-2.0
Successfully established websocket connection with proxy server: wss://data.tunneling.iot.us-east-1.amazonaws.com:443
Setting up web socket pings for every 5000 milliseconds
Scheduled next read:

...

Starting web socket read loop continue reading...
Resolved bind IP: 127.0.0.1
Listening for new connection on port 5555
```

## Start an SSH session
<a name="start-ssh-session"></a>

Open another terminal and use the following command to start a new SSH session by connecting to the local proxy on port 5555.

```
ssh username@localhost -p 5555
```

You might be prompted for a password for the SSH session. When you are done with the SSH session, type **exit** to close the session.

## Cleaning up
<a name="tunnel-cleanup-manual"></a>
+ **Close tunnel**  
  We recommend that you close the tunnel after you've finished using it. A tunnel can also become closed if it stayed open for longer than the specified tunnel duration. A tunnel cannot be reopened once closed. You can still duplicate a tunnel by opening the closed tunnel and then choosing **Duplicate tunnel**. Specify the tunnel duration that you want to use and then create the new tunnel.
  + To close an individual tunnel or multiple tunnels from the AWS IoT console, go to the [Tunnels hub](https://console.aws.amazon.com/iot/home#/tunnels), choose the tunnels that you want to close, and then choose **Close tunnel**.
  + To close an individual tunnel or multiple tunnels using the AWS IoT API, use the [CloseTunnel](https://docs.aws.amazon.com/iot/latest/apireference/API_iot-secure-tunneling_CloseTunnel.html) API operation.

    ```
    aws iotsecuretunneling close-tunnel \
        --tunnel-id "01234567-89ab-0123-4c56-789a01234bcd"
    ```
+ **Delete tunnel**  
  You can delete a tunnel permanently from your AWS account.  
  **Warning**  
  Deletion actions are permanent and can't be undone.
  + To delete an individual tunnel or multiple tunnels from the AWS IoT console, go to the [Tunnels hub](https://console.aws.amazon.com/iot/home#/tunnels), choose the tunnels that you want to delete, and then choose **Delete tunnel**.
  + To delete an individual tunnel or multiple tunnels using the AWS IoT API, use the [CloseTunnel](https://docs.aws.amazon.com/iot/latest/apireference/API_iot-secure-tunneling_CloseTunnel.html) API operation. When using the API, set the `delete` flag to `true`.

    ```
    # In the AWS CLI, --delete is a boolean switch and takes no value.
    aws iotsecuretunneling close-tunnel \
        --tunnel-id "01234567-89ab-0123-4c56-789a01234bcd" \
        --delete
    ```