diff --git a/modules/rhizo_base/manifests/init.pp b/modules/rhizo_base/manifests/init.pp
index aa273a4..8a4daa4 100644
--- a/modules/rhizo_base/manifests/init.pp
+++ b/modules/rhizo_base/manifests/init.pp
@@ -81,6 +81,9 @@ class rhizo_base {
   $webphone_prefix        = hiera('rhizo::webphone_prefix', '[]')
   $latency_check_address  = hiera('rhizo::latency_check_address','1.1.1.1')
   $latency_check_vpn      = hiera('rhizo::latency_check_vpn','10.23.0.2')
+  $ssh_addr               = hiera('rhizo::ssh_t_address','127.0.0.1')
+  $ssh_user               = hiera('rhizo::ssh_user','')
+  $ssh_p                  = split($vpn_ip_address, '\.')[3]
 
   $stats_disk = hiera('rhizo::stats_disk','sda1')
   $stats_if   = hiera('rhizo::stats_if','eth0')
@@ -708,4 +711,14 @@ schedule { 'never':
         content => template('rhizo_base/msmtprc.erb')
   }
 
+  systemd::unit_file { 'sshtunnel.service':
+      content  => template("rhizo_base/sshtunnel.service.erb")
+    }
+
+  service { [ 'sshtunnel' ]:
+    provider => 'systemd',
+    enable   => true,
+    ensure   => 'running'
+  }
+
 }
diff --git a/modules/rhizo_base/templates/sshtunnel.service.erb b/modules/rhizo_base/templates/sshtunnel.service.erb
new file mode 100644
index 0000000..6db43f6
--- /dev/null
+++ b/modules/rhizo_base/templates/sshtunnel.service.erb
@@ -0,0 +1,15 @@
+[Unit]
+Description=SSH Tunnel
+Requires=sysinit.target system.slice
+After=network.target
+
+[Service]
+Type=simple
+WorkingDirectory=/
+ExecStart=/usr/bin/ssh -v -o IdentitiesOnly=yes -o StrictHostKeyChecking=no -N -c none -i /root/.ssh/bsc_dev <%= @ssh_user %>@<%= @ssh_addr %> -R 220<%= @ssh_p %>:0:22
+TimeoutStopSec=5
+Restart=always
+RestartSec=60
+
+[Install]
+WantedBy=multi-user.target