On-demand SSH Socks proxy through systemd user units with socket-activation doesn't restart as wished

25 votes
4 answers
6750 views
To reach an isolated network I use an [tag:SSH] -D [tag:socks] [tag:proxy]. In order to avoid having to type the details every time, I added them to `~/.ssh/config`:

```
$ awk '/Host socks-proxy/' RS= ~/.ssh/config
Host socks-proxy
    Hostname pcit
    BatchMode yes
    RequestTTY no
    Compression yes
    DynamicForward localhost:9118
```

Then I created a [tag:systemd-user] service unit definition file:

```
$ cat ~/.config/systemd/user/SocksProxy.service
[Unit]
Description=SocksProxy Over Bridge Host

[Service]
ExecStart=/usr/bin/ssh -Nk socks-proxy

[Install]
WantedBy=default.target
```

I let the daemon reload the new service definitions, enabled the new service, started it, checked its status, and verified that it is listening:

```
$ systemctl --user daemon-reload
$ systemctl --user list-unit-files | grep SocksP
SocksProxy.service    disabled
$ systemctl --user enable SocksProxy.service
Created symlink from ~/.config/systemd/user/default.target.wants/SocksProxy.service to ~/.config/systemd/user/SocksProxy.service.
$ systemctl --user start SocksProxy.service
$ systemctl --user status SocksProxy.service
● SocksProxy.service - SocksProxy Over Bridge Host
   Loaded: loaded (/home/alex/.config/systemd/user/SocksProxy.service; enabled)
   Active: active (running) since Thu 2017-08-03 10:45:29 CEST; 2s ago
 Main PID: 26490 (ssh)
   CGroup: /user.slice/user-1000.slice/user@1000.service/SocksProxy.service
           └─26490 /usr/bin/ssh -Nk socks-proxy
$ netstat -tnlp | grep 118
tcp        0      0 127.0.0.1:9118          0.0.0.0:*               LISTEN
tcp6       0      0 ::1:9118                :::*                    LISTEN
```

This works as intended. Then I wanted to avoid having to manually start the service, or running it permanently with [tag:autossh], by using [tag:systemd] [tag:socket-activation] for on-demand (re-)spawning. That didn't work; I think (my version of) ssh cannot receive socket file descriptors.
I found the documentation ([part 1](http://0pointer.de/blog/projects/socket-activation.html), [part 2](http://0pointer.de/blog/projects/socket-activation2.html)), and [an example](https://unix.stackexchange.com/questions/352495/systemd-on-demand-start-of-services-like-postgresql-and-mysql-that-do-not-yet-s) for using the [systemd-socket-proxyd](https://www.freedesktop.org/software/systemd/man/systemd-socket-proxyd.html) tool to create 2 "wrapper" units, a "service" and a "socket":

```
$ cat ~/.config/systemd/user/SocksProxyHelper.socket
[Unit]
Description=On Demand Socks proxy into Work

[Socket]
ListenStream=8118
#BindToDevice=lo
#Accept=yes

[Install]
WantedBy=sockets.target
```

```
$ cat ~/.config/systemd/user/SocksProxyHelper.service
[Unit]
Description=On demand Work Socks tunnel
After=network.target SocksProxyHelper.socket
Requires=SocksProxyHelper.socket SocksProxy.service
After=SocksProxy.service

[Service]
#Type=simple
#Accept=false
ExecStart=/lib/systemd/systemd-socket-proxyd 127.0.0.1:9118
TimeoutStopSec=5

[Install]
WantedBy=multi-user.target
```

```
$ systemctl --user daemon-reload
```

This *seems* to work, until ssh dies or gets killed. Then it won't re-spawn at the next connection attempt when it should.

### Questions:

1. Can /usr/bin/ssh really not accept systemd-passed sockets? Or only newer versions? Mine is the [one from up2date Debian 8.9](https://packages.debian.org/jessie/openssh-client).
2. Can only units of root use the BindToDevice option?
3. Why is my proxy service not respawning correctly on first new connection after the old tunnel dies?
4. Is this the right way to set up an "on-demand ssh socks proxy"? If not, how do you do it?
Asked by Alex Stragies (6144 rep)
Aug 3, 2017, 12:38 PM
Last activity: Feb 18, 2023, 06:44 PM
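The failure mode described in the question (the socket unit still listens on 8118 after ssh has died, so `netstat` shows an open port even though no tunnel is behind it) is one where "port is listening" and "proxy is usable" diverge. The following health check, added here as an example and not part of the question or any answer, distinguishes the two by performing the SOCKS5 method-negotiation greeting from RFC 1928 (client sends version 5, one method, NO AUTH; a live proxy replies `05 00`). A listener whose backend is gone typically accepts the TCP connection and then closes it without replying, which the check reports as unhealthy. The port, host and the fake listeners are constructed for offline demonstration; the only assumption about the setup is that the proxy speaks SOCKS5 on the given port, as `ssh -D` does.

```python
"""Health check for a SOCKS5 proxy endpoint: greeting handshake, not just a TCP connect.

Added example; the fake listeners below are constructed test doubles so the
check can be exercised offline without a real ssh tunnel.
"""
import socket
import sys
import threading

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00


def socks5_greeting_ok(host, port, timeout=3.0):
    """Return True only if the endpoint completes the SOCKS5 greeting.

    Sends the RFC 1928 client greeting (VER=5, NMETHODS=1, METHODS=[NO AUTH])
    and expects the server selection (VER=5, METHOD=0). A socket-activated
    front end whose backend tunnel is dead usually accepts the connection and
    then closes it without a reply; that yields b'' here and returns False,
    so an open port alone is never mistaken for a working proxy.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(bytes([SOCKS_VERSION, 1, METHOD_NO_AUTH]))
            reply = s.recv(2)
    except OSError:
        # Connection refused, timeout, reset: nothing is serving SOCKS here.
        return False
    return reply == bytes([SOCKS_VERSION, METHOD_NO_AUTH])


def _serve_once(listener, healthy):
    """Accept one connection; answer the greeting if 'healthy', else just close."""
    conn, _ = listener.accept()
    with conn:
        data = conn.recv(3)
        if healthy and len(data) == 3 and data[0] == SOCKS_VERSION:
            conn.sendall(bytes([SOCKS_VERSION, METHOD_NO_AUTH]))
        # Unhealthy case: close without replying, like a proxy whose
        # backend connection to the tunnel port was refused.
    listener.close()


def start_fake_socks_listener(healthy):
    """Start a one-shot fake SOCKS5 listener on 127.0.0.1 (constructed test double).

    Returns the ephemeral port it listens on. healthy=True mimics a live
    ssh -D tunnel; healthy=False mimics a listener with a dead backend.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    threading.Thread(target=_serve_once, args=(listener, healthy), daemon=True).start()
    return port


if __name__ == "__main__":
    # Usage: python socks_check.py [host] [port]; defaults match the question's
    # socket unit (127.0.0.1:8118). Exit status 0 = healthy, 1 = not healthy.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8118
    ok = socks5_greeting_ok(host, port)
    print(f"{host}:{port} SOCKS5 greeting {'OK' if ok else 'FAILED'}")
    sys.exit(0 if ok else 1)
```

Run it against the front-end port (8118 in the question) rather than the ssh port (9118): a success proves the whole chain, socket unit, systemd-socket-proxyd and the ssh dynamic forward, is answering, while a failure after a TCP connect succeeds is exactly the "listening but dead" state a plain port check would miss. Its exit status makes it usable from a timer or a monitoring probe.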