Working Notes: a commonplace notebook for recording & exploring ideas.
— Kunal
This note comes from a discussion with Claude about relying on just ET (Eternal Terminal) for TRAMP in Emacs.
TRAMP doesn't need SSH - it just needs a process whose stdin/stdout is connected to a remote shell. We use ET for a resilient tunnel and socat to provide the shell, with mutual TLS so other users on the box can't hijack the socket.
```
Emacs TRAMP -> socat (local) -> ET tunnel (survives network changes) -> socat+TLS (remote) -> bash
```
Same cert on all machines - you're authenticating yourself to yourself.
```bash
mkdir -p ~/.et
# P-256 key plus self-signed cert; ec_paramgen_curve is the pkeyopt that selects the curve
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
  -keyout ~/.et/shell.key -out ~/.et/shell.crt \
  -days 3650 -nodes -subj '/CN=et-shell'
chmod 600 ~/.et/shell.key
```
Copy ~/.et/shell.key and ~/.et/shell.crt to every machine.
```ini
# ~/.config/systemd/user/et-shell.service
[Unit]
Description=ET shell listener

[Service]
Type=simple
Restart=always
RestartSec=3
# %h is systemd's specifier for the user's home directory (%%h would be a literal "%h").
# The whole socat address must stay on one line: a backslash continuation becomes a space,
# which would split the address into separate arguments.
ExecStart=/usr/bin/socat \
  OPENSSL-LISTEN:9999,bind=127.0.0.1,reuseaddr,fork,cert=%h/.et/shell.crt,key=%h/.et/shell.key,cafile=%h/.et/shell.crt,verify=1 \
  EXEC:/bin/bash,pty,stderr,setsid,sigint,sane

[Install]
WantedBy=default.target
```

```bash
systemctl --user daemon-reload
systemctl --user enable --now et-shell
```
```bash
# Optional: keep running even when logged out
sudo loginctl enable-linger $USER
```
Each server gets a unique local port, all mapping to remote 9999:
```bash
et -t 9001:9999 user@server-a
et -t 9002:9999 user@server-b
et -t 9003:9999 user@server-c
```
```elisp
;; TRAMP hands the login command to a local /bin/sh, so $HOME expands there.
;; commonname=et-shell: socat checks the server cert's CN against the target
;; host name by default, and the cert says "et-shell", not "localhost".
(add-to-list 'tramp-methods
             '("et"
               (tramp-login-program "socat")
               (tramp-login-args
                (("-" "OPENSSL:localhost:%p,cert=$HOME/.et/shell.crt,key=$HOME/.et/shell.key,cafile=$HOME/.et/shell.crt,verify=1,commonname=et-shell")))
               (tramp-remote-shell "/bin/bash")
               (tramp-remote-shell-args ("-i"))
               (tramp-default-port 9999)))
```
Open files with the port specifying which server:
```
/et:localhost#9001:/path/on/server-a
/et:localhost#9002:/path/on/server-b
```
```bash
# Remote: is socat running?
systemctl --user status et-shell
ss -tlnp | grep 9999

# Local: is the ET tunnel forwarding?
ss -tlnp | grep 9001

# Local: does the full chain work? ($HOME rather than ~: bash does not
# tilde-expand inside a word that starts with "OPENSSL:"; commonname matches the cert's CN)
socat - OPENSSL:localhost:9001,cert=$HOME/.et/shell.crt,key=$HOME/.et/shell.key,cafile=$HOME/.et/shell.crt,verify=1,commonname=et-shell
# should get a bash prompt - type `hostname` to confirm
```
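An automated form of that last check, added here as an example (not part of the original note): it makes the same mutual-TLS connection the socat one-liner does, using Python's `ssl` module, runs `hostname` over each forwarded port, and also confirms the listener refuses a client that presents no certificate. The server-to-port map and the `hostname; exit` output parsing are assumptions of this example.

```python
import os
import socket
import ssl

CERT, KEY = map(os.path.expanduser, ("~/.et/shell.crt", "~/.et/shell.key"))  # identity and sole CA
SERVERS = {9001: "server-a", 9002: "server-b", 9003: "server-c"}  # local ET port -> hostname (assumed)
CMD = "hostname; exit"  # what we type into the remote bash; the pty echoes it back before answering

def client_context(cert=CERT, key=KEY):
    """Mirror socat's OPENSSL:...,cert=,key=,cafile=,verify=1 in Python's ssl module."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cert)
    ctx.load_cert_chain(cert, key)       # present our cert; the listener drops clients without one
    ctx.verify_mode = ssl.CERT_REQUIRED  # accept only a server cert that is shell.crt itself
    ctx.check_hostname = False           # the CN is 'et-shell', not 'localhost'
    return ctx

def parse_shell_reply(raw):
    """Pull the hostname out of pty output: drop CRs, find the echoed command, take the next line."""
    lines = [ln.strip() for ln in raw.decode(errors="replace").replace("\r", "").split("\n")]
    for i, line in enumerate(lines):
        if line.endswith(CMD) and i + 1 < len(lines):
            return lines[i + 1]
    return ""

def probe(port, expected_host, timeout=5.0):
    """Full chain: TLS through the ET tunnel on 127.0.0.1:port, run hostname, compare the reply."""
    chunks = []
    with socket.create_connection(("127.0.0.1", port), timeout=timeout) as sock:
        with client_context().wrap_socket(sock, server_hostname="localhost") as tls:
            tls.sendall((CMD + "\n").encode())
            try:
                while chunk := tls.recv(4096):
                    chunks.append(chunk)
            except (socket.timeout, ssl.SSLError):
                pass  # the pty closes after exit; we already have the answer
    return parse_shell_reply(b"".join(chunks)) == expected_host

def rejects_anonymous_client(port, timeout=5.0):
    """Check the listener refuses a client with no certificate (verify=1 on the server side)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock) as tls:
                return tls.recv(1) == b""  # with TLS 1.3 the refusal only shows on the first read
    except (ssl.SSLError, OSError):
        return True

if __name__ == "__main__":
    print({p: (probe(p, h), rejects_anonymous_client(p)) for p, h in SERVERS.items()})
```

Running it prints, per local port, whether the shell answered with the expected hostname and whether an anonymous client was refused.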
bind=127.0.0.1 ensures socat is never exposed on the network; verify=1 with shell.crt as the only CA is what keeps other users on the box from using the loopback socket.