Add documentation for accessing homelab services via SSH tunnel on iOS, SSH to Synology NAS, and SFTP file transfer on iPhone and iPad

Author: isontheline

documentation/src/docs/documentation/guides/homelab-ssh-tunnel-ios.md

@@ -0,0 +1,108 @@
+---
+title: Access Your Homelab Remotely via SSH Tunnel on iOS
+---
+
+# Access Your Homelab Remotely via SSH Tunnel on iOS
+
+Your homelab runs services you don't want exposed to the internet — a Proxmox dashboard, a Grafana instance, a private Git server, an internal wiki. SSH tunneling lets you reach all of them securely from your iPhone or iPad, without a VPN appliance, without opening extra firewall ports, and without a subscription.
+
+This guide shows you how to use WebSSH's port forwarding features to access homelab services from anywhere.
+
+## How SSH Tunneling Works
+
+An SSH tunnel creates an encrypted channel between your iOS device and a server you control (the "jump host" — typically a VPS or a machine in your homelab with SSH exposed). Once the tunnel is established, WebSSH forwards traffic through it, letting you reach internal services as if you were on your home network.
+
+Two modes are available in WebSSH:
+
+| Mode | Use case |
+|---|---|
+| **Local Port Forwarding** | Access a specific service on a specific port |
+| **Dynamic Port Forwarding** | Use your server as a SOCKS proxy for multiple services at once |
+
+## Prerequisites
+
+You need one machine accessible from the internet over SSH. This is your entry point:
+
+- A **VPS** (DigitalOcean, Hetzner, Linode, etc.) with SSH enabled
+- Or a homelab machine with a port forwarded from your router
+
+!!! tip "A small VPS is all you need"
+    A €4/month VPS is enough to act as a jump host. All your homelab traffic goes through it encrypted — the VPS never sees the content, just the forwarded connection.
+
+## Local Port Forwarding — Access One Service
+
+Local Port Forwarding (LPF) maps a port on your iPhone to a port on a remote server. Once active, any connection WebSSH makes to `localhost:LOCAL_PORT` goes through the SSH tunnel to `REMOTE_HOST:REMOTE_PORT`.
+
+**Example: access a Proxmox web UI running on `192.168.1.10:8006`**
+
+1. Open **WebSSH** and go to the **Tunnel** tab
+2. Tap **+** to create a new tunnel
+3. Fill in the SSH connection details for your jump host
+4. In the **Port Forwarding** field, enter:
+   ```
+   8006:192.168.1.10:8006
+   ```
+5. Save the tunnel and tap it to start it
+6. Open WebSSH's built-in browser and navigate to `https://localhost:8006`
+
+!!! tip "Port Forwarding syntax"
+    The format is `LOCAL_PORT:REMOTE_HOST:REMOTE_PORT`. The remote host is resolved from the perspective of the SSH server — so `localhost` means the SSH server itself, and `192.168.1.10` means a machine on the same LAN as the SSH server.
+
+**More examples:**
+
+| Forward Rule | What it does |
+|---|---|
+| `3000:localhost:3000` | Grafana on the jump host itself |
+| `8080:192.168.1.50:80` | Web UI on a NAS at 192.168.1.50 |
+| `5432:192.168.1.20:5432` | PostgreSQL on an internal server |
+
+See [Local Port Forwarding](/documentation/help/networking/local-port-forwarding/) for the full documentation.
+
+## Dynamic Port Forwarding — Access Everything at Once
+
+Dynamic Port Forwarding (DPF) turns your jump host into a SOCKS proxy. All connections made within WebSSH are routed through it — useful when you need to reach multiple internal services without creating one tunnel per service.
+
+1. Go to the **Tunnel** tab in WebSSH
+2. Tap **+** to create a new tunnel
+3. Fill in the SSH connection details for your jump host
+4. In the **Port Forwarding** field, enter `*` (an asterisk)
+5. Save and start the tunnel
+6. Now open any SSH or SFTP connection inside WebSSH — it will go through the tunnel and can reach internal addresses
+
+!!! warning "DPF only routes WebSSH traffic"
+    Dynamic Port Forwarding routes connections made within WebSSH only. Other apps on your iPhone (Safari, etc.) are not affected. 
+
+See [Dynamic Port Forwarding](/documentation/help/networking/dynamic-port-forwarding/) for the full documentation.
+
+## Securing Your Jump Host
+
+If your jump host is exposed to the internet, take a few minutes to harden it:
+
+- **Use key-based SSH authentication** — disable password login in `/etc/ssh/sshd_config` with `PasswordAuthentication no`
+- **Use a non-standard SSH port** — reduces automated scan noise
+- **Set up fail2ban** — automatically bans IPs with repeated failed login attempts
+- **Keep the system updated** — `apt update && apt upgrade` regularly
+
+See [SSH Public / Private Key Pair](/documentation/help/SSH/public-private-key/) for setting up key auth with WebSSH.
+
+## Troubleshooting
+
+??? question "Tunnel connects but I can't reach the internal service"
+    Check that the port forwarding rule uses the correct remote address. The remote host is resolved from the SSH server's perspective. If the service is on the same machine as the SSH server, use `localhost`. If it's on another machine, use its LAN IP.
+
+??? question "Connection refused on the local port"
+    The tunnel must be running (green/active) before you try to connect. Tap the tunnel to start it, then make your connection.
+
+??? question "Tunnel drops after a few minutes of inactivity"
+    SSH connections can time out. Configure `ServerAliveInterval` in your ssh_config file on the server side, or use tmux on the jump host to keep sessions alive.
+
+??? question "I need to access multiple homelab machines"
+    Use Dynamic Port Forwarding (`*`) — this creates a SOCKS proxy so WebSSH can route to any internal address through a single tunnel. Alternatively, set up multiple Local Port Forwarding rules separated by commas (e.g. `8006:192.168.1.10:8006,3000:192.168.1.20:3000`).
+
+## Related Documentation
+
+- [Port Forwarding overview](/documentation/help/networking/port-forwarding/)
+- [Local Port Forwarding](/documentation/help/networking/local-port-forwarding/)
+- [Dynamic Port Forwarding](/documentation/help/networking/dynamic-port-forwarding/)
+- [VPN-Over-SSH](/documentation/help/networking/vpn-over-ssh/)
+- [Port Knocking](/documentation/help/networking/port-knocking/) — hide your SSH port until you knock

documentation/src/docs/documentation/guides/no-subscription-ssh-client-ios.md

@@ -0,0 +1,72 @@
+---
+title: Best SSH Client for iOS Without a Subscription
+---
+
+# Best SSH Client for iOS Without a Subscription
+
+Most SSH clients on the App Store have quietly moved to subscription pricing. You pay monthly or annually — or you lose access to your connections, your keys, and your tunnels. If you're looking for a capable SSH and SFTP client for iPhone or iPad that you buy once and own forever, this page is for you.
+
+## The Problem with Subscription SSH Clients
+
+Subscription-based apps make financial sense for the developer, but they create a real problem for the user:
+
+- **Ongoing cost** — a $9.99/month SSH client costs more per year than most desktop tools
+- **Held hostage** — if you stop paying, your saved connections and keys may become inaccessible
+- **Privacy concerns** — some sync your server credentials to the developer's cloud infrastructure
+
+If you use SSH professionally, you're already paying for servers, VPNs, and tooling. Your SSH client shouldn't be another recurring line item.
+
+## WebSSH: One Purchase, No Subscription
+
+WebSSH has been on the App Store since **2012** — over a decade of continuous updates, maintained by a single developer, funded entirely by one-time purchases.
+
+!!! abstract "What you get with a single purchase"
+    - WebSSH PRO on **all your Apple devices** (iPhone, iPad, Mac, and even Vision Pro) with the same Apple ID
+    - Every future update included — no "PRO 2.0" upsell
+    - Family Sharing support — up to 6 family members, no extra cost
+    - No ads, no data collection, no marketing tracking
+
+The free version is generous: full SSH, SFTP, and Telnet support, with one saved connection. If you need more saved connections, the PRO upgrade is a one-time purchase.
+
+## Feature Comparison
+
+See the [full feature comparison](/documentation/pricing/) for FREE vs PRO details.
+
+## Your Data Stays on Your Device
+
+WebSSH stores your connections, credentials, and private keys locally on your device. Sync across your own Apple devices happens through your personal iCloud account — your data never passes through any third-party server.
+
+This matters when you're storing SSH private keys and server credentials. You should know exactly where that data lives.
+
+**Keep connections organised:**
+
+Use groups and tags to organise servers by environment (production, staging, homelab) or client. See [Arrange Connections Inside Folders](/documentation/help/howtos/arrange-connections-inside-folders/).
+
+## Student and Educator Discounts
+
+If the one-time price is a barrier, discounts are available for students and educators. [Contact me](/documentation/contact-me/) for a discount code.
+
+## Frequently Asked Questions
+
+??? question "If I buy on iPhone, do I get it on iPad too?"
+    Yes. One purchase unlocks PRO on all devices using the same Apple ID — iPhone, iPad, Mac, and Vision Pro.
+
+??? question "Does WebSSH support Apple Family Sharing?"
+    Yes. One purchase can be shared with up to 6 family members through Apple's Family Sharing feature.
+
+??? question "Will future versions be free updates or paid upgrades?"
+    All updates to WebSSH have been free since 2012. There has never been a paid major version upgrade.
+
+??? question "What happens if I delete the app?"
+    Your purchase is tied to your Apple ID. Reinstall WebSSH and restore your purchase from **Settings → App Store → Restore Purchase**. See [Restore Purchases](/documentation/help/restore-purchases/).
+
+??? question "Can I try before I buy?"
+    Yes. The free version of WebSSH is fully functional with one saved connection. Use it as long as you need before deciding.
+
+## Get Started
+
+- [Download WebSSH on the App Store](https://apps.apple.com/us/app/webssh-sysadmin-tools/id497714887)
+- [SSH into a Synology NAS from iPhone or iPad](/documentation/guides/synology-ssh-iphone-ipad/)
+- [SSH into a Raspberry Pi from iPhone or iPad](/documentation/guides/raspberry-pi-ssh-ios/)
+- [Access Your Homelab via SSH Tunnel on iOS](/documentation/guides/homelab-ssh-tunnel-ios/)
+- [Transfer Files via SFTP on iPhone and iPad](/documentation/guides/sftp-file-transfer-iphone/)

documentation/src/docs/documentation/guides/raspberry-pi-ssh-ios.md

@@ -0,0 +1,128 @@
+---
+title: How to SSH into a Raspberry Pi from iPhone or iPad
+---
+
+# How to SSH into a Raspberry Pi from iPhone or iPad
+
+The Raspberry Pi is a staple of home labs, automation projects, and self-hosted services. WebSSH turns your iPhone or iPad into a capable terminal — so you can check logs, restart services, or run commands on your Pi without needing a laptop nearby.
+
+This guide covers everything from enabling SSH on the Pi to connecting securely from iOS with a private key.
+
+## Prerequisites
+
+### Enable SSH on Your Raspberry Pi
+
+SSH is disabled by default on recent Raspberry Pi OS images. Enable it before trying to connect.
+
+**If you have physical access to the Pi:**
+
+1. Open a terminal on the Pi (or connect a keyboard and monitor)
+2. Run `sudo raspi-config`
+3. Navigate to **Interface Options → SSH → Enable**
+4. Reboot: `sudo reboot`
+
+**Headless setup (no monitor needed):**
+
+Before first boot, place an empty file named `ssh` (no extension) in the `/boot` partition of the SD card. The Pi will enable SSH automatically on first boot.
+
+### Find Your Pi's IP Address
+
+From another device on the same network, you can find the Pi's IP with:
+
+```bash
+ping raspberrypi.local
+```
+
+Or check your router's DHCP table. The Pi's hostname is `raspberrypi` by default (or whatever you set it to).
+
+!!! tip "Set a static IP"
+    For a device you'll connect to regularly, assign a static IP in your router's DHCP settings or configure a static address on the Pi itself. This way the address never changes.
+
+## Add the Connection in WebSSH
+
+1. Open **WebSSH** on your iPhone or iPad
+2. Tap **+** to create a new connection
+3. Fill in the fields:
+    - **Name:** e.g. `Pi - Home Lab`
+    - **Host:** your Pi's IP address or `raspberrypi.local`
+    - **Port:** `22` (default)
+    - **Username:** `pi` (default) or whatever user you created
+4. Choose **Password** or **Private Key** for authentication
+5. Tap **Save**, then tap the connection to connect
+
+!!! warning "Change the default password"
+    The default `pi` user with password `raspberry` is well known. If you haven't already, change it with `passwd` before exposing SSH to any network.
+
+## Use Key-Based Authentication (Recommended)
+
+A private key is both more secure and more convenient than a password. Here's how to set it up using WebSSH:
+
+**Step 1 — Generate a key in WebSSH:**
+
+1. Go to **Settings** (gear icon)
+2. Tap **SSH Keys → + → Generate**
+3. Choose **ED25519**
+4. Tap the key to copy the public key
+
+**Step 2 — Authorize the key on the Pi:**
+
+Connect once with a password, then run:
+
+```bash
+mkdir -p ~/.ssh
+echo "PASTE_YOUR_PUBLIC_KEY_HERE" >> ~/.ssh/authorized_keys
+chmod 700 ~/.ssh
+chmod 600 ~/.ssh/authorized_keys
+```
+
+**Step 3 — Update your WebSSH connection:**
+
+Edit the connection and switch authentication to your private key. You won't be asked for a password again.
+
+## Connecting to Your Pi from Outside Your Home
+
+By default, your Pi is only reachable from your local network. To reach it from anywhere:
+
+**Option 1 — Port forwarding (simple, less secure):**
+
+Forward port `22` (or a custom port) from your router to the Pi's local IP. Then connect using your public IP or a dynamic DNS hostname.
+
+!!! warning "If you expose SSH to the internet"
+    Use key-based auth only. Disable password authentication in `/etc/ssh/sshd_config` by setting `PasswordAuthentication no`.
+
+**Option 2 — SSH tunnel through a VPS (more secure):**
+
+If you have a cheap VPS or cloud server, you can set up a reverse tunnel so the Pi connects outward to the VPS, and you SSH into the VPS to reach the Pi. This avoids opening any ports on your home router.
+
+**Option 3 — Tailscale or WireGuard:**
+
+Install a VPN like Tailscale on the Pi and your iPhone. No port forwarding needed; everything is encrypted peer-to-peer.
+
+## Multiple Terminals at Once
+
+WebSSH lets you open multiple SSH sessions simultaneously. Useful when you need one terminal for logs and another for commands:
+
+1. Connect to your Pi
+2. Tap the terminal icon to open another session
+3. See [Launching Multiple Terminals](/documentation/help/howtos/launching-multiple-terminals/) for details
+
+## Troubleshooting
+
+??? question "ssh: connect to host raspberrypi.local port 22: Connection refused"
+    SSH is not enabled. Connect a monitor and keyboard to the Pi, run `sudo raspi-config` and enable SSH under Interface Options.
+
+??? question "raspberrypi.local doesn't resolve"
+    mDNS (Bonjour) may not be working on your network. Use the Pi's IP address directly instead. Find it in your router's DHCP table or run `hostname -I` on the Pi.
+
+??? question "Permission denied (publickey)"
+    The public key isn't correctly installed on the Pi. Check that `~/.ssh/authorized_keys` contains your key, and that permissions are `700` for `~/.ssh` and `600` for `authorized_keys`.
+
+??? question "Connection drops when I switch apps"
+    This is an iOS background execution limit. On iPad, use Split View or Slide Over to keep WebSSH visible. See [tmux](/documentation/help/howtos/tmux/create-attach-existing-tmux-session/) to keep your session alive server-side regardless of the iOS connection state.
+
+## Related Documentation
+
+- [SSH Public / Private Key Pair](/documentation/help/SSH/public-private-key/)
+- [Local Port Forwarding](/documentation/help/networking/local-port-forwarding/) — access services running on the Pi (web UI, databases, etc.)
+- [tmux — Create or Attach to an Existing Session](/documentation/help/howtos/tmux/create-attach-existing-tmux-session/)
+- [Launching Multiple Terminals](/documentation/help/howtos/launching-multiple-terminals/)