diff --git a/Dockerfile b/Dockerfile
index b65d232..9b1bb72 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,16 +10,19 @@ LABEL org.opencontainers.image.version="$IMAGE_VERSION"
 ENV KILL_SWITCH=on \
 VPN_LOG_LEVEL=3 \
 HTTP_PROXY=off \
- SOCKS_PROXY=off
+ SOCKS_PROXY=off \
+ SSH_TUNNEL=off
 RUN apk add --no-cache \
 bash \
 bind-tools \
 dante-server \
 openvpn \
- tinyproxy
+ tinyproxy \
+ openssh
-RUN mkdir -p /data/vpn
+RUN mkdir -p /data/vpn \
+ /data/ssh
 COPY data/ /data
diff --git a/data/scripts/entry.sh b/data/scripts/entry.sh
index d746783..b0d9f2d 100755
--- a/data/scripts/entry.sh
+++ b/data/scripts/entry.sh
@@ -31,6 +31,7 @@ echo "
 Kill switch: ${KILL_SWITCH:-off}
 HTTP proxy: ${HTTP_PROXY:-off}
 SOCKS proxy: ${SOCKS_PROXY:-off}
+SSH tunnel: ${SSH_TUNNEL:-off}
 Keep /etc/resolv.conf unchanged: ${KEEP_DNS_UNCHANGED:-no}
 Proxy username secret: ${PROXY_PASSWORD_SECRET:-none}
 Proxy password secret: ${PROXY_USERNAME_SECRET:-none}
@@ -212,6 +213,10 @@ if [[ "$SOCKS_PROXY" == "on" ]]; then
 /data/scripts/dante_wrapper.sh &
 fi
+if [[ "$SSH_TUNNEL" == "on" ]]; then
+ /data/scripts/sshtunnel_wrapper.sh &
+fi
+
 openvpn_args=(
 "--config" "$config_file_modified"
 "--auth-nocache"
diff --git a/data/scripts/sshtunnel_wrapper.sh b/data/scripts/sshtunnel_wrapper.sh
new file mode 100755
index 0000000..ca387b7
--- /dev/null
+++ b/data/scripts/sshtunnel_wrapper.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+echo -e "Running SSH Tunnel.\n"
+
+until ip link show tun0 2>&1 | grep -qv "does not exist"; do
+ sleep 1
+done
+
+passwd -d root
+adduser -D -s /bin/ash tunnel
+passwd -d tunnel
+chown -R tunnel:tunnel /home/tunnel
+ssh-keygen -A
+mkdir /home/tunnel/.ssh
+cp /data/ssh/id_rsa.pub /home/tunnel/.ssh/authorized_keys
+
+/usr/sbin/sshd -D
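Review bot: In the Dockerfile hunk, `openssh` is installed unconditionally although `SSH_TUNNEL` defaults to off and the wrapper only starts the daemon; on Alpine that package also brings the client tools, so `openssh-server` is probably enough (confirm that `ssh-keygen` is still installed with it). The new `/data/ssh` directory holds the authorised public key, so a short comment such as `# /data/ssh: mount id_rsa.pub here for the SSH tunnel user` next to the `mkdir` would document the expected mount. The Dockerfile continues outside the hunk, so any port or volume declarations for the tunnel are not visible here.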
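Review bot: In data/scripts/sshtunnel_wrapper.sh, `passwd -d root` and `passwd -d tunnel` leave both accounts with an empty password, so any process running as `tunnel` can become root inside the container without a credential, and password logins are held off only by sshd's defaults. Drop the root line, give `tunnel` a hash that matches no password (for example `echo 'tunnel:*' | chpasswd -e`), and start sshd with password and root login explicitly disabled. The script is also not restart-safe: `adduser` and `mkdir` fail on a second start, a missing `/data/ssh/id_rsa.pub` goes unnoticed, and `chown -R` runs before `.ssh` exists. Because `ssh-keygen -A` writes host keys into the container filesystem, clients will presumably see a new host key whenever the container is re-created; keeping the keys under a persistent path would avoid training users to ignore host-key warnings. A sketch of the account and sshd part follows.

```shell
# … unchanged: shebang, banner, wait for tun0 …

readonly pubkey=/data/ssh/id_rsa.pub
if [[ ! -s "$pubkey" ]]; then
  echo "SSH tunnel: $pubkey is missing or empty, not starting sshd." >&2
  exit 1
fi

# Restart-safe: the account may already exist from an earlier start.
id tunnel >/dev/null 2>&1 || adduser -D -s /bin/ash tunnel
# '*' lets key-based logins through but matches no password.
echo 'tunnel:*' | chpasswd -e

# … unchanged: ssh-keygen -A …
mkdir -p /home/tunnel/.ssh
cp "$pubkey" /home/tunnel/.ssh/authorized_keys
chmod 700 /home/tunnel/.ssh
chmod 600 /home/tunnel/.ssh/authorized_keys
# Ownership is set last so it also covers .ssh and authorized_keys.
chown -R tunnel:tunnel /home/tunnel

# -e sends sshd's log to stderr so login attempts show up in the container log.
/usr/sbin/sshd -D -e \
  -o PasswordAuthentication=no \
  -o PermitRootLogin=no \
  -o AllowUsers=tunnel
```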