diff --git a/modules/ssh-tunnel-compose.yml b/modules/ssh-tunnel-compose.yml
new file mode 100644
index 0000000..5ca9989
--- /dev/null
+++ b/modules/ssh-tunnel-compose.yml
@@ -0,0 +1,17 @@
+version: "3.7"
+
+services:
+  ssh-tunnel:
+    image: docker.verbis.dkfz.de/cache/samply/ssh-tunnel
+    container_name: bridgehead-ccp-ssh-tunnel
+    environment:
+      SSH_TUNNEL_USERNAME: "${SSH_TUNNEL_USERNAME}"
+      SSH_TUNNEL_HOST: "${SSH_TUNNEL_HOST}"
+      SSH_TUNNEL_PORT: "${SSH_TUNNEL_PORT:-22}"
+    volumes:
+      - "/etc/bridgehead/ssh-tunnel.conf:/ssh-tunnel.conf:ro"
+    secrets:
+      - privkey
+secrets:
+  privkey:
+    file: /etc/bridgehead/pki/ssh-tunnel.priv.pem
diff --git a/modules/ssh-tunnel-setup.sh b/modules/ssh-tunnel-setup.sh
new file mode 100644
index 0000000..eb49f1c
--- /dev/null
+++ b/modules/ssh-tunnel-setup.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+if [ -n "$ENABLE_SSH_TUNNEL" ]; then
+	log INFO "SSH Tunnel setup detected -- will start SSH Tunnel."
+	OVERRIDE+=" -f ./$PROJECT/modules/ssh-tunnel-compose.yml"
+fi
diff --git a/modules/ssh-tunnel.md b/modules/ssh-tunnel.md
new file mode 100644
index 0000000..4240b19
--- /dev/null
+++ b/modules/ssh-tunnel.md
@@ -0,0 +1,19 @@
+# SSH Tunnel Module
+
+This module enables SSH tunneling capabilities for the Bridgehead installation.
+The primary use case for this is to connect bridgehead components that are hosted externally due to security concerns.
+To connect the new components to the locally running bridgehead infra one is supposed to write a docker-compose.override.yml changing the urls to point to the corresponding forwarded port of the ssh-tunnel container.
+
+## Configuration Variables
+
+- `ENABLE_SSH_TUNNEL`: Required to enable the module
+- `SSH_TUNNEL_USERNAME`: Username for SSH connection
+- `SSH_TUNNEL_HOST`: Target host for SSH tunnel
+- `SSH_TUNNEL_PORT`: SSH port (defaults to 22)
+
+## Configuration Files
+
+The module requires the following files to be present:
+
+- `/etc/bridgehead/ssh-tunnel.conf`: SSH tunnel configuration file. Detailed information can be found [here](https://github.com/samply/ssh-tunnel?tab=readme-ov-file#configuration).
+- `/etc/bridgehead/pki/ssh-tunnel.priv.pem`: The SSH private key used to connect to the `SSH_TUNNEL_HOST`. **Passphrases for the key are not supported!**
\ No newline at end of file