diff --git a/ccp/modules/ssh-tunnel-compose.yml b/ccp/modules/ssh-tunnel-compose.yml
new file mode 100644
index 0000000..8c979d3
--- /dev/null
+++ b/ccp/modules/ssh-tunnel-compose.yml
@@ -0,0 +1,17 @@
+version: "3.7"
+
+services:
+  ssh-tunnel:
+    # For now use the docker hub image, until it is properly replicated
+    image: samply/ssh-tunnel:latest
+    container_name: bridgehead-ccp-ssh-tunnel
+    environment:
+      SSH_TUNNEL_USERNAME: "${SSH_TUNNEL_USERNAME}"
+      SSH_TUNNEL_HOST: "${SSH_TUNNEL_HOST}"
+    volumes:
+      - "/etc/bridgehead/ssh-tunnel.conf:/ssh-tunnel.conf:ro"
+    secrets:
+      - privkey
+secrets:
+  privkey:
+    file: /etc/bridgehead/pki/ssh-tunnel.priv.pem
diff --git a/ccp/modules/ssh-tunnel-setup.sh b/ccp/modules/ssh-tunnel-setup.sh
new file mode 100644
index 0000000..8cedd50
--- /dev/null
+++ b/ccp/modules/ssh-tunnel-setup.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+  if [ -n "$ENABLE_SSH_TUNNEL" ]; then
+    log INFO "SSH Tunnel setup detected -- will start SSH Tunnel."
+    OVERRIDE+=" -f ./$PROJECT/modules/ssh-tunnel-compose.yml"
+  fi