Make sshd listen to a specific interface

On my machine I'm using OpenVPN, which uses the tun0 interface. I want sshd to listen only on this interface.

I know, I can specify the IP address to listen to in

/etc/ssh/sshd_config

with a

ListenAddress 0.0.0.0

directive. But my IP address will change, so I cannot choose an IP here which is always valid. I know that I can start the daemon only when the VPN is up - that's not the problem.

How can I make sshd only listen on a specific interface (tun0)?


You can't do that directly as sshd only understands IP addresses. You may be able to knock something together using an openvpn up script

--up cmd Shell command to run after successful TUN/TAP device open (pre --user UID change). The up script is useful for specifying route commands which route IP traffic destined for private subnets which exist at the other end of the VPN connection into the tunnel...

See also the --down option to clean up and the relevant parts of the documentation detailing script security etc.

You'll find the IP address of the tun device is passed to the script as an environment variable. Also sshd takes options on the command line of the form

-oSomeOption=SomeValue

-o option Can be used to give options in the format used in the configuration file. This is useful for specifying options for which there is no separate command-line flag. For full details of the options, and their values, see sshd_config(5).

So you could use

-o ListenAddress=<some address>

Presumably you have some out of band method of talking to your VPS so that when this breaks you can contact the server.
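As an added illustration of the approach the answer sketches (this is not the answer's own code or anything from OpenVPN or OpenSSH), here is one script that OpenVPN can run as both its --up and --down hook. It reads the tunnel address from the environment variable OpenVPN exports to the hook (ifconfig_local, together with script_type, which is "up" or "down"), validates it, and starts an sshd bound only to that address; on --down it stops that sshd again. The paths for sshd and the pid file are assumptions.

```shell
#!/bin/sh
# Added example (not from the answer): one OpenVPN hook script for --up and
# --down that starts an sshd bound only to the tunnel address and stops it
# again when the tunnel goes away.
#
# Assumptions: OpenVPN exports ifconfig_local (the tun address) and
# script_type ("up" or "down") to the hook, as its manual documents;
# sshd lives at /usr/sbin/sshd; the pid file path below is our own choice.

PIDFILE=/run/sshd-tun.pid          # assumed; kept separate from the distro's sshd
SSHD=/usr/sbin/sshd                # assumed location

# is_ipv4 ADDR: succeed only for a dotted quad with each octet in 0..255.
# Anything else (empty, IPv6, a hostname, shell metacharacters) is rejected
# so the value never reaches the sshd command line unchecked.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1            # split into octets; positional parameters are local to the function
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# sshd_listen_opt ADDR [PORT]: print the value for sshd's -o flag, e.g.
# "ListenAddress=10.8.0.6:22". Fails (prints nothing) for an invalid address.
sshd_listen_opt() {
    is_ipv4 "$1" || return 1
    printf 'ListenAddress=%s:%s' "$1" "${2:-22}"
}

# stop_previous: terminate the sshd this script started earlier, if its pid
# file is still there (a stale pid after a reboot is simply ignored by kill).
stop_previous() {
    [ -r "$PIDFILE" ] || return 0
    kill "$(cat "$PIDFILE")" 2>/dev/null || true
    rm -f "$PIDFILE"
}

# start_bound_sshd ADDR: start a fresh sshd listening on ADDR only. Refuses to
# start at all on a bad address rather than letting sshd fall back to its
# config-file defaults, which would mean listening on every interface.
start_bound_sshd() {
    opt=$(sshd_listen_opt "$1") || {
        echo "sshd-tun: refusing to start, unusable tunnel address '$1'" >&2
        return 1
    }
    stop_previous        # covers --up-restart, where the address may have changed
    "$SSHD" -o "$opt" -o "PidFile=$PIDFILE"
}

# Dispatch on the hook OpenVPN is running us as. Run by hand without these
# variables set, nothing happens and the functions above stay callable.
case "${script_type:-}" in
    up)   start_bound_sshd "${ifconfig_local:-}" ;;
    down) stop_previous ;;
esac
```

Wire it in with `up /etc/openvpn/sshd-tun.sh`, `down /etc/openvpn/sshd-tun.sh` and `script-security 2` in the OpenVPN client config (the script path is an assumption; it must be executable). Two things to check: sshd_config(5) permits multiple ListenAddress directives and they accumulate rather than override each other, so a ListenAddress line left in /etc/ssh/sshd_config (such as the 0.0.0.0 one in the question) would still be bound in addition to the tunnel address; and after the tunnel comes up, `ss -ltn` shows what sshd actually bound to, which is the thing worth confirming before relying on it.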