Simple SSH Tunnels: Securely Forward Ports with EaseSSH (Secure Shell) is best known for encrypted remote login, but one of its most powerful and underused features is port forwarding — commonly called SSH tunneling. SSH tunnels let you securely forward network traffic from one system to another through an encrypted channel, protecting sensitive data, bypassing network restrictions, and enabling secure access to internal services without exposing them to the public internet. This article explains what SSH tunnels are, how they work, common use cases, step-by-step examples, best practices, and troubleshooting tips so you can set them up confidently and securely.
What is an SSH tunnel?
An SSH tunnel is an encrypted connection created by SSH that forwards network traffic from a local port to a remote host or vice versa. There are three main types:
- Local port forwarding (L): Forwards a local port to a remote destination. Useful for accessing internal services from your local machine.
- Remote port forwarding ®: Forwards a remote port on the server to a service on your local machine. Useful for exposing a local service to a remote network.
- Dynamic port forwarding (D): Creates a SOCKS proxy that forwards many different connections through the SSH server, useful for routing arbitrary TCP traffic.
How SSH tunneling works (plain overview)
When you create an SSH tunnel, SSH listens on a given port (local or remote). Traffic sent to that port is encrypted and forwarded over the SSH connection to the other side, where it is decrypted and sent to the final destination. Because the tunnel is encrypted, intermediate network devices can’t read or tamper with the traffic. SSH handles authentication (passwords or keys), encryption, and the forwarding itself.
Common use cases
- Securely access internal web interfaces (e.g., admin dashboards, databases) without opening them to the internet.
- Securely browse the web through a remote network using a SOCKS proxy (dynamic forwarding).
- Bypass restrictive firewalls or censorship by routing traffic through a server you control.
- Connect to an internal database or service during development without changing network configuration.
- Expose a local development server to a remote colleague temporarily using remote forwarding.
Prerequisites
- SSH client installed (most Unix-like systems have OpenSSH; Windows 10+ includes OpenSSH client; PuTTY available on Windows).
- SSH access to a server (username, host, and authentication method — password or SSH key).
- Permission on the SSH server to create port forwards (some servers restrict remote forwarding).
Examples: local, remote, and dynamic forwarding
Below are practical examples using OpenSSH (ssh command). Replace user, server.example.com, and ports as needed.
- Local port forwarding — access a remote internal service locally
ssh -L 8080:internal.service.local:80 [email protected]
- Opens local port 8080. Visiting http://localhost:8080 on your machine will forward through the SSH server to internal.service.local:80.
- Remote port forwarding — expose a local service to a remote host
ssh -R 9000:localhost:3000 [email protected]
- Opens remote port 9000 on server.example.com. Connections to server.example.com:9000 are forwarded to your local machine on port 3000.
- Dynamic port forwarding — create a SOCKS proxy
ssh -D 1080 [email protected]
- Opens a local SOCKS proxy at localhost:1080. Configure your browser or system proxy to use SOCKS5 at localhost:1080 to route traffic through the SSH server.
Tip: Add -N to prevent running a remote shell (useful when only tunneling):
ssh -N -L 8080:internal.service.local:80 [email protected] Authentication and keys
Using SSH key authentication (public/private key pairs) is more secure and convenient than passwords. Generate a key pair with:
ssh-keygen -t ed25519 -C "[email protected]" Copy the public key to the server:
ssh-copy-id [email protected] Then connect using the key:
ssh -i ~/.ssh/id_ed25519 -L 8080:internal.service.local:80 [email protected] Security best practices
- Use SSH keys (prefer ed25519 or RSA 4096).
- Disable password authentication on servers you control.
- Restrict which users can forward ports in sshd_config (AllowTcpForwarding, PermitOpen).
- Use strong passphrases or an SSH agent for private keys.
- Limit remote forwarded ports to specific addresses (GatewayPorts and PermitOpen).
- Monitor SSH logs for unusual port forwarding activity.
- Keep SSH server software up to date.
Common issues and troubleshooting
- “Connection refused” when connecting to forwarded port: Check whether the target service is running and listening on the expected interface/port.
- Remote port not reachable: Server may block GatewayPorts; check /etc/ssh/sshd_config and set GatewayPorts yes (careful—this can expose services).
- Permission denied for forwarding: The server may have AllowTcpForwarding set to no or ForceCommand preventing tunnels.
- DNS/resolution issues: Use IPs in tunnels or ensure the server can resolve internal hostnames.
- Firewalls: Ensure firewall rules allow the forwarded ports.
Useful commands:
- Check active tunnels locally:
ss -tnlp | grep ssh - View SSH server logs (often /var/log/auth.log or journalctl -u sshd).
When not to use SSH tunnels
- For high-performance production proxies — dedicated VPNs or proxies are often more appropriate.
- To bypass legal or policy restrictions — ensure you comply with laws and organizational policies.
- For complex multi-user proxying at scale — use purpose-built solutions (VPN, reverse proxy, or load balancer).
Quick checklist for setting up a simple local tunnel
- Ensure SSH access to a server.
- Choose an available local port (e.g., 8080).
- Run: ssh -N -L
: : user@server - Point your client (browser, app) to localhost:
- Close tunnel with Ctrl+C when done or run in background with autossh for persistence.
SSH tunnels are a lightweight, secure, and flexible way to forward ports and protect network traffic. With key-based authentication, careful server configuration, and a few simple commands you can quickly secure access to internal resources or route traffic through trusted infrastructure.
Leave a Reply