ZeroData Tools
Tools
JSON to CSV Custom Map nested JSON arrays into clean CSV files by visually selecting the exact columns you want. JSON Formatter Format and validate JSON instantly with no uploads, no server calls, and no stored data. JSON Validator Validate JSON instantly before deploys with local processing and zero server calls. YAML Validator Validate YAML files and catch indentation errors instantly with no uploads or backend processing. Base64 Encoder Encode or decode Base64 strings instantly with zero uploads. URL Encoder Encode and decode query parameters locally for APIs, redirects, and forms. HTML Formatter Pretty-print messy markup and inspect structure without exposing page code. CSS Minifier Shrink stylesheets for production with browser-only processing and instant output.
← Back to Blog DevOps

SSH Tunnel Guide: Local, Remote, and Dynamic Port Forwarding

· 18 min read
Need a quick solution?

Build your complex SSH tunneling commands visually in your browser with no syntax errors:

SSH (Secure Shell) is the foundational protocol of remote server administration. While most developers use it primarily to spawn an interactive terminal session on a remote Linux machine, SSH possesses incredibly powerful, built-in networking capabilities. A critical, non-negotiable skill for any DevOps engineer, backend developer, or system administrator is mastering the SSH tunnel.

An SSH tunnel allows you to securely route (or "forward") arbitrary network traffic between your local machine and a remote network by encrypting it inside an SSH connection. If you are struggling with complex port forwarding syntax, you can instantly build your commands using our free SSH Tunnel Generator. It requires no server uploads and processes everything locally on your machine, ensuring complete privacy while you map out your internal infrastructure.

In modern cloud environments—like AWS, Google Cloud, and Azure—infrastructure is increasingly isolated within Virtual Private Clouds (VPCs) with strict inbound firewall rules. The SSH tunnel acts as your secure skeleton key, allowing you to bypass these restrictions safely without exposing internal services to the public internet.

In this comprehensive SSH tunnel guide, we will dissect the three core types of port forwarding: Local, Remote, and Dynamic. We will explore real-world use cases, provide clear technical diagrams, and walk through advanced troubleshooting steps for the most notorious connection errors. By the end of this guide, you will have a deep, functional understanding of how to bend network traffic to your will using nothing but native SSH commands.

What Exactly is an SSH Tunnel?

At its core, an SSH tunnel is an encrypted TCP connection established between an SSH client (your local machine) and an SSH server (the remote host). Through a process formally known as port forwarding, the SSH client captures network traffic directed at a specific port on your machine and transports it through the encrypted pathway to a specific port on the remote end.

Think of an SSH tunnel as a highly secure, invisible pipe passing through a hostile environment (the public internet). Because the traffic inside the pipe is encrypted by the SSH protocol's cryptographic ciphers (such as ChaCha20-Poly1305 or AES-256-GCM), anyone intercepting the data packets only sees randomized ciphertext.

This mechanism achieves two primary goals simultaneously:

  1. Encryption: It allows you to securely transmit unencrypted protocols (like HTTP, FTP, Telnet, or VNC) over untrusted public networks.
  2. Routing: It bypasses strict corporate or cloud firewalls that drop all traffic except traffic destined for port 22 (the default SSH port).

If you want to understand the foundational architecture of SSH before diving into tunneling mechanics, we highly recommend reading our SSH Complete Guide for an exhaustive deep dive into SSH keys, identity management, ciphers, and key exchange algorithms.

Why Use an SSH Tunnel? Real-World Scenarios

SSH tunnels are indispensable, daily tools for several critical DevOps, software development, and security scenarios. Rather than opening firewall ports for every service, you can leverage a single SSH bastion host to access your entire network.

  • Securing Legacy Applications: Many internal administrative panels or legacy applications lack native TLS/HTTPS support. By tunneling their traffic through SSH, you provide a robust, modern layer of encryption without needing to modify the application's source code or configure reverse proxies.
  • Accessing Isolated Databases across VPCs: Strict cloud firewalls should entirely block access to internal databases (e.g., PostgreSQL on port 5432, MySQL on 3306, Redis on 6379). An SSH tunnel allows your local database GUI tool (like DBeaver or DataGrip) to connect to these databases securely by piggybacking on the allowed SSH port of a web server in the same VPC.
  • Exposing Local Development Environments: When you need to share a locally hosted web app with a client, test mobile app connectivity to a local API, or test a third-party webhook (like Stripe or GitHub), you can use remote port forwarding to securely expose your localhost to the public internet via a remote VPS.
  • Privacy, Anonymity, and Geo-Bypassing: Dynamic port forwarding can instantly turn any remote SSH server into a secure SOCKS5 proxy. This allows you to browse the internet from the perspective (and IP address) of that remote server, masking your local IP address and bypassing local network restrictions (like a coffee shop's Wi-Fi firewall).

At ZeroData Tools, our core philosophy is privacy-first processing. When working with sensitive network configurations—like IP addresses, hostnames, and port maps—you should never paste your architectural details into random online utilities that process your data on their backend servers. That is exactly why our SSH Tunnel Generator operates entirely in your browser via client-side JavaScript. Using SSH tunnels embraces this exact same zero-trust philosophy: encrypt the traffic locally, transit it securely, and never expose internal infrastructure directly to the wild internet.

1. Local Port Forwarding (-L)

Local port forwarding is by far the most common type of SSH tunnel. It forwards a port on your local machine (the SSH client) to a specific destination host and port via the remote SSH server.

You use local port forwarding when you want to access a remote resource (like an internal database, a private web server, or a monitoring dashboard) that is inaccessible directly from your machine, but is accessible from the SSH server you are logging into.

The Command Syntax

ssh -L [local_bind_ip:]local_port:destination_host:destination_port user@ssh_server
  • local_bind_ip: (Optional) The interface on your machine to bind to. Usually defaults to 127.0.0.1 (localhost).
  • local_port: The port you will connect to on your own local laptop/workstation.
  • destination_host: The IP or hostname of the target machine, resolved from the perspective of the SSH server.
  • destination_port: The port on the target machine you want to reach.
  • user@ssh_server: The credentials and address of the jump host or bastion server you are logging into to create the tunnel.

Visual Architecture Diagram

[Your Local Laptop] ===(Encrypted SSH Tunnel)===> [Bastion SSH Server] ---> [Target Destination Host]
localhost:8080                                      203.0.113.10              10.0.1.5:3306

Real-World Use Case 1: Accessing a Private Database

Imagine you have a production MySQL database running on an internal AWS network IP (10.0.1.5) on port 3306. Following security best practices, the database is in a private subnet and is completely blocked from the internet. However, you have SSH access to a bastion web server (203.0.113.10) that resides in a public subnet within the same VPC.

To connect your local database GUI to this private database, you set up a local port forward: 

ssh -N -f -L 3306:10.0.1.5:3306 [email protected]

What this command actually does:

  1. It opens port 3306 on your local laptop, creating a listening socket.
  2. Any TCP traffic sent to localhost:3306 is encrypted and sent to 203.0.113.10 over the established SSH connection.
  3. The SSH server decrypts the traffic and forwards it to 10.0.1.5 on port 3306 over the internal AWS network.

You can now point your local database client to 127.0.0.1 (localhost) on port 3306, and it will interact with the remote production database seamlessly and securely.

Real-World Use Case 2: Accessing the SSH Server's Own Localhost

Sometimes, the destination host is the SSH server itself. For example, a web application, an admin panel (like pgAdmin or a Jenkins dashboard), might be running locally on the remote server bound strictly to 127.0.0.1:8080. It is blocked by the cloud firewall and the local host binding. You can tunnel it to your machine's port 9000: 

ssh -N -L 9000:localhost:8080 [email protected]

Notice that destination_host is set to localhost. Because this is evaluated on the remote server, it refers to the remote server itself. Now, opening http://localhost:9000 in your local browser will display the remote web application securely.

2. Remote Port Forwarding (-R)

Remote port forwarding does the exact opposite of local port forwarding. It forwards a port on the remote SSH server back to a specific destination host and port from the perspective of your local machine.

You use remote port forwarding when you want to allow someone on the outside (or the remote server itself) to access a service running locally on your machine or deeply inside your private corporate network. This is effectively a DIY version of services like Ngrok or Cloudflare Tunnels.

The Command Syntax

ssh -R [remote_bind_ip:]remote_port:destination_host:destination_port user@ssh_server
  • remote_bind_ip: (Optional) The interface on the remote server to bind to. Usually defaults to 127.0.0.1.
  • remote_port: The port that will be opened and listening on the remote SSH server.
  • destination_host: The target machine (usually localhost, referring to your local laptop).
  • destination_port: The port of the local service you want to expose.

Visual Architecture Diagram

[Target Destination Host] <--- [Your Local Laptop] <===(Encrypted SSH Tunnel)=== [Remote SSH Server]
localhost:3000                 (Initiates SSH)                                     Public IP:8080

Real-World Use Case: Exposing Local Webhooks for Development

You are developing a Node.js or Python API locally on port 3000. You are integrating Stripe payments and need to test incoming webhooks to verify payment success events. Stripe cannot send HTTP requests to localhost:3000 on your laptop because you are behind a home router with Network Address Translation (NAT) and a dynamic IP.

If you have a cheap public VPS (e.g., vps.example.com), you can create a remote tunnel to securely expose your local environment to the public internet: 

ssh -N -R 8080:localhost:3000 [email protected]

What this command actually does:

  1. It tells the remote VPS to open port 8080 and listen for incoming traffic.
  2. When Stripe sends a webhook payload to http://vps.example.com:8080, the VPS grabs that traffic.
  3. The VPS securely sends the traffic back through the established SSH tunnel to your laptop.
  4. Your laptop forwards the traffic to localhost:3000, successfully hitting your local Node.js API.

The Crucial Security Step: The GatewayPorts Setting

By default, for strict security reasons, the SSH daemon on the remote server will only bind the remote forwarded port to its own loopback interface (127.0.0.1). This means in the example above, only the VPS itself (by running curl localhost:8080) could access the tunnel.

To allow external internet traffic (like Stripe's servers) to hit the forwarded port, you must edit the SSH server's configuration file (usually located at /etc/ssh/sshd_config) and add or modify this directive: 

GatewayPorts yes

After saving the file, restart the SSH daemon to apply the changes (sudo systemctl restart sshd on systemd-based Linux systems). Now, remote port forwarding will bind to 0.0.0.0, accepting external connections from any IP. Use this with caution, as it exposes your local port to the entire internet.

3. Dynamic Port Forwarding (-D)

Dynamic port forwarding transforms your SSH client into a powerful, local SOCKS proxy server (usually SOCKS4 or SOCKS5). Unlike Local or Remote forwarding—which statically map a single port to a single pre-defined destination—Dynamic forwarding routes all traffic sent to the local proxy port across the SSH tunnel, and resolves the destinations dynamically on the remote side.

The Command Syntax

ssh -D [local_bind_ip:]local_port user@ssh_server
  • local_port: The port on your laptop that will act as the listening SOCKS proxy server.

Visual Architecture Diagram

[Web Browser] ---> [Local SOCKS Proxy] ===(Encrypted Tunnel)===> [Remote SSH Server] ---> [Any Website]
                   localhost:1080                                                           (The Internet)

Real-World Use Case: Secure Browsing and IP Masking

Suppose you are working from an airport lounge or a coffee shop on an untrusted, unencrypted public Wi-Fi network. You want to ensure your web browsing is encrypted to prevent packet sniffing. Alternatively, perhaps you need to access corporate cloud resources (like an AWS S3 bucket) that are IP-restricted by a security group to only allow traffic from your company's designated VPN server.

You can start a dynamic SSH tunnel to your trusted server: 

ssh -N -D 1080 [email protected]

Next, you must configure your application to use the proxy. For example, in Firefox:

  1. Go to Settings > Network Settings.
  2. Select "Manual proxy configuration".
  3. Set the SOCKS Host to 127.0.0.1 and the Port to 1080.
  4. Select SOCKS v5 and optionally check "Proxy DNS when using SOCKS v5" to ensure DNS queries are also sent through the tunnel (preventing DNS leaks).

When you navigate to https://example.com, your browser sends the request to the local SOCKS proxy. The SSH client encrypts the request, sends it to the remote server, and the remote server fetches example.com on your behalf. To the website (and to AWS security groups), it appears as though the traffic is originating directly from the IP address of trusted-server.com, entirely bypassing the local coffee shop network's visibility and restrictions.

You can also test this quickly in the terminal using curl: 

curl -x socks5h://localhost:1080 http://ifconfig.me

SSH Command Flags Explained

When building SSH tunnels, you will frequently pair the primary forwarding flags (-L, -R, -D) with operational modifiers to streamline the connection process. You can mix and match these effortlessly using our visual SSH Command Builder tool to ensure you never make a syntax error.

  • -N (No Command): Instructs the SSH client not to start a shell session or execute remote commands. This is absolutely essential for dedicated tunnels, otherwise you will just be sitting in a remote terminal prompt.
  • -f (Fork to Background): Sends the SSH process to the background right after authentication completes. This is great for keeping tunnels alive while freeing up your current terminal window for other tasks.
  • -T (Disable Pseudo-TTY): Prevents terminal allocation. Often paired with -N to save resources on the server side.
  • -q (Quiet): Suppresses warnings and diagnostic messages. Useful for automated scripts.
  • -g (Gateway Ports): Allows remote hosts on your local network to connect to your locally forwarded ports (binds local forwards to 0.0.0.0 instead of 127.0.0.1).
  • -C (Compression): Requests compression of all data. This can improve performance on slow connections, but may increase CPU usage.

The ultimate, invisible, background SSH tunnel command usually looks exactly like this: 

ssh -f -N -q -L 3306:10.0.1.5:3306 user@bastion-server

Persisting Tunnels with SSH Config Files

Typing these verbose commands daily is inefficient and error-prone. You can persist your port forwarding rules in your local ~/.ssh/config file. When you connect to the host alias, the tunnels are established automatically. Use our SSH Config Generator to build these configuration profiles easily without reading man pages.

Here is a comprehensive example configuration that sets up a local forward, a remote forward, and a dynamic proxy all at once: 

Host dev-tunnel
  HostName 203.0.113.10
  User admin
  IdentityFile ~/.ssh/id_rsa
  ServerAliveInterval 60
  # Forward local port 3306 to internal DB
  LocalForward 3306 10.0.1.5:3306
  # Forward remote port 8080 to local Node app
  RemoteForward 8080 localhost:3000
  # Create local SOCKS proxy on port 1080
  DynamicForward 1080

With this saved, executing the simple command ssh -N dev-tunnel instantly sets up all three tunnels simultaneously, fully authenticated using your RSA key. The ServerAliveInterval 60 directive ensures the tunnel doesn't drop due to inactivity by sending a null packet every 60 seconds.

Advanced Troubleshooting and Common Errors

When working extensively with SSH tunnels, you will inevitably encounter errors. Here is how to diagnose and resolve the most common issues:

1. "bind: Address already in use"

This error indicates that the local port you are trying to forward (e.g., 3306) is currently occupied by another process on your operating system.

  • Cause: You already have a local MySQL server running on your laptop, or a previous SSH tunnel was sent to the background using the -f flag and is still running invisibly.
  • Fix: You can either choose a different local port (e.g., use -L 3307:10.0.1.5:3306) or find and kill the conflicting process. On macOS/Linux, find the PID holding the port using lsof -i :3306 or netstat -tuln | grep 3306, and then terminate it using kill -9 PID.

2. "Connection refused"

This happens when the SSH tunnel is successfully established, but the destination service at the end of the tunnel is not accepting your TCP connections.

  • Cause: The database or web server is down, a firewall on the destination host is blocking the connection from the SSH server, or the service is bound strictly to localhost (127.0.0.1) on the destination machine instead of a reachable network interface (like 0.0.0.0 or its VPC IP).
  • Fix: Log into the SSH server directly and run curl -v telnet://destination_host:destination_port to verify if the server itself can reach the target. Adjust the target service's bind address if necessary.

3. "Channel 3: open failed: administratively prohibited"

This highly specific, verbose error means the SSH server's administrator has explicitly blocked port forwarding capabilities.

  • Cause: The remote /etc/ssh/sshd_config file has directives like AllowTcpForwarding no or PermitOpen restrictions set.
  • Fix: You must gain administrative (root) access to the remote server and change AllowTcpForwarding yes, then restart the SSH service. If you are not the administrator, you will have to request this change.

4. Tunnel Keeps Disconnecting or Timing Out

If your tunnel drops after a few minutes of inactivity, NAT routers or stateful firewalls in between you and the server are dropping idle connections.

  • Fix: Add the -o ServerAliveInterval=60 flag to your SSH command, or add ServerAliveInterval 60 to your ~/.ssh/config file. This forces the client to send a keep-alive packet every 60 seconds.

Conclusion

Mastering SSH port forwarding transforms how you interact with isolated remote infrastructure. Whether you are utilizing Local forwarding to access hidden VPC databases, Remote forwarding to expose local webhook development environments, or Dynamic forwarding for secure proxy browsing, the SSH tunnel is an incredibly versatile and indispensable tool for modern DevOps.

Remember, you do not need to memorize the complex syntax. Utilize our browser-based ZeroData tools to generate your commands and configurations securely, without ever compromising your infrastructure data to third-party servers.

Frequently Asked Questions

What is an SSH tunnel?
An SSH tunnel is an encrypted connection created between a local machine and a remote server through which unencrypted traffic can be securely routed. It uses port forwarding to map network ports from one machine to another over the secure SSH protocol, effectively bypassing firewalls and securing data in transit.
What is the difference between local and remote port forwarding?
Local port forwarding (-L) forwards traffic from your local machine to a remote destination via an SSH server. Remote port forwarding (-R) reverses this, forwarding traffic from the remote SSH server back to your local machine or network. Local is for accessing remote resources; remote is for exposing local resources.
How does dynamic port forwarding work?
Dynamic port forwarding (-D) sets up a local SOCKS proxy server on your machine. It routes all traffic sent to that local proxy port through the SSH connection and out to the internet from the remote server's perspective, dynamically resolving destinations without needing to specify individual host and port mappings.
Why do I get a 'bind: Address already in use' error?
This error occurs when the local or remote port you are trying to forward is already being used by another application or an existing, lingering SSH tunnel session. You need to kill the existing process (using tools like lsof or netstat) or choose a different port.
Why is my remote port forwarding not accessible from the internet?
By default, remote port forwarding only binds to the remote server's loopback interface (localhost or 127.0.0.1). To expose the forwarded port to external networks, you must enable the 'GatewayPorts yes' directive in the SSH server's sshd_config file and restart the SSH service.
What does the -N flag do in SSH tunneling?
The -N flag instructs the SSH client not to execute a remote command and prevents an interactive shell from opening. This is explicitly used for port forwarding when you only want to create a tunnel in the background without running a shell session on the target server.
Are SSH tunnels completely secure?
SSH tunnels are highly secure as they encrypt the transit of data using the same strong cryptography as regular SSH sessions. However, the overall security also depends on the strength of your SSH keys, the cryptographic ciphers configured on the server, and the security posture of the endpoint destination.