SSH is best known for remote server access, but it can also forward network ports, a technique called SSH tunneling. With it you can securely access remote services, bypass firewalls, or wrap unencrypted protocols in an encrypted channel.

This guide covers three types of SSH tunnels with practical examples.

What Is SSH Tunneling?

SSH tunneling forwards network traffic through an encrypted SSH connection. It has three common use cases:

  • Local port forwarding – Forward a port on your local machine to a remote server.
  • Remote port forwarding – Expose a local service to the internet via a remote server.
  • Dynamic port forwarding – Create a SOCKS5 proxy that routes traffic through the remote server.

Prerequisites

You need a VPS with SSH access and a local machine with an SSH client (Linux and macOS have one built in; Windows users can use PowerShell or WSL).

We'll assume the remote VPS IP is 192.168.1.100, local port 8080, and remote port 3306 (MySQL). Adjust to your needs.

Local Port Forwarding

Situation: A database (MySQL) on your VPS listens on 127.0.0.1:3306, not publicly accessible. You want to connect to it from your local machine securely.

ssh -L 8080:localhost:3306 user@192.168.1.100

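After running this, connect your local MySQL client to 127.0.0.1:8080. The destination localhost:3306 is resolved on the VPS, not on your machine, so traffic travels encrypted through SSH and is then handed to the MySQL port on the VPS's loopback interface.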

Use case: Access remote databases, internal dashboards, or intranet sites.

Remote Port Forwarding

Situation: You have a local web server on port 3000 and want to expose it to the internet via your VPS.

ssh -R 9000:localhost:3000 user@192.168.1.100

Once external access is enabled on the VPS (see the security note below), anyone who can reach the VPS can open http://192.168.1.100:9000 and see your local web server. Useful for sharing a development site with teammates or clients.

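Security note: By default, sshd binds remote-forwarded ports to the loopback interface, so the port only accepts connections from the VPS itself. To allow external access, set GatewayPorts yes in /etc/ssh/sshd_config on the VPS. Set globally, this applies to every remote forward on the server, and the exposed service has no protection beyond whatever authentication it implements itself.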

Dynamic Port Forwarding (SOCKS5 Proxy)

Situation: You want to browse the web as if your traffic originates from the VPS (bypassing local restrictions).

ssh -D 1080 user@192.168.1.100

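This creates a SOCKS5 proxy on localhost:1080. Configure your browser to use this proxy, and the browser's traffic routes through the VPS. Check that the browser also sends DNS lookups through the proxy; otherwise name resolution still happens on the local network.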

Use case: Secure browsing on public Wi‑Fi, accessing geo‑blocked content, or masking your IP.

Persistent Tunnels with autossh

SSH tunnels can break. Use autossh to automatically restart them.

sudo apt install autossh -y
autossh -M 0 -NL 8080:localhost:3306 user@192.168.1.100

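The -M 0 option disables autossh's monitoring port, so autossh restarts the tunnel only when the ssh process itself exits. -N tells ssh not to run a remote command, and the -L argument works exactly as in the regular ssh example.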

Troubleshooting Common Issues

Port already in use: Choose a different local port. Check with netstat -tulpn | grep :8080.

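Connection refused: The remote service isn't listening on the expected interface. Ensure MySQL binds to 0.0.0.0 or 127.0.0.1. Binding to 127.0.0.1 is enough for the tunnel and keeps MySQL off the public interface; 0.0.0.0 makes it listen on every interface of the VPS.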

GatewayPorts no: For remote forwarding, the forwarded port on the VPS may only accept connections from the VPS itself. Set GatewayPorts yes in /etc/ssh/sshd_config on the VPS and restart SSH.
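
The security note under Remote Port Forwarding and the GatewayPorts fix above both widen what the server allows, so here is an added example (not part of the original guide) that audits the effective forwarding settings. It assumes input in the `keyword value` format printed by `sshd -T`; the function name and both sample configurations are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide. Reads "keyword value" lines in the
# format printed by `sshd -T` (effective server settings) and reports how far
# the -L, -R and -D tunnels from this guide are allowed to reach.
audit_forwarding() {
  awk '
    NF == 0 || $1 ~ /^#/ { next }                 # skip blanks and comments
    { seen[tolower($1)] = tolower($2) }
    END {
      # OpenSSH defaults apply when a keyword is missing from the input.
      gp = ("gatewayports" in seen)       ? seen["gatewayports"]       : "no"
      fw = ("allowtcpforwarding" in seen) ? seen["allowtcpforwarding"] : "yes"
      po = ("permitopen" in seen)         ? seen["permitopen"]         : "any"
      pl = ("permitlisten" in seen)       ? seen["permitlisten"]       : "any"
      rfwd = (fw == "yes" || fw == "all" || fw == "remote")
      lfwd = (fw == "yes" || fw == "all" || fw == "local")
      n = 0
      if (rfwd && gp == "yes") {
        print "WARN gatewayports=yes: every -R forward listens on all interfaces"; n++ }
      if (rfwd && gp != "no" && pl == "any") {
        print "WARN permitlisten=any: clients can open any public port with -R"; n++ }
      if (lfwd && po == "any") {
        print "INFO permitopen=any: -L and -D can reach any host:port the VPS can"; n++ }
      if (n == 0) print "OK no broad forwarding settings found"
    }'
}

# Constructed sample: effective settings after a global "GatewayPorts yes".
sample_open() {
  printf '%s\n' 'gatewayports yes' 'allowtcpforwarding yes' \
                'permitopen any' 'permitlisten any'
}
# Constructed sample: forwarding limited to the two tunnels used in this guide.
sample_scoped() {
  printf '%s\n' 'gatewayports clientspecified' 'allowtcpforwarding yes' \
                'permitopen localhost:3306' 'permitlisten 9000'
}

echo '== GatewayPorts yes ==';  sample_open   | audit_forwarding
echo '== scoped forwarding =='; sample_scoped | audit_forwarding
# On a real server: sudo sshd -T | audit_forwarding
```

With the scoped settings the remote forward has to name its bind address, for example ssh -R 0.0.0.0:9000:localhost:3000 user@192.168.1.100, because GatewayPorts clientspecified leaves that choice to the client.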

Next Steps

SSH tunneling is a powerful tool. Combine it with SSH keys and fail2ban for security. You can even use it to encrypt services that don't natively support SSL, like VNC or MongoDB.
