Port Forwarding and Proxying Using OpenSSH

Updated on January 18, 2019
Port Forwarding and Proxying Using OpenSSH header image


SSH, also known as Secure Shell, can be used for much more than obtaining a remote shell. This article will demonstrate how SSH can be used for port forwarding and proxying.

The only prerequisites are an OpenSSH server (installed by default on Vultr Linux images) and an OpenSSH client (available on Linux, BSD and MS Windows.)


An SSH proxy is mainly used to proxy web traffic. For example, it can be used to secure your web traffic against an unsafe local network.

SSH port forwarding is often used to access services that are not publicly accessible. For instance, you could have a system administration web interface running on your server, such as Webmin, but only listening for connections on localhost for security reasons. In that case, you can use SSH to forward connections on a chosen port from your local machine to the port on which the service is listening server-side, thus granting you remote access to this particular service through the SSH tunnel. Another common scenario where SSH port forwarding is used, is accessing services on a remote private network through an SSH tunnel to a host on that private network.


Both proxying and port forwarding do not require any special configuration on your server. However, the usage of key-based authentication is always recommended with SSH. Please read How Do I Generate SSH keys.

SSH proxy

Creating an SSH proxy is very simple, the general syntax is as follows:

ssh -D [bind-address]:[port] [username]@[server]

Where [bind-address] is the local address to listen on, [port] is the local port to listen on, [username] is your username on your server, and [server] is the IP address or hostname of your server. If [bind-address] is not specified, SSH will default to localhost which is desirable in most cases.

Here's a practical example:

ssh -D 8080 root@your_server

In order to use this proxy, you have to configure your browser to use SOCKSv5 as proxy type and 8080 as the proxy port.

SSH port forwarding

The general syntax of the command is the ensuing:

ssh -L [localport]:[remotehost]:[remoteport] [username]@[server]

Where [localport] is the port on which the SSH client will listen, [remotehost] is the IP address of the host to which the connections will be forwarded. This would be if you are tunneling connections to your server. Finally, [remoteport] is the port number on the server that is used by the service you're connecting to.

Example 1:

Consider having an important web service running on port 10000 on your server, but it is not publicly accessible. The following command would be used to establish an SSH tunnel to that service.

ssh -L 80: root@your_server

You will now be able to connect by typing in your local browser.

Example 2:

You have two Vultr servers on a private network. One is running a Linux distribution, the other is running MS Windows. On the Windows instance, an RDP server is running but not exposed to the internet for security reasons. Assuming is the private IP address of the Windows machine, you can use the following command to connect to the Remote Desktop server via a port on your computer:

ssh -L 3389: root@your_server

Any RDP connection from your computer to itself will now be tunneled through your Linux server to your Windows server.