SSH Tunneling

SSH tunneling (port forwarding) lets you route TCP traffic through an encrypted SSH connection. This allows you to securely access services that are not exposed to the internet (databases, internal dashboards), expose local services to remote servers, and create encrypted proxies. It is one of the most useful advanced SSH features for day-to-day administration work.

What is SSH tunneling?

Local port forwarding:
  Your machine:3306 → [SSH tunnel] → SSH server → Database:3306
  Access the remote DB as if it were local: mysql -h 127.0.0.1 -P 3306

Remote port forwarding:
  Remote machine:8080 → [SSH tunnel] → Your machine → Local app:3000
  Expose your local development server to a remote host

Dynamic port forwarding (SOCKS):
  Browser → [SOCKS proxy on :1080] → [SSH tunnel] → SSH server → Internet
  All browser traffic routed through the remote server

Local port forwarding

# -L LOCAL_PORT:REMOTE_HOST:REMOTE_PORT
# Access remote MySQL (port 3306) as if it were local:
ssh -L 3306:localhost:3306 user@db-server

# In another terminal: connect to the database
mysql -h 127.0.0.1 -P 3306 -u myapp -p

# Access an internal web app (reachable from jump-server but not from your machine):
ssh -L 8080:internal-webapp:80 user@jump-server
# Now browse to http://localhost:8080

# Run tunnel in background (-f = background, -N = no remote command)
ssh -fN -L 8080:internal-webapp:80 user@jump-server

# Find the background SSH process
ps aux | grep "ssh -fN"

Remote port forwarding

# -R REMOTE_PORT:LOCAL_HOST:LOCAL_PORT
# Expose your local development server (port 3000) on the remote server's port 8080:
ssh -R 8080:localhost:3000 user@remote-server

# Anyone on remote-server can now access your local app:
# curl http://localhost:8080 (from remote-server terminal)

# Allow external access to the remote port (requires GatewayPorts yes in sshd_config):
ssh -R 0.0.0.0:8080:localhost:3000 user@remote-server
# Now accessible from anywhere at remote-server-ip:8080

⚠️ WARNING: Remote port forwarding with GatewayPorts yes exposes a port on the remote server to the internet. Only enable this for specific use cases and ensure the service on that port has its own authentication. Disable AllowTcpForwarding in sshd_config on servers where tunneling should not be permitted.
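To check how a server is actually configured for the options named in the warning above, this added example (not part of the original article) audits the effective settings that `sshd -T` prints. The function name `audit_sshd_forwarding` and the sample input are constructed for illustration; the fallback values are the OpenSSH defaults.

```shell
#!/bin/sh
# Added example: audit the forwarding keywords discussed in this article.
# Input (stdin): effective server config as printed by `sudo sshd -T`,
# which emits lowercase "keyword value" lines.
# Output: one finding per line; nothing when no forwarding risk is found.
audit_sshd_forwarding() {
  awk '
    $1 == "allowtcpforwarding" { atf = $2 }
    $1 == "gatewayports"       { gp  = $2 }
    $1 == "permitopen"         { po = $0; sub(/^permitopen[ \t]+/, "", po) }
    END {
      # OpenSSH defaults, used if a keyword is missing from the input
      if (atf == "") atf = "yes"
      if (gp  == "") gp  = "no"
      if (po  == "") po  = "any"
      local_ok  = (atf == "yes" || atf == "all" || atf == "local")
      remote_ok = (atf == "yes" || atf == "all" || atf == "remote")
      # -R with GatewayPorts yes/clientspecified: listener may bind 0.0.0.0
      if (remote_ok && gp != "no")
        print "HIGH gatewayports=" gp ": -R listeners can bind non-loopback addresses"
      # -R with GatewayPorts no: listener stays on the server loopback
      if (remote_ok && gp == "no")
        print "INFO allowtcpforwarding=" atf ": -R allowed, listeners limited to loopback"
      # -L/-D with no PermitOpen restriction: any destination the server can reach
      if (local_ok && po == "any")
        print "WARN permitopen=any: -L/-D can reach any host:port the server can"
    }
  '
}

# Constructed sample (not from a real host): the GatewayPorts setup shown above.
sample_exposed='allowtcpforwarding yes
gatewayports yes
permitopen any'
printf '%s\n' "$sample_exposed" | audit_sshd_forwarding

# On a real server: sudo sshd -T | audit_sshd_forwarding
```
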

Dynamic port forwarding (SOCKS proxy)

# -D creates a SOCKS5 proxy on a local port
# All traffic routed through the SSH server
ssh -D 1080 user@ssh-server

# Configure your browser to use SOCKS5 proxy at 127.0.0.1:1080
# In Firefox: Settings → Network → Manual proxy → SOCKS Host: 127.0.0.1, Port: 1080

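# Use curl through the SOCKS proxy
# --socks5-hostname resolves the name on the proxy side; plain --socks5 resolves
# it locally, which fails for internal-only names and sends the DNS lookup outside the tunnel
curl --socks5-hostname 127.0.0.1:1080 https://api.internal-service.com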

Keeping tunnels alive with autossh

sudo apt install -y autossh

# autossh automatically restarts the SSH tunnel if it drops
autossh -M 0 -fN -L 3306:localhost:3306 user@db-server
# -M 0: disable monitoring port (use ServerAliveInterval instead)
# Add to ~/.ssh/config (or system-wide /etc/ssh/ssh_config): ServerAliveInterval 60

# Create a systemd service for a persistent tunnel:
sudo nano /etc/systemd/system/ssh-tunnel-db.service

autossh systemd service

[Unit]
Description=AutoSSH tunnel to DB server
After=network-online.target

[Service]
User=irfan
ExecStart=/usr/bin/autossh -M 0 -N -L 3306:localhost:3306 db-server
Restart=always
RestartSec=5
Environment="AUTOSSH_GATETIME=0"

[Install]
WantedBy=multi-user.target

# Enable and start the service:
sudo systemctl enable --now ssh-tunnel-db

Conclusion

Local port forwarding (-L) is the most useful tunnel type for admins: access databases, dashboards, and internal services as if they were running locally. Remote port forwarding (-R) is useful for exposing development servers. For persistent tunnels, use autossh wrapped in a systemd service so it automatically reconnects after network interruptions. When tunneling is not needed, disable it in sshd_config with AllowTcpForwarding no to reduce the server's attack surface.

FAQ

Is SSH Tunneling important for Ubuntu administrators?

Yes. It supports practical Ubuntu administration because it connects directly to server reliability, security, troubleshooting, or daily operations.

Should I practice this on a live server?

Use a lab VM first. After you understand the command output and rollback path, apply the workflow carefully on real systems.

What should I do after reading this article?

Run the practice commands, write down what each one shows, and continue to the next article in the Ubuntu roadmap.
