This wiki was updated to MediaWiki 1.37. If you notice any issues, please report them to admin[at]

SDB:OpenSSH tunnels

Jump to: navigation, search
Icon-update.png Update to version: 13.1
This article needs to be tested for a newer version. If you are using this guide on the newer version and you find the guide up-to-date to this version, please add the version number to the Knowledge bar. Please refer to version related jobs: SDB pages for more information.

Tested on openSUSE


Most programs making use of TCP connections can be passed over a secure tunnel using OpenSSH. This is used to multiplex additional TCP connections over a single ssh connection. It is useful for concealing connections and encrypting protocols which are otherwise unsecured, and for bypassing firewalls. UDP connections may sometimes be tunneled with the aid of programs such as netcat. Examples of easily tunneled programs include the X Window System, HTTP using a proxy and VNC. An X Window System tunnel is often created automatically between two Unix computers, so GUI programs from remote computers can be run simply by typing their names.


You must have an up and running SSHD and SSH. Also you have to be familiar with configuring them. If not, please refer to openSSH and Configure openSSH

Port Forwarding

One of the most common ways to tunnel applications, is by port forwarding. You could, by example forward port 139, to tunnel SMB connections, or port 80 to tunnel a web server. Both localhost ports and remote address ports can be forwarded. This can be handy if you would like to forward your router's website which is located in your SSHD server network. In order to allow Port forwarding, edit /etc/ssh/ssh_config with your favorite editor and set, if it isn't already:

AllowTcpForwarding yes

The setting of which and how ports are to be forwarded is done in one of the SSH config files or on the command line. In this examples we will use the personal configuration file ~/.ssh/config. Putting the options in /etc/ssh/sshd_config will work the same, but will be applicable for all users.

Local Forward

On a *NIX system, forwarding to a port lower than 1024 is a privileged actions and can often only be done by root. As a normal user you can still forward lower ports, but you will have to "bind" them on a higher port on the host where the port is forwarded to.

Local Forward means: forwarding a port from the server and "bind" it to a port on the client. Ports will by default be binded to the "localhost:port" address. If you specify an interface address (which must be an existing address of one of your computer's network interfaces) it will be binded to this address and can be accessed by other hosts, where your firewall allows. This will be a typical setting of a defined host based port forward. As normal user edit ~/.ssh/config with your favorite editor:

## These are just settings to define a host. Use "Host *" if you want to configure it for all hosts. You can define as must host as you like.
Host ssh-server
   Port 2222
## Here we will define the Local Forwards ##
# This forwards a POP3 server that is active on "ssh-server"
   LocalForward 1110 ssh-server:110
# This forwards a web server (eg your router) which is not active on "ssh-server"
   LocalForward 8080
# This forwards a squid proxy server that is active on "ssh-server" and binds it to an interface adress.
   LocalForward ssh-server:3128 

Remote Forward

Remote Forward means: forwarding a port from the client and "bind" it to a port on the server. Port binding behauvior is identical to Local Forward. This option will come in handy if you would like to make a service available to your SSHD server, which is only available in your local network. In addition to above examples:

# This forwards a local NFS server to "ssh-server".
   RemoteForward 1025 localhost:1025
# This forwards a local SSHD server to "ssh-server" and binds it to an interface address on "ssh-server"
   RemoteForward localhost:22

Dynamic Forward / creating SOCKS

Dynamic Forward gives you the possibility to create an "ad-hoc" proxy server. This is to support more flexible proxying than is possible with ordinary port forwarding. With this option only the "bind" address and port on the client are specified. All connection requests on this address will automatically be forwarded to the applicable address and port on the server side. When no "bind" address is specified, it will by default "bind" on localhost.

SOCKS tunneling is supported by the following popular programs: Chrome, Gnome-shell, and many others

In addition to above examples:

# This establishes a SOCKS server that listens on "localhost:1080".
   DynamicForward 1080
# This establishes a SOCKS server that listens on "", where your Firewall allows.
# The command line flag would be:
   $ ssh -D 5555

GatewayPorts option

To prevent anybody else from using your local forwarded ports, ports are usually "bind" to the localhost address. The GatewayPorts option gives you to choice to change this. Setting this option to yes will change the default "bind" to the wildcard address, meaning all your configured addresses. (local and external interfaces). You can add this line to one of you configuration files to enable it.:

GatewayPorts yes

tun-based VPN

Icon-expand.png This article is a stub!
This article needs to be expanded. You are welcome to help in line with the Style Guidelines.

Beginning with version 4.3, OpenSSH implements an OSI layer 2/3 "tun"-based VPN. This is the most flexible of OpenSSH's tunneling capabilities, allowing applications to transparently access remote network resources without "socksification."

See also

External links