In the world of development and system administration, few tools are as quietly powerful as SSH port forwarding. At first glance, it can seem like an obscure command-line trick — something only network engineers care about. But once you grasp what it actually does, it becomes one of those “how did I ever work without this?” moments.
SSH port forwarding, or SSH tunneling, lets you create secure pathways between your local machine and remote servers. Instead of connecting to a database, service, or application directly, you route the connection through an encrypted SSH channel. This not only keeps your data secure but can also bypass firewalls and restrictive networks. In simpler terms, it’s like borrowing your SSH connection to safely carry any other kind of network traffic.
The Three Types of SSH Port Forwarding
1. Local Port Forwarding — Your Everyday Tunnel
Local port forwarding is the most common type. It allows you to connect to a remote service as if it were running on your own machine. Suppose you’re working remotely and need to connect to a company database that’s only accessible from inside the office network.
You can create a secure tunnel like this:
ssh -L 5432:db.company.com:5432 john@office-server.company.com
Now, by connecting to localhost:5432, you’re effectively talking to the office database through an encrypted channel — no VPNs, no complex setup, just one SSH command.
Short syntax:
ssh -L 8080:localhost:80 user@server
Long syntax:
ssh -L localhost:8080:localhost:80 user@server
2. Remote Port Forwarding — Sharing Local Services
Remote port forwarding works in the opposite direction. It allows a remote server to access a service running locally on your system.
For instance, imagine you’re testing a webhook integration. The service provider needs to send requests to your app, but your local machine isn’t publicly reachable. With remote forwarding, you can bridge that gap:
ssh -R 0.0.0.0:8080:localhost:80 john@my-public-server.com
Now, when the service sends a webhook to my-public-server.com:8080, it’s securely forwarded to your local app on port 80. No deployment needed — real-time testing made simple.
3. Dynamic Port Forwarding — Turning SSH into a Proxy
Dynamic port forwarding is where SSH becomes even more flexible. It sets up a SOCKS proxy, allowing your browser or applications to route traffic through an encrypted tunnel.
ssh -D 1080 john@home-server.com
After setting your browser’s proxy to localhost:1080, all traffic routes securely through your home server. This method is often used for debugging, testing network paths, or accessing region-specific resources.
Real-World Scenarios
Accessing Databases Behind Firewalls
Developers frequently deal with databases hidden behind bastion hosts. SSH port forwarding makes accessing them trivial:
ssh -L 3306:prod-db.internal:3306 john@bastion.company.com
Then, connect your client to localhost:3306, and you’re securely inside the production environment.
Working with Multiple Services
Testing microservices often requires talking to several remote services at once. Instead of juggling VPNs, you can open multiple tunnels in a single command:
ssh -L 8001:service1.dev:8080 -L 8002:service2.dev:8080 -L 8003:service3.dev:8080 john@dev-server.com
Now all your development endpoints are neatly mapped to your local ports.
Taking It Further
Multiple Port Forwards in One Command
ssh -L 5432:db:5432 -L 6379:redis:6379 -L 9200:elasticsearch:9200 john@dev-server.com
Access your entire stack through one tunnel — database, cache, and search service included.
Run Tunnels in the Background
ssh -f -N -L 5432:db:5432 john@server.com
The -f flag sends the process to the background, and -N tells SSH not to execute remote commands.
Persistent Connections with autossh
If you rely on tunnels that must stay alive, autossh helps automatically restart them when they drop:
autossh -M 0 -f -N -L 5432:db:5432 john@server.com
Simplify Using SSH Config
Tired of long commands? Add configurations to your SSH config file:
Host dev-tunnel
HostName dev-server.company.com
User john
LocalForward 5432 db.internal:5432
LocalForward 6379 redis.internal:6379
LocalForward 9200 elasticsearch.internal:9200
Now, connecting is as simple as:
ssh dev-tunnel
Security Tips
SSH forwarding inherits the strong encryption of SSH itself, but it’s important to use it wisely.
- Keep forwarded ports bound to
localhostunless necessary. - Use SSH key authentication instead of passwords.
- Keep both SSH client and server software updated.
If you must expose a forwarded port to other machines, use the
-gflag carefully:
ssh -g -L 5432:db:5432 john@server.com
When SSH Isn’t an Option
Sometimes you might not have a public SSH server, or you’re behind CGNAT where traditional forwarding doesn’t work. In such cases, tools like Pinggy provide a quick solution. Pinggy creates reverse tunnels from your local machine to a public URL, no router or IP configuration required.
Example command:
ssh -p 443 -R0:localhost:3000 a.pinggy.io
This instantly gives you a public URL forwarding traffic to your local app, useful for demos, quick tests, or webhook development.
Conclusion
SSH port forwarding is a quiet powerhouse - simple, reliable, and always there when you need it. It’s part of the standard SSH toolkit on nearly every Unix-like system, so there’s nothing extra to install.
Start small, forward a single local port to access a remote service. Once you’re comfortable, explore remote and dynamic forwarding for more complex setups. Before long, you’ll be securely connecting databases, debugging APIs, and bridging networks like a pro.
Understanding SSH port forwarding isn’t just about learning another command; it’s about mastering a fundamental technique that unlocks a new level of control, security, and flexibility in your workflow.
Top comments (0)