ArtsAutosBooksBusinessEducationEntertainmentFamilyFashionFoodGamesGenderHealthHolidaysHomeHubPagesPersonal FinancePetsPoliticsReligionSportsTechnologyTravel
  • »
  • Technology»
  • Computers & Software»
  • Computer How-Tos & Tutorials

What is SSH port forwarding and when would I use it?

Updated on April 24, 2014

Why do you (or why would you most want to) use ssh port forwarding?

See results

Secure Shell is a Swiss Army knife

Secure Shell goes beyond the scope of providing shell access for remote administration over a secure channel. The port forwarding functionality of ssh allows the remote system to act like a TCP proxy for your ssh client. With a few configuration directives, you can set up a secure tunnel between your client workstation and the remote SSH server:

  • to bypass firewall policy
  • to communicate with otherwise inaccessible private addresses
  • to secure communication with SSH encryption on an otherwise untrusted network

These are just a few examples of how ssh port forwarding can help make your life easier.

The following tutorial assumes you have access to SSH on some remote system. For an introduction to SSH, refer to my Hub on setting up SSH. If you don't already have a Linux- or Unix-based firewall in front of your home network, refer to Hubber skear's articles on pfsense: this one in particular.

Note that SSH only forwards TCP ports. This tutorial won't help you if you need to proxy UDP or some other protocol. (Read more about What's the difference between TCP and UDP?)

How do you reach your home computer when you're at work?
How do you reach your home computer when you're at work? | Source

How to phone home from work

I use SSH port forwarding to gain access to computers on my home network. Because my home network uses private IP addresses, without port forwarding they are inaccessible behind my home firewall. For security concerns, I configured my firewall to listen for SSH connections on an alternate port and I have restricted what networks are allowed to connect.

My iMac at home is configured to listen for remote desktop sessions using VNC. Here are the steps I take to access the remote desktop from another location:

  • make use of a dynamic DNS to keep track of my cable modem's IP address
  • initiate ssh access from my work computer to my home firewall
  • configure ssh port forwarding to proxy VNC access from my work computer to my home computer via the home firewall
  • open vnc client to a local port on my work computer
  • success!

Use Dynamic DNS to initiate access

The first step is to establish a connection with some publicly addressable endpoint. If you can initiate a connection to the remote shell on your home firewall, that's the start you need.

ssh -p 4222

From a packet capture, an observer can see that the traffic was initiated from my work laptop to tcp port 4222 on my home firewall. Because the connection is encrypted, there is no meaningful data in the payload - it looks like gibberish.

While you're logged in to your home firewall, try to telnet to your target resource. In this case, I will attempt to telnet to tcp 5900 on host

telnet 5900

If you get any errors at this step, you won't be able to continue with the next. Take a moment to troubleshoot any firewall policy or addressing errors before moving on.

Mac or Linux config file for setting up LocalForward
Mac or Linux config file for setting up LocalForward | Source

Configure SSH port forwarding

Next, we instruct SSH to set up the proxy by defining what TCP ports go where. On the iMac at home, VNC listens for new connections on tcp port 5900 on its local IP address of On my laptop at work, I will connect to port 5999 on my localhost loopback address. Notice that the -L option is the only difference from the previous command.

ssh -p 4222 -L 5999:

As before, a packet capture shows that the traffic appears to be ssh traffic initiated from my work laptop to tcp port 4222 on my home router's public IP address. However, with the LocalForward directive, the effective path of the logical tunnel is that the connection I initiate to tcp port 5999 on my localhost will proxy to the interior address of my home network,, at tcp port 5900.

And we have liftoff! Don't take my word for it - open up your VNC client with the following host and port


To save this config as a permanent addition for Mac or Linux, open your ~/.ssh/config file with a text editor and add the information shown in the screen cap in the sidebar. Save and quit the text editor, then to access the new profile, fire off the new profile like so:

ssh homeVNC

Windows users have a slightly different arrangement. See the screen caps below for where the putty client stores LocalForward and alternate Port directives. After saving the directives in a new profile named homeVNC, launch putty from the Run command:

putty @homeVNC

How to set up port forwarding in PuTTY

Set up alternate port for SSH
Set up alternate port for SSH | Source
Specify the username to save for this profile
Specify the username to save for this profile | Source
Define a LocalForward with local and remote port
Define a LocalForward with local and remote port | Source


    0 of 8192 characters used
    Post Comment

    • JDubya profile image

      Jeff Wilson 4 years ago from United States

      Thanks for the feedback!

    • Anonymous00 profile image

      Anonymous00 4 years ago

      Nice write-up.