ArtsAutosBooksBusinessEducationEntertainmentFamilyFashionFoodGamesGenderHealthHolidaysHomeHubPagesPersonal FinancePetsPoliticsReligionSportsTechnologyTravel

What is SSH port forwarding and when would I use it?

Updated on April 24, 2014

Why do you (or why would you most want to) use ssh port forwarding?

See results

Secure Shell is a Swiss Army knife

Secure Shell goes beyond the scope of providing shell access for remote administration over a secure channel. The port forwarding functionality of ssh allows the remote system to act like a TCP proxy for your ssh client. With a few configuration directives, you can set up a secure tunnel between your client workstation and the remote SSH server:

  • to bypass firewall policy
  • to communicate with otherwise inaccessible private addresses
  • to secure communication with SSH encryption on an otherwise untrusted network

These are just a few examples of how ssh port forwarding can help make your life easier.

The following tutorial assumes you have access to SSH on some remote system. For an introduction to SSH, refer to my Hub on setting up SSH. If you don't already have a Linux- or Unix-based firewall in front of your home network, refer to Hubber skear's articles on pfsense: this one in particular.

Note that SSH only forwards TCP ports. This tutorial won't help you if you need to proxy UDP or some other protocol. (Read more about What's the difference between TCP and UDP?)

How do you reach your home computer when you're at work?
How do you reach your home computer when you're at work? | Source

How to phone home from work

I use SSH port forwarding to gain access to computers on my home network. Because my home network uses private IP addresses, without port forwarding they are inaccessible behind my home firewall. For security concerns, I configured my firewall to listen for SSH connections on an alternate port and I have restricted what networks are allowed to connect.

My iMac at home is configured to listen for remote desktop sessions using VNC. Here are the steps I take to access the remote desktop from another location:

  • make use of a dynamic DNS to keep track of my cable modem's IP address
  • initiate ssh access from my work computer to my home firewall
  • configure ssh port forwarding to proxy VNC access from my work computer to my home computer via the home firewall
  • open vnc client to a local port on my work computer
  • success!

Use Dynamic DNS to initiate access

The first step is to establish a connection with some publicly addressable endpoint. If you can initiate a connection to the remote shell on your home firewall, that's the start you need.

ssh -p 4222

From a packet capture, an observer can see that the traffic was initiated from my work laptop to tcp port 4222 on my home firewall. Because the connection is encrypted, there is no meaningful data in the payload - it looks like gibberish.

While you're logged in to your home firewall, try to telnet to your target resource. In this case, I will attempt to telnet to tcp 5900 on host

telnet 5900

If you get any errors at this step, you won't be able to continue with the next. Take a moment to troubleshoot any firewall policy or addressing errors before moving on.

Mac or Linux config file for setting up LocalForward
Mac or Linux config file for setting up LocalForward | Source

Configure SSH port forwarding

Next, we instruct SSH to set up the proxy by defining what TCP ports go where. On the iMac at home, VNC listens for new connections on tcp port 5900 on its local IP address of On my laptop at work, I will connect to port 5999 on my localhost loopback address. Notice that the -L option is the only difference from the previous command.

ssh -p 4222 -L 5999:

As before, a packet capture shows that the traffic appears to be ssh traffic initiated from my work laptop to tcp port 4222 on my home router's public IP address. However, with the LocalForward directive, the effective path of the logical tunnel is that the connection I initiate to tcp port 5999 on my localhost will proxy to the interior address of my home network,, at tcp port 5900.

And we have liftoff! Don't take my word for it - open up your VNC client with the following host and port


To save this config as a permanent addition for Mac or Linux, open your ~/.ssh/config file with a text editor and add the information shown in the screen cap in the sidebar. Save and quit the text editor, then to access the new profile, fire off the new profile like so:

ssh homeVNC

Windows users have a slightly different arrangement. See the screen caps below for where the putty client stores LocalForward and alternate Port directives. After saving the directives in a new profile named homeVNC, launch putty from the Run command:

putty @homeVNC

How to set up port forwarding in PuTTY

Set up alternate port for SSH
Set up alternate port for SSH | Source
Specify the username to save for this profile
Specify the username to save for this profile | Source
Define a LocalForward with local and remote port
Define a LocalForward with local and remote port | Source


    0 of 8192 characters used
    Post Comment

    • JDubya profile imageAUTHOR

      Jeff Wilson 

      4 years ago from United States

      Thanks for the feedback!

    • Anonymous00 profile image


      4 years ago

      Nice write-up.


    This website uses cookies

    As a user in the EEA, your approval is needed on a few things. To provide a better website experience, uses cookies (and other similar technologies) and may collect, process, and share personal data. Please choose which areas of our service you consent to our doing so.

    For more information on managing or withdrawing consents and how we handle data, visit our Privacy Policy at:

    Show Details
    HubPages Device IDThis is used to identify particular browsers or devices when the access the service, and is used for security reasons.
    LoginThis is necessary to sign in to the HubPages Service.
    Google RecaptchaThis is used to prevent bots and spam. (Privacy Policy)
    AkismetThis is used to detect comment spam. (Privacy Policy)
    HubPages Google AnalyticsThis is used to provide data on traffic to our website, all personally identifyable data is anonymized. (Privacy Policy)
    HubPages Traffic PixelThis is used to collect data on traffic to articles and other pages on our site. Unless you are signed in to a HubPages account, all personally identifiable information is anonymized.
    Amazon Web ServicesThis is a cloud services platform that we used to host our service. (Privacy Policy)
    CloudflareThis is a cloud CDN service that we use to efficiently deliver files required for our service to operate such as javascript, cascading style sheets, images, and videos. (Privacy Policy)
    Google Hosted LibrariesJavascript software libraries such as jQuery are loaded at endpoints on the or domains, for performance and efficiency reasons. (Privacy Policy)
    Google Custom SearchThis is feature allows you to search the site. (Privacy Policy)
    Google MapsSome articles have Google Maps embedded in them. (Privacy Policy)
    Google ChartsThis is used to display charts and graphs on articles and the author center. (Privacy Policy)
    Google AdSense Host APIThis service allows you to sign up for or associate a Google AdSense account with HubPages, so that you can earn money from ads on your articles. No data is shared unless you engage with this feature. (Privacy Policy)
    Google YouTubeSome articles have YouTube videos embedded in them. (Privacy Policy)
    VimeoSome articles have Vimeo videos embedded in them. (Privacy Policy)
    PaypalThis is used for a registered author who enrolls in the HubPages Earnings program and requests to be paid via PayPal. No data is shared with Paypal unless you engage with this feature. (Privacy Policy)
    Facebook LoginYou can use this to streamline signing up for, or signing in to your Hubpages account. No data is shared with Facebook unless you engage with this feature. (Privacy Policy)
    MavenThis supports the Maven widget and search functionality. (Privacy Policy)
    Google AdSenseThis is an ad network. (Privacy Policy)
    Google DoubleClickGoogle provides ad serving technology and runs an ad network. (Privacy Policy)
    Index ExchangeThis is an ad network. (Privacy Policy)
    SovrnThis is an ad network. (Privacy Policy)
    Facebook AdsThis is an ad network. (Privacy Policy)
    Amazon Unified Ad MarketplaceThis is an ad network. (Privacy Policy)
    AppNexusThis is an ad network. (Privacy Policy)
    OpenxThis is an ad network. (Privacy Policy)
    Rubicon ProjectThis is an ad network. (Privacy Policy)
    TripleLiftThis is an ad network. (Privacy Policy)
    Say MediaWe partner with Say Media to deliver ad campaigns on our sites. (Privacy Policy)
    Remarketing PixelsWe may use remarketing pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to advertise the HubPages Service to people that have visited our sites.
    Conversion Tracking PixelsWe may use conversion tracking pixels from advertising networks such as Google AdWords, Bing Ads, and Facebook in order to identify when an advertisement has successfully resulted in the desired action, such as signing up for the HubPages Service or publishing an article on the HubPages Service.
    Author Google AnalyticsThis is used to provide traffic data and reports to the authors of articles on the HubPages Service. (Privacy Policy)
    ComscoreComScore is a media measurement and analytics company providing marketing data and analytics to enterprises, media and advertising agencies, and publishers. Non-consent will result in ComScore only processing obfuscated personal data. (Privacy Policy)
    Amazon Tracking PixelSome articles display amazon products as part of the Amazon Affiliate program, this pixel provides traffic statistics for those products (Privacy Policy)