What Is an SSH Tunnel and How to Use It

Introduction to SSH tunneling
An SSH tunnel is a technique that uses the SSH protocol to create an encrypted connection between two computers, most commonly between your computer and a VPS, through which network traffic can be forwarded. SSH tunneling, also known as SSH port forwarding, lets you reach services that are not exposed to the internet and protects data traveling over an insecure network. This technique is a fundamental tool for system administrators, developers, and anyone working with remote servers.
The basic principle of an SSH tunnel is simple. Instead of connecting directly to a service that may be exposed to security risks, you create an encrypted SSH channel through which you forward traffic. All data passing through the tunnel is encrypted (typically with AES), so even if someone intercepts the network traffic, they cannot read the content of the communication. SSH tunnels are especially useful when working with databases, administrative panels, or internal services that shouldn't be publicly accessible.
How the SSH protocol works
Authentication
SSH uses asymmetric cryptography to authenticate the server and the client. When you first connect to a server, the SSH client shows the server's host key fingerprint and asks whether you trust it. After confirmation, the client stores the key in the known_hosts file and verifies the server's identity automatically on every subsequent connection. This protects later connections against man-in-the-middle attacks in which an attacker impersonates your server, as long as the fingerprint was checked against a trusted source on that first connection.
For user authentication, SSH supports passwords and SSH keys. SSH keys are the recommended method because they're more secure and practical. A key pair consists of a private key you keep on your computer and a public key you place on the server. The private key never leaves your computer and can be additionally protected with a passphrase. When connecting, the server uses your public key to verify you possess the matching private key without any exchange of secret data.
Encrypted channel
After successful authentication, SSH establishes an encrypted channel using symmetric encryption, typically AES-256. All data passing through this channel, including commands, files, and forwarded traffic, is protected from eavesdropping. SSH also uses HMAC for data integrity verification, so any modification of data in transit is detected. Data compression is optional but can improve performance on slower connections.
Local SSH tunnel (Local Port Forwarding)
Concept
A local SSH tunnel forwards traffic from a port on your local computer through the SSH connection to a port on the remote server or on its network. This is the most commonly used tunnel type and is used to access services that are available only on the remote server or its local network. The command to create a local tunnel is ssh -L local_port:target:target_port user@server, where target is the destination as seen from the server.
For example, if you have a MySQL database on a server listening only on localhost port 3306, you can create a tunnel with ssh -L 3307:localhost:3306 user@server. After that, on your computer you can connect to localhost:3307 and traffic will be forwarded to MySQL on the server. Use a different local port if you already have MySQL running locally. The tunnel remains active while the SSH session is open.
Practical examples
Accessing an admin panel listening only on the server's localhost is a common scenario. If you have a web application on port 8080 available only locally on the server, the command ssh -L 8080:localhost:8080 user@server enables you to open http://localhost:8080 in your computer's browser. This is more secure than opening the port on the firewall because access is limited to persons with SSH access to the server.
Accessing a service in a private network behind the server is another important scenario. If the server has access to an internal network where a database is located at 10.0.0.5:5432, you can create a tunnel with ssh -L 5432:10.0.0.5:5432 user@server. Now from your computer you can connect to localhost:5432 and access the PostgreSQL database in the private network. This is a secure alternative to VPN for accessing individual services.
Remote SSH tunnel (Remote Port Forwarding)
Concept
A remote tunnel works the opposite way to a local one. It forwards traffic from a port on the remote server to a port on your local computer or network. The command is ssh -R remote_port:target:target_port user@server. This is useful when you want to make a service running on your local computer available on the server or externally, for example when you're developing a web application locally on port 3000 and want to show it to a client without deploying it.
The command ssh -R 8080:localhost:3000 user@server makes your local application available at server:8080. For this to work for external access, the GatewayPorts option must be enabled in sshd_config on the server. Remote tunnels are useful for development, testing, and situations where your computer doesn't have a public IP address but you need to provide access to a service on it.
Security considerations
Remote tunnels require attention because they open a port on the server that may be accessible from outside. By default, SSH binds the remote port only to the server's localhost, meaning it's accessible only from the server itself. If you enable GatewayPorts, the port becomes accessible from any address and you should use firewall rules to restrict access. Never leave a remote tunnel active longer than necessary and use specific IP addresses instead of wildcard binding.
Dynamic SSH tunnel (SOCKS proxy)
Concept
A dynamic tunnel creates a SOCKS proxy server on your local computer that forwards all traffic through the SSH connection. Unlike a local tunnel that forwards traffic for one specific port, a dynamic tunnel can forward traffic for any destination. The command is ssh -D local_port user@server. For example, ssh -D 1080 user@server creates a SOCKS proxy on port 1080.
After creating the dynamic tunnel, configure your browser or operating system to use the SOCKS proxy on localhost:1080. All internet traffic then passes through the encrypted SSH tunnel to the server and exits to the internet from the server's IP address. This is useful for protecting traffic on public WiFi networks, accessing geo-restricted content, or anonymizing browsing. Firefox has built-in support for SOCKS proxies in its network settings; enable the option to proxy DNS through SOCKS v5 as well, otherwise name lookups still leave the local network in the clear.
When to use a dynamic tunnel
Public WiFi networks in cafes, hotels, and airports are known for security risks. A dynamic SSH tunnel encrypts all your internet traffic, preventing eavesdropping on the insecure network. Unlike commercial VPN services where you must trust the provider, an SSH tunnel uses your own server, giving you complete infrastructure control. This is especially important for working with sensitive business data outside the office.
Advanced options and configuration
Background tunnels
The -f option sends SSH to background after authentication, and -N tells SSH not to execute remote commands. The combination ssh -fN -L 3306:localhost:3306 user@server creates a tunnel in the background without opening an interactive session. For automatically starting tunnels after system restart, use the autossh tool, which automatically re-establishes the tunnel if the connection is interrupted. It's installed with apt install autossh or yum install autossh.
The SSH config file at ~/.ssh/config enables defining tunnels that are automatically created when connecting to a server. For example, the line LocalForward 3306 localhost:3306 in the Host section for your server automatically establishes the tunnel each time you connect. This eliminates the need to remember a long command and reduces the possibility of errors. Multiple tunnels can be defined for the same host.
Connection multiplexing
The SSH ControlMaster option enables sharing one SSH connection for multiple sessions and tunnels. The first connection is established normally and all subsequent ones reuse it, which speeds up connection setup and reduces server load. The configuration in the SSH config file consists of ControlMaster auto, ControlPath ~/.ssh/sockets/%r@%h-%p, and ControlPersist 600, the last of which keeps the connection open for 10 minutes after the last session closes.
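A client-side ~/.ssh/config that ties the options above together (LocalForward for a predefined tunnel, background use with -fN, and ControlMaster multiplexing) and covers all three tunnel types from this article, as an added example that is not part of the original article; the host aliases, hostnames, the "deploy" user and the key path are assumptions.

```sshconfig
# Added example, not from the original article. Aliases, hostnames, the
# "deploy" user and the key path are assumptions; adjust them to your server.
# Create the socket directory first: mkdir -p ~/.ssh/sockets && chmod 700 ~/.ssh/sockets

# "ssh db" (or "ssh -fN db" to keep it in the background) opens a local
# forward: local 127.0.0.1:3307 -> MySQL on the server's localhost:3306.
# ExitOnForwardFailure makes ssh fail instead of silently running without
# the tunnel when local port 3307 is already taken.
Host db
    HostName db.example.com
    User deploy
    IdentityFile ~/.ssh/id_ed25519
    LocalForward 127.0.0.1:3307 localhost:3306
    ExitOnForwardFailure yes

# "ssh -fN demo" publishes the local dev server (port 3000) as port 8080 on
# the server. The explicit 127.0.0.1 bind address keeps it on the server's
# loopback even if the server allows GatewayPorts clientspecified.
Host demo
    HostName demo.example.com
    User deploy
    IdentityFile ~/.ssh/id_ed25519
    RemoteForward 127.0.0.1:8080 localhost:3000
    ExitOnForwardFailure yes

# "ssh -fN proxy" starts the SOCKS proxy for the browser on 127.0.0.1:1080.
Host proxy
    HostName vps.example.com
    User deploy
    IdentityFile ~/.ssh/id_ed25519
    DynamicForward 127.0.0.1:1080

# Defaults for every host, placed last: ssh keeps the first value it finds
# for an option, so the per-host settings above take precedence. One master
# connection per user/host/port is reused by later sessions and kept open
# 10 minutes after the last one closes; "ssh -O check db" shows its state
# and "ssh -O exit db" closes it together with its forwards.
Host *
    ControlMaster auto
    ControlPath ~/.ssh/sockets/%r@%h-%p
    ControlPersist 600
    ServerAliveInterval 30
    ServerAliveCountMax 3
```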
Security recommendations for SSH tunnels
Access restriction
On production servers, restrict which users can create tunnels using the AllowTcpForwarding option in sshd_config. You can allow only local forwarding with AllowTcpForwarding local, or completely disable tunnels with AllowTcpForwarding no for users who don't need them. The PermitOpen option restricts which destinations a tunnel may forward traffic to; for example, PermitOpen localhost:3306 allows forwarding only to the MySQL port on the server itself.
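A server-side sshd_config fragment that applies the restrictions above (AllowTcpForwarding, PermitOpen) per user with Match blocks, and keeps remote-tunnel ports on the server's loopback as recommended in the remote tunnel section, as an added example that is not part of the original article; the user names and the office address range are assumptions.

```sshconfig
# Added example, not from the original article. User names and the
# 203.0.113.0/24 office range are assumptions. Global options must come
# before the first Match; each Match block applies until the next Match.

# Default for everyone: no tunnels of any kind.
AllowTcpForwarding no
GatewayPorts no
AllowAgentForwarding no
X11Forwarding no
PermitTunnel no

# The deploy user may open local forwards (-L), but only to MySQL on the
# server itself. Remote forwards (-R) stay refused.
Match User deploy
    AllowTcpForwarding local
    PermitOpen localhost:3306

# Developers connecting from the office may also forward to the PostgreSQL
# host in the private network and publish a remote forward on port 8080;
# with GatewayPorts no that port is bound to the server's loopback only.
Match User dev Address 203.0.113.0/24
    AllowTcpForwarding yes
    PermitOpen localhost:3306 10.0.0.5:5432
    PermitListen 8080

# Caveat from sshd_config(5): disabling forwarding only helps if the account
# also has no shell access, since a shell user can run their own forwarder.
# Check the syntax with "sshd -t" before reloading the service
# (systemctl reload sshd, or ssh on Debian/Ubuntu).
```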
Use fail2ban to protect the SSH service from brute force attacks and restrict SSH access only from known IP addresses using a firewall. Change the default SSH port from 22 to a non-standard port, which reduces automatic scans. On BeoHosting servers, SSH access is protected by default with modern security settings and our team can help with tunnel configuration for specific needs of your infrastructure.
Conclusion
SSH tunnels are a powerful tool for secure communication that enables access to remote services, traffic protection on insecure networks, and creating secure connections between systems. Local tunnels for accessing remote services, remote tunnels for exposing local services, and dynamic tunnels for proxy are the three basic types covering most scenarios. Understanding SSH tunneling is an essential skill for anyone working with servers. Learn more about virtual servers and network infrastructure.
BeoHosting Team
10+ years of experience — Web hosting and infrastructure specialists