SSH tunnels allow you to access websites that aren’t available from your network. Instead of navigating to the website directly from your network, SSH tunnelling (also referred to as SSH port forwarding) involves taking a detour via an SSH server.

What is an SSH tunnel?

SSH tunnels, much like real tunnels, serve to connect two points. The first of these points is a computer that is usually located on an unsecured network. The target point is a server or web address that you can’t or don’t want to access from your network. SSH tunnels work as links between different servers and connect the TCP ports on two computers with each other. Any TCP port can be forwarded using SSH tunneling, which is why the process is also called SSH port forwarding or SSH forwarding.

You can use pretty much any server as an SSH server. For example, a Raspberry Pi SSH server would work.

But what exactly does an SSH tunnel transport? Certain TCP protocols can be used securely with an SSH tunnel, and the email protocol SMTP can also be carried over an SSH tunnel. SSH ensures the data being transported in the tunnel is secure.

What are SSH tunnels used for?

There are various use cases for secure shell port forwarding. In most cases, SSH port forwarding is used to create an encrypted connection between a local computer (the local host) and a remote computer. The use of this virtual network allows certain restrictions on access to be bypassed. It will look like you are on this network, when you are in reality just accessing it using the SSH tunnel. This is similar to a Virtual Private Network (VPN) but is nonetheless different, so try not to mix the two up.

If you’re transporting data from services that use an unencrypted protocol, you can use SSH forwarding to encrypt the data transfer. The SSH File Transfer Protocol, SFTP for short, is used for this. SSH tunnels also offer increased security when you’re surfing on unfamiliar networks, for example in a hotel or coffee shop. SSH keys use asymmetric encryption and provide an even higher level of security.

It’s important to note that SSH tunnelling is frequently used by hackers, who build backdoors in internal networks so that attackers can easily access internal data.

Using SSH tunnels in Linux

There are various options for setting up an SSH tunnel.

SSH local port forwarding

The most common method for setting up an SSH tunnel is local port forwarding. This involves accessing local network resources from your local computer by forwarding a port from your computer to a port on the SSH server. The port can then be forwarded to a port on the target computer.

To set up local port forwarding, use the following terminal command on Unix-based operating systems or macOS:

ssh -L local_port:remote_address:remote_port username@server.com

First you’ll have to define which port you want to forward (local_port). You can use any port number higher than 1024. Ports with smaller port numbers are privileged and can only be accessed by the root user. Next, enter the IP address of the target server (remote_address) and your credentials (remote_port).

Let’s apply this to an example. Say you want to connect with a server in your office that’s at the address 123.234.1.111 in the office network. You can access your office’s SSH server using ssh.test.com. Your username is “Testuser”. The command that you would use to set up the SSH tunnel for port 1234 would look as follows:

ssh -L 8888:123.234.1.111:1234 Testuser@ssh.test.com

After executing the command, you’ll have access to the office server via port 8888. If the server supports web access, you can also access the office server via http://localhost:8888. The data that you send to port 8888 on your computer will be forwarded to port 1234 on the target computer using the SSH tunnel.

SSH remote port forwarding

Remote port forwarding connects a port from the SSH server to a port on the client computer, which can then establish a connection to the target computer. This kind of port forwarding is usually used to provide an external person with access to internal services. The terminal command for setting up a remote SSH tunnel looks as follows:

ssh -R remote_port:target_address:target_port user@ssh_server_address

If you want to listen on a port with port number 8080, for example, and send the data to port number 3000 on your local computer, the command will look as follows:

ssh -R 8080:127.0.0.1:3000 user@remote.host

In the example above, the SSH server has the address remote.host. The data you’re tunneling can now be accessed externally by entering this address in a browser, together with the port number:

remote.host:8080

If you run into problems setting up remote port forwarding, this might be due to the configuration of your SSH server. Remote port forwarding is usually deactivated by default. You can change this by activating GatewayPorts in your SSH server configuration file. To do this, open the file and set GatewayPorts to “yes”.
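GatewayPorts decides which address a remote-forwarded port listens on: with “yes” it binds to all interfaces of the SSH server, so anyone who can reach the server can reach the forwarded service. The following added example (not part of the original article) reads an sshd_config and reports how -R requests will be treated; the function names are hypothetical, the sample configs are constructed, and it assumes the OpenSSH defaults AllowTcpForwarding yes and GatewayPorts no.

```sh
#!/bin/sh
# Added example: work out how sshd will treat -R requests from its config.
# Assumes OpenSSH defaults (AllowTcpForwarding yes, GatewayPorts no) and reads
# only the global section; Match blocks are not evaluated.

# effective KEYWORD DEFAULT: first value of KEYWORD in the config on stdin.
effective() {
    awk -v want="$1" -v def="$2" '
        { sub(/#.*/, ""); sub(/=/, " ") }        # drop comments, allow key=value
        tolower($1) == "match" { exit }           # global section ends here
        !seen && tolower($1) == tolower(want) { val = $2; seen = 1 }
        END { print tolower(seen ? val : def) }'
}

# audit_forwarding: reads an sshd_config on stdin, prints a one-line verdict.
audit_forwarding() (
    cfg=$(cat)
    atf=$(printf '%s\n' "$cfg" | effective AllowTcpForwarding yes)
    gwp=$(printf '%s\n' "$cfg" | effective GatewayPorts no)
    case "$atf/$gwp" in
        no/*|local/*)      remote=refused ;;
        */yes)             remote=all-interfaces ;;
        */clientspecified) remote=client-chooses-bind ;;
        *)                 remote=loopback-only ;;
    esac
    echo "AllowTcpForwarding=$atf GatewayPorts=$gwp remote_listeners=$remote"
)

# Constructed sample: the change the article describes.
sample_as_described() { printf '%s\n' 'Port 22' 'GatewayPorts yes'; }

# Constructed sample: remote forwarding refused; a later duplicate is ignored.
sample_restricted() {
    cat <<'EOF'
gatewayports no            # keywords are case-insensitive
AllowTcpForwarding local   # local forwarding only; -R is refused
GatewayPorts yes           # ignored: the first value wins
Match User deploy
    AllowTcpForwarding yes
EOF
}

sample_as_described | audit_forwarding
sample_restricted | audit_forwarding
```

Because sshd keeps the first value it reads for a keyword, appending “GatewayPorts yes” below an existing “GatewayPorts no” changes nothing, which the second sample shows.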

SSH dynamic port forwarding

A third way of using SSH tunnels involves dynamic port forwarding, which enables you to use a socket on your local computer that will function as a kind of SOCKS proxy. All of the applications that use a SOCKS proxy will then connect with the SSH server and send their traffic through the tunnel. This kind of port forwarding is often used for tunnelling web browser traffic.

To set up dynamic port forwarding, use the following terminal command:

ssh -D [local_ip_address:]local_port user@ssh_server_address

If you don’t enter a local IP address, the IP address 127.0.0.1, localhost, will be used automatically. If you, for example, set up a SOCKS tunnel for port 9090 with the address remote.host, the command will look as follows:

ssh -D 9090 -N -f user@remote.host

After setting up the SOCKS proxy, be sure to properly configure the applications that use the proxy.
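The three forwarding types differ in which machine opens the listening port and which machine makes the onward connection. As an added example (not part of the original article), the hypothetical helper describe_forward below takes the -L, -R or -D argument from the commands above and reports both, and it flags a privileged listening port or a bind address other than loopback. It assumes IPv4 addresses or hostnames, and the last spec is constructed.

```sh
#!/bin/sh
# Added example: explain an ssh forwarding option without opening a connection.
# Usage: describe_forward FLAG SPEC
#   FLAG -L or -R, SPEC [bind_address:]port:host:hostport
#   FLAG -D,       SPEC [bind_address:]port
# Assumes IPv4 addresses or hostnames; bracketed IPv6 is not handled.
describe_forward() (            # subshell body: IFS and set -f stay local
    flag=$1 spec=$2
    set -f                      # a bind address may be "*"; do not glob it
    IFS=:; set -- $spec; unset IFS
    case "$flag:$#" in
        -D:1)      bind=127.0.0.1 port=$1 host= hport=0 ;;
        -D:2)      bind=$1 port=$2 host= hport=0 ;;
        -L:3|-R:3) bind=127.0.0.1 port=$1 host=$2 hport=$3 ;;
        -L:4|-R:4) bind=$1 port=$2 host=$3 hport=$4 ;;
        *) echo "error: malformed $flag spec: $spec" >&2; exit 1 ;;
    esac
    for p in "$port" "$hport"; do
        case $p in ''|*[!0-9]*) echo "error: bad port: $p" >&2; exit 1 ;; esac
    done
    case $flag in
        -L) side=client exit_side=server target=$host:$hport ;;
        -R) side=server exit_side=client target=$host:$hport ;;
        -D) side=client exit_side=server target=socks-per-connection ;;
    esac
    warn=
    [ "$port" -lt 1024 ] && warn=privileged-port
    case $bind in
        127.0.0.1|localhost) ;;
        *) warn="${warn:+$warn,}non-loopback-bind" ;;
    esac
    echo "listen=$side/$bind:$port exit=$exit_side target=$target warn=${warn:-none}"
)

# The article's three commands, plus one constructed spec that exposes a low port.
describe_forward -L 8888:123.234.1.111:1234
describe_forward -R 8080:127.0.0.1:3000
describe_forward -D 9090
describe_forward -L 0.0.0.0:80:10.0.0.5:80
```

For -R the listener is on the SSH server, and whether a requested bind address is honoured there depends on the server's GatewayPorts setting.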

SSH tunnels and Windows

You can also set up SSH tunnels on Windows. Since the terminal is less central on Windows, you’ll want to use one of the many practical tools with a user interface, like PuTTY for example. They make setting up an SSH tunnel as easy as pie.

After you’ve downloaded and installed PuTTY, open it up. In the start menu under “Hostname”, enter the IP address of the SSH server you want to connect with. Then navigate to “Connection/SSH/Tunnels”, where you can enter the source port and target port in the fields “Source Port” and “Destination”. Finally, click the “Open” button to establish the connection. You should now be able to access the port in a browser using 127.0.0.1:port_number.

Reverse SSH tunnels

To access computers with a private IP address you’ll need a reverse SSH tunnel. With a reverse SSH tunnel, the remote computer you’re looking to access can create a connection to your local computer. You can then use that connection to create a new connection from the local computer to the remote computer.

The following command will set up an SSH tunnel from the remote computer:

ssh -Nf -R 2222:localhost:22 user@local.computer

The local computer can then use the following command to connect with the remote computer:

ssh localhost -p 2222
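
Because a reverse tunnel is an outbound connection that opens a way back in, and the article notes that tunnels are used to build backdoors in internal networks, administrators often want to know which ssh clients on a host were started with forwarding options. The following added example (not part of the original article) scans a process listing for -L, -R and -D; the function name is hypothetical and the listing is constructed, reusing the article's commands.

```sh
#!/bin/sh
# Added example: list ssh client processes started with -L, -R or -D.
# Input on stdin: "PID USER COMMAND ARGS..." as printed by `ps -eo pid,user,args`.
# Options are walked the way getopt would, so clusters (-fNR), attached values
# (-D9090) and option arguments that merely look like flags are handled.
find_forwarders() {
    awk '
    {
        exe = $3; sub(/.*\//, "", exe)             # basename of the executable
        if (exe != "ssh") next                     # skips sshd -D, grep -R, ...
        found = ""; positional = 0
        for (i = 4; i <= NF; i++) {
            if ($i !~ /^-./) {                     # 1st: destination, 2nd: remote command
                if (++positional == 2) break
                continue
            }
            for (j = 2; j <= length($i); j++) {
                c = substr($i, j, 1)
                if (!index("BbcDEeFIiJLlmOoPpQRSWw", c)) continue   # plain switch
                arg = substr($i, j + 1)            # value attached to the option
                if (arg == "") arg = $(++i)        # or given as the next word
                if (index("LRD", c)) found = found (found == "" ? "" : ",") "-" c "=" arg
                break
            }
        }
        if (found != "") print $1, $2, found
    }'
}

# Constructed process listing (not captured from a real host).
sample_ps() {
    cat <<'EOF'
  812 root  /usr/sbin/sshd -D
 2301 alice ssh -L 8888:123.234.1.111:1234 Testuser@ssh.test.com
 2377 bob   ssh -Nf -R 2222:localhost:22 user@local.computer
 2410 carol /usr/bin/ssh -fND9090 user@remote.host
 2455 dave  ssh -p 2222 -i /home/dave/.ssh/id_ed25519 build@ci.example.com grep -R TODO src
 2490 erin  grep -R 8080:127.0.0.1:3000 notes.txt
EOF
}

sample_ps | find_forwarders
```

Forwards defined in a client configuration file or passed with -o do not appear as -L, -R or -D on the command line, so this check covers only tunnels started the way the article shows.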