@StudioEtrange
Last active February 19, 2026 22:54
About SSH Tunneling aka SSH port forwarding

About SSH Tunneling

Local Port Forwarding

ssh -L local_bind_address:local_port:destination_host:destination_port remote_ssh_user@remote_ssh_host -p remote_ssh_port

local_bind_address must be an address that can be bound on the current host (e.g. 127.0.0.1, 0.0.0.0, 192.168.0.100)

OpenSSH Server configuration :

  • To allow local port forwarding (and any ssh tunnel) : AllowTcpForwarding must be set to yes

OpenSSH Client configuration :

  • To allow any local bindable address for local_bind_address, GatewayPorts must be set to yes. If GatewayPorts is set to no (default value), the local_bind_address is forced to 127.0.0.1
                    │ TUNNEL ENTRY
                    ▼
┌────────────────────────────────────────────────┐
│ CURRENT HOST is listening for request          │
│      [local_bind_address:local_port]           │
│   -launch tunnel with ssh command from here-   │ 
└───────────────────┬────────────────────────────┘
                    │ SSH tunnel
                    ▼
              REMOTE SSH HOST 
        [remote_ssh_host:remote_ssh_port]
                    │ 
                    │ outbound TCP connect
                    ▼
               TUNNEL EXIT
        [destination_host:destination_port]

Remote Port Forwarding

ssh -R remote_bind_address:remote_port:destination_host:destination_port remote_ssh_user@remote_ssh_host -p remote_ssh_port

destination_host can be any address reachable from the current host

OpenSSH Server configuration :

  • To allow remote port forwarding (and any ssh tunnel) : AllowTcpForwarding must be set to yes
  • To allow any address for remote_bind_address, GatewayPorts must be set to yes. If GatewayPorts is set to no (default value), the remote_bind_address is forced to 127.0.0.1
                      │ TUNNEL ENTRY
                      ▼
┌───────────────────────────────────────────┐
│ REMOTE SSH HOST is listening for request  │
│     [remote_bind_address:remote_port]     │
└─────────────────────┬─────────────────────┘
                      │ SSH tunnel
                      ▼
                CURRENT HOST 
     -launch tunnel with ssh command from here-
                      │ outbound TCP connect
                      ▼
                 TUNNEL EXIT
        [destination_host:destination_port]

Dynamic Port Forwarding

It is a SOCKS proxy over SSH. ssh -D implements the SOCKS4 and SOCKS5 protocols.

ssh -D local_bind_address:local_port remote_ssh_user@remote_ssh_host -p remote_ssh_port

local_bind_address must be an address that can be bound on the current host (e.g. 127.0.0.1, 0.0.0.0, 192.168.0.100)

OpenSSH Server configuration :

  • To allow dynamic port forwarding (and any ssh tunnel) : AllowTcpForwarding must be set to yes

OpenSSH Client configuration :

  • To allow any local bindable address for local_bind_address, GatewayPorts must be set to yes. If GatewayPorts is set to no (default value), the local_bind_address is forced to 127.0.0.1
                │ TUNNEL ENTRY
                │ TCP request using SOCKS protocol 
                │ to choose final destination dynamically
                ▼
┌────────────────────────────────────────────────┐
│ CURRENT HOST is listening for request          │
│      [local_bind_address:local_port]           │
│   -launch tunnel with ssh command from here-   │ 
└───────────────────┬────────────────────────────┘
                    │ SSH tunnel
                    ▼
             REMOTE SSH HOST 
        [remote_ssh_host:remote_ssh_port]
                    │ 
                    │ outbound TCP connect
                    │ (chosen dynamically)
                    ▼
                TUNNEL EXIT
            [any_host:any_port]
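
The server-side settings named in the three sections above can be checked in one pass. This is an added example, not part of the original gist: `audit_forwarding` is a hypothetical helper that reads the effective configuration printed by `sshd -T` and reports which tunnel types the server permits and where remote listeners can bind. It goes beyond the yes/no values shown here and also handles the other values documented in sshd_config(5) (`all`, `local`, `remote`, `clientspecified`).

```shell
#!/bin/sh
# Added example: classify the tunnel exposure of an sshd from its effective
# configuration, as printed by `sshd -T` (one "keyword value" pair per line).
# audit_forwarding is a hypothetical helper name, not part of OpenSSH.
audit_forwarding() {
    awk '
        # sshd keeps the first value obtained for a keyword; do the same.
        tolower($1) == "allowtcpforwarding" && fwd == "" { fwd = tolower($2) }
        tolower($1) == "gatewayports"       && gw  == "" { gw  = tolower($2) }
        END {
            if (fwd == "") fwd = "yes"   # OpenSSH default
            if (gw  == "") gw  = "no"    # OpenSSH default
            # -L and -D both need the server to open outbound connections.
            local_ok  = (fwd == "yes" || fwd == "all" || fwd == "local")
            remote_ok = (fwd == "yes" || fwd == "all" || fwd == "remote")
            printf "local_and_dynamic=%s\n", (local_ok  ? "allowed" : "denied")
            printf "remote=%s\n",            (remote_ok ? "allowed" : "denied")
            # Where a -R listener may bind on the SSH server.
            if (!remote_ok)                   bind = "none"
            else if (gw == "no")              bind = "loopback-only"
            else if (gw == "clientspecified") bind = "client-chosen"
            else                              bind = "all-interfaces"
            printf "remote_listener=%s\n", bind
        }'
}

# Constructed sample input; on a real server run:  sshd -T | audit_forwarding
printf 'allowtcpforwarding yes\ngatewayports clientspecified\n' | audit_forwarding
```
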

Local Port Forwarding with VS Code

When you are connected from your current host to a remote host with VS Code Remote SSH, you can use the "forward port" functionality in VS Code instead of this ssh command:

ssh -L local_bind_address:local_port:destination_host:destination_port remote_ssh_user@remote_ssh_host -p remote_ssh_port

  • Ports/Add port :
    • Port : destination_host:destination_port : your final target to reach
    • Change Local Address Port : local_port : the current host where VS Code is running
    • Fixed params :
      • local_bind_address is always localhost
      • remote_ssh_host:remote_ssh_port is the SSH address you are currently connected to with VS Code Remote SSH