SSH tunnels allow you to access websites that aren’t available from your network. Instead of navigating to the website directly from your network, SSH tunneling (also referred to as SSH port forwarding) involves taking a detour via an SSH server.
vServer (VPS) from IONOS
Low-cost, powerful VPS hosting for running your custom applications, with a personal assistant and 24/7 support.
What is an SSH tunnel?
SSH tunnels, much like real tunnels, serve to connect two points. The first of these points is a computer that is usually located on an unsecured network. The target point is a server or web address that you can’t or don’t want to access from your network. SSH tunnels work as links between different servers and connect the TCP ports on two computers with each other. Any TCP port can be forwarded using SSH tunneling, which is why the process is also called SSH port forwarding or SSH forwarding.
You can use pretty much any server as an SSH server. For example, a Raspberry Pi SSH server would work.
You still haven’t found the right server? No problem! Take a look at IONOS’s Cloud Server and find the server for you.
But what exactly does an SSH tunnel transport? Certain TCP protocols can be used securely with an SSH tunnel, and the email protocol SMTP also uses SSH tunneling. SSH ensures the data being transported in the tunnel is secure.
What are SSH tunnels used for?
There are various use cases for secure shell port forwarding. In most cases, SSH port forwarding is used to create an encrypted connection between a local computer (the local host) and a remote computer. The use of this virtual network allows certain restrictions on access to be bypassed. It will look like you are on this network, when you are in reality just accessing it using the SSH tunnel. This is similar to a Virtual Private Network (VPN) but is nonetheless different — try not to mix the two up.
If you’re transporting data from services that use an unencrypted protocol, you can use SSH forwarding to encrypt the data transfer. A SSH File Transfer Protocol, SFTP for short, will be used for this. SSH tunnels also offer increased security when you’re surfing on unfamiliar networks, for example in a hotel or coffee shop. SSH keys use asymmetric encryption and provide an even higher level of security.
It’s important to note that SSH tunneling is frequently used by hackers, who build backdoors in internal networks so that attackers can easily access internal data.
You want to take advantage of SSH for your website? The IONOS web hosting plan includes an SSL certificate and provides you with everything you need! Or if you just want to upgrade your website with SSL, check out the SSL certificate offered by IONOS. For increased security for your site, e.g. with two-factor authentication, check out the IONOS Domain Guard.
Using SSH tunnels in Linux
There are various options for setting up an SSH tunnel.
SSH local port forwarding
The most common method for setting up an SSH tunnel is local port forwarding. This involves accessing local network resources from your local computer by forwarding a port from your computer to a port on the SSH server. The port can then be forwarded to a port on the target computer.
To set up local port forwarding, use the following terminal command on Unix-based operating systems or macOS:
ssh -L local_port: remote_address: remote_port firstname.lastname@example.org
First you’ll have to define which port you want to forward (local_port). You can use any port number higher than 1024. Ports with smaller port numbers are privileged and can only be accessed by the root. Next, enter the IP address of the target server (remote_address) and your credentials (remote_port).
Let’s apply this to an example. Say you want to connect with a server in your office that’s at the address 184.108.40.206 in the office network. You can access your office’s SSH server using ssh.test.com. Your username is “Testuser”. The command that you would use to set up the SSH tunnel for port 1234 would look as follows:
ssh -L 8888: 220.127.116.11: 1234 Testuser@ssh.test.com
After executing the command, you’ll have access to the office server via port 8888. If the server supports web access, you can also access the office server via http://localhost:8888. The data that you send to port 8888 on your computer will be forwarded to port 1234 on the target computer using the SSH tunnel.
SSH remote port forwarding
Remote port forwarding connects a port from the SSH server to a port on the client computer, which can then establish a connection to the target computer. This kind of port forwarding is usually used to provide an external person with access to internal services. The terminal command for setting up a remote SSH tunnel looks as follows:
ssh -R remote_port: target_address: target_port user@ssh_server_address
If you want to listen on a port with port number 8080, for example, and send the data to port number 3000 on your local computer, the command will look as follows:
ssh -R 8080: 127.0.0.1:3000 email@example.com
In the example above, the SSH server has the address remote.host. The data you’re tunneling can now be accessed externally by entering this address in a browser, together with the port number:
If you run into problems setting up remote port forwarding, this might be due to the configuration of your SSH server. Remote port forwarding is usually deactivated by default. You can change this by activating GatewayPorts in your SSH server configuration file. To do this, open the file and set GatewayPorts to “yes”.
Are you having a different problem with connecting to an SSH server? Take a look at our tips for fixing SSH errors!
SSH dynamic port forwarding
A third way of using SSH tunnels involves dynamic port forwarding, which enables you to use a socket on your local computer that will function as a kind of SOCKS proxy. All of the applications that use a SOCKS proxy will then connect with the SSH server and send their traffic through the tunnel. This kind of port forwarding is often used for tunneling web browser traffic.
To set up dynamic port forwarding, use the following terminal command:
ssh -D [local_ip_address:]local_port user@ssh_server_address
If you don’t enter a local IP address, the IP address 127.0.0.1, localhost, will be used automatically. If you, for example, set up a SOCKS tunnel for port 9090 with the address remote.host, the command will look as follows:
ssh -D 9090 -N -f firstname.lastname@example.org
After setting up the SOCKS proxy, be sure to properly configure the applications that use the proxy.
SSH tunnels and Windows
You can also set up SSH tunnels on Windows. Since the terminal is less central on Windows, you’ll want to use one of the many practical tools with a user interface, like PuTTY for example. They make setting up an SSH tunnel as easy as pie.
After you’ve downloaded and installed PuTTY, open it up. In the start menu under “Hostname”, enter the IP address of the SSH server you want to connect with. Then navigate to “Connection/SSH/Tunnels”, where you can enter the source port and target port in the fields “Source Port” and “Destination”. Finally, click the “Open” button to establish the connection. You should now be able to access the port in a browser using 127.0.0.1:port_number.
Reverse SSH tunnels
To access computers with a private IP address you’ll need a reverse SSH tunnel. With a reverse SSH tunnel, the remote computer you’re looking to access can create a connection to your local computer. You can then use that connection to create a new connection from the local computer to the remote computer.
The following command will set up an SSH tunnel from the remote computer:
ssh -Nf -R 2222:localhost:22 email@example.com
The local computer can then use the following command to connect with the remote computer:
ssh localhost -p 2222