From SpectLog


SSH can tunnel any TCP/IP connection between two networks: local and remote. Machines on the local and remote networks may have no way to connect to each other except through an SSH channel between two selected machines: a local client and a remote server.

In fact, clients are often on private IP networks behind NAT, which prohibits any incoming connections into their local network.


In order to be clear and specific in this text, let us use the following convention:

  • local / remote refers to any machine using the tunnel on local and remote networks respectively.
  • client / server refers to the two particular machines providing SSH tunnel between the networks.
    Client is a local machine, as it has to be on the local network.
    Server is a remote machine, as it has to be on the remote network.
  • incoming port is used to listen for connection to be tunneled - it is always a port number only (host is implicit server or client).
  • outgoing port is used as destination for the tunneled payload - it is always both host and port number (host is explicit machine).
  • direct (or local) tunnel creates incoming port on the client.
  • reverse (or remote) tunnel creates incoming port on the server.


  • An SSH connection is established between the client and the server (user@server).
  • SSH starts listening on the tunnel's incoming port (which is on the client machine for the direct tunnel or on the server machine for reverse tunnel).
  • For each connection to the tunnel's incoming port a new tunneled channel is created and maintained between the client and the server.
  • The client and the server start continuously redirecting tunnel's payload between TCP/IP connections on incoming and outgoing ports.

-Local or direct tunnel

The direct tunnel creates tunnel's incoming port on the client (local) machine.

ssh -L port:host:hostport user@server

Example of direct tunnel

Direct tunnel is one straightforward way to access various services on the remote network. All remote services (databases, VNC servers, etc.) can be behind a firewall which only has to allow incoming SSH connection.

-Remote or reverse tunnel

The reverse tunnel creates tunnel's incoming port on the server (remote) machine.

ssh -R port:host:hostport user@server

Example of reverse tunnel

Reverse tunnel is a way to open access to services on the local network. This is especially convenient when the local network is behind NAT.

For example, a home computer can open access to the home network by creating the tunnel's incoming port on a remote server. Even if the home network is behind NAT, as long as the SSH connection from the home computer exists, it is possible to access services in the home network through the remote server.

If there is a server on the Internet, then a home computer behind NAT can allow connections to its local SSH server (localhost:22):

home> ssh -R 8822:localhost:22 user@server

Anyone who is able to connect to port 8822 on the server will be connecting to the home computer's SSH server:

internet> ssh -p 8822 user@server # here user is an account on the home computer

The tunnel exists only as long as the SSH connection from the home computer exists. To make it more reliable (automatically restartable), use public key (password-less) authentication with the tunnel opening command inside an infinite shell loop:

home> ssh-keygen # accept all defaults by hitting Enter
home> ssh-copy-id user@server # authenticate once to be authenticated using keys (without password) forever
home> while true; do ssh -R 8822:localhost:22 user@server; done


  • Set AllowTcpForwarding yes (default) for the SSH server to make tunneling possible.
  • In order to be able to listen on privileged ports, root authorization is required. In other words, do not try to open the tunnel's incoming port on a privileged port without root access on that host.
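
A defender-side check for the server setting named in the notes above, as an added example that is not part of the original page: it reads an sshd_config on standard input and reports whether direct and reverse tunnels are permitted and whether a reverse tunnel's incoming port stays on loopback. The function names and the sample configuration are constructed for this example; GatewayPorts is not mentioned on the page and is the OpenSSH server option that controls the bind address of reverse-tunnel ports.

```shell
#!/bin/sh
# Added example: report how an sshd_config treats the tunnels described above.
# sshd keeps the FIRST value it reads for a keyword and keyword names are
# case-insensitive. Only the global section (before any Match block) is read.

effective_setting() {   # usage: effective_setting <keyword> <default> < config
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -v def="$2" '
        { sub(/#.*/, "") }                  # drop comments
        tolower($1) == "match" { exit }     # global section ends here
        tolower($1) == key && !found { val = tolower($2); found = 1 }
        END { print (found ? val : def) }
    '
}

audit_forwarding() {    # usage: audit_forwarding < config; returns 0, 1 or 2
    cfg=$(cat)
    fwd=$(printf '%s\n' "$cfg" | effective_setting AllowTcpForwarding yes)
    gw=$(printf '%s\n' "$cfg" | effective_setting GatewayPorts no)
    case "$fwd" in
        no)    echo "OK: TCP forwarding disabled, no -L or -R tunnels"; return 0 ;;
        local) echo "OK: only direct (-L) tunnels are allowed"; return 0 ;;
    esac
    # fwd is yes, all or remote: clients may open incoming ports on this server
    if [ "$gw" = "no" ]; then
        echo "NOTE: reverse (-R) tunnels allowed, incoming ports bound to loopback"
        return 1
    fi
    echo "WARN: reverse (-R) tunnels allowed with GatewayPorts=$gw, incoming ports can be reachable from the network"
    return 2
}

# Constructed sample configuration, not taken from a real host.
sample_config() {
    cat <<'EOF'
Port 22
gatewayports clientspecified
AllowTcpForwarding yes
GatewayPorts no
Match User backup
    AllowTcpForwarding no
EOF
}

sample_config | audit_forwarding || true   # prints the WARN line
```

On a real server, run `audit_forwarding < /etc/ssh/sshd_config`, or pipe in the output of `sshd -T` to evaluate the effective configuration.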

