SSH Tunneling and Port Forwarding Techniques: A Command-Line Reference
SSH tunneling and port forwarding techniques enable secure network traffic routing through encrypted channels using the -L, -D, and -R flags, allowing you to access remote services, browse via SOCKS proxies, and expose local development servers safely.
The jlevy/the-art-of-command-line repository identifies SSH tunneling and port forwarding techniques as fundamental competencies for secure remote operations. As documented in the README.md at line 173, the OpenSSH client provides robust encryption capabilities that extend beyond simple remote shells to create sophisticated network tunnels. This guide presents the exact command structures and configuration patterns found in the repository source code to help you implement production-ready secure connections.
Local Port Forwarding (-L)
Local port forwarding binds a port on your local machine to a destination reachable from the remote server. This technique is essential for accessing databases, web services, or internal APIs that are not exposed to the public internet.
According to the source code in README.md, the standard syntax uses the -L flag followed by [local_port]:[remote_host]:[remote_port]:
ssh -L 3306:127.0.0.1:3306 user@remote.example.com
After establishing this connection, your local port 3306 forwards traffic to 127.0.0.1:3306 on the remote host. You can then connect to the remote MySQL instance using mysql -h 127.0.0.1 -P 3306 as if it were running locally.
Dynamic SOCKS Proxy (-D)
Dynamic port forwarding transforms your SSH client into a SOCKS5 proxy, routing arbitrary application traffic through the encrypted tunnel. This approach is ideal for secure web browsing or when you need to route multiple protocols through a single remote gateway.
The jlevy/the-art-of-command-line repository documents this technique using the -D flag to specify a local port:
ssh -D 1080 user@remote.example.com
Configure your browser or operating system to use localhost:1080 as a SOCKS5 proxy. TCP traffic from the applications configured to use the proxy will then traverse the encrypted SSH connection to remote.example.com before reaching its final destination, masking your local IP address and bypassing local network restrictions.
Remote Port Forwarding (-R)
Remote port forwarding reverses the direction, exposing a service running on your local machine to the remote server. While used less frequently due to security considerations, this technique enables external access to local development servers or internal tools.
The syntax follows [remote_port]:[local_host]:[local_port]:
ssh -R 8080:localhost:3000 user@remote.example.com
Once connected, any user who can reach remote.example.com:8080 will be proxied to your local service on port 3000. This is particularly useful for sharing local development previews with colleagues or integrating with webhook services that require public endpoints.
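The three forwarding modes above, wrapped in POSIX shell helpers as an added example (not code from the-art-of-command-line). The helpers bind every listener to 127.0.0.1 explicitly, validate ports, and start the tunnel detached with ExitOnForwardFailure; the `ss` utility, the `demo` argument and the cm-style function names are assumptions of this example, while user@remote.example.com and the 3306 MySQL case come from the text.

```shell
# Added example, not code from the-art-of-command-line: assemble the -L, -R
# and -D arguments used above with an explicit 127.0.0.1 bind address, so a
# forwarded port is never reachable from other hosts on the local network,
# and start the tunnel so that ssh fails loudly if the forward is refused.

# Succeed when $1 is a TCP port in 1..65535.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# forward_spec <L|R|D> <listen_port> [<target_host> <target_port>]
# L: listener on this machine, target reached from the server.
# R: listener on the server; sshd's default GatewayPorts=no still accepts an
#    explicit loopback bind, so only clients on the server itself can connect.
# D: loopback-only SOCKS5 listener on this machine.
forward_spec() {
  valid_port "$2" || return 1
  case "$1" in
    L|R) valid_port "$4" || return 1
         printf '127.0.0.1:%s:%s:%s\n' "$2" "$3" "$4" ;;
    D)   printf '127.0.0.1:%s\n' "$2" ;;
    *)   return 1 ;;
  esac
}

# start_tunnel <L|R|D> <spec> <user@host>
# -N runs no remote command, -f detaches once the forward is up, and
# ExitOnForwardFailure turns a port already in use into a non-zero exit
# instead of a silently half-working session.
start_tunnel() {
  ssh -f -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=15 \
      -o ServerAliveCountMax=6 "-$1" "$2" "$3"
}

# listening_on <port>: confirm the local listener exists before using it.
listening_on() {
  ss -Hltn "sport = :$1" 2>/dev/null | grep -q .
}

# MySQL case from the text; runs only when invoked as "demo" because it
# really connects to user@remote.example.com.
if [ "${1:-}" = "demo" ]; then
  spec=$(forward_spec L 3306 127.0.0.1 3306) &&
    start_tunnel L "$spec" user@remote.example.com &&
    listening_on 3306 && echo "tunnel up: mysql -h 127.0.0.1 -P 3306"
fi
```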
Connection Optimization with SSH Config
The repository provides a configuration snippet in README.md (lines 175-184) that optimizes tunnel stability through connection multiplexing and keepalive settings. Add the following to your ~/.ssh/config file:
Host *
TCPKeepAlive=yes
ServerAliveInterval=15
ServerAliveCountMax=6
Compression=yes
ControlMaster auto
ControlPath /tmp/%r@%h:%p
ControlPersist yes
These settings enable ControlMaster multiplexing, allowing multiple SSH sessions to share a single underlying TCP connection. The ServerAliveInterval and ServerAliveCountMax parameters ensure tunnels remain active during periods of inactivity by sending periodic keepalive packets.
Establishing Persistent Master Connections
To leverage multiplexing, first establish a master connection that persists in the background:
ssh -M -S /tmp/$(whoami)@myhost:22 user@myhost
Subsequent tunnel commands reuse this socket connection, making them nearly instantaneous and reducing TCP handshake overhead:
ssh -S /tmp/$(whoami)@myhost:22 -L 5432:127.0.0.1:5432 user@myhost
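The master/reuse procedure above, driven through ssh's -O control commands, as an added example that is not code from the-art-of-command-line. It expands the same %r@%h:%p tokens as the ControlPath in the snippet but keeps the socket under ~/.ssh (ssh_config(5) recommends a directory other users cannot write to rather than /tmp); the cm- prefix, the 10m ControlPersist value and the `demo` argument are this example's own choices, while user@myhost and port 5432 come from the text.

```shell
# Added example, not code from the-art-of-command-line: drive the multiplexing
# master from the section above through ssh's -O control commands. The socket
# path expands the same %r@%h:%p tokens as the ControlPath in the snippet, but
# lives under ~/.ssh because ssh_config(5) recommends a directory that other
# users cannot write to rather than /tmp.

# mux_socket_path <user> <host> [port]  (port defaults to 22)
mux_socket_path() {
  printf '%s/.ssh/cm-%s@%s:%s\n' "$HOME" "$1" "$2" "${3:-22}"
}

# split_target <user@host>: print "user host"; a bare host keeps the local user.
split_target() {
  case "$1" in
    *@*) printf '%s %s\n' "${1%%@*}" "${1#*@}" ;;
    *)   printf '%s %s\n' "${USER:-$(id -un)}" "$1" ;;
  esac
}

# mux_start <user@host> [port]: detached master (-M) that ssh keeps open for
# ten minutes after the last attached session ends, so tunnels started with
# -S on the same socket skip the TCP and authentication handshakes.
mux_start() {
  set -- $(split_target "$1") "${2:-22}"
  ssh -f -N -M -S "$(mux_socket_path "$1" "$2" "$3")" \
      -o ControlPersist=10m -p "$3" "$1@$2"
}

# mux_ctl <check|exit> <user@host> [port]
# check: exit 0 when a master is running on the socket; exit: tell the master
# to shut down, which also tears down every tunnel attached to it.
mux_ctl() {
  cmd=$1; shift
  set -- $(split_target "$1") "${2:-22}"
  ssh -O "$cmd" -S "$(mux_socket_path "$1" "$2" "$3")" -p "$3" "$1@$2"
}

# Session from the text; runs only when invoked as "demo" since it connects.
if [ "${1:-}" = "demo" ]; then
  mux_start user@myhost &&
    ssh -S "$(mux_socket_path user myhost)" -L 5432:127.0.0.1:5432 user@myhost &&
    mux_ctl check user@myhost
fi
```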
Config-Based Tunnel Aliases
For frequently used tunnels, the repository recommends defining shortcuts directly in ~/.ssh/config using the LocalForward directive. This approach eliminates the need to remember port numbers and hostnames:
Host mytunnel
HostName remote.example.com
User user
LocalForward 5900 localhost:5900
With this configuration, you initiate the tunnel using a single command:
ssh mytunnel
This establishes the connection and automatically forwards local port 5900 to the remote VNC server, demonstrating how SSH tunneling and port forwarding techniques integrate seamlessly with standard configuration management.
Summary
- SSH tunneling and port forwarding techniques provide encrypted pathways for network traffic using the -L, -D, and -R flags documented in the jlevy/the-art-of-command-line repository.
- Local forwarding (-L) connects local ports to remote services, while remote forwarding (-R) exposes local services to remote hosts.
- Dynamic forwarding (-D) creates SOCKS5 proxies for comprehensive traffic routing through secure channels.
- The README.md configuration snippet (lines 175-184) implements ControlMaster multiplexing to reduce connection latency and improve reliability.
- Persistent tunnels benefit from ServerAliveInterval and TCPKeepAlive settings to prevent timeout disconnection during idle periods.
Frequently Asked Questions
What is the difference between SSH local and remote port forwarding?
Local port forwarding (-L) forwards traffic from your local machine to a destination accessible by the remote server, useful for reaching remote databases or internal web services. Remote port forwarding (-R) operates in reverse, allowing the remote server to access services running on your local machine, commonly used for exposing local development servers to the internet through a remote gateway.
How does SSH connection multiplexing improve tunnel performance?
Connection multiplexing, configured through ControlMaster auto and ControlPath settings in ~/.ssh/config, allows multiple SSH sessions to reuse a single established TCP connection. This eliminates the overhead of repeated authentication handshakes and TCP slow-start phases, making subsequent tunnel connections instantaneous and reducing overall network latency when managing multiple ports.
How do I keep SSH tunnels alive automatically?
Configure your ~/.ssh/config with ServerAliveInterval 15 and ServerAliveCountMax 6 as shown in the repository's recommended snippet (lines 175-184). These directives instruct the client to send periodic keepalive messages every 15 seconds, preventing firewalls or NAT routers from terminating idle connections and ensuring persistent tunnels remain active during extended operations.
When should I use a dynamic SOCKS proxy instead of local port forwarding?
Use dynamic forwarding (-D) when you need to route multiple protocols or arbitrary destinations through a secure tunnel, such as when browsing websites or using applications that connect to various external APIs. Local port forwarding is preferable when targeting specific, known services like a single database instance or Redis server that operates on a fixed port.