SSH port forwarding, also known as SSH tunneling, allows you to redirect network traffic through a secure, encrypted SSH connection. Think of it as a private, secure pipe: you send data into one end (a local or remote port), and it emerges from a different endpoint—protected from eavesdroppers, surveillance, and firewall blocks.
By encapsulating regular TCP (or UDP when using advanced SSH versions) within SSH’s encryption, port forwarding is a powerful method for securing communications over untrusted networks.
What Is SSH Port Forwarding?
SSH port forwarding is a method of securely transmitting data between a local machine and a remote server over an encrypted SSH connection. It works by redirecting network traffic from one port to another, effectively creating a secure “tunnel” that shields data from eavesdropping or interception.
Why Use SSH Port Forwarding?
- Secure Remote Access: Encrypts traffic between local and remote machines.
- Bypass Firewalls: Access services blocked by network restrictions.
- Expose Local Services: Make internal applications available remotely.
- Protect Sensitive Data: Prevents unauthorized access to databases, internal APIs, and admin panels
Requirements to Port Forward SSH
Just before you begin with the process of port forwarding, make sure you have the following things:
- The IP address of your router.
- IP address of your gaming device.
- TCP and UDP ports of SSH for your gaming device as mentioned in the section below.
Step-by-Step Guide on How to Port Forward SSH
Now that you have the above details noted down, you can move to the next stage of SSH port forwarding:
- On your web browser address bar, type your router’s IP Address/Default Gateway.
- Log in with your router’s credentials (username and password) to view your router’s firmware settings.
- Navigate to the port forwarding section of your router.
- Click on Port Forwarding.
- Enter the IP address of your gaming device in your router in the correct box.
- Put the TCP and UDP ports of the SSH server in the boxes in your router. The default SSH port number is 8080. And then click the apply button.
- And you’re done. Restart your router to let the changes take effect.
- Once your changes take effect, now you can connect to SSH.
Types of SSH Port Forwarding
There are three primary types of SSH port forwarding, each serving different purposes:
1. Local Port Forwarding (ssh -L)
Local port forwarding redirects traffic from a local port to a remote server via an SSH tunnel. It’s commonly used to access internal services (e.g., databases, web apps) securely.
Syntex:
ssh -L [local_port]:[remote_host]:[remote_port] [user]@[ssh_server]
Example:
ssh -L 8080:localhost:80 user@remote-server.com
2. Remote Port Forwarding (ssh -R)
Remote port forwarding does the opposite—it forwards a remote port back to a local machine. This is useful for exposing a local development server to the internet.
Syntax:
ssh -R [remote_port]:[local_host]:[local_port] [user]@[ssh_server]
Example:
ssh -R 9000:localhost:3000 user@public-server.com
3. Dynamic Port Forwarding (ssh -D)
Dynamic port forwarding turns your SSH connection into a SOCKS proxy, allowing multiple applications to route traffic through the encrypted tunnel.
Syntax:
ssh -D [local_port] [user]@[ssh_server]
Example:
ssh -D 1080 user@proxy-server.com
Example Scenarios of SSH Port Forwarding
| Scenario | Type | Command |
|---|---|---|
| Secure DB access | Local | ssh -L 3307:prod-db:3306 alice@db-host.com |
| Expose localhost service | Remote | ssh -R 8080:localhost:5000 alice@server.com |
| Secure browsing | Dynamic | ssh -D 1080 alice@gateway.example.com |
Real-World Use Cases of SSH Port Forwarding
1. Secure Database Access
2. Bypassing Corporate Firewalls
3. Remote Development & Debugging
4. Securing Legacy Applications
SSH ports needed to run
To play SSH online and create a server without any interruptions, you’ll have to allow access to certain ports on your firewall. The default SSH ports are:
| TCP: | 8080 |
| UDP: | 8080 |
Security Risks & Best Practices
Potential Risks
- Unauthorized Access: Misconfigured tunnels can expose internal services.
- Malware Abuse: Attackers can use SSH tunnels for data exfiltration.
- Performance Overhead: Encryption adds latency.
How to Mitigate Them
✔ Restrict Forwarding: Use AllowTcpForwarding in sshd_config.
✔ Use SSH Keys: Avoid password-based logins.
✔ Monitor Connections: Log SSH tunnel activity.
✔ Limit Exposure: Only forward necessary ports
Advanced Tips & Tricks
1. Persistent Tunnels with autossh
Prevent disconnections with:
autossh -M 0 -L 3306:localhost:3306 user@remote-server
2. Multi-Hop Tunneling
Chain SSH tunnels through a bastion host:
ssh -J bastion-user@bastion-host target-user@target-server -L 8080:localhost:80
3. Configuring SSH for Easier Tunneling
Add shortcuts to ~/.ssh/config:
Host db-tunnel
HostName remote-db.com
User db-admin
LocalForward 3306 localhost:3306
How to open ports behind CGNAT
What if your ISP performs CGNAT? Most ISPs perform CGNAT (Carrier-grade Network Address Translation) to conserve bandwidth and assign a single IP address to multiple users connected to the same internet network. However, CGNAT makes it difficult for you to open ports on the router.
To get around the CGNAT issue, you can use the Port Forwarding add-on to bypass this problem and port forward routers without hassle.
Here’s more information on how to use PureVPN’s Port Forwarding add-on and bypass CGNAT in a few clicks.
PureVPN’s Port Forwarding Add-on
A secure way to open all ports
To most people, port forwarding is quite a demanding task. For starters, every router has a different console, which often makes it difficult to navigate to specific settings.
Secondly, you won’t always be able to open SSH ports on your router if your ISP restricts the ports. Yes, you heard that right! ISPs are notorious for blocking ports due to security reasons. If ISP isn’t the reason behind a blocked port, then perhaps it could be your operating system’s firewall.
Well, you can make all these problems go away and enjoy smooth online gaming on all your desired systems with PureVPN’s Port Forwarding add-on. Through the Port Forwarding add-on, you can allow all ports, disallow all ports, and allow specific ports.
SSH Port Forwarding with PureVPN
Here is how you can use PureVPN to port forward SSH in just a few clicks:
- Sign up for PureVPN, add Port Forwarding to your plan, and complete the payment.
- Download and install the PureVPN app, launch it, and log in using your credentials.
- Access the PureVPN Member Area, go to Subscriptions and click Configure next to Port Forwarding.
- Choose Enable specific ports, enter the ports you want to open, and click the Apply Settings button.
- Open the PureVPN app, connect to a port forwarding-supported server, and you are good to go!
Conclusion
SSH port forwarding is an essential tool for secure remote access, whether you’re a developer, sysadmin, or security professional. By mastering local, remote, and dynamic forwarding, you can:
✅ Securely access databases and internal apps.
✅ Bypass restrictive firewalls.
✅ Share local services without exposing them publicly.
However, always follow security best practices to prevent misuse. Ready to implement SSH tunneling? Try the examples above and take control of your secure connections today!
Frequently Asked Questions
SSH port forwarding redirects network traffic through an encrypted SSH connection. It comes in three forms—local (-L), remote (-R), and dynamic (-D)—allowing secure access, firewall bypassing, and proxying over SSH.
It secures data, bypasses network filters, aids secure development and remote access, and protects your privacy online—all via a familiar SSH tool.
No, SSH tunnels encrypt specific app traffic, while VPNs encrypt all network traffic.
PureVPN
June 12, 2025
1 month ago
