SSH Tunnel & Port-Forward Generator
Build the exact ssh command for local (-L), remote (-R), and dynamic (-D / SOCKS) port forwarding - with a plain-English description, the ~/.ssh/config equivalent, and an autossh variant. Nothing leaves your browser.
Opens localhost:8080 on your machine and forwards it to localhost:5432, reached from ssh.example.com.
ssh -N -L 8080:localhost:5432 -o ServerAliveInterval=60 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes user@ssh.example.comHost my-tunnel
HostName ssh.example.com
User user
LocalForward 8080 localhost:5432
ServerAliveInterval 60
ExitOnForwardFailure yesautossh -M 0 -f -N -L 8080:localhost:5432 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" user@ssh.example.comWhat is SSH tunneling?
SSH tunneling (port forwarding) routes a TCP connection through an encrypted SSH session. Instead of exposing a database, dashboard, or dev server directly, you reach it over SSH - so it stays private and encrypted end to end. There are three directions, each a one-letter flag.
Local forwarding (-L): reach something remote
The most common kind. -L opens a port on your machine and forwards it to a destination reachable from the SSH server. Classic use: connect to a database that only listens on the remote network.
ssh -L 5432:localhost:5432 user@server - now pointing your DB client at localhost:5432actually talks to Postgres on the server. The destination is resolved from the server's side, so localhost there means the server itself.
Remote forwarding (-R): expose something local
The reverse. -R opens a port on the SSH server and forwards it back to a destination reachable from your machine - great for sharing a local dev server: ssh -R 8080:localhost:3000 user@server makes the server's :8080 hit your local :3000.
By default a remote forward only listens on the server's loopback. To bind it to all interfaces (so others can reach it), the server must set GatewayPorts yes in sshd_config.
Dynamic forwarding (-D): a SOCKS proxy
-D turns the SSH connection into a SOCKS proxy: ssh -D 1080 user@server opens a SOCKS5 proxy on localhost:1080, and any app configured to use it routes its traffic out through the server. Point your browser's SOCKS proxy setting at 127.0.0.1:1080to browse as if from the server's network.
The -N and -f flags
| Flag | What it does |
|---|---|
| -N | Do not run a remote command - just hold the tunnel open. Standard for pure forwards. |
| -f | Go to the background after authenticating. |
| -T | Disable pseudo-terminal allocation (often paired with -N). |
A typical "set it and forget it" tunnel is ssh -fN -L ... - background, no shell, just forwarding.
Keeping tunnels alive
Idle tunnels get dropped by firewalls and NAT. Add -o ServerAliveInterval=60 so SSH sends keepalives, and -o ExitOnForwardFailure=yes so a failed forward does not leave a useless connection. For tunnels that must survive disconnects, use autossh, which restarts SSH automatically - this tool generates that command too.
Bind address and security
By default a forwarded port binds to localhost, so only your machine can use it. Binding to 0.0.0.0 exposes it to your whole network - convenient for sharing, but make sure you trust that network, since the forwarded service then has no SSH protection in front of it.
The three forwarding types
| Type | Flag | Syntax | Use it to |
|---|---|---|---|
| Local | -L | -L [bind:]port:host:hostport | Reach a remote/internal service from your machine |
| Remote | -R | -R [bind:]port:host:hostport | Expose a local service on the SSH server |
| Dynamic | -D | -D [bind:]port | Run a SOCKS proxy through the server |
Frequently asked questions
Related developer tools
Manage SSH without the flag soup.
CtrlOps keeps every server as a named host with its keys attached - connect, manage, and monitor your fleet from one local-first desktop app, with credentials encrypted on your own machine.
✓ Start instantly·✓ No credit card·✓ No sneaky autorenewals

