Free tool · Runs in your browser

SSH Tunnel & Port-Forward Generator

Build the exact ssh command for local (-L), remote (-R), and dynamic (-D / SOCKS) port forwarding - with a plain-English description, the ~/.ssh/config equivalent, and an autossh variant. Nothing leaves your browser.

Opens localhost:8080 on your machine and forwards it to localhost:5432, reached from ssh.example.com.

ssh command

$ ssh -N -L 8080:localhost:5432 -o ServerAliveInterval=60 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes user@ssh.example.com

~/.ssh/config (then: ssh my-tunnel)

Host my-tunnel
    HostName ssh.example.com
    User user
    LocalForward 8080 localhost:5432
    ServerAliveInterval 60
    ExitOnForwardFailure yes

autossh (auto-reconnect)

$ autossh -M 0 -f -N -L 8080:localhost:5432 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" user@ssh.example.com

What is SSH tunneling?

SSH tunneling (port forwarding) routes a TCP connection through an encrypted SSH session. Instead of exposing a database, dashboard, or dev server directly, you reach it over SSH - so it stays private and encrypted end to end. There are three directions, each a one-letter flag.

Local forwarding (-L): reach something remote

The most common kind. -L opens a port on your machine and forwards it to a destination reachable from the SSH server. Classic use: connect to a database that only listens on the remote network.

With ssh -L 5432:localhost:5432 user@server running, pointing your DB client at localhost:5432 actually talks to Postgres on the server. The destination is resolved from the server's side, so localhost there means the server itself.

Remote forwarding (-R): expose something local

The reverse. -R opens a port on the SSH server and forwards it back to a destination reachable from your machine - great for sharing a local dev server: ssh -R 8080:localhost:3000 user@server makes the server's :8080 hit your local :3000.

By default a remote forward only listens on the server's loopback. To bind it to all interfaces (so others can reach it), the server must set GatewayPorts yes in sshd_config.

Dynamic forwarding (-D): a SOCKS proxy

-D turns the SSH connection into a SOCKS proxy: ssh -D 1080 user@server opens a SOCKS5 proxy on localhost:1080, and any app configured to use it routes its traffic out through the server. Point your browser's SOCKS proxy setting at 127.0.0.1:1080 to browse as if from the server's network.

The -N and -f flags

Flag  What it does
-N    Do not run a remote command - just hold the tunnel open. Standard for pure forwards.
-f    Go to the background after authenticating.
-T    Disable pseudo-terminal allocation (often paired with -N).

A typical "set it and forget it" tunnel is ssh -fN -L ... - background, no shell, just forwarding.

Keeping tunnels alive

Idle tunnels get dropped by firewalls and NAT. Add -o ServerAliveInterval=60 so SSH sends keepalives, and -o ExitOnForwardFailure=yes so a failed forward does not leave a useless connection. For tunnels that must survive disconnects, use autossh, which restarts SSH automatically - this tool generates that command too.

Bind address and security

By default a forwarded port binds to localhost, so only your machine can use it. Binding to 0.0.0.0 exposes it to your whole network - convenient for sharing, but make sure you trust that network, since the forwarded service then has no SSH protection in front of it.
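The bind-address rules above and the GatewayPorts rule from the remote-forwarding section combine into one question: where will the listener actually be reachable? The function below is an added example, not part of this tool's output; the name effective_bind and its output labels are made up for illustration, and it assumes the client's own GatewayPorts setting is at its default and that bind addresses are IPv4 or host names.

```sh
#!/bin/sh
# effective_bind KIND SPEC [GATEWAYPORTS]
#   KIND          L, R or D (the forwarding flag)
#   SPEC          the flag's argument, e.g. 8080:localhost:5432
#   GATEWAYPORTS  -R only: the server's sshd_config value
#                 (no | yes | clientspecified); default is no
# Prints loopback, all-interfaces, specific-address or unrecognised.
# Assumes the client's own GatewayPorts is left at its default (no)
# and that bind addresses are IPv4 or host names (no [::1] forms).
effective_bind() {
    kind=$1 spec=$2 gw=${3:-no}
    n=$(printf '%s\n' "$spec" | awk -F: '{ print NF }')
    case $kind in
        L|R) base=3 ;;   # port:host:hostport
        D)   base=1 ;;   # port
        *)   echo unrecognised; return 0 ;;
    esac
    if [ "$n" -eq "$base" ]; then
        requested=loopback            # no bind address given: ssh's default
    elif [ "$n" -eq $((base + 1)) ]; then
        case ${spec%%:*} in           # text before the first colon
            ''|'*'|0.0.0.0)      requested=all-interfaces ;;
            localhost|127.0.0.1) requested=loopback ;;
            *)                   requested=specific-address ;;
        esac
    else
        echo unrecognised; return 0   # field count fits none of the page's forms
    fi
    # For -R the listener lives on the server, so sshd has the last word.
    if [ "$kind" = R ]; then
        case $gw in
            no)              requested=loopback ;;        # forced to loopback
            yes)             requested=all-interfaces ;;  # forced to wildcard
            clientspecified) ;;                           # client's request stands
            *)               echo unrecognised; return 0 ;;
        esac
    fi
    echo "$requested"
}

# Constructed samples based on the commands shown on this page.
effective_bind L 8080:localhost:5432             # loopback
effective_bind L 0.0.0.0:8080:localhost:5432     # all-interfaces
effective_bind R 8080:localhost:3000 yes         # all-interfaces
effective_bind D 1080                            # loopback
```

Anything other than loopback means the forwarded service is reachable by other hosts without authenticating to SSH first, so those are the forwards worth reviewing.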

The three forwarding types

Type     Flag  Syntax                          Use it to
Local    -L    -L [bind:]port:host:hostport    Reach a remote/internal service from your machine
Remote   -R    -R [bind:]port:host:hostport    Expose a local service on the SSH server
Dynamic  -D    -D [bind:]port                  Run a SOCKS proxy through the server

SSH tunnel FAQ

Use local forwarding: ssh -L 5432:localhost:5432 user@server. This opens port 5432 on your machine and forwards it to the database as seen from the server (localhost there = the server). Point your DB client at localhost:5432. Choose Local in this tool and set the ports.
Use remote forwarding: ssh -R 8080:localhost:3000 user@server opens port 8080 on the server and forwards it to your local port 3000. To let others (not just the server) reach it, the server needs GatewayPorts yes in sshd_config.
Use dynamic forwarding: ssh -D 1080 user@server opens a SOCKS5 proxy on localhost:1080. Configure your browser or app to use a SOCKS5 proxy at 127.0.0.1:1080 and its traffic routes through the server.
Idle connections get dropped by NAT and firewalls. Add -o ServerAliveInterval=60 (and ServerAliveCountMax=3) so SSH sends keepalives, and use autossh for tunnels that must auto-reconnect after a drop. This tool can generate both the keepalive options and the autossh command.
Local (-L) opens the port on your machine and forwards to a destination reachable from the server - use it to reach something remote. Remote (-R) opens the port on the server and forwards back to your machine - use it to expose something local. The rule of thumb: the flag names where the listening port is opened.
-N tells SSH not to run a remote command, so it just holds the forward open without giving you a shell. -f sends SSH to the background after it authenticates. Together, ssh -fN -L ... is the usual way to start a background tunnel.