# Port forwarding and tunneling SSH port forwarding, also called SSH tunneling, can be used to **get** or **provide** access to services that are not directly reachable, encrypt connections between different applications, and more. See also: [Port Forwarding](https://help.ubuntu.com/community/SSH/OpenSSH/PortForwarding) (Ubuntu Community Help Wiki). Termius supports all three main types of port forwarding (local, remote, and dynamic) and lets users manage their port-forwarding rules through a convenient interface. You can view all active port forwarding rules on a single page, and start or stop a specific rule with a double-click. ## Local port forwarding **Concept:** "I want to **get access** to a specific service that is unreachable from my current perspective." For example, Daniel has a MySQL database server that is not reachable from his device with Termius, but is reachable from the `daniel.local` device, which is his office laptop. The laptop runs an SSH server and is reachable from Daniel's device with Termius. If Daniel sets up local port forwarding through an SSH connection to his office laptop, he will be able to **get access** the MySQL database server locally. Here is how to set it up via Termius: {% stepper %} {% step %} #### Create a local port forwarding rule

Open the Port Forwarding screen in Termius, and create a `New Port Forwarding`. When prompted to choose a type, choose `Local`. {% hint style="info" %} Termius has a built-in Port Forwarding Setup Wizard that can lead you through the steps explaining what every parameter of the setup is required for. You can choose to skip it and see all the required fields to be set up on a single form. {% endhint %} {% endstep %} {% step %} #### Choose a local port

This is the port that will be opened on a `local` machine. Traffic from this port will be forwarded to the specified destination via the SSH connection we will specify next. {% hint style="warning" %} Make sure the port is not already in used. For example, if you are setting up a local port forwarding on iOS, make sure not to choose one of the ports listed [here](https://support.apple.com/en-us/103229). Otherwise, the port forwarding rule won't be activated. You can check if another process is already using the selected port by running the `netstat` command in the terminal: * On Windows, run `netstat -ant` * On macOS and Linux, run `netstat -tolpn` {% endhint %} {% endstep %} {% step %} #### Choose a host

This is the intermediate host to tunnel the traffic through. The resource/service you are trying to access locally should be accessible from this host. {% endstep %} {% step %} #### Choose the destination address and port

Now specify the address and port you want to **get access to**, as if you were reaching them from the chosen host's perspective. If the service is running locally on the selected host, then put 127.0.0.1 in the destination address field. {% endstep %} {% step %} #### Start the rule

After you create the Port Forwarding Rule, **double-click** it to start it. **Double-click** it again to stop it. {% endstep %} {% endstepper %} The resulting rule is equivalent to the following command: ``` ssh -L 127.0.0.1:3336:10.1.30.42:3306 daniel@daniel.local ``` ## Remote port forwarding **Concept:** "I want to ***provide*** someone with ***access*** to a service running on my machine or my private network." For example, Bethany is developing a personal website on her laptop and wants Daniel to review it. Unfortunately, it is not accessible to Daniel, and she cannot change the router settings to make it accessible. Daniel has an SSH server running on his machine and suggests that Bethany set up remote port forwarding over the SSH connection to his server so he can access Bethany's website locally. Here is how to set it up via Termius: {% stepper %} {% step %} #### Create a remote port forwarding rule

Open the Port Forwarding screen in Termius, and create a `New Port Forwarding`. When prompted to choose a type, choose `Remote`. {% hint style="info" %} Termius has a built-in Port Forwarding Setup Wizard that can lead you through the steps explaining what every parameter of the setup is required for. You can choose to skip it and see all the required fields to be set up on a single form. {% endhint %} {% endstep %} {% step %} #### Choose a host

This is the host you can reach via SSH, and where you want to open a port. Anyone connecting to that port on the server will have their traffic tunneled back through your SSH connection to your local machine. {% endstep %} {% step %} #### Choose a remote port

This is the port that will be opened on the selected remote server. Anyone connecting to that port on the server will have their traffic tunneled back through your SSH connection to your local machine. {% hint style="warning" %} Make sure the port is not already in used. You can check if another process is already using the selected port by running the `netstat` command in the terminal on the remote host: * On Windows, run `netstat -ant` * On macOS and Linux, run `netstat -tolpn` {% endhint %} {% endstep %} {% step %} #### Choose the destination address and port

Now specify the address and port that you want **to provide access to**. If the service you want to share is running locally on your machine, then put 127.0.0.1 in the destination address field and specify the corresponding port. {% endstep %} {% step %} #### Start the rule

After you create the Port Forwarding Rule, **double-click** it to start it. **Double-click** it again to stop it. {% endstep %} {% endstepper %} The resulting rule is equivalent to the following command: ``` ssh -R 127.0.0.1:8080:127.0.0.1:80 daniel@daniel.local ``` ## Dynamic port forwarding **Concept:** "I want my machine to act as a secure proxy for **any** destination." * This can be used to **get access** to a service that is unreachable locally, similar to the case with Local port forwarding * Or a SOCKS proxy can be used that will tunnel the traffic through the specified SSH connection, allowing secure access in untrusted networks For example, using this technique, you can have a web browser use your SSH connection as a proxy, making your web connection requests appear to come from the remote server instead of your local device. * For that, you will need to specify `127.0.0.1:[selected local port]` as the browser SOCKS proxy. Here is how to set it up via Termius: {% stepper %} {% step %} #### Create a dynamic port forwarding rule

Open the Port Forwarding screen in Termius, and choose to create a `New Port Forwarding`. When prompted to choose a type, choose `Dynamic`. {% hint style="info" %} Termius has a built-in Port Forwarding Setup Wizard that can lead you through the steps, explaining what every parameter of the setup is required for. You can choose to skip it and see all the required fields to be set up on a single form. {% endhint %} {% endstep %} {% step %} #### Choose a local port

This is the port to be opened on a `local` machine. Traffic from this port will be forwarded to the specified destination via the SSH connection we will specify next. {% hint style="warning" %} Make sure the port is not reserved by the system. For example, if you are setting up a local port forwarding on iOS, make sure not to choose one of the ports mentioned [here](https://support.apple.com/en-us/103229). Otherwise, the port forwarding won't be activated. You can check if another process is already using the selected port by running the `netstat` command in the terminal: * On Windows, run `netstat -ant` * On macOS and Linux, run `netstat -tolpn` {% endhint %} {% endstep %} {% step %} #### Choose a host

This is the intermediate host to tunnel the traffic through. The resource/service you are trying to access locally should be accessible from this host. {% endstep %} {% step %} #### Start the rule

After you create the Port Forwarding Rule, **double-click** it to start it. **Double-click** it again to stop it. {% endstep %} {% endstepper %} The resulting rule is equivalent to the following command: ``` ssh -D 2080 daniel@acme-web-dev-us-south:16734 ``` ## Troubleshooting If you followed the steps above but your port forwarding rule doesn't start, there are a couple of things you can check: * Make sure no other process is already using the forwarded port. On Windows, run `netstat -ant`. On macOS and Linux, run `netstat -tolpn`. * If remote port forwarding does not work, make sure `GatewayPorts` is set to `yes` in the remote SSH server configuration. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.termius.com/organize-and-connect-to-hosts/port-forwarding-and-tunneling.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.