Port forwarding and tunneling
This page explains how to set up and manage SSH port forwarding in Termius, including local, remote, and dynamic tunneling.
SSH port forwarding, also called SSH tunneling, can be used to get or provide access to services that are not directly reachable, encrypt connections between different applications, and more. See also: Port Forwarding (Ubuntu Community Help Wiki).
Termius supports all three main types of port forwarding (local, remote, and dynamic) and lets users manage their port-forwarding rules through a convenient interface. You can view all active port forwarding rules on a single page, and start or stop a specific rule with a double-click.
Local port forwarding
Concept: "I want to get access to a specific service that is unreachable from my current perspective."
For example, Daniel has a MySQL database server that is not reachable from his device with Termius, but is reachable from the daniel.local device, which is his office laptop. The laptop runs an SSH server and is reachable from Daniel's device with Termius. If Daniel sets up local port forwarding through an SSH connection to his office laptop, he will be able to get access the MySQL database server locally.
Here is how to set it up via Termius:
Create a local port forwarding rule
Open the Port Forwarding screen in Termius, and create a New Port Forwarding. When prompted to choose a type, choose Local.
Termius has a built-in Port Forwarding Setup Wizard that can lead you through the steps explaining what every parameter of the setup is required for. You can choose to skip it and see all the required fields to be set up on a single form.
Choose a local port
This is the port that will be opened on a local machine. Traffic from this port will be forwarded to the specified destination via the SSH connection we will specify next.
Make sure the port is not already in used.
For example, if you are setting up a local port forwarding on iOS, make sure not to choose one of the ports listed here. Otherwise, the port forwarding rule won't be activated.
You can check if another process is already using the selected port by running the netstat command in the terminal:
On Windows, run
netstat -antOn macOS and Linux, run
netstat -tolpn
The resulting rule is equivalent to the following command:
ssh -L 127.0.0.1:3336:10.1.30.42:3306 [email protected]Remote port forwarding
Concept: "I want to provide someone with access to a service running on my machine or my private network."
For example, Bethany is developing a personal website on her laptop and wants Daniel to review it. Unfortunately, it is not accessible to Daniel, and she cannot change the router settings to make it accessible. Daniel has an SSH server running on his machine and suggests that Bethany set up remote port forwarding over the SSH connection to his server so he can access Bethany's website locally.
Here is how to set it up via Termius:
Create a remote port forwarding rule
Open the Port Forwarding screen in Termius, and create a New Port Forwarding. When prompted to choose a type, choose Remote.
Termius has a built-in Port Forwarding Setup Wizard that can lead you through the steps explaining what every parameter of the setup is required for. You can choose to skip it and see all the required fields to be set up on a single form.
Choose a remote port
This is the port that will be opened on the selected remote server. Anyone connecting to that port on the server will have their traffic tunneled back through your SSH connection to your local machine.
Make sure the port is not already in used.
You can check if another process is already using the selected port by running the netstat command in the terminal on the remote host:
On Windows, run
netstat -antOn macOS and Linux, run
netstat -tolpn
The resulting rule is equivalent to the following command:
Dynamic port forwarding
Concept: "I want my machine to act as a secure proxy for any destination."
This can be used to get access to a service that is unreachable locally, similar to the case with Local port forwarding
Or a SOCKS proxy can be used that will tunnel the traffic through the specified SSH connection, allowing secure access in untrusted networks
For example, using this technique, you can have a web browser use your SSH connection as a proxy, making your web connection requests appear to come from the remote server instead of your local device.
For that, you will need to specify
127.0.0.1:[selected local port]as the browser SOCKS proxy.
Here is how to set it up via Termius:
Create a dynamic port forwarding rule
Open the Port Forwarding screen in Termius, and choose to create a New Port Forwarding. When prompted to choose a type, choose Dynamic.
Termius has a built-in Port Forwarding Setup Wizard that can lead you through the steps, explaining what every parameter of the setup is required for. You can choose to skip it and see all the required fields to be set up on a single form.
Choose a local port
This is the port to be opened on a local machine. Traffic from this port will be forwarded to the specified destination via the SSH connection we will specify next.
Make sure the port is not reserved by the system.
For example, if you are setting up a local port forwarding on iOS, make sure not to choose one of the ports mentioned here. Otherwise, the port forwarding won't be activated.
You can check if another process is already using the selected port by running the netstat command in the terminal:
On Windows, run
netstat -antOn macOS and Linux, run
netstat -tolpn
The resulting rule is equivalent to the following command:
Troubleshooting
If you followed the steps above but your port forwarding rule doesn't start, there are a couple of things you can check:
Make sure no other process is already using the forwarded port. On Windows, run
netstat -ant. On macOS and Linux, runnetstat -tolpn.If remote port forwarding does not work, make sure
GatewayPortsis set toyesin the remote SSH server configuration.
Last updated
Was this helpful?