Port Forwarding

Port forwarding allows you to forward a port to another machine, or bring a remote port to a local machine. This is an enormously helpful technique, providing:

  • Secure access to a port that is otherwise not listening on a public network interface. This is common with database servers like MySQL.

  • Encryption for for services that may not natively use encrypted connections.

Local, Remote, and Dynamic Forwarding

Local forwarding lets you access a remote server's listening port as though it were local. An example of this technique would be to forward port 3306 (MySQL) to your local machine as port 3306, allowing you to use the MySQL server as though it were running on your local machine.

Remote forwarding opens a port on the remote machine and forwards connections to your local device. An example of this technique would be to open port 8080 on the remote machine and forward requests made on that port to your local machine as port 8080.

In the above two examples, the port numbers match, but this is not a requirement. Sometimes it's better to use a different port on the local or remote machine. This is helpful when a port number is already used or you are running on a machine without root access and you wish to bind a port number lower than 1024.

Dynamic Port Forwarding will turn your Termius client into a SOCKS proxy server. Using this technique you could have a web browser use your SSH connection as a proxy, making your web connection requests appear to come from the remote server instead of your local device.

It's important to note that dynamic port forwarding does not fully replace a VPN server. Programs must specifically support SOCKS proxying, and if not configured to use the proxy, they will connect as normal.

Add a Forwarded Port

The process for adding a forwarded port is nearly identical on both mobile and desktop.

To being, click on the Port Forwarding section on of Termius then click New Rule.

At the top of the add form you'll notice three options: Local, Remote, and Dynamic. Choose the option that fits your use case. If you're trying to tunnel a database connection, a popular scenario, use Remote.

On the mobile version you may provide a label for the forwarded port. It is optional.

For the Ports fields, specify the from and to ports. For the bind address, 127.0.0.1 is recommended, though you can change this to another address if you wish to listen on a virtual IP or another network interface on your system.

With Dynamic Port Forwarding, you need only specify one port - this is the local port that the SOCKS proxy server will listen to and await connections.

Edit / Delete a Forwarded Port

Mobile
Desktop

Tap and hold for a moment until the checkbox to the left of the port appears, then tap the edit icon (the green pad icon to the right of the trash can icon). Make your changes, then tap Save.

To delete a port, tap and hold, then click the red trash can icon.

Right-click on a port and click Edit, make your changes, then click Save.

To delete a port, click the three dot icon to the right and click Delete, or right-click and click Delete.

Connect a Forwarded Port

Mobile
Desktop

Tap the port to connect, or tap the ... icon for additional options.

Double-click on the port, or right-click and click Connect.

Troubleshooting

If you're having trouble forwarding a port, please follow these steps:

  1. Ensure that the destination port is not used by another process. On Windows, you can use netstat -ant to see local listening ports. On macOS and Linux, use netstat -tolpn

  2. Ensure that the port to be forwarded is used by the program you wish to access. For example, if Apache is listening on port 80 on the remote machine, be sure to specify that port.

  3. If you have trouble binding a local port lower than 1024, please use a higher port.

  4. If specifying a bind address different than 127.0.0.1, please ensure that network address is active.