
SSH Tunnel

An SSH tunnel uses the secure SSH protocol to encrypt and forward traffic between your device and a remote server. It is a simple way to secure connections or bypass network restrictions.

Last updated June 8, 2026

Definition

An SSH tunnel (also called SSH port forwarding) uses the encrypted Secure Shell protocol to wrap and forward network traffic between your machine and a remote server. Because SSH is already secure and widely available, it offers a quick way to protect a connection or route traffic through another host without installing dedicated VPN software.

How SSH tunneling works

You open an SSH session to a server and instruct it to forward ports. There are three main modes:

  • Local forwarding (ssh -L): send local traffic to a remote destination through the server.
  • Remote forwarding (ssh -R): expose a local service to the remote side.
  • Dynamic forwarding (ssh -D): turn the SSH connection into a SOCKS5 proxy.
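To make the three modes concrete, here is an added example (not part of the original glossary entry) that reads an ssh command line, classifies each -L/-R/-D option, and reports which side opens the listening port and whether it is bound beyond loopback. It assumes separate TCP forward options in the `[bind_address:]port[:host:hostport]` form; the function names and sample command lines are constructed for illustration.

```python
import shlex

# Forwarding flag -> (mode name, side that opens the listening port)
MODES = {"-L": ("local", "client"), "-R": ("remote", "server"), "-D": ("dynamic", "client")}
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def split_spec(spec):
    """Split a forward spec on ':' but keep bracketed IPv6 literals whole."""
    parts, buf, depth = [], "", 0
    for ch in spec:
        depth += (ch == "[") - (ch == "]")
        if ch == ":" and depth == 0:
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    return parts + [buf]

def parse_forwards(cmdline):
    """Return one dict per -L/-R/-D option found in an ssh command line."""
    args = shlex.split(cmdline)
    found = []
    for i, arg in enumerate(args):
        if arg[:2] not in MODES:
            continue
        mode, side = MODES[arg[:2]]
        # The spec is either glued to the flag (-L8080:...) or the next argument.
        spec = arg[2:] or (args[i + 1] if i + 1 < len(args) else "")
        parts = split_spec(spec)
        explicit = len(parts) in (2, 4)  # a bind address was written out
        bind = parts[0].strip("[]") if explicit else None
        found.append({
            "mode": mode,
            "listener_on": side,
            "bind": bind,  # None means the default (loopback unless GatewayPorts changes it)
            "port": parts[1] if explicit else parts[0],
            "target": ":".join(parts[-2:]) if len(parts) >= 3 else "socks",
            # An empty bind address, '*' or any non-loopback address is reachable by other hosts.
            "exposed": bind is not None and bind not in LOOPBACK,
        })
    return found

# Constructed sample command lines (hosts and ports are placeholders).
SAMPLES = [
    "ssh -D 1080 user@server",
    "ssh -L 5433:db.internal:5432 user@server",
    "ssh -R 0.0.0.0:8080:localhost:3000 user@server",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line, "->", parse_forwards(line))
```

An entry with "exposed" set to True means other machines on that network can use the forwarded port, which is worth reviewing before leaving a tunnel running.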

Why it matters

SSH tunnels encrypt traffic on untrusted networks, reach internal services behind a firewall, and can act as a lightweight personal proxy. The dynamic mode is especially useful for routing a browser through a remote IP for privacy or geo-access.

The trade-off is that tunnels handle one path at a time and lack the polish, kill switches, and scale of a full VPN.

Examples

  1. Running ssh -D 1080 user@server to create a SOCKS5 proxy for a browser
  2. Using ssh -L to securely reach a remote database behind a firewall
  3. Tunneling traffic through a cloud VPS to mask your real IP

Common Use Cases

  • Securely accessing internal services behind a corporate firewall
  • Creating a quick personal SOCKS5 proxy without extra software
  • Encrypting traffic on untrusted public Wi-Fi networks
  • Routing a browser through a remote server for geo-access

Frequently Asked Questions

No. An SSH tunnel forwards specific ports or acts as a SOCKS5 proxy, while a VPN routes your entire system's traffic. SSH tunnels are lighter but less comprehensive.
Use dynamic forwarding with a command like ssh -D 1080 user@server, then point your browser to the local SOCKS5 proxy on that port.
Yes. SSH encrypts the tunneled traffic between your device and the SSH server with strong cryptography, making it safe for protecting connections over untrusted networks.