How to Tunnel Web Traffic with SSH Secure Shell

Jorge Sierra 07-03-2009

secure If you are a Linux or UNIX user, you probably use SSH (Secure Shell) to access the command line on your machines remotely. In addition to providing secure access to shell accounts, SSH can also securely transport other kinds of web traffic as well. In a sense, it can provide you with a quick and easy VPN (Virtual Private Network) into the remote network where your SSH server resides.


First of all, you will of course need an SSH server running somewhere. Linux and OS X come with SSH servers, but there are also SSH servers available for Windows. freeSSHd is a nice free SSH server for Windows. It is a quick and easy installation and relatively easy to configure as well. You will of course need administrator privileges on the machine you install it onto.

Since you will be accessing your SSH server remotely, if it is behind a firewall or router you will have to make sure that port 22 (the default SSH port) is properly forwarded to it. Most routers have the ability to forward ports to individual machines on the local network. You’ll have to refer to the instructions for your router/firewall on how to do this.

Once you have your SSH server configured so that you can connect to it from any Internet connection, you’ll of course need a client to connect to it. Linux and OS X both have SSH clients built-in.  If you’re on Windows, the client of choice is PuTTY. I will provide instructions on tunneling with PuTTY, but you can certainly use other clients as well.

First, specify the address of your SSH server in the Session section. Select SSH for the Connection type and enter 22 for the Port (or whatever external internet port you are using to connect to your SSH server).



Next, go to Connection > SSH > Tunnels. There are three types of tunnels you can set up:

  • Dynamic – This acts as a SOCKS proxy that can be used to tunnel traffic through the network where the SSH server resides.  You can then configure applications that support SOCKS proxies (such as a web browser) to take advantage of it. I’ll demonstrate how to set up Firefox to work through a dynamic tunnel.
  • Local – A local tunnel will allow you to connect to the specified port on a machine residing on the same network as the SSH server.  One useful example that I will show you is how to connect to a Windows computer running Remote Desktop.
  • Remote – As the name somewhat implies, this is the reverse of a local tunnel.  You are probably less likely to use this, but it would allow machines on the SSH server network to access a machine and port on the network where your SSH client resides.  I won’t go through any examples on setting up a remote port in this article.

So in the example I’m going to provide, we will say the home network has two computers. One is a Linux box running the SSH server and the other is a Windows box with Remote Desktop enabled. We want to set up two tunnels: a dynamic tunnel and a local tunnel to connect to the Windows machine via Remote desktop.

Let’s first set up a dynamic tunnel for port 1080. The port you use for a dynamic tunnel is actually arbitrary, but since port 1080 is often used for SOCKS proxies that’s what we’ll use. Type 1080 in the Source port field, select Dynamic as the port type, and then click the Add button.



Next, let’s set up the local tunnel for the computer on the network running Windows Remote Desktop.  Let’s say the local IP addresses on the LAN where the SSH server resides are addresses.  The Windows machine has a local IP of Enter 3390 for the Source port, for the Destination, select Local for the port type, and then click the Add button. You’ll see later why I’ve configured the source port to be different than the destination.


Once you have everything configured for the connection, go back to the Session section and save your connection. Then click Open and log into your Linux box with your credentials as you normally would.

Now you have to configure your applications to use the tunnels you have set up.  Let’s say you want to do your web browsing through the dynamic tunnel we set up. This is actually an extremely useful way to take advantage of SSH.


You may be on a network with some sort of firewall or content filtering that you wish to bypass. If you are able to get out on port 22 (or any other port, you’ll just have to set up your SSH server accordingly), then you’ll be able to surf wherever you want without issue through the dynamic tunnel.

It is also useful if you are surfing on a network where you may be concerned about others observing your traffic. Perhaps you are connecting from a hotel, a client site, or from work (you didn’t learn that from me) and you do not want others monitoring your traffic.

The best choice is to use Firefox, because Firefox allows you to configure the browser to also send DNS requests through the proxy. If you use Internet Explorer, your DNS requests are still made via the local network you connect from and thus can still be monitored. So Firefox would be the preferred browser if you wish to maintain privacy on the network you are connecting from.

To set up Firefox to use the dynamic tunnel as a SOCKS proxy, go to the Firefox Options > Advanced > Network and click the Settings”¦ button.  In the settings page, click Manual proxy configuration, enter localhost for the SOCKS Host, and 1080 for the Port.



We’re not quite done. We still need to configure Firefox to send DNS requests to the SOCKS proxy as well.  To do this, enter about:config in the navigation bar in Firefox. You may get a prompt asking you if you know what you’re doing. Assure Firefox that you know what you’re doing and proceed.

Enter socks_remote_dns for the Filter and press enter. You should see a single option that says network.proxy.socks_remote_dns. If it says false for the Value, double-click on it so that it says true. You’re now all set. You should be able to surf the web through your new secure dynamic tunnel!


Fortunately, connecting to our Windows Remote Desktop machine is much easier. You just launch the Remote Desktop Client and enter localhost:3390 for the machine address. That’s all there is to it!


The reason we set up the source port to 3390 is because the Remote Desktop Client will not allow you to connect to the default remote desktop port (3389) on the local machine. So that’s why we used 3390 instead (we could have used any port, I just use 3390 because it’s easy for me to remember).

The source port you use for setting up the tunnels is arbitrary. We could have used 1234 instead of 3390 if we wanted to, as long as nothing is running on the local machine at port 1234. What is not arbitrary is what you use on the destination IP and port. For that you will need to use the proper IP address and port for the service you wish to connect to.

You can set up tunnel for any service on any IP anywhere. You’ll just need to set up the program to connect to localhost on the source port you set up for the tunnel. It’s a pretty nifty way to connect to stuff you may not be able to otherwise, due firewall issues you may encounter. All you need is a single port to get to your SSH server, and it of course has to be running on that port.

Do you use SSH tunnels? What sorts of cool things do you use them for?

Photo Credit: kreg.steppe

Related topics: Computer Networks, IP Address, Remote Access, VPN.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. hammer
    February 9, 2010 at 7:43 pm A tunnelling only SSH Server,based on java

  2. sem
    October 19, 2009 at 9:35 am

    Is this tunneling the same as port forwarding? I am a little unfamiliar on this topic. How safe and secure is this?

    • Jorge Sierra
      October 19, 2009 at 12:48 pm

      It's not the same as port forwarding, although port forwarding may be necessary to do it.

      Port forwarding typically takes place with a firewall/router that has a machine behind it. That machine is running some kind of server that you want to allow access from outside of the firewall.

      Tunneling allows you to send (relatively) arbitrary traffic through an SSH server into a client. Essentially, the SSH server becomes a proxy for the client, and encrypted data is transmitted between the server and client, so it is safe and secure. The data being retrieved by the server for the client may or may not be secure/encrypted.

      Fundamentally speaking, it is as though the client is actually on the server requesting data. So if you use SSH tunneling as a proxy to surf the web, it is just as safe/secure as if you were on the server surfing the web.

    • Encryption Software
      October 27, 2009 at 5:14 pm

      As noted, Port Forwarding is a different beast altogether. Think of it as poking singular holes in your firewall for singular apps to make their way through.

  3. David
    July 15, 2009 at 12:03 am

    Hey i'm familiar with ssh tunneling but i don't have or know any servers to pass my encrypted ssh data to.I googled about ssh proxy servers but all i got was crap.Does anyone know a good ssh proxy server that can handle my traffic ?


    • Jorge Sierra
      July 15, 2009 at 8:16 am

      I'm afraid I don't understand the question. What do you mean when you say a server to pass your encrypted ssh data to? SSH already performs the function of passing encrypted data between the SSH client and server. The tunnels are used to pass through any kind of TCP traffic on the specified port(s).

  4. Jon
    April 29, 2009 at 2:18 pm

    Ok... I might be heading in the wrong direction with this. I want to have a secure remote desktop connection to a linux box at home. I have a windows laptop with putty installed. The SSH server is already installed and configured so that I can SSH into my server from putty. Is tunneling VNC the way to go and if so would I just use localhost for all the destinations since its on the same computer?

    • Jorge Sierra
      April 30, 2009 at 7:33 am

      That's exactly right. Make sure that port 22 on your Linux box is accessible from wherever you're going to be connecting with Putty. Then just connect Putty w/ the VNC tunnel configured properly, launch the VNC client, and connect the VNC client to localhost.

  5. Paul Gowers
    April 29, 2009 at 3:40 am

    Hey Jorge, great, easy to follow article. Just set up my first SSH tunnel from laptop at home to client following your instructions and now running Firefox over it. Thanks a million!

  6. Nicodareus
    April 28, 2009 at 5:11 pm

    Heh. I stumbled across this while trying to figure out how to tunnel WoW and EQII through to my personal computer at home. It sort of helped me make sense of a few things, but doesn't really help me out much in the long run. Basically, I'm at work. And while I have full permission to play these games (And watch TV.. And.. Well.. Sleep for that matter.) there are firewalls in the way as one would expect. I can use my own connection and play just fine, but their satellite internet is about 800x better than my cellular internet. Really, it's not even worth trying to play on my little cell card here 40 miles from anywhere.

    I've done alot of reading and know there is a way to set up SOME sort of tunneling to handle this for me, but it all seems really intimidating and complex. Probably moreso than it really is. Any advice or perhaps a link to a 'Network tunneling for dummies' article would be appreciated. n.n

    • Jorge Sierra
      April 29, 2009 at 6:32 am

      Tunneling games directly through an SSH tunnel may be possible (as long as it TCP only, and not UDP traffic), but it is definitely a much more complicated process. Probably your best bet is to use a program that will allow you to tunnel traffic from a program through a SOCKS proxy.

      Scott mentioned Proxifier in the first comment on the article. You can try it out with the 31-day free trial. There is one free program called FreeCap. I've used it in the past and had some luck with some programs, but not all.

  7. Jon
    April 27, 2009 at 11:16 pm

    Looks really useful, but I'm kinda new so not entirely sure how to use it yet. Could somebody point me in the right direction for tunneling VNC through SSH.

    • Jorge Sierra
      April 28, 2009 at 5:46 am

      VNC is a great application for tunneling through SSH. The setup is very much the same as it is for Remote Desktop, however, instead of forwarding port 3389, you would forward port 5900.

      Let's say the machine you want to tunnel to is at IP and VNC is running on port 5900. The local tunnel you would set up would need to be directed to and you could use 5900 as the local port. Once you make the SSH connection with the port forward, you bring up the VNC client, and connect it to localhost:5900. SSH will redirect the traffic to the correct machine.

  8. Josh
    March 23, 2009 at 12:09 pm

    There are a few different ways to do this, actually, and if you have a Mac, you can even create (very easily) your own application to do it for you.

    Step-by-step tutorial on how to do it here:

    [Broken URL Removed]

  9. Francois
    March 9, 2009 at 2:05 pm

    Excellent article! Unfortunately, this type of tunneling is often used to by pass firewalls in corporate environment. Are you aware if SSH traffic can be distinguished from other type of traffic out there so to be blocked?

    • Jorge Sierra
      March 9, 2009 at 2:40 pm

      I'm not sure, that's a very good question that I've wondered about that myself. I would suspect that a good network traffic analyzer would be able to distinguish SSH packets, even if they are running on something other than port 22, but I don't know for sure.

    • VaÅ¡ek
      November 25, 2009 at 7:33 am

      SSH traffic is distinguishable. Look at the packet capture. At the beginning of the SSH connection you will see SSH version etc. Many major firewalls are able to distinguish and block ssh on non-standard ports (for example Check Point and Fortinet).

  10. Paul M.
    March 8, 2009 at 7:57 pm

    BRILLIANT ARTICLE! And thanks for the tip Scott.

    Here's a .bat that could be used to initiate the session with PLINK:
    start plink -v -ssh @ -pw -D localhost:

    Other than tunneling or VNC, what are some other applications for SSH?

    • Jorge Sierra
      March 9, 2009 at 5:06 am

      Shell access and tunneling are pretty much all that SSH does for you. There are many different things you can tunnel through SSH. VNC, Remote Desktop, web sites, FTP, database connections, etc. I even once set up OpenVPN to tunnel through SSH.

  11. Jash Sayani
    March 8, 2009 at 10:11 am

    I have setup my own little VPN server on a Mac mini. It works great from HotSpots and on the iPhone! Now all I need is the iStat iPhone app to monitor the temperature...

  12. Scott
    March 7, 2009 at 7:12 pm

    Great post. I use SSH Tunnels to allow to me to watch Hulu as I don't live in the US. I have a little VPS and connect through that.

    A little tip is to use Proxifier which pushes all traffic through the SSH tunnel made with PuTTy.

    • Jorge Sierra
      March 9, 2009 at 6:23 am

      FreeCap is a nice free alternative to Proxifier that you may want to check out as well.