Port Forward to remote server on virtual private cloud using SSH

neotam Avatar

Port Forward to remote server on virtual private cloud using SSH
Posted on :

Tags :

Considering you have a service running in VPC but it cannot be accessible over the internet and only accessible from the VPC. To access other services that are blocked over the internet, you can use SSH to connect to any one of the server in VPC that is accessible and forward to port to the destination service as follows

Following is the syntax for “Local Forwarding”

ssh -L [bindaddr]<port>: <destination-server>:<destination-port> <server>


bindaddrLocal Address to bind
portLocal port to bind
destination-serverDestination service IP
destionation-portDestination port of service
serverServer to connect

Option -L specifies the given port on the local (client) host is to be forwarded to the given host and port on the remote side. This works by allocating the socket to the specified local port and optionally binding it to the specified bindaddr. When connection is made to this location port specified, it is forwarded over the secure channel and connection is made to the specified “destination-server” and “destination-port” from the remote machine. If bindaddr is not specified, SSH listens on all interfaces.

If you are connecting to server with key file instead of password, use

ssh -i <keyfile> -L [bindaddr]<port>: <destination-server>:<destination-port> <server>


ssh -L 6379: root@servername.com 

Where SSH acts as the tunnel and forwards the requests destined to port 6379 on localhost to the specified port 3033 on host on the remote network.

— —

While -L option forwards connection on local specified port to remote host, it is also possible to configure SSH in such a way that connection on remote bound port to local host & port using option -R. This works by allocating a socket to listen to port on the remote host.

Following is the syntax for “Remote Forwarding”

ssh -R [bind_address:]port:host:hostport 

The listening socket on the server will be bound to the only by default, this can be changed by specifying bind_address. If bind_address is specified as ‘*’ or empty which indicates that socket should listen on all interfaces


ssh -R 6379: root@servername.com 

Local Forwarding: is used to forward a port from Local Machine to Remote Machine
Remote Forwarding: is used to forward a port from Remote Machine to Local Machine

Dynamic Application Level Port Forwarding

As we discussed above about local and remote forwarding on specific ports. We can also use SSH to create the SOCKS proxy to dinamically forward ports, in such a case SSH essentially acts as the SOCKS Server creating a proxy service referred as SOCKS proxy. Where, either SOCKS4 or SOCKS5 protocols are used.

ssh -D 1337 -q -C -N -f  use@server


-D Bind to local port given following by this option
-qQuite mode, don’t output anything
-CCompress the data
-NDo not execute any remote command, it is useful when forwarding ports
-fRun in background

Where Option -D is

     -D [bind_address:]port
             Specifies a local “dynamic” application-level port forwarding.  This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind_address.  Whenever a connection is made to
             this port, the connection is forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine.  Currently the SOCKS4 and SOCKS5 protocols are
             supported, and ssh will act as a SOCKS server.  Only root can forward privileged ports.  Dynamic port forwardings can also be specified in the configuration file.

             IPv6 addresses can be specified by enclosing the address in square brackets.  Only the superuser can forward privileged ports.  By default, the local port is bound in accordance with the GatewayPorts setting.  However,
             an explicit bind_address may be used to bind the connection to a specific address.  The bind_address of “localhost” indicates that the listening port be bound for local use only, while an empty address or ‘*’ indicates
             that the port should be available from all interfaces.

All command line arguments can be combined to create SOCKS server for SOCKS proxy

 ssh -D1337 -fCqN  user@server

How to keep SSH tunnel open

If you want to reliably port forward using SSH at first you might feel skeptic since SSH connection can be dead after while either disconnected by server. To port forard in reliable fashion using SSH, we can use the wrapper application autossh which monitors the ssh tunnel and restart or connects if required

To incorporate the “Remote Port Forwarding”

autossh -M 20000 -f -N  admin@example.com  -R 2424:localhost:22 -C

Another example, to open ssh tunnel using keypair instead of password

autossh -f -nNT -i ~/keypair.pem -R 2424:localhost:22 admin@exmaple.com

Leave a Reply

Your email address will not be published. Required fields are marked *