Single Node with X11 and Firewall

The ssh -X command enables X11 forwarding, letting remote Linux GUI apps display locally.
Linux supports this natively with X11 libraries and forwarding enabled on both ends.
On macOS, X11 isn’t built in. To use ssh -X, you must install and run XQuartz before connecting.
On Windows, use MobaXterm (all-in-one SSH + X11 client) or Cygwin/X (Unix-like environment with X11 support).

sshd_config_firewwall_X11

Configured for running X11 forwarding behind a firewall.


#########################################################
# https://hiddenssh.com                                 #
#                                                       #
# sshd_config_firewwall_X11	                        #
# Version 1.1                                           #
#########################################################

# Network
# --------
Port 22
AddressFamily inet
# For Public
ListenAddress 192.168.0.1
# For the VPN
ListenAddress 10.0.0.1
AllowAgentForwarding no
AllowTcpForwarding yes
GatewayPorts yes
PermitTunnel yes
TCPKeepAlive yes

# Firewall
# ---------
# Only allow a user to log in, and only from the correct IP or gateway.
# Need to be set in SSH iptables chain
# Need to be set in /etc/hosts.allow
# Example sshd: 192.168.0.100
#         sshd: 1.1.1.*
# Need to be set in sshd config AllowUsers
AllowUsers user1@192.168.1.100 user2@10.0.0.2

# Encryption
# ----------
# AES acceleration on CPU important for X11 forwarding.
Ciphers aes256-ctr,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com
KexAlgorithms curve25519-sha256@libssh.org
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
RekeyLimit 4G 1h
# Compression is important for bandwidth savings.
Compression delayed

# Logging
# sshd applies the first value of a repeated keyword, so name the facility once.
SyslogFacility AUTHPRIV
LogLevel INFO

# Hardening login
# ---------------
LoginGraceTime 5m
StrictModes yes
MaxAuthTries 5
MaxSessions 5
MaxStartups 10:30:100
ChallengeResponseAuthentication no
UseDNS yes
PidFile /run/sshd.pid
# 0 disables the server-side keepalive probes, so ClientAliveCountMax never triggers.
ClientAliveInterval 0
ClientAliveCountMax 3

# Login
# ------
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys .ssh/authorized_keys_backup
PasswordAuthentication yes
PermitEmptyPasswords no
UsePAM yes
# Disable functions
HostbasedAuthentication no
IgnoreUserKnownHosts yes
IgnoreRhosts yes
# Disable users
PermitRootLogin no
DenyUsers root guest ubuntu postfix snap_daemon snapd-range-524288-root sddm geoclue colord saned pulse avahi lightdm rtkit debian-tor dnsmasq nvidia-persistenced glances usbmux fwupd-refresh landscape tss tcpdump uuidd syslog polkitd pollinate systemd-resolve messagebus dhcpcd systemd-timesync systemd-network nobody _apt irc list backup www-data proxy uucp news mail lp man games sync sys bin daemon
DenyGroups root guest nobody ubuntu

# Info
# -----
PrintMotd yes
VersionAddendum hiddenssh-firewall-x11-v1.0
# Will show before login
Banner /etc/ssh/login.txt
PrintLastLog yes

# X11 / Window manager
# --------------------
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes

# System Tweaks
# --------------
PermitTTY yes
# Lets ~/.ssh/environment and authorized_keys environment= options set variables;
# sshd_config(5) warns this can bypass access restrictions via LD_PRELOAD.
PermitUserEnvironment yes
ChrootDirectory none
AuthorizedPrincipalsFile none
AuthorizedKeysCommand none
AuthorizedKeysCommandUser nobody
# override default of no subsystems
Subsystem       sftp    /usr/lib/openssh/sftp-server

# Environment variables (the client must also SendEnv them), command: env
# Add API keys
AcceptEnv LANG LC_* hiddenssh openaikey oraclesecretkey oracleauthtoken

# Multi-box-setup
KbdInteractiveAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
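The firewall section above requires three layers (the SSH iptables chain, /etc/hosts.allow and AllowUsers) to agree, and sshd reads the file with "first value wins" semantics, which makes a repeated keyword silently dead. The script below is an added example, not part of the hiddenssh.com page or its config files: it parses an sshd_config the way sshd does, reports the effective value of each keyword, checks the AllowUsers hosts against a hosts.allow file, and derives the DISPLAY and loopback port that X11DisplayOffset and X11UseLocalhost produce. The sample config and hosts.allow are constructed excerpts that mirror the values on this page; the function names and the set of checks are this example's own.

```python
"""Added audit script (not part of the page): reads sshd_config the way sshd does
and checks the firewall, keepalive, environment and X11 settings discussed above.
All sample inputs below are constructed for the example."""
import re
from collections import OrderedDict
from fnmatch import fnmatchcase

# Constructed excerpt mirroring the page's sshd_config_firewwall_X11 values.
SAMPLE_SSHD_CONFIG = """\
Port 22
ListenAddress 192.168.0.1
ListenAddress 10.0.0.1
AllowUsers user1@192.168.1.100 user2@10.0.0.2
SyslogFacility AUTH
SyslogFacility AUTHPRIV
ClientAliveInterval 0
ClientAliveCountMax 3
PermitUserEnvironment yes
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
"""

# Constructed /etc/hosts.allow using the two patterns from the page's comment.
SAMPLE_HOSTS_ALLOW = """\
sshd: 192.168.0.100
sshd: 1.1.1.*
"""

# Keywords that accumulate across lines; every other keyword keeps its FIRST value.
MULTI_VALUED = {"port", "listenaddress", "hostkey", "acceptenv", "allowusers",
                "denyusers", "allowgroups", "denygroups", "subsystem"}


def parse_sshd_config(text):
    """Map lowercase keyword -> list of values in order of appearance.
    Comments and blank lines are dropped; 'Key value' and 'Key=value' both parse."""
    values = OrderedDict()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        values.setdefault(parts[0].lower(), []).append(parts[1].strip())
    return values


def effective(values, keyword):
    """The value sshd actually applies: the whole list for accumulating keywords,
    otherwise the first occurrence (sshd_config(5): first obtained value wins)."""
    vals = values.get(keyword.lower())
    if not vals:
        return None
    return vals if keyword.lower() in MULTI_VALUED else vals[0]


def allowusers_hosts(values):
    """Host parts of user@host patterns in AllowUsers (plain user names have none)."""
    return [pat.partition("@")[2] for entry in values.get("allowusers", [])
            for pat in entry.split() if "@" in pat]


def hosts_allow_admits(hosts_allow_text, client_ip):
    """True if some 'sshd: client_list' line in hosts.allow matches client_ip.
    Handles exact IPs, ALL, shell wildcards (1.1.1.*) and trailing-dot prefixes (1.1.1.)."""
    for raw in hosts_allow_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split(":")
        if len(fields) < 2 or "sshd" not in fields[0].split():
            continue
        for pat in fields[1].replace(",", " ").split():
            if pat == "ALL" or fnmatchcase(client_ip, pat) or \
               (pat.endswith(".") and client_ip.startswith(pat)):
                return True
    return False


def x11_proxy_display(values):
    """(DISPLAY handed to the first forwarded session, its TCP port, loopback-only?)"""
    offset = int(effective(values, "X11DisplayOffset") or 10)
    loopback = (effective(values, "X11UseLocalhost") or "yes").lower() == "yes"
    return f"localhost:{offset}.0", 6000 + offset, loopback


def audit(values, hosts_allow_text):
    """Findings for the pitfalls in the firewall, keepalive and environment settings."""
    findings = []
    for key, vals in values.items():          # repeated keyword: later lines are dead
        if key not in MULTI_VALUED and len(vals) > 1:
            findings.append(f"{key}: repeated, sshd uses {vals[0]!r} and ignores {vals[1:]}")
    if effective(values, "ClientAliveInterval") == "0" and "clientalivecountmax" in values:
        findings.append("clientaliveinterval: 0 disables probes, ClientAliveCountMax never fires")
    if (effective(values, "PermitUserEnvironment") or "no").lower() == "yes":
        findings.append("permituserenvironment: yes lets ~/.ssh/environment set LD_PRELOAD-style "
                        "variables that can bypass ForceCommand-type restrictions")
    for host in allowusers_hosts(values):      # the firewall layers must agree
        if not hosts_allow_admits(hosts_allow_text, host):
            findings.append(f"allowusers: {host} is allowed by sshd but not by hosts.allow")
    return findings


if __name__ == "__main__":
    cfg = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    print("X11 proxy display/port/loopback:", x11_proxy_display(cfg))
    for finding in audit(cfg, SAMPLE_HOSTS_ALLOW):
        print("-", finding)
```

Run against the sample, the audit reports the dead second SyslogFacility line, the keepalive and environment caveats, and that neither AllowUsers host (192.168.1.100, 10.0.0.2) is admitted by a hosts.allow that only lists 192.168.0.100 and 1.1.1.*; that last mismatch is exactly the kind of gap between the three layers that leaves a user blocked even though sshd itself would accept the login. Point the two SAMPLE_ constants at real files to audit a live host.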

X11 config

Config for /etc/X11/xinit/xserverrc. It must be set correctly for X11 forwarding to work.


#!/bin/sh
# This is the startup script for the X server (used by startx or Xinit)

# Start the X server binary, replacing the shell with it
# --------------------------------------------------------

# /usr/bin/X        = main X11 server binary
# -nolisten tcp     = disables direct remote TCP connections (increases security)
#                     SSH X11 forwarding still works — it uses 127.0.0.1 (loopback)
#                     for DISPLAY like localhost:10.0 forwarded via SSH tunnel
# -dpi 220          = sets the DPI (dots per inch) for scaling fonts/UI
# "$@"              = passes any additional arguments from caller (startx, etc)

exec /usr/bin/X -nolisten tcp -dpi 220 "$@"