How do I configure a local SSH tunnel using .ssh/config?

Use the LocalForward directive in your SSH config file to map a local port to a remote service. For example, 'LocalForward 8080 localhost:3306' maps your local port 8080 to a remote MySQL service.

What is remote port forwarding in SSH?

Remote port forwarding allows a remote server to access a service running on your local machine. For example, 'RemoteForward 9090 localhost:22' exposes your local SSH service on the remote host's port 9090.

What does DynamicForward do in SSH?

DynamicForward sets up a local SOCKS5 proxy. Traffic from applications configured to use this proxy (e.g. Firefox) is forwarded securely through the SSH connection.

How can I prevent SSH from timing out?

Add 'ServerAliveInterval 60' and 'ServerAliveCountMax 2' to your SSH config to send keep-alive messages and prevent disconnections.

What does ExitOnForwardFailure no do?

It prevents SSH from terminating if port forwarding setup fails initially. This ensures your SSH connection stays up and can retry forwarding later.

HiddenSSH - Secure OpenSSH Hardening

SSH tunnel config .ssh/config

SSH tunnels can be pre-configured in the client-side SSH configuration file (~/.ssh/config),
allowing automated and seamless port forwarding without manually entering commands.

1. Configuring Local Port Forwarding (-L)

Local port forwarding allows a local port to securely connect to a remote service.

Example: Forwarding Local Port 8080 to a Remote MySQL Server


Host remote-mysql
    HostName remote-server
    User user
    LocalForward 8080 localhost:3306

LocalForward 8080 localhost:3306 → Maps local port 8080 to remote MySQL port 3306.
When connecting to remote-mysql, the tunnel is automatically established.

2. Configuring Remote Port Forwarding (-R)

Remote port forwarding allows a remote machine to connect back to a local service.

Example: Allowing the Remote Server to Access a Local SSH Service


Host remote-ssh-access
    HostName remote-server
    User user
    RemoteForward 9090 localhost:22

RemoteForward 9090 localhost:22 → Maps remote port 9090 to local SSH port 22.
The remote machine can now securely access the local SSH service.

3. Configuring Dynamic Port Forwarding (`-D`)

Dynamic port forwarding creates a SOCKS5 proxy, allowing multiple applications to route traffic securely through the SSH connection.

Example: Creating a SOCKS5 Proxy on Local Port 1080


Host socks-proxy
    HostName remote-server
    User user
    DynamicForward 1080

DynamicForward 1080 → Sets up a SOCKS5 proxy at localhost:1080.
Applications can now configure SOCKS5 proxy settings to use this connection.

4. Additional Configuration Options

✔ Keeping the Connection Alive


    ServerAliveInterval 60
    ServerAliveCountMax 2

Prevents SSH timeout disconnections by sending keep-alive packets.

✔ Automatically Reconnect on Failure

ExitOnForwardFailure no

Ensures SSH tunnels continue working, even if the first attempt fails.

✔ Simplifying Hostnames for Easier Use


    HostName remote-server.example.com
    User user
    IdentityFile ~/.ssh/id_rsa

Allows easy connection using ssh remote-mysql instead of typing the full hostname.

Summary

✔ Use LocalForward → Securely connect to a remote service.
✔ Use RemoteForward → Allow a remote machine to access a local service.
✔ Use DynamicForward → Set up a SOCKS5 proxy for secure browsing.
✔ Enable ServerAliveInterval → Prevent SSH timeouts.
✔ Use ExitOnForwardFailure → Ensure automatic reconnection.

🚀 Now, SSH tunnels are automatically created when connecting to the configured hosts! 🔐