SSH port forwarding can be used to gain or provide access to services that are not directly reachable, to encrypt connections between different applications and more.
Termius supports all types of port forwarding: local, remote and dynamic.
Local port forwarding
Local port forwarding is most commonly used for connecting to services on a private network, such as a database or VNC server.
This type of port forwarding redirects connections made to a port on your device (e.g. by a browser) running Termius to a device running an SSH server and then to any reachable port / device.
See also: Local port forwarding (a Wikipedia article).
Usage example
Daniel has a MySQL database server that is not reachable from his device with Termius, but is reachable from the daniel.local device, which is his office laptop. The laptop runs an SSH server and is reachable from Daniel's device with Termius. He can connect to the database using a local port forwarding connection.
The settings shown in the above screenshot would solve the problem Daniel has.
The OpenSSH analogue of that connection would be
ssh -L 127.0.0.1:3336:10.1.30.42:3306 daniel@daniel.local
By activating this port forwarding connection in Termius, Daniel will forward the 3336 port on the 127.0.0.1 network interface of his device to the port 3306 at 10.1.30.42. He will then need to specify 127.0.0.1:3336 as the address of the MySQL database in his local MySQL client.
Set up local port forwarding
- Choose Port forwarding in the main menu.
- Click + New and Skip wizard.
- (Optionally) in the Set a label... field, provide a name for the connection.
- In the Local port number field, enter the number of the port that you want to be forwarded. You can use any port number greater than 1024 and less than 49151. For example, 2080.
- (Optionally) in the Bind address field, specify an IP address of your device (network interface) connections to which should be forwarded. If you skip this field, Termius will bind to 127.0.0.1, which means no other machine will be able to connect to the port being forwarded.
- In the Intermediate host field, specify the host that should act as an intermediary.
- In the Destination address field, specify the IP address or domain name of the host to which the connections should be forwarded.
- In the Destination port number field, enter the number of the port which should receive the traffic.
- Click ➔ at the top right to hide the connection's details.
Double-click the port forwarding connection to enable it.
- Choose Port forwarding in the main menu and tap +.
- (Optionally) in the Label field, provide a name for the connection.
- In the Host / Host from field, specify the host that should act as an intermediary.
- In the Port from field, enter the number of the port that you want to be forwarded. Specifying a number greater than 1000 and less than 49151 should probably be fine.
- In the Destination / Host to field, specify the IP address or domain name of the host to which the connections should be ultimately forwarded.
- In the Port to field, enter the number of the port on the end device that should receive the traffic.
- (Optionally) in the Bind address field, specify an IP address of your device (network interface) connections to which should be forwarded. If you skip this field, Termius will bind to 127.0.0.1, which means no other machine will be able to connect to the port being forwarded.
- Tap Save / ✔️, then tap the port forwarding connection to activate it.
Remote port forwarding
Remote port forwarding is mostly used to give access to an internal service to someone from the outside.
This type of port forwarding redirects connections made to a port on a device (e.g. by a browser) running an SSH server to your device (with Termius) and then to any reachable port, on your device or another one.
See also: Remote port forwarding (a Wikipedia article).
Usage example
Bethany is developing a personal website on her laptop and wants Daniel to check it out. Unfortunately, it is not reachable to Daniel. Luckily, Bethany can reach Daniel's public SSH server, which means that Bethany can make it possible for Daniel to connect to her website – by configuring a remote port forwarding connection.
The settings shown in the above image would solve the problem Bethany has.
The OpenSSH analogue of that connection would be
ssh -R 127.0.0.1:8080:127.0.0.1:80 daniel@37.144.179.120
By activating this port forwarding connection in Termius, Bethany will forward (map) the 8080 port on the 127.0.0.1 network interface of Daniel's device, which runs the SSH server, to the port 80 on the 127.0.0.1 interface of her device with Termius. Daniel will need to type 127.0.0.1:8080 in the browser to access the website.
Set up remote port forwarding
- Choose Port forwarding in the main menu.
- Click + New, then Skip wizard, then Remote at the top.
- (Optionally) in the Set a label... field, provide a name for the connection.
- In the Remote host field, specify the host, a port of which you want to be forwarded.
- In the Remote port number field, enter the number of the port that you want to be forwarded. You can use any port number greater than 1024 and less than 49151. For example, 2080.
- (Optionally) in the Bind address field, specify an IP address (network interface) on the remote host, connections to which should be forwarded. If you skip this field, Termius will bind to 127.0.0.1, which means only connections made from the remote host itself will be forwarded.
- In the Destination address field, specify the IP address or domain name of the host to which the connections should be forwarded.
- In the Destination port number field, enter the number of the port that should receive the traffic.
- Click ➔ at the top right to hide the connection's details.
Double-click the port forwarding connection to enable it.
- Choose Port forwarding in the main menu and tap +.
- Tap Remote at the top / choose Remote in the Type field.
- (Optionally) in the Label field, provide a name for the connection.
- In the Host / Host from field, specify the host, the port of which you want to be forwarded.
- In the Port from field, enter the number of the port that you want to be forwarded. You can use any port number greater than 1024 and less than 49151. For example, 2080.
- In the Destination / Host to field, specify the IP address or domain name of the host to which the connections should ultimately be forwarded.
- In the Port to field, enter the number of the port that should receive the traffic.
- (Optionally) in the Bind address field, specify an IP address (network interface) on the remote host, connections to which should be forwarded. If you skip this field, Termius will bind to 127.0.0.1, which means only connections made from the remote host itself will be forwarded.
- Tap Save / ✔️, then tap the port forwarding connection to activate it.
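The `-L` and `-R` analogues above use the layout `[bind_address:]port:host:hostport`, which maps one-to-one onto the form fields in these steps. The script below is an added example, not part of the Termius documentation: it splits such a spec into those fields and warns when the bind address is not loopback or the listening port is outside the suggested range. The function name and the snake_case field labels are made up for the example.

```shell
#!/bin/sh
# Added example (not Termius code): split an OpenSSH -L/-R spec into the
# form fields named in the steps above and warn about risky values.
# Assumption: IPv4 addresses or host names only, no bracketed IPv6.

# usage: map_forward L|R '[bind_address:]port:host:hostport'
map_forward() {
    mode=$1
    old_ifs=$IFS
    IFS=:
    set -f                     # keep a '*' bind address from globbing
    set -- $2                  # split the spec on ':'
    set +f
    IFS=$old_ifs
    case $# in
        3) bind=127.0.0.1 port=$1 dhost=$2 dport=$3 ;;  # bind field skipped
        4) bind=$1 port=$2 dhost=$3 dport=$4 ;;
        *) echo "error: expected [bind_address:]port:host:hostport" >&2
           return 2 ;;
    esac
    for p in "$port" "$dport"; do
        case $p in
            ''|*[!0-9]*) echo "error: bad port '$p'" >&2; return 2 ;;
        esac
    done
    [ "$mode" = R ] && side=remote || side=local
    echo "bind_address=${bind:-*}"
    echo "${side}_port_number=$port"
    echo "destination_address=$dhost"
    echo "destination_port_number=$dport"
    case $bind in
        127.*|localhost) ;;    # loopback: only that host can connect
        *) echo "warning: bind address '${bind:-*}' accepts other machines" ;;
    esac
    if [ "$port" -le 1024 ] || [ "$port" -ge 49151 ]; then
        echo "warning: port $port is outside the range 1025-49150"
    fi
    return 0
}

# The two usage examples from this page, then a wildcard bind for contrast.
map_forward L 127.0.0.1:3336:10.1.30.42:3306
map_forward R 127.0.0.1:8080:127.0.0.1:80
map_forward L '*:3336:10.1.30.42:3306'
```

An empty or `*` bind address means "all interfaces", so the forwarded service becomes reachable by every machine that can reach the listening host.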
Dynamic port forwarding
SSH dynamic port forwarding turns an SSH server into a SOCKS proxy server, which can be used by applications on your machine as an intermediary for connecting to remote servers.
This type of port forwarding is often used to protect data with SSH encryption – when using the Internet at a coffee shop, hotel, or any other minimally secure network.
See also: Dynamic port forwarding (a Wikipedia article).
Note: A program must support the SOCKS type of proxy for you to be able to route traffic from that app using dynamic port forwarding.
Usage example
Using this technique you can have a web browser use your SSH connection as a proxy, making your web connection requests appear to come from the remote server instead of your local device.
The settings shown in the screenshot are an example of a dynamic port forwarding setup. In this example, a person would need to specify 127.0.0.1:2080 as the browser SOCKS proxy. Once they activate the port forwarding, all connections will begin to be redirected to the SSH server before reaching the target servers.
Set up dynamic port forwarding
- Choose Port forwarding in the main menu.
- Click + New, then Skip wizard, then Dynamic at the top.
- (Optionally) in the Set a label... field, provide a name for the connection.
- In the Local port number field, specify the number of a port on your device at which you want to enable the proxy. You can use any port number greater than 1024 and less than 49151.
- (Optionally) in the Bind address field, specify an IP address of your device (network interface), at which the proxy should be available. If you skip this field, Termius will bind to 127.0.0.1.
- In the Intermediate host field, specify the host that should act as an intermediary.
- Click ➔ at the top right to hide the connection's details.
Double-click the port forwarding connection to enable it.
- Choose Port forwarding in the main menu and tap +.
- Tap Dynamic at the top / choose Dynamic in the Type field.
- (Optionally) in the Label field, provide a name for the connection.
- In the Port field, specify the number of a port on your device at which you want to enable the proxy. Specifying a number greater than 1000 and less than 49151 should probably be fine.
- In the Bind address field, specify an IP address of your device (network interface), at which the proxy should be available. If you skip this field, Termius will bind to 127.0.0.1.
- In the Host field, specify the host that should act as an intermediary.
- Tap Save / ✔️, then tap the port forwarding connection to activate it.
Enable a SOCKS proxy for all apps on iPhone / iPad
The instruction provided below explains how to enable a SOCKS proxy at the OS level on an iPhone or iPad.
iOS and iPadOS do not natively support SOCKS proxies so a workaround is needed:
- Create a text file with the .pac extension that includes the following content:
function FindProxyForURL(url, host) { return "SOCKS localhost:<port being forwarded>"; }
- Upload the PAC file to a web server, e.g. Dropbox.
- In the Wi-Fi settings of your device, tap Configure Proxy and then Automatic.
- In the URL field, provide the link to the .pac file and save the changes.
- Run your dynamic port forwarding connection.
Troubleshooting
If you're having trouble forwarding a port, please follow these steps:
- Ensure that the port being forwarded is not used by another process. On Windows, you can use netstat -ant to see local listening ports. On macOS and Linux, use netstat -tolpn.
- If you are having trouble setting up remote port forwarding, make sure GatewayPorts is set to yes in the remote SSH server configuration.
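GatewayPorts decides where the SSH server listens for a remote forward: `no` (the OpenSSH default) forces loopback, `yes` forces the wildcard address even when 127.0.0.1 was requested, and `clientspecified` honours the requested bind address. The script below is an added example, not from the Termius documentation; it reads an sshd_config and reports whether a requested bind address will be honoured. The function names and the sample config are constructed, and only the global section is parsed (no Match blocks, no Include files).

```shell
#!/bin/sh
# Added example, not from the Termius documentation.
# Assumption: only the global section of a single sshd_config is read.

# usage: gateway_ports < sshd_config
# sshd keeps the first value it finds; keyword names are case-insensitive.
gateway_ports() {
    awk '
        { sub(/=/, " ") }                      # allow Keyword=value
        tolower($1) == "match" { exit }        # global section ends here
        tolower($1) == "gatewayports" { print $2; found = 1; exit }
        END { if (!found) print "no" }         # OpenSSH default
    '
}

# usage: remote_listen_address GATEWAYPORTS REQUESTED_BIND
# Prints the address sshd listens on for a remote (-R) forward.
remote_listen_address() {
    case $1 in
        yes)             echo '*' ;;           # wildcard forced
        clientspecified) echo "$2" ;;          # client request honoured
        *)               echo 127.0.0.1 ;;     # loopback forced
    esac
}

# usage: check_remote_forward REQUESTED_BIND < sshd_config
# Returns 0 when the server will listen where the client asked, else 1.
check_remote_forward() {
    case $1 in
        ''|'*'|0.0.0.0) want='*' ;;
        localhost)      want=127.0.0.1 ;;
        *)              want=$1 ;;
    esac
    gw=$(gateway_ports)
    actual=$(remote_listen_address "$gw" "$want")
    echo "GatewayPorts=$gw requested=$want actual=$actual"
    [ "$actual" = "$want" ]
}

# Constructed sample config: the first GatewayPorts line wins.
sample='# constructed sshd_config
Port 22
GatewayPorts yes
gatewayports no
Match User daniel
    GatewayPorts clientspecified'

printf '%s\n' "$sample" | check_remote_forward 127.0.0.1 ||
    echo "listening address differs from the requested bind address"
```

With the sample config, a forward requested on 127.0.0.1 ends up listening on every interface of the server, which is the exposure to look for after changing GatewayPorts during troubleshooting.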
I spent half a day between reading in blogs and trying different combinations
but I could not get it to work
For instance, if my command is:
ssh -L [local-port]:localhost:[remote-port] [user]@[remote-server]
how should I set the port forwarding in Termius?
Hi team, could you please advise if it is possible to perform multiple port redirections under the same host with only one entry in the port forwarding section?
Hi! Is it possible to pass on additional arguments to port forwarding setup?
For example, on my laptop I run `ssh -f -N -L 1234:localhost:8787 username@server`. I understand that the local port forwarding described in the article is equivalent to `ssh -L 1234:localhost:8787 username@server`. While this technically works, I experience some issues with page updating and I was wondering whether it can be due to the omission of `-f -N` flags.
Under set up dynamic port forwarding, the workaround for SOCKS setup in iPhone and iPad has a typo, correction below:
function FindProxyForURL(url, host) { return "SOCKS localhost:<port being forwarded>"; }