SSH Port Forwarding — Local, Remote & Dynamic SOCKS5

How to set up SSH port forwarding in Tempest — local (-L), remote (-R), and dynamic SOCKS5 (-D) forwards via a GUI with live status for each tunnel.

Tempest replaces the ssh -L, ssh -R, and ssh -D flags with a GUI for port forwarding — local forwards (access a remote service from your laptop), remote forwards (expose a local service to the remote network), and dynamic SOCKS5 forwards (turn the SSH session into a network proxy). Each forward is a row in the host's edit form; toggle it on/off and watch live connection state.

Local forward (-L) — access a remote service locally

Use case: there's a Postgres on db.internal:5432 that you can't reach directly, but you can SSH into a bastion that can.

Edit your SSH host → Port Forwarding → Add → Local
Port: the local port to listen on (e.g. 15432)
Remote host: db.internal
Remote port: 5432
Save and reconnect.

localhost:15432 on your machine now talks to db.internal:5432 through the SSH tunnel — point your psql or DBeaver at it.

Remote forward (-R) — expose a local service remotely

Use case: you're running a webhook receiver on localhost:3000 and need a remote partner server to call it.

Edit your SSH host → Port Forwarding → Add → Remote
Port: the port the server should listen on (e.g. 8000)
Local host: localhost
Local port: 3000
Save and reconnect.

The SSH server starts listening on 8000; connections tunnel back to your laptop's localhost:3000. Requires the sshd to allow GatewayPorts if you want the listen address to be public on the server.

Dynamic SOCKS5 forward (-D) — SSH-as-a-VPN

Use case: you want every connection from your browser or another tool to route through the remote network.

Edit your SSH host → Port Forwarding → Add → Dynamic
Port: the local SOCKS5 port (e.g. 1080)
Save and reconnect.

Configure your browser / tool to use socks5://127.0.0.1:1080 and all connections originate from the remote SSH host's network.

Manage active forwards

Open Port Forwarding from the host's connection menu to see every forward grouped by host, with live counters showing how many connections are currently open through each tunnel. Disable any without disconnecting the SSH session.

Combine with jump hosts

Port forwards work transparently through jump host chains. The forward is anchored to the target SSH session (the last hop), but the bytes flow back to your laptop through every hop.

How does this compare to the OpenSSH command line?

OpenSSH

Tempest equivalent

ssh -L 15432:db.internal:5432 bastion

Local forward, port=15432, remote-host=db.internal, remote-port=5432

ssh -R 8000:localhost:3000 server

Remote forward, port=8000, local-host=localhost, local-port=3000

ssh -D 1080 bastion

Dynamic forward, port=1080

Pro feature

Configurable port forwards are part of Tempest Pro.

hashtagLocal forward (-L) — access a remote service locally

hashtagRemote forward (-R) — expose a local service remotely

hashtagDynamic SOCKS5 forward (-D) — SSH-as-a-VPN

hashtagManage active forwards

hashtagCombine with jump hosts

hashtagHow does this compare to the OpenSSH command line?

hashtagPro feature

hashtagSee also