# SSH Port Forwarding — Local, Remote & Dynamic SOCKS5 Tempest replaces the `ssh -L`, `ssh -R`, and `ssh -D` flags with a GUI for **port forwarding** — local forwards (access a remote service from your laptop), remote forwards (expose a local service to the remote network), and dynamic SOCKS5 forwards (turn the SSH session into a network proxy). Each forward is a row in the host's edit form; toggle it on/off and watch live connection state. ## Local forward (-L) — access a remote service locally Use case: there's a Postgres on `db.internal:5432` that you can't reach directly, but you can SSH into a bastion that can. 1. Edit your SSH host → **Port Forwarding** → Add → **Local** 2. **Port**: the local port to listen on (e.g. `15432`) 3. **Remote host**: `db.internal` 4. **Remote port**: `5432` 5. Save and reconnect. `localhost:15432` on your machine now talks to `db.internal:5432` through the SSH tunnel — point your `psql` or DBeaver at it. ## Remote forward (-R) — expose a local service remotely Use case: you're running a webhook receiver on `localhost:3000` and need a remote partner server to call it. 1. Edit your SSH host → **Port Forwarding** → Add → **Remote** 2. **Port**: the port the server should listen on (e.g. `8000`) 3. **Local host**: `localhost` 4. **Local port**: `3000` 5. Save and reconnect. The SSH server starts listening on `8000`; connections tunnel back to your laptop's `localhost:3000`. *Requires the sshd to allow `GatewayPorts`* if you want the listen address to be public on the server. ## Dynamic SOCKS5 forward (-D) — SSH-as-a-VPN Use case: you want every connection from your browser or another tool to route through the remote network. 1. Edit your SSH host → **Port Forwarding** → Add → **Dynamic** 2. **Port**: the local SOCKS5 port (e.g. `1080`) 3. Save and reconnect. Configure your browser / tool to use `socks5://127.0.0.1:1080` and *all* connections originate from the remote SSH host's network. ## Manage active forwards Open **Port Forwarding** from the host's connection menu to see every forward grouped by host, with live counters showing how many connections are currently open through each tunnel. Disable any without disconnecting the SSH session. ## Combine with jump hosts Port forwards work transparently through [jump host chains](/connect-to-servers/ssh-jump-host-bastion-chaining.md). The forward is anchored to the *target* SSH session (the last hop), but the bytes flow back to your laptop through every hop. ## How does this compare to the OpenSSH command line? | OpenSSH | Tempest equivalent | | --------------------------------------- | -------------------------------------------------------------------- | | `ssh -L 15432:db.internal:5432 bastion` | Local forward, port=15432, remote-host=db.internal, remote-port=5432 | | `ssh -R 8000:localhost:3000 server` | Remote forward, port=8000, local-host=localhost, local-port=3000 | | `ssh -D 1080 bastion` | Dynamic forward, port=1080 | ## Pro feature Configurable port forwards are part of **Tempest Pro**. ## See also * [SSH Jump Host & Bastion Chaining](/connect-to-servers/ssh-jump-host-bastion-chaining.md) * [Telnet client](/connect-to-servers/connect-to-telnet-servers.md) — wrap insecure protocols in an SSH tunnel --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.gotempest.app/connect-to-servers/ssh-port-forwarding.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.