Creating an SSH Tunnel allows you to encrypt every network communication you want. You are also be able to access other network services which are only available at the destination which you trying to ssh to. Almost every Linux distribution is already able to create such a tunnel. However in term of “tunneling”, using SSH to create a tunnel is more like doing port forwarding.


SSH command to create a tunnel

Tunneling with SSH is really simple. You define the port on your local machine, where your forwarded port should be listening to. Then you define the destination it should point to. The following picture tries to show you how easy it really is:


As you can see in the picture, the first number after the -L parameter (marked red) states the local port on your local machine where you execute the ssh command. This means that the remote service will be available locally on your machine with this port. You should only use ports above the “System Ports” which are regulated in RFC 6335. This means ports greater than 1023 (in the picture we use port 5000 which is fine).
The second value (yellow marked) states the remote address. The remote address can be localhost but in this case localhost does not mean your local machine. It means the remote machine you are ssh-ing to. It is possible that you insert a machine name or IP behind the destination machine. The destination tries to establish the connection to the remote address then.
The third value after the -L parameter (marked blue) is the port of the destination address which is given in the step before (yellow marked). This means, if you want to connect to a running Webserver, then you have to enter 80 here (80 is the standard port for a HTTP connection).
The last value (marked green) is your username and the server you’re going to ssh to.

A more pratical example

Another good example would be something like this:


This example will open a SSH connection to the server and will tunnel (or forward) the Port 443 on the destination address (in this example “”) to the local port 5000 on your local machine. After this you will be able to enter https://localhost:5000 in your webbrowser on your local machine and you should see the google start page. This means all traffic which is going to via HTTPS is routed over your

Encrypting VNC traffic

VNC doesn’t encrypt network traffic by default. If you do remote administration with VNC you could either use a VPN or SSH as a much more simpler solution. There are other remote administration solution available which do support encryption out of the box (like X2Go or NXNomachine). However, using VNC in combination with SSH for encryption is as easy as possible. Encrypting a VNC connection over an SSH tunnel gives you some great benefits:

  1. The VNC traffic between your local machine and the destination (VNC Server) is encrypted.
  2. As a home server user, you can just open the SSH port in your routers firewall for external access. All other ports can remain closed because you can port forward them with the help of SSH.
  3. Due to the SSH user authentication you have something like a “low-level” user authentication.

The following example opens a SSH connection to the server and forwards the VNC Server port on this server so that the VNC Server is reachable locally under the port 5000:

ssh -L5000:localhost:5900

After the connection is established the VNC Server on the server can now be reached under the address localhost port 5000. If your server does listen on another port than the standard port of SSH (22) you can add the -p parameter to ssh to your server with the port you want:

ssh -p1234 -L5000:localhost:5900

Further links