SSH Proxy — Examples
Concrete SSH Proxy walkthroughs: a database tunnel, a local dev server, a SOCKS proxy, a jump host, an ~/.ssh/config entry and a systemd tunnel service.
This page shows SSH Proxy through concrete walkthroughs. Hosts, users and ports are examples — plug in your own values. How the individual fields and options work in detail is covered in the manual. Remember: the tool only builds the commands; you run them in your own terminal.
Example 1: Reach a remote database
Goal: reach a MySQL database that only listens locally on the server from your own machine.
- Select Local Forward.
- SSH Host = db-server.example.com, SSH User = deploy, SSH Port = 22.
- In the Port Forwards table: Local Bind 127.0.0.1, Local Port 3306, Remote Host 127.0.0.1, Remote Port 3306.
- Leave Background and KeepAlive on, click Generate.
Result: a Bash script with an invocation like

    ssh \
      -L 127.0.0.1:3306:127.0.0.1:3306 \
      -f \
      -N \
      -o ServerAliveInterval=60 \
      -o ServerAliveCountMax=3 \
      deploy@db-server.example.com

After starting it, simply point your DB client at 127.0.0.1:3306 — as if the database were running locally. The explanation table breaks down every flag. If the port is already taken locally, the forward will clash; in that case pick a free local port, such as 13306.
Example 2: Expose your local dev server
Goal: make your locally running web server (localhost:3000) reachable from a remote server, e.g. for a webhook test.
- Select Remote Forward.
- SSH Host = public.example.com, SSH User = tunnel.
- Table: Remote Bind 0.0.0.0, Remote Port 8080, Local Host 127.0.0.1, Local Port 3000.
- Tick the GatewayPorts switch (you want the port reachable from outside).
- Generate.
Result: an ssh -R 0.0.0.0:8080:127.0.0.1:3000 invocation — plus a clear comment block reminding you that the SSH server needs GatewayPorts clientspecified in /etc/ssh/sshd_config and a restart afterwards. Without that server setting the tunnel binds only to the server's 127.0.0.1, not to 0.0.0.0.
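A check to run over a generated command before starting it, given here as an added example (it is not part of the SSH Proxy tool or its output): it reports whether each -L, -R or -D forward asks to listen on loopback only or on a network-reachable address such as the 0.0.0.0 bind above. The function names are made up for this example, and it goes beyond this walkthrough to cover the forward forms used in the other examples on this page.

```shell
# Added example, not SSH Proxy output. Forward syntax per ssh(1):
#   -L/-R [bind_address:]port:host:hostport     -D (and -R) [bind_address:]port
# Assumption: bracketed IPv6 binds are not parsed and come back as "invalid".

# bind_of KIND SPEC: print the bind address, or "default" when the spec has none.
bind_of() (
    kind=$1 spec=$2
    set -f; IFS=:                          # split on ':' and keep '*' literal
    set -- $spec
    case "$kind:$#" in
        [LR]:3|[DR]:1) echo default ;;
        [LR]:4|[DR]:2) echo "${1:-*}" ;;   # empty bind means all interfaces
        *) return 1 ;;
    esac
)

# exposure KIND SPEC: print loopback, exposed or invalid.
# "default" is loopback unless GatewayPorts (client for -L/-D, server for -R)
# changes it; an exposed -R bind only takes effect if the server allows it.
exposure() (
    bind=$(bind_of "$1" "$2") || { echo invalid; return 0; }
    case "$bind" in
        default|localhost|127.0.0.1) echo loopback ;;
        *) echo exposed ;;
    esac
)

# audit_ssh_args ARGS...: one verdict per forward; returns 1 unless all are loopback.
audit_ssh_args() (
    status=0
    while [ $# -gt 0 ]; do
        case "$1" in
            -L|-R|-D)
                verdict=$(exposure "${1#-}" "${2:-}")
                printf '%s\t%s %s\n' "$verdict" "$1" "${2:-}"
                [ "$verdict" = loopback ] || status=1
                if [ $# -ge 2 ]; then shift; fi ;;
        esac
        shift
    done
    return "$status"
)

# Constructed sample input, built from the forwards in Examples 1, 2, 3 and 6.
audit_ssh_args -L 127.0.0.1:3306:127.0.0.1:3306 -f -N deploy@db-server.example.com || true
audit_ssh_args -R 0.0.0.0:8080:127.0.0.1:3000 tunnel@public.example.com || true
audit_ssh_args -D 127.0.0.1:1080 -f -N -C me@gateway.example.com || true
audit_ssh_args -L 3306:127.0.0.1:3306 -N deploy@db-server.example.com || true
```

Only the Example 2 forward is reported as exposed; anything the parser cannot read is reported as invalid, so it gets a manual look rather than a pass.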
Example 3: A SOCKS5 proxy to browse through a server
Goal: route your browser traffic through a remote server.
- Select Dynamic / SOCKS.
- SSH Host = gateway.example.com, SSH User = me.
- Bind Address 127.0.0.1, SOCKS Port 1080.
- Also tick Compression (slow link), Generate.
Result: ssh -D 127.0.0.1:1080 -f -N -C … me@gateway.example.com, along with ready test commands like curl --socks5-hostname 127.0.0.1:1080 https://ifconfig.me. Then configure your application to use the SOCKS5 proxy 127.0.0.1:1080 — conveniently via the Proxy Settings generator. Important: in Firefox set network.proxy.socks_remote_dns = true, otherwise DNS queries leak around the proxy.
Example 4: Reach the internal network through a bastion host
Goal: reach an internal server that's only accessible via a jump host.
- Select Jump Host, Mode = Modern (-J / ProxyJump).
- In the Jump Chain table: Host bastion.example.com, Port 22, User jumpuser.
- Final Destination Host = internal.example.com, Destination User = admin.
- Generate.
Result:

    ssh \
      -J jumpuser@bastion.example.com \
      -o ServerAliveInterval=60 \
      admin@internal.example.com

Need a second intermediate hop? Click Add Jump and add the row — -J takes multiple, comma-separated hops. On very old servers (before OpenSSH 7.3) choose Legacy (ProxyCommand) instead; for multiple hops the tool then emits chained ~/.ssh/config blocks.
Example 5: Bake a recurring tunnel into ~/.ssh/config
Goal: stop typing the long command every time and let ssh myserver suffice.
- Select SSH Config.
- Host Alias = myserver, HostName = db-server.example.com, User = deploy.
- IdentityFile = ~/.ssh/id_ed25519.
- In the forward table: Type L, Bind:Port 127.0.0.1:3306, Target:Port 127.0.0.1:3306.
- Generate.
Result: a ready block to append to ~/.ssh/config:

    Host myserver
        HostName db-server.example.com
        User deploy
        IdentityFile ~/.ssh/id_ed25519
        ServerAliveInterval 60
        ServerAliveCountMax 3
        ExitOnForwardFailure yes
        LocalForward 127.0.0.1:3306 127.0.0.1:3306
    # Usage: ssh myserver

After that ssh myserver is enough, and the forward comes up automatically. Use Copy, then append it to your config.
Example 6: Run a tunnel as a systemd service at boot
Goal: keep a database tunnel running permanently as a service that comes back up by itself after a reboot.
- Select Autostart Setup, Autostart Method = systemd (Linux).
- SSH Host = db-server.example.com, SSH User = deploy, Identity File = ~/.ssh/id_ed25519.
- Tunnel Type = Local (-L), Forward Spec = 3306:127.0.0.1:3306.
- Service Name = db-tunnel, Run as User = your username.
- Generate.
Result: two tabs. tunnel.sh holds the start script; db-tunnel.service holds a systemd unit with Restart=always and RestartSec=10, plus the install instructions baked into the comments (sudo cp …, daemon-reload, enable --now). Copy the service tab to /etc/systemd/system/db-tunnel.service and enable it — the tunnel then survives reboots and drops. If you need several tunnels managed centrally, the Management Script generator is the better fit.
There's more on the individual generators in the manual, strategy and pitfalls in the tips & tricks. Get started directly in the tool.