# SSH Proxy — Manual

> Full reference for SSH Proxy: all ten generators, shared SSH options, auto-reconnect, the troubleshooting and reference tabs, and the architecture.

Source: https://www.jpkc.com/db/en/tools/ssh-proxy/manual/

Back to overview: [SSH Proxy](https://www.jpkc.com/db/en/tools/ssh-proxy/) · Open the live tool: [www.jpkc.com/tools/ssh-proxy/](https://www.jpkc.com/tools/ssh-proxy/)

This manual describes **SSH Proxy** in full: how the interface is laid out, what each of the ten generators does, which options exist, and what is actually produced. The tool's interface is in English, so labels appear here in their original spelling.

## Layout and operation

On the left is a **navigation bar** with ten entries, grouped into *Port Forwarding*, *Configuration*, *Scripts & Automation* and *Help*. On the right, the selected entry shows a card with input fields and, below it, the **output pane** — a read-only [ACE editor](https://ace.c9.io/) with syntax highlighting.

Three paths lead to output:

- The **Generate** button in the top right of the input card produces the result and scrolls to the output.
- The tool also **regenerates automatically** as soon as you change a field (slightly debounced).
- Above the output sit **Copy** (to the clipboard) and **Download** (as a file, with a fitting name such as `local-forward.sh` or `ssh-config`).

The tunnel generators additionally show an **Explanation** table that explains each generated flag (left column) in plain language (right column). Lists with multiple forwards, jump hosts or tunnel definitions can be extended with **Add …** and removed with the red **×** (at least one row remains).

## Shared SSH options

The three pure tunnel generators (Local/Remote/Dynamic) share a set of fields and switches. How they affect the command:

- **SSH Host / SSH Port / SSH User** — the connection target. A **port** other than 22 adds `-p <port>`; the user produces the `user@host` destination.
- **Identity File** (optional) — the **path** to the private key; adds `-i <path>`. Only the path is recorded, never the key itself.
- **Background `-f -N`** (on by default) — sends SSH to the background after authentication (`-f`) and runs no remote command (`-N`, tunnel only).
- **Compression `-C`** — enables compression (useful on slow links).
- **KeepAlive (60s)** (on by default) — adds `-o ServerAliveInterval=60 -o ServerAliveCountMax=3` so dropped connections are detected.
- **OS** — a selector (Linux, macOS, Windows (OpenSSH), BSD, WSL). The `ssh` invocation generated for a forward uses standard OpenSSH syntax and is the same on all listed systems; here the field mainly provides context.

The finished command is emitted as a Bash script with a shebang and explanatory comments, with flags wrapped across line continuations (`\`).

### Auto-reconnect

All three tunnel generators have an **Auto-Reconnect** switch. When it's on, two extra fields appear — **Reconnect Method** and **Retry Delay (s)** (default 5):

- **autossh (recommended)** — replaces `ssh` with `autossh -M 0` and sets the environment variables `AUTOSSH_GATETIME=0` and `AUTOSSH_PIDFILE`. `autossh` is a separate program (not part of OpenSSH) that monitors the connection and rebuilds it after a drop; `-M 0` disables the legacy monitoring port and relies on the KeepAlive options instead.
- **while loop (no dependency)** — wraps the command in a `while true; … sleep <delay>; done` loop and removes `-f` (background), because the loop needs the tunnel in the foreground to detect disconnects.

## The generators in detail

### Local Forward (`ssh -L`)

Forwards a port on your local machine through the SSH server to a remote service. Typical case: reaching a database or web service behind a firewall.

In the **Port Forwards** table you define one forward per row with **Local Bind** (default `127.0.0.1`), **Local Port** (default `3306`), **Remote Host** (`127.0.0.1`) and **Remote Port** (`3306`). Each row becomes `-L bind:lport:rhost:rport`. Multiple rows produce multiple `-L` flags in a single invocation.

### Remote Forward (`ssh -R`)

Exposes a local service on the remote server (the reverse direction). Typical case: letting a remote server reach your local dev environment, or testing webhooks.

The table has **Remote Bind** (default `0.0.0.0`), **Remote Port** (`8080`), **Local Host** (`127.0.0.1`) and **Local Port** (`3000`); each row becomes `-R bind:rport:lhost:lport`. There's also a **GatewayPorts** switch. When it's on, the tool adds a comment block noting that the SSH server must set `GatewayPorts clientspecified` in `sshd_config` and restart `sshd` — otherwise the remote port won't accept external connections.

### Dynamic / SOCKS (`ssh -D`)

Builds a **SOCKS5 proxy tunnel**. All traffic an application sends through this proxy exits at the SSH server — like a lightweight VPN. Fields: **Bind Address** (default `127.0.0.1`) and **SOCKS Port** (`1080`); these become `-D bind:port`.

Alongside the usual comments, the output adds **test commands**, e.g. `curl --socks5-hostname 127.0.0.1:1080 https://ifconfig.me`, to check that the tunnel is up. A note points to the **Proxy Settings** generator for pointing applications at the proxy.

### Jump Host (`ssh -J`)

Connects through one or more **bastion / jump hosts** to a target. The **Mode** field selects:

- **Modern (-J / ProxyJump)** — produces `ssh -J user@jump[:port],…` plus optional `-i`, `-C`, KeepAlive and `-p` for a destination port other than 22. Requires OpenSSH 7.3 or newer.
- **Legacy (ProxyCommand)** — for exactly one jump host a command with `-o "ProxyCommand=ssh -W %h:%p … jumpuser@jumphost"`; for multiple jumps the tool emits chained `~/.ssh/config` blocks instead, since multi-hop is cleaner expressed that way.

In the **Jump Chain** table you enter the hops in order (host, port, user); below come **Final Destination Host**, **Destination Port** and **Destination User**.

### SSH Config (`~/.ssh/config`)

Produces a ready-made `Host` block to append to `~/.ssh/config`. Required fields are **Host Alias** (the short name you later connect with via `ssh <alias>`), **HostName**, **Port**, **User**. Optional: **IdentityFile**, **ProxyJump**, **ServerAliveInterval** (60) and **ServerAliveCountMax** (3).

Switches add directives: **Compression**, **ExitOnForwardFailure yes** (on), **StrictHostKeyChecking no** (flagged as insecure), **ControlMaster auto**, **AddKeysToAgent yes**, **IdentitiesOnly yes** and **ForwardAgent yes** (flagged as a security risk — the output then adds a warning). Enabling ControlMaster reveals **ControlPath** (default `~/.ssh/sockets/%r@%h-%p`) and **ControlPersist** (`600`). Optional **ConnectTimeout** and **ConnectionAttempts** fields round out the block.

A dedicated table turns **Type** (L/R/D), **Bind:Port** and **Target:Port** into the directives `LocalForward`, `RemoteForward` or `DynamicForward`. The block ends with a `# Usage: ssh <alias>` hint.

### Proxy Settings

Produces configuration commands to point your tools at a proxy — typically after setting up a SOCKS tunnel with `ssh -D`. At the top you choose **Proxy Type** (SOCKS5/HTTP/HTTPS), **Proxy Host** (`127.0.0.1`) and **Proxy Port** (`1080`).

Under **NO_PROXY Exclusions** you set exceptions: `localhost / 127.0.0.1` (on), private ranges (`10.*`, `172.16–31.*`, `192.168.*`), link-local (`169.254.*`) and your own entries in the text field. In the **Generate Configuration For** block you tick what configurations should appear — grouped into four cards:

- **Shell & System** — shell environment variables (on), macOS (`networksetup`), Windows (`netsh` / PowerShell), Linux desktop (`gsettings`).
- **Dev Tools** — git, npm, Gradle / Android Studio, Maven.
- **Package Managers** — apt, yum / dnf, Docker, curl / wget, pip / poetry, Composer (PHP), cargo (Rust), go.
- **Cloud CLIs** — kubectl, AWS CLI, gcloud (GCP), Azure CLI.

The output stitches the selected sections together, each with set **and** unset commands. It takes the proxy type into account — for instance noting that `netsh` and `wget` don't support SOCKS natively, and suggesting alternatives.

### Management Script

Produces a production-ready management script for your tunnels with the actions **start / stop / status / restart / list** (optionally also **reconnect** and **health**). Fields: **Script Type** (Bash or PowerShell), **Script Name** (`tunnel-manager`), **PID Directory** (`/tmp/ssh-tunnels`). Switches: **Auto-reconnect** (on, reveals **Reconnect Interval** = 30s), **Logging** (on, reveals **Log Path** = `/var/log/ssh-tunnels`) and **Health check**.

In the **Tunnel Definitions** table you describe each tunnel with **Name**, **Type** (L/R/D), **SSH Host**, **User**, **Port**, **Forward** (for `-L`/`-R`: `localPort:remoteHost:remotePort`; for `-D`: just the port) and an optional **Key**. The script manages PID files, builds an `ssh -N …` command per tunnel with fixed KeepAlive and `ExitOnForwardFailure` options, and on a health check verifies that the relevant port is listening. The Bash variant uses an associative array, the PowerShell variant a hashtable.

### Autostart Setup

Produces an autostart configuration that starts your tunnel at boot. The **Autostart Method** field selects the mechanism:

- **systemd (Linux)** — a `.service` unit with `Restart=always` and `RestartSec=10`.
- **launchd (macOS)** — a `.plist` with `RunAtLoad` and `KeepAlive`.
- **Task Scheduler (Windows)** — an `.xml` with a logon trigger and restart-on-failure.
- **rc.d (BSD)** — an rc script using `daemon`.
- **crontab @reboot (WSL/generic)** — a `@reboot` entry plus a `~/.bashrc`/`~/.profile` variant with a `pgrep` guard.

Fields are **SSH Host/Port/User**, **Identity File**, **Tunnel Type** (L/R/D), **Forward Spec**, **Service Name** (`ssh-tunnel`), **Run as User** (`$USER`) and **Description**. The output has **two** tabs: `tunnel.sh` (the start script) and the OS-specific config file, whose tab label follows the chosen method (e.g. `ssh-tunnel.service`). The underlying `ssh -N …` command carries the KeepAlive and `ExitOnForwardFailure` options.

## The help tabs

### Troubleshooting

A browseable guide to **eleven** common SSH problems as an accordion — from *Connection refused*, *Permission denied (publickey)*, *Port already in use* and *Host key verification failed*, through *Broken pipe*, *Channel open failed* and *SOCKS proxy not working*, to *autossh*, *SSH agent problems*, *DNS through SOCKS* and *reconnection strategies on network changes*.

In the top right you pick the **OS** (Linux/macOS/Windows/BSD/WSL); for each problem the tool then shows the matching **diagnostic commands** (each with its own copy button) and a list of concrete **solutions**. This tab generates nothing — it presents ready knowledge.

### Reference

A collection of lookup tables, also without generation: a comparison table of the **forward types** (-L/-R/-D/-J), **data-flow diagrams** for each type, a table of common **SSH flags**, **Do/Don't** security lists, example scenarios, a guide to **key generation** (Ed25519 vs. RSA with a comparison table), a section on **connection multiplexing** (`ControlMaster`), and a comparison of **SSH tunnels vs. alternatives** (WireGuard, ngrok / Cloudflare Tunnel, AWS SSM, Teleport, Tailscale / ZeroTier).

## Architecture and limits

- **Fully client-side:** SSH Proxy is pure JavaScript (jQuery, ACE editor). There is **no server backend**, **no API** and **no SSH connection** — the tool only produces text. Your inputs (hosts, users, paths) don't leave the browser.
- **No keys in the tool:** you only supply the **path** to an identity file, never the key itself.
- **Running is up to you:** commands and scripts are a starting point. Review and test them in a safe environment before using them in production — misconfigured tunnels can expose internal services. The disclaimer at the foot of the page says as much.

For the introduction and target audiences, see the [overview page](https://www.jpkc.com/db/en/tools/ssh-proxy/). Concrete walkthroughs are in the [examples](https://www.jpkc.com/db/en/tools/ssh-proxy/examples/), strategy and pitfalls in the [tips & tricks](https://www.jpkc.com/db/en/tools/ssh-proxy/tips/). You can try it all directly in the [tool](https://www.jpkc.com/tools/ssh-proxy/).