JPKCom DB

SSH Proxy — Manual

Full reference for SSH Proxy: all ten generators, shared SSH options, auto-reconnect, the troubleshooting and reference tabs, and the architecture.

Back to overview: SSH Proxy · Open the live tool: www.jpkc.com/tools/ssh-proxy/

This manual describes SSH Proxy in full: how the interface is laid out, what each of the ten generators does, which options exist, and what is actually produced. The tool's interface is in English, so labels appear here in their original spelling.

Layout and operation

On the left is a navigation bar with ten entries, grouped into Port Forwarding, Configuration, Scripts & Automation and Help. On the right, the selected entry shows a card with input fields and, below it, the output pane — a read-only ACE editor with syntax highlighting.

Three paths lead to output:

  • The Generate button in the top right of the input card produces the result and scrolls to the output.
  • The tool also regenerates automatically as soon as you change a field (slightly debounced).
  • Above the output sit Copy (to the clipboard) and Download (as a file, with a fitting name such as local-forward.sh or ssh-config).

The tunnel generators additionally show an Explanation table that explains each generated flag (left column) in plain language (right column). Lists with multiple forwards, jump hosts or tunnel definitions can be extended with Add … and removed with the red × (at least one row remains).

Shared SSH options

The three pure tunnel generators (Local/Remote/Dynamic) share a set of fields and switches. How they affect the command:

  • SSH Host / SSH Port / SSH User — the connection target. A port other than 22 adds -p <port>; the user produces the user@host destination.
  • Identity File (optional) — the path to the private key; adds -i <path>. Only the path is recorded, never the key itself.
  • Background -f -N (on by default) — sends SSH to the background after authentication (-f) and runs no remote command (-N, tunnel only).
  • Compression -C — enables compression (useful on slow links).
  • KeepAlive (60s) (on by default) — adds -o ServerAliveInterval=60 -o ServerAliveCountMax=3 so dropped connections are detected.
  • OS — a selector (Linux, macOS, Windows (OpenSSH), BSD, WSL). The ssh invocation generated for a forward uses standard OpenSSH syntax and is the same on all listed systems; here the field mainly provides context.

The finished command is emitted as a Bash script with a shebang and explanatory comments, with flags wrapped across line continuations (\).

Auto-reconnect

All three tunnel generators have an Auto-Reconnect switch. When it's on, two extra fields appear — Reconnect Method and Retry Delay (s) (default 5):

  • autossh (recommended) — replaces ssh with autossh -M 0 and sets the environment variables AUTOSSH_GATETIME=0 and AUTOSSH_PIDFILE. autossh is a separate program (not part of OpenSSH) that monitors the connection and rebuilds it after a drop; -M 0 disables the legacy monitoring port and relies on the KeepAlive options instead.
  • while loop (no dependency) — wraps the command in a while true; … sleep <delay>; done loop and removes -f (background), because the loop needs the tunnel in the foreground to detect disconnects.

The generators in detail

Local Forward (ssh -L)

Forwards a port on your local machine through the SSH server to a remote service. Typical case: reaching a database or web service behind a firewall.

In the Port Forwards table you define one forward per row with Local Bind (default 127.0.0.1), Local Port (default 3306), Remote Host (127.0.0.1) and Remote Port (3306). Each row becomes -L bind:lport:rhost:rport. Multiple rows produce multiple -L flags in a single invocation.

Remote Forward (ssh -R)

Exposes a local service on the remote server (the reverse direction). Typical case: letting a remote server reach your local dev environment, or testing webhooks.

The table has Remote Bind (default 0.0.0.0), Remote Port (8080), Local Host (127.0.0.1) and Local Port (3000); each row becomes -R bind:rport:lhost:lport. There's also a GatewayPorts switch. When it's on, the tool adds a comment block noting that the SSH server must set GatewayPorts clientspecified in sshd_config and restart sshd — otherwise the remote port won't accept external connections.

Dynamic / SOCKS (ssh -D)

Builds a SOCKS5 proxy tunnel. All traffic an application sends through this proxy exits at the SSH server — like a lightweight VPN. Fields: Bind Address (default 127.0.0.1) and SOCKS Port (1080); these become -D bind:port.

Alongside the usual comments, the output adds test commands, e.g. curl --socks5-hostname 127.0.0.1:1080 https://ifconfig.me, to check that the tunnel is up. A note points to the Proxy Settings generator for pointing applications at the proxy.

Jump Host (ssh -J)

Connects through one or more bastion / jump hosts to a target. The Mode field selects:

  • Modern (-J / ProxyJump) — produces ssh -J user@jump[:port],… plus optional -i, -C, KeepAlive and -p for a destination port other than 22. Requires OpenSSH 7.3 or newer.
  • Legacy (ProxyCommand) — for exactly one jump host a command with -o "ProxyCommand=ssh -W %h:%p … jumpuser@jumphost"; for multiple jumps the tool emits chained ~/.ssh/config blocks instead, since multi-hop is cleaner expressed that way.

In the Jump Chain table you enter the hops in order (host, port, user); below come Final Destination Host, Destination Port and Destination User.

SSH Config (~/.ssh/config)

Produces a ready-made Host block to append to ~/.ssh/config. Required fields are Host Alias (the short name you later connect with via ssh <alias>), HostName, Port, User. Optional: IdentityFile, ProxyJump, ServerAliveInterval (60) and ServerAliveCountMax (3).

Switches add directives: Compression, ExitOnForwardFailure yes (on), StrictHostKeyChecking no (flagged as insecure), ControlMaster auto, AddKeysToAgent yes, IdentitiesOnly yes and ForwardAgent yes (flagged as a security risk — the output then adds a warning). Enabling ControlMaster reveals ControlPath (default ~/.ssh/sockets/%r@%h-%p) and ControlPersist (600). Optional ConnectTimeout and ConnectionAttempts fields round out the block.

A dedicated table turns Type (L/R/D), Bind:Port and Target:Port into the directives LocalForward, RemoteForward or DynamicForward. The block ends with a # Usage: ssh <alias> hint.

Proxy Settings

Produces configuration commands to point your tools at a proxy — typically after setting up a SOCKS tunnel with ssh -D. At the top you choose Proxy Type (SOCKS5/HTTP/HTTPS), Proxy Host (127.0.0.1) and Proxy Port (1080).

Under NO_PROXY Exclusions you set exceptions: localhost / 127.0.0.1 (on), private ranges (10.*, 172.16–31.*, 192.168.*), link-local (169.254.*) and your own entries in the text field. In the Generate Configuration For block you tick what configurations should appear — grouped into four cards:

  • Shell & System — shell environment variables (on), macOS (networksetup), Windows (netsh / PowerShell), Linux desktop (gsettings).
  • Dev Tools — git, npm, Gradle / Android Studio, Maven.
  • Package Managers — apt, yum / dnf, Docker, curl / wget, pip / poetry, Composer (PHP), cargo (Rust), go.
  • Cloud CLIs — kubectl, AWS CLI, gcloud (GCP), Azure CLI.

The output stitches the selected sections together, each with set and unset commands. It takes the proxy type into account — for instance noting that netsh and wget don't support SOCKS natively, and suggesting alternatives.

Management Script

Produces a production-ready management script for your tunnels with the actions start / stop / status / restart / list (optionally also reconnect and health). Fields: Script Type (Bash or PowerShell), Script Name (tunnel-manager), PID Directory (/tmp/ssh-tunnels). Switches: Auto-reconnect (on, reveals Reconnect Interval = 30s), Logging (on, reveals Log Path = /var/log/ssh-tunnels) and Health check.

In the Tunnel Definitions table you describe each tunnel with Name, Type (L/R/D), SSH Host, User, Port, Forward (for -L/-R: localPort:remoteHost:remotePort; for -D: just the port) and an optional Key. The script manages PID files, builds an ssh -N … command per tunnel with fixed KeepAlive and ExitOnForwardFailure options, and on a health check verifies that the relevant port is listening. The Bash variant uses an associative array, the PowerShell variant a hashtable.

Autostart Setup

Produces an autostart configuration that starts your tunnel at boot. The Autostart Method field selects the mechanism:

  • systemd (Linux) — a .service unit with Restart=always and RestartSec=10.
  • launchd (macOS) — a .plist with RunAtLoad and KeepAlive.
  • Task Scheduler (Windows) — an .xml with a logon trigger and restart-on-failure.
  • rc.d (BSD) — an rc script using daemon.
  • crontab @reboot (WSL/generic) — a @reboot entry plus a ~/.bashrc/~/.profile variant with a pgrep guard.

Fields are SSH Host/Port/User, Identity File, Tunnel Type (L/R/D), Forward Spec, Service Name (ssh-tunnel), Run as User ($USER) and Description. The output has two tabs: tunnel.sh (the start script) and the OS-specific config file, whose tab label follows the chosen method (e.g. ssh-tunnel.service). The underlying ssh -N … command carries the KeepAlive and ExitOnForwardFailure options.

The help tabs

Troubleshooting

A browseable guide to eleven common SSH problems as an accordion — from Connection refused, Permission denied (publickey), Port already in use and Host key verification failed, through Broken pipe, Channel open failed and SOCKS proxy not working, to autossh, SSH agent problems, DNS through SOCKS and reconnection strategies on network changes.

In the top right you pick the OS (Linux/macOS/Windows/BSD/WSL); for each problem the tool then shows the matching diagnostic commands (each with its own copy button) and a list of concrete solutions. This tab generates nothing — it presents ready knowledge.

Reference

A collection of lookup tables, also without generation: a comparison table of the forward types (-L/-R/-D/-J), data-flow diagrams for each type, a table of common SSH flags, Do/Don't security lists, example scenarios, a guide to key generation (Ed25519 vs. RSA with a comparison table), a section on connection multiplexing (ControlMaster), and a comparison of SSH tunnels vs. alternatives (WireGuard, ngrok / Cloudflare Tunnel, AWS SSM, Teleport, Tailscale / ZeroTier).

Architecture and limits

  • Fully client-side: SSH Proxy is pure JavaScript (jQuery, ACE editor). There is no server backend, no API and no SSH connection — the tool only produces text. Your inputs (hosts, users, paths) don't leave the browser.
  • No keys in the tool: you only supply the path to an identity file, never the key itself.
  • Running is up to you: commands and scripts are a starting point. Review and test them in a safe environment before using them in production — misconfigured tunnels can expose internal services. The disclaimer at the foot of the page says as much.

For the introduction and target audiences, see the overview page. Concrete walkthroughs are in the examples, strategy and pitfalls in the tips & tricks. You can try it all directly in the tool.