Which port does OpenSSH use

we blog about software_

In software development or system administration you sometimes want to access services that are not directly can be reached from the local network.

In this article we show the three most common ways to use OpenSSH1 Builds tunnels to create a connection between systems that cannot actually speak to one another directly.

synonymous, although strictly speaking SSH stands for the concept for encrypted network connections and OpenSSH is an implementation of it. All examples in the article are OpenSSH specific.

Local port forwarding

A common use case in software development at cronn GmbH is access to a database or a web service in a test environment.

As a rule, the services in the test environment cannot be accessed directly from your own computer, but require access via a server in the test environment that you can log on to via SSH.

In our example we want to execute an SQL query on a PostgreSQL database in the test environment. You could log on to the database server via SSH and run the SQL query in the command line. In practice, this approach is often too unwieldy and you would much rather work with a database client of your choice (e.g. DBeaver or DataGrip).

With "Local Port Forwarding", OpenSSH offers a useful means of achieving just that. Some database clients already offer a graphical configuration option to establish the connection via port forwarding (also called SSH tunnel). In this article, however, we want to shed light on what is actually behind it and how you can establish the connection even if, for example, the database client does not offer this option.

Assume the database listens on port on the database server in our test environment.

With the command

forwarding of the port to your own computer can be set up. When the connection is established, you can easily connect to the local port with the database client of your choice and execute the SQL queries.

If a local database is already running on port on your own computer, the command would result in the error


In practice, you will often see local port forwarding with another, free, local port such as:

Anyone who executes the command will notice that, in addition to port forwarding, OpenSSH also starts an interactive session including a shell. As a rule, however, you only want to forward the port. The establishment of the interactive session can be switched off with the option:

In some cases, however, the database server itself cannot be reached via SSH or you lack the rights. If there is another server in the test environment that can be logged on via SSH and that can connect to the database, then we can set up port forwarding via this server. If this server is mainly used to “jump” to other destinations, it is usually referred to as a “jump host” or “jump server”.

In this case the connection to the database is established with the command


If you want to connect to two databases (e.g. a primary and secondary instance), you could start twice with different local ports:

Alternatively, you can generate both port forwarding with just one command:

All details and options for the command line program can be found on the ssh man page.

Dynamic port forwarding

If you want to connect to a large number of services in the target environment, the creation of local port forwarding can quickly become confusing. For this application, OpenSSH offers the option of dynamic port forwarding. Instead of defining a list of target systems including ports, one instead specifies a free local port (e.g.) on which OpenSSH opens a SOCKS proxy:

All systems can be reached via this local SOCKS proxy as if you were on the jump host yourself. A prerequisite, however, is that the client explicitly supports the establishment of a connection via a SOCKS proxy. All common browsers support SOCKS proxies, so dynamic port forwarding can be very practical if, for example, you want to connect to a large number of different web applications that can only be accessed via a jump host.

Remote port forwarding

In somewhat rarer cases, you might want to set up port forwarding in the opposite direction.

A use case would be, for example, the port forwarding of a service with REST-API that one would like to use in a regular integration test in a continuous integration environment. For the example we assume that, for security reasons, you do not want to allow direct access from the continuous integration server to the test environment. Instead, however, SSH access from a trustworthy server (here:) from the test environment to the continuous integration server is permitted.

In this case, reverse port forwarding ("Remote Port Forwarding") can be set up by opening the forwarding with the command


In this case, our software, which is tested on the continuous integration server, can access the REST service via, although it is operated remotely in the isolated test environment.


In some cases the jump host through which you want to set up port forwarding cannot itself be reached directly via SSH, but only with a "jump" via another server. With the or option in the local SSH configuration (), even more complex scenarios can be set up elegantly. In a future article we will take a closer look at this configuration option. We present our Java library ssh-proxy, with which port forwarding can be easily set up in Java applications, e.g. in integration tests.

In another future article we will show how you can set up user services and autossh port forwarding on Linux with systemd, which are automatically re-established if the network connection is interrupted.

Benedikt Waldvogel

Benedikt Waldvogel is a software developer at cronn GmbH. His core competencies include backend development with Java and Spring as well as automated integration tests.

← Previous PostNext Post →