Port Forwarding Overview
Port forwarding (SSH tunneling) allows you to securely access services through an encrypted SSH connection. Xermius makes it easy to create and manage tunnels with a visual interface.
What is Port Forwarding?
Port forwarding creates an encrypted tunnel through SSH, allowing you to:
- Access remote services securely from your local machine
- Expose local services to a remote server
- Route traffic through an SSH connection like a VPN
How It Works
Your Computer ←→ SSH Tunnel ←→ Remote Server ←→ Target Service
(Secure) (Encrypted) (Secure)
All data passing through the tunnel is encrypted, making it secure even on untrusted networks.
Types of Port Forwarding
Xermius supports three types of port forwarding:
1. Local Port Forwarding (-L)
Purpose: Access a remote service from your local machine
Flow:
Your App → localhost:PORT → SSH Tunnel → Remote Host:PORT
Example Use Case:
Your Database Client → localhost:3306 → SSH → Remote MySQL:3306
When to Use:
- Access databases on remote servers
- Connect to internal web services
- Reach services behind firewalls
- Test applications on remote servers
2. Remote Port Forwarding (-R)
Purpose: Expose a local service to a remote server
Flow:
Remote App → Remote:PORT → SSH Tunnel → localhost:PORT → Your App
Example Use Case:
Remote Server:8080 → SSH → Your Local Dev Server:3000
When to Use:
- Share local development work
- Demo applications without deployment
- Test webhooks locally
- Temporary access to local services
3. Dynamic Port Forwarding (-D)
Purpose: Create a SOCKS5 proxy for routing all traffic
Flow:
Your Browser → SOCKS5:PORT → SSH Tunnel → Internet
Example Use Case:
Your Browser → localhost:1080 (SOCKS5) → SSH → Browse Web
When to Use:
- Browse web anonymously through server
- Bypass geographic restrictions
- Secure browsing on public WiFi
- Access region-restricted content
Accessing Port Forwarding
From Sidebar
- Click "Port Forwarding" in left sidebar
- View all configured tunnels
- Click "New Tunnel" to create
From Host Menu
- Right-click on host
- Select "Port Forwarding"
- Manage tunnels for that host
Keyboard Shortcut
- Press
Ctrl/Cmd + Shift + P - Opens port forwarding panel
Port Forwarding Interface
┌────────────────────────────────────────────────────────┐
│ Port Forwarding [+ New Tunnel]│
├────────────────────────────────────────────────────────┤
│ Production Server │
│ ├─ MySQL Database [●] Active [Start/Stop] │
│ │ Local: 3306 → Remote: localhost:3306 │
│ │ Connections: 5 | Data: 12.4 MB │
│ │ │
│ ├─ Redis Cache [○] Inactive [Start/Stop] │
│ │ Local: 6379 → Remote: localhost:6379 │
│ │ │
│ └─ Web Preview [●] Active [Start/Stop] │
│ Remote: 0.0.0.0:8080 → Local: 3000 │
│ Connections: 2 | Data: 856 KB │
│ │
│ Development Server │
│ └─ SOCKS5 Proxy [●] Active [Start/Stop] │
│ Local: 1080 (SOCKS5) │
│ Connections: 15 | Data: 45.2 MB │
└────────────────────────────────────────────────────────┘
Creating a Tunnel
Basic Steps
- Click "New Tunnel" button
- Select tunnel type
- Fill in configuration
- Click "Create"
- Start the tunnel
Configuration Form
┌─────────────────────────────────────────────┐
│ New Port Forwarding Tunnel │
├─────────────────────────────────────────────┤
│ Name: * │
│ [MySQL Database Access ] │
│ │
│ Connection: * │
│ [Production Server ▼] │
│ │
│ Type: * │
│ [○] Local [●] Remote [○] Dynamic │
│ │
│ ─── Local Configuration ─── │
│ Local Port: * Bind Address: │
│ [3306 ] [127.0.0.1 ] │
│ │
│ ─── Remote Configuration ─── │
│ Remote Host: * Remote Port: * │
│ [localhost ] [3306 ] │
│ │
│ ─── Options ─── │
│ [✓] Auto-start with connection │
│ [ ] Start immediately │
│ │
│ Description: │
│ [Access production MySQL database ] │
│ │
│ [Cancel] [Create Tunnel] │
└─────────────────────────────────────────────┘
Key Concepts
Local Port
The port on your computer where you connect
Example:
localhost:3306
Choose:
- Available port (not in use)
- Standard port for service (MySQL = 3306)
- Or any custom port
Check if port is available:
# On your computer
netstat -an | grep 3306
# If nothing shows, port is free
Remote Host
The target server from the SSH server's perspective
Options:
localhost- Service on SSH server itself192.168.1.100- Another server on remote networkdatabase.internal- Internal hostname
Important: This is from the remote server's perspective!
Bind Address
The network interface to bind to
Options:
127.0.0.1(localhost) - Recommended, only your computer0.0.0.0(all interfaces) - Accessible from network ⚠️- Specific IP - Bind to one interface
Security Note: Using 0.0.0.0 allows others on your network to access the tunnel!
Connection Requirements
Tunnels require an active SSH connection:
- Dedicated Session - Each tunnel creates its own SSH connection
- Independent - Tunnels work without terminal windows open
- Auto-reconnect - Automatically reconnects if connection drops
Managing Tunnels
Start/Stop Tunnels
Start a Tunnel:
- Find tunnel in list
- Click "Start" button
- Status changes to "Active" ●
Stop a Tunnel:
- Click "Stop" on active tunnel
- Status changes to "Inactive" ○
- Connections are closed gracefully
Auto-start:
- Enable "Auto-start with connection"
- Tunnel starts automatically when you connect to host
- Useful for frequently used tunnels
Edit Tunnels
- Right-click on tunnel
- Select "Edit"
- Modify settings
- Save changes
Note: Must stop tunnel before editing
Delete Tunnels
- Right-click on tunnel
- Select "Delete"
- Confirm deletion
Warning: Cannot be undone!
Duplicate Tunnels
Create similar tunnel quickly:
- Right-click existing tunnel
- Select "Duplicate"
- Modify as needed
- Save
Tunnel Statistics
Each active tunnel shows:
Connections:
- Number of active connections
- Total connections since start
- Connection rate
Data Transfer:
- Bytes sent/received
- Transfer speed
- Total data transferred
Status:
- Uptime
- Last error (if any)
- Connection state
Security Considerations
Port Selection
Privileged Ports (< 1024):
- Requires admin/root privileges
- Generally not recommended
- Use higher ports instead
Recommended Ports:
- 3000-9999 - Common development ports
- 10000+ - User ports
- Check if port is available first
Bind Address Security
Localhost (127.0.0.1) - Secure:
✓ Only you can access
✓ No network exposure
✓ Recommended default
All Interfaces (0.0.0.0) - Risky:
⚠ Anyone on network can access
⚠ Firewall may allow connections
⚠ Only use if you know what you're doing
Best Practice:
- Always use
127.0.0.1unless you have a specific reason - Use firewall rules if using
0.0.0.0 - Never expose sensitive services
Authentication
Tunnels inherit SSH authentication:
- Same security as SSH connection
- End-to-end encryption
- No additional authentication by default
For extra security:
- Use SSH keys instead of passwords
- Enable 2FA on SSH server
- Restrict which ports can be forwarded on server
Common Use Cases
Database Access
Scenario: Access production MySQL database
Type: Local
Local Port: 3306
Remote Host: localhost
Remote Port: 3306
Connect from your tools:
Host: localhost
Port: 3306
Username: your_db_user
Password: your_db_pass
Tools:
- MySQL Workbench
- DBeaver
- DataGrip
- Command line:
mysql -h 127.0.0.1 -P 3306
Web Development
Scenario: Share local development server
Type: Remote
Local Port: 3000
Remote Host: 0.0.0.0
Remote Port: 8080
Access from anywhere:
http://your-server-ip:8080
Use Cases:
- Demo to clients
- Test on mobile devices
- Webhook development
VPN-like Access
Scenario: Browse through server (SOCKS5 proxy)
Type: Dynamic
Local Port: 1080
Configure browser:
- Settings → Network → Proxy
- SOCKS5 proxy:
localhost:1080 - All traffic goes through SSH tunnel
Benefits:
- Encrypted browsing
- Hide your IP address
- Access region-restricted content
Troubleshooting
Port Already in Use
Error: "Address already in use"
Solution:
# Find what's using the port
# macOS/Linux:
lsof -i :3306
# Windows:
netstat -ano | findstr :3306
# Kill the process or choose different port
Cannot Bind to Port
Error: "Permission denied"
Solution:
- Use port > 1024
- Or run with admin privileges (not recommended)
Connection Refused
Error: "Connection refused by remote server"
Check:
- Service is running on remote host
- Remote host is accessible from SSH server
- Firewall allows connection
- Correct port number
Test from server:
# SSH to server first
ssh user@server
# Test connection
telnet localhost 3306
# or
nc -zv localhost 3306
Tunnel Disconnects
Causes:
- SSH connection lost
- Network instability
- Server rebooted
- Idle timeout
Solutions:
- Enable auto-reconnect
- Increase keep-alive interval
- Check network stability
- Verify server uptime
Slow Performance
Causes:
- High latency SSH connection
- CPU overhead from encryption
- Bandwidth limitations
Solutions:
- Reduce data transfer
- Compress data
- Use faster network
- Check server CPU usage
Best Practices
1. Naming Conventions
Use clear, descriptive names:
✓ Production MySQL Database
✓ Staging Redis Cache
✓ Local Dev Server Share
✗ Tunnel 1
✗ Test
✗ Forward
2. Documentation
Add descriptions to tunnels:
"Production MySQL read-only access
For reports and analytics
Contact: dba@example.com"
3. Organization
Group related tunnels by host:
- Keep production separate from dev
- Use consistent port numbers
- Document dependencies
4. Security
- Use localhost bind address
- Don't leave tunnels running when not needed
- Regularly review active tunnels
- Use strong SSH keys
5. Monitoring
Watch tunnel statistics:
- Check for unexpected connections
- Monitor data transfer
- Review error logs
- Set up alerts for failures