Referring back to this question, I am executing the below via OpenSSH (Client: Mac OS X 10.6 | Server: Linux Mint), however the port that is being tunneled is not working publicly:

ssh -R 8080:localhost:80 -N root@example.com
  • The purpose is so the local port can be opened on the remote computer
  • It seems as if the remote side binds only on localhost, instead of to all interfaces
  • It works when opening the port on localhost on the remote computer, but when trying to access the public IP of the remote computer from my local computer, the port doesn’t seem to be open

How would I make the tunnel public on the IP for anyone to access?

Trevor Rudolph
  • 2,581
  • 3
  • 16
  • 14
  • What does public IP mean? If you are trying to connect to a local computer thru the router and via the Internet, most routers will not allow such loopback. – harrymc Apr 30 '13 at 05:53

8 Answers8


If you check the man page for ssh, you'll find that the syntax for -R reads:

-R [bind_address:]port:host:hostport

When bind_address is omitted (as in your example), the port is bound on the loopback interface only. In order to make it bind to all interfaces, use

ssh -R \*:8080:localhost:80 -N root@example.com


ssh -R -N root@example.com


ssh -R "[::]:8080:localhost:80" -N root@example.com

The first version binds to all interfaces individually. The second version creates a general IPv4-only bind, which means that the port is accessible on all interfaces via IPv4. The third version is probably technically equivalent to the first, but again it creates only a single bind to ::, which means that the port is accessible via IPv6 natively and via IPv4 through IPv4-mapped IPv6 addresses (doesn't work on Windows, OpenBSD).  (You need the quotes because [::] could be interpreted as a glob otherwise.)

Note that if you use OpenSSH sshd server, the server's GatewayPorts option needs to be enabled (clientspecified, or, in rare cases, to yes) for this to work (check file /etc/ssh/sshd_config on the server). Otherwise (default value for this option is no), the server will always force the port to be bound on the loopback interface only.

  • 824
  • 2
  • 8
  • 21
Stefan Seidel
  • 10,485
  • 1
  • 28
  • 44


-g works for local forwarded ports, but what you want is a reverse/remote forwarded port, which is different.

What you want is this.

Essentially, on example.com, set GatewayPorts=clientspecified in /etc/ssh/sshd_config.

--- previous (incorrect) answer ---

Use the -g option. From ssh's man page:

-g     Allows remote hosts to connect to local forwarded ports.
  • 1,156
  • 8
  • 18

Here's my answer for completion:

I ended up using ssh -R ... for tunneling, and using socat on top of that for redirecting network traffic to

tunnel binded to ssh -R mitm:9999:<my.ip>:8084 me@mitm

socat: mitm$ socat TCP-LISTEN:9090,fork TCP:

Other option is to do a local-only tunnel on top of that, but i find this much slower

mitm$ ssh -L<mitm.ip.address>:9090:localhost:9999 localhost

Miguel Ping
  • 362
  • 1
  • 3
  • 8
  • I like the fact that I don't have to deal with the sshd configuration and that I can do all of it without sudo. Plus I learn that socat exists. Thanks! – BrutusCat Jun 12 '14 at 14:00
  • 2
    +up you go good sir. I tried to tell ssh to bind to without success.. then saw the \* syntax, tried that, no dice. I imagine it may be some sort of security feature on sshd config or something that isn't allowing it. Finally saw this post and `socat` worked awesome. Super useful, putting this in my back pocket ;] – Jaime Jun 24 '19 at 23:45

You can also use a double forward if you won´t or can change /etc/ssh/sshd_config.

First forward to temporary port (e.g. 10080) on loopback device on the remote machine, then use local forward there to redirect port 10080 to 80 on all interfaces:

ssh -A -R 10080:localhost_or_machine_from:80 user@remote.tld "ssh -g -N -L 80:localhost:10080 localhost"
  • 291
  • 2
  • 5

Use the "gateway ports" option.


In order to use that, you probably need to add "GatewayPorts yes" to your server's /etc/ssh/sshd_config.

  • Actually this worked. What I do is that I use an EC2 instance as a forwarder to my REST server. This way, I don't need to stick my server in the DMZ and I don't need a public IP. Funny enough, with the first EC2 instance I created, ssh -R remote_port:localhost:port xxx@ec2xxx worked just fine but then I had to create another instance later on for some reason and from that point on, I was always getting: connection refused. Used tcpdump to look at what I was getting and there wasn't much info. -g plus GatewayPorts yes did the trick. – E.T Jan 24 '17 at 19:12

I don't have enough reputation to comment at the appropriate sections, so I'm adding a new answer.

Warning: if you set GatewayPorts to yes this will make sshd bind your forwardings to any interface - regardless of the client configuration (-R, etc.). This can become quite a security issue if the client assumes she has limited her forwardings to f.e. localhost. Therefore, setting GatewayPorts to clientspecified is usually what you want.


Jump hosts are a fairly recent addition to OpenSSH. This requires SSH access to the intermediate, but should work without additional configuration.

ssh -J root@example.com remoteuser@localhost -p 8080

This command instructs SSH to first connect to root@example.com, and then, from that machine, to initiate a connection to port 8080 at localhost (i.e., the port that is tunneled from the jump host to the remote host) under the remoteuser user name.

  • 852
  • 1
  • 10
  • 19

If you'd like to put the configuration in you ~/.ssh/config instead of using command line parameters, you can try something like

Host REMOTE_HOST_NAME RemoteForward \*:8080

Remember to have you remote host's firewall allow connections to 8080 and ensure that the GatewayPorts option of your /etc/ssh/sshd config isnt set to no