How to allow remote hosts to use an SSH tunnel

An SSH local tunnel normally listens only on the client that started it. When another trusted workstation needs the same internal web console, API, or service through that encrypted path, the tunnel host must bind the forwarded port to a reachable interface instead of loopback.

OpenSSH handles this on the client side. An explicit bind address on -L binds the listener to that address instead of loopback, and the -g option (the client-side GatewayPorts setting) permits remote hosts to connect to local forwarded ports; with -g and no bind address, the listener opens on every interface. The bind address controls who can enter the tunnel, while the target host and port still control where traffic exits from the remote SSH server. Nothing authenticates a client that connects to the shared port: anyone who can reach it reaches the target service from the network position of the SSH server, using the forwarding rights of the account that opened the session.

Server policy still matters. The remote account must be allowed to use TCP forwarding (AllowTcpForwarding in sshd_config, which defaults to yes), while server-side GatewayPorts controls remote -R forwards rather than the local -L listener created by the client command. Keep the tunnel temporary, restrict the client source range, and close the ssh process when the handoff ends.

Steps to allow remote hosts to use an OpenSSH local tunnel:

  1. Confirm that the target service responds from the SSH gateway.
    $ ssh user@host.example.net curl -sS http://127.0.0.1:8000/
    internal service reached

    The target address in an -L forward is reached from the remote SSH server. Replace 127.0.0.1:8000 with the service address and port as seen from host.example.net.

  2. Start the local forward on the tunnel host's trusted interface.
    $ ssh -fN -g \
      -L 192.0.2.40:8080:127.0.0.1:8000 \
      -o ExitOnForwardFailure=yes \
      user@host.example.net

    -fN backgrounds a forwarding-only session, -g allows non-local clients, and ExitOnForwardFailure=yes prevents a silent background process when the listener cannot open.

    Use a specific trusted interface address when possible. Binding to 0.0.0.0, to *, or to an empty address listens on every interface and can expose the forwarded service beyond the intended network; ssh refuses to bind a non-loopback address when the client-side GatewayPorts setting is off and no -g is given, which ExitOnForwardFailure=yes turns into a visible error.

  3. Confirm that ssh is listening on the shared address and port.
    $ ss --tcp --listening --numeric --processes --no-header "sport = :8080"
    LISTEN 0      128    192.0.2.40:8080 0.0.0.0:* users:(("ssh",pid=24819,fd=4))

  4. Restrict the tunnel port to trusted clients at the host firewall.
    $ sudo ufw allow from 192.0.2.0/24 to any port 8080 proto tcp
    Rule added

    Use the equivalent host firewall, cloud security group, or network ACL on systems that do not use UFW. An allow rule only narrows access when the default incoming policy already denies, so check sudo ufw status verbose before relying on it. Keep the allowed source narrower than the whole internet.

  5. Test the shared tunnel from a trusted remote host.
    $ curl http://192.0.2.40:8080/
    internal service reached

    A response through 192.0.2.40:8080 proves the remote client reached the target service through the SSH tunnel.

  6. Stop the background tunnel when sharing ends.
    $ kill 24819

    Use the ssh process ID from the listener check. Killing the wrong process can close an unrelated SSH session.
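
The steps above wrapped into small shell functions, as an added example that is not part of the original page: the functions build the forwarding command while refusing wildcard bind addresses, build the firewall rule while refusing a world-open source, extract the ssh PID from an ss listener line, and stop only a PID that really belongs to an ssh process. The bind address 192.0.2.40, port 8080, target 127.0.0.1:8000, gateway host.example.net, and the sample ss line are assumed values taken from the procedure; the functions that run ssh, ss, and kill are only called when you pass the word run, so the script runs offline by default.

```shell
#!/bin/sh
# Added example (not from the original page). Hypothetical values follow
# the procedure above: bind 192.0.2.40, port 8080, target 127.0.0.1:8000.

# Constructed ss output line, shaped like the listener check in step 3.
SAMPLE_SS_LINE='LISTEN 0      128    192.0.2.40:8080 0.0.0.0:* users:(("ssh",pid=24819,fd=4))'

# Reject bind addresses that open the listener on every interface.
check_bind_address() {
    case "$1" in
        ""|"*"|"0.0.0.0"|"::"|"[::]") return 1 ;;
        *) return 0 ;;
    esac
}

# Print the ssh command for a shared -L forward: bind lport target dest.
tunnel_cmd() {
    bind="$1"; lport="$2"; target="$3"; dest="$4"
    check_bind_address "$bind" || { echo "refusing wildcard bind: '$bind'" >&2; return 1; }
    printf 'ssh -fN -g -L %s:%s:%s -o ExitOnForwardFailure=yes %s\n' \
        "$bind" "$lport" "$target" "$dest"
}

# Print the ufw rule for step 4, refusing a source that means "everyone".
ufw_rule() {
    cidr="$1"; port="$2"
    case "$cidr" in
        any|0.0.0.0/0|::/0) echo "refusing world-open source: '$cidr'" >&2; return 1 ;;
    esac
    printf 'ufw allow from %s to any port %s proto tcp\n' "$cidr" "$port"
}

# Extract the ssh PID from one ss listener line (users:(("ssh",pid=N,...))).
tunnel_pid_from_ss() {
    printf '%s\n' "$1" | sed -n 's/.*users:(("ssh",pid=\([0-9]*\),.*/\1/p'
}

# Live lookup for step 3: the ssh PID listening on the given port, if any.
listener_pid() {
    ss --tcp --listening --numeric --processes --no-header "sport = :$1" |
        while IFS= read -r line; do tunnel_pid_from_ss "$line"; done | head -n 1
}

# Step 6: kill the PID only if it still names an ssh process.
stop_tunnel() {
    pid="$1"
    [ "$(ps -o comm= -p "$pid" 2>/dev/null)" = "ssh" ] ||
        { echo "pid '$pid' is not an ssh process, not killing" >&2; return 1; }
    kill "$pid"
}

# Offline demonstration: show the generated commands and parse the sample.
tunnel_cmd 192.0.2.40 8080 127.0.0.1:8000 user@host.example.net
ufw_rule 192.0.2.0/24 8080
tunnel_pid_from_ss "$SAMPLE_SS_LINE"

# Live run (only when asked): open the share, show its PID, tear it down.
if [ "${1:-}" = "run" ]; then
    eval "$(tunnel_cmd 192.0.2.40 8080 127.0.0.1:8000 user@host.example.net)"
    pid="$(listener_pid 8080)"
    echo "tunnel ssh pid: $pid"
    sudo $(ufw_rule 192.0.2.0/24 8080)
    curl -sS http://192.0.2.40:8080/
    stop_tunnel "$pid"
fi
```

The offline part prints the exact ssh and ufw commands from steps 2 and 4 and the PID 24819 from the sample line; invoking the script with the argument run performs the live sequence against the assumed gateway, and the wildcard checks make a typo such as an empty bind address fail before any listener opens.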