How to create a local port forward in PuTTY

Local port forwarding in PuTTY makes a remote TCP service reachable via a local port without opening that service to the network. It is commonly used to access internal web apps, admin consoles, and databases that only listen on the SSH server or its private network.

A local forward creates a listening socket on the computer running PuTTY and carries each incoming connection through the encrypted SSH session. The SSH server then opens the onward connection to the configured destination, so the destination host:port is interpreted from the server side rather than the local machine.

Port forwarding works only while the SSH session stays connected, and local port conflicts prevent the forward from opening. Leaving PuTTY’s default loopback-only binding keeps the forwarded port limited to the local computer, while allowing other hosts to connect can expose the tunneled service to the LAN.

1. Launch PuTTY on Windows 11.
2. Enter the SSH server address in Host Name (or IP address).
3. Enter the SSH port in Port.

   Default SSH port is 22.

4. Select SSH as the Connection type.
5. Open Connection → SSH → Tunnels from the left category tree.
6. Type an unused local port number in Source port.

   Example: 8080.

   If another program is already using the port, PuTTY cannot bind the forward and the tunnel will not work.

7. Type the destination in Destination using the host:port format.

   Example: 127.0.0.1:80 to reach a web service bound to the SSH server’s loopback interface.

8. Select Local under Add new forwarded port.
9. Select Auto as the destination address family.
10. Leave Local ports accept connections from other hosts unchecked.

    Enabling this option can expose the forwarded port to other devices, effectively sharing access to the tunneled service.

11. Click Add to create the local port forward.
12. Confirm the new forward appears in the Forwarded ports list.

    Multiple local forwards can be added to the same SSH session.

13. Return to the Session category.
14. Save the session profile to keep the tunnel settings for future connections.

    Saved sessions store tunnel definitions, but passwords are not saved by default.

15. Click Open to start the SSH connection.
16. Confirm the server fingerprint in the PuTTY Security Alert dialog.

    The fingerprint should match the SSH server’s published host key to avoid trusting the wrong system.

    Related: How to update or delete PuTTY host key fingerprints on Windows

17. Log in to the SSH server when prompted.
18. Keep the SSH session window open while the port forward is needed.

    Closing PuTTY stops the tunnel immediately and disconnects clients using the forwarded port.

19. Confirm the local port is listening on the computer running PuTTY.

    C:\> netstat -nao | findstr :8080
      TCP    127.0.0.1:8080     0.0.0.0:0      LISTENING       12344

    

    An additional ::1 listener is normal on IPv6-enabled systems.

20. Access the tunneled service using the local address and the chosen port.

    http://127.0.0.1:8080/

    

    Use 127.0.0.1 or localhost as the client address to avoid reaching the service directly over the network.