Public access to an SSH tunnel allows applications and users on other hosts to reuse a single encrypted connection for web browsing, diagnostics, or access to internal services. Binding the tunnel to an external IP address turns a local-only endpoint into a shared resource on the network.

In OpenSSH, local and dynamic port forwarding options such as ssh -L and ssh -D create listening sockets on the client side and forward traffic over the secure channel to the remote server. By default these sockets bind to 127.0.0.1, but a custom listening address and the -g option can expose the same tunnel on another local interface, making it reachable from remote hosts on that network segment.

Allowing remote hosts to reach a tunnel effectively publishes a proxy or forwarded service, which can open a path for abuse if left unprotected. Firewall rules, access control lists, and careful choice of listening address (for example, a private LAN interface instead of 0.0.0.0) limit exposure while still enabling the required access. Changes should be tested from a known-safe network and reviewed regularly to ensure the tunnel does not become an unintended open proxy on the internet.

Steps to enable public access to an SSH tunnel:

  1. Identify the external IP address of the host running the tunnel.
    $ ip a
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host 
           valid_lft forever preferred_lft forever
    2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
        link/ether 00:0c:29:08:63:73 brd ff:ff:ff:ff:ff:ff
        altname enp2s1
        inet 192.168.111.27/24 brd 192.168.111.255 scope global dynamic noprefixroute ens33
           valid_lft 66553sec preferred_lft 66553sec
        inet6 fe80::fc5d:1d5c:ae0e:68f1/64 scope link noprefixroute 
           valid_lft forever preferred_lft forever
  2. Create an SSH dynamic port-forward tunnel that listens on this external IP address.
    $ ssh -fN -g -D 192.168.111.27:8080 192.168.111.29
    user@192.168.111.29's password:

    A SOCKS proxy exposed this way can be abused as an open proxy; restrict access to trusted networks and addresses.

  3. Verify that the tunnel is active and listening on the specified IP.
    $ ss -natp | grep 8080
    LISTEN 0      128    192.168.111.27:8080         0.0.0.0:*    users:(("ssh",pid=2966,fd=4))
  4. Configure the firewall to allow incoming connections to the tunnel port if a firewall is enabled.
    $ sudo ufw allow 8080 # Ubuntu and Debian variants
    $ sudo firewall-cmd --zone=public --permanent --add-port=8080/tcp # CentOS and Red Hat variants
    $ sudo firewall-cmd --reload # CentOS and Red Hat variants

    UFW manages host-based firewall rules on Ubuntu and Debian, while firewalld with firewall-cmd is common on CentOS and Red Hat Enterprise Linux.

  5. Test access to the tunnel from a remote host to confirm connectivity.
    $ curl --proxy socks5://192.168.111.27:8080 https://ifconfig.me
    115.131.92.137
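Step 3 checks by eye that the listener sits on 192.168.111.27. The following shell script, added here as an example and not part of the original article, makes the same check mechanical: it classifies the bind address of each forwarded port from ss -natp output so that a tunnel that ended up on 0.0.0.0 or a public address (the open-proxy case warned about above) is reported instead of overlooked. The ss output embedded in it is constructed, and the function names classify_addr, listener_state and audit_ports are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original article: audit the bind address of an
# ssh -D / -L listener from "ss -natp" output, so a tunnel meant for one LAN
# interface is caught if it ends up on 0.0.0.0 (reachable from every network).

# Classify one local bind address: loopback, lan (RFC 1918), wildcard or public.
classify_addr() {
  case "$1" in
    127.*|::1|"[::1]")                      echo loopback ;;
    0.0.0.0|'*'|::|"[::]")                  echo wildcard ;;
    10.*|192.168.*)                         echo lan ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*)  echo lan ;;
    *)                                      echo public ;;
  esac
}

# Read "ss -natp" output on stdin; print the class of the LISTEN socket on
# port $1, or "none" when nothing listens there.
listener_state() {
  port="$1"
  addr=$(awk -v p="$port" '
    $1 == "LISTEN" {
      n = split($4, a, ":")            # text after the last ":" is the port
      if (a[n] == p) { sub(":" p "$", "", $4); print $4; exit }
    }')
  if [ -z "$addr" ]; then echo none; else classify_addr "$addr"; fi
}

# Constructed "ss -natp" sample (not captured from a real host): the tunnel from
# the article on the LAN address, a wildcard-bound forward, and a loopback one.
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
LISTEN 0      128    192.168.111.27:8080  0.0.0.0:*         users:(("ssh",pid=2966,fd=4))
LISTEN 0      128    0.0.0.0:9090         0.0.0.0:*         users:(("ssh",pid=2970,fd=4))
LISTEN 0      128    [::]:9090            [::]:*            users:(("ssh",pid=2970,fd=5))
LISTEN 0      128    127.0.0.1:1080       0.0.0.0:*         users:(("ssh",pid=2980,fd=4))
ESTAB  0      0      192.168.111.27:22    192.168.111.29:50122 users:(("sshd",pid=1200,fd=3))'

# Report each forwarded port; a wildcard or public binding is the finding to act on.
audit_ports() {
  for port in "$@"; do
    state=$(printf '%s\n' "$SS_SAMPLE" | listener_state "$port")
    printf 'port %s: %s\n' "$port" "$state"
  done
}

audit_ports 8080 9090 1080
```

On a live host, feed the real socket table instead of the sample with `ss -natp | listener_state 8080`; anything other than `lan` or `loopback` means the firewall rules from step 4 are the only thing between the proxy and the wider network.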