SSH vs. SSH Tunneling: Key Technical Differences and Practical Use Cases for Developers


5 views

When working with remote servers, SSH (Secure Shell) is the fundamental protocol for secure command-line access. SSH Tunneling, however, is an advanced feature that creates encrypted pathways for network traffic.

Basic SSH connection (without tunneling):

ssh username@server.example.com -p 22

This gives you direct shell access to the remote machine. The shell experience appears identical whether you use tunneling or not because tunneling operates at the network layer, not the shell session.

SSH Tunneling creates secure "pipes" for other protocols. Three main types exist:

# Local Port Forwarding (common for web dev)
ssh -L 8080:localhost:80 username@server.example.com

# Remote Port Forwarding (access internal resources)
ssh -R 3306:localhost:3306 username@server.example.com

# Dynamic Port Forwarding (SOCKS proxy)
ssh -D 1080 username@server.example.com

Database Access: Tunnel MySQL through SSH:

ssh -L 3307:db.internal:3306 devuser@bastion.example.com

Web Application Testing: Access staging environments:

ssh -L 8080:staging-app:80 deploy@gateway.example.com

Bypassing Firewalls: When corporate networks restrict certain ports:

ssh -D 9090 -q -C -N user@vpn-access.example.com

While both use encryption, tunneling introduces additional security implications:

  • Local (-L) forwards expose ports on your machine
  • Remote (-R) forwards create listening ports on the server
  • Always specify bind addresses (127.0.0.1 vs 0.0.0.0)

Tunneling adds overhead for forwarded connections. For best results:

ssh -C -c aes256-gcm@openssh.com user@host

When tunnels don't work:

ssh -v -L 5432:db:5432 user@jumpbox.example.com
netstat -tulnp | grep 5432
curl -v http://localhost:5432

Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. At its core, SSH provides:

  • Secure remote command-line login
  • Secure command execution
  • Secure file transfer

A basic SSH connection looks like this:

ssh username@remote_host

SSH tunneling (or port forwarding) creates an encrypted tunnel between local and remote machines that can carry arbitrary network traffic. The three main types are:

Local Port Forwarding

Forwards a local port to a remote destination:

ssh -L local_port:remote_host:remote_port username@ssh_server

Remote Port Forwarding

Forwards a remote port to a local destination:

ssh -R remote_port:localhost:local_port username@ssh_server

Dynamic Port Forwarding

Creates a SOCKS proxy:

ssh -D local_port username@ssh_server

While a regular SSH connection gives you shell access, tunneling enables:

  • Accessing restricted services (e.g., database behind firewall)
  • Securing unencrypted protocols
  • Bypassing network restrictions

Example: Accessing a remote MySQL server through SSH tunneling:

ssh -L 3306:localhost:3306 user@remote_server
mysql -h 127.0.0.1 -u db_user -p

Tunneling introduces additional security aspects:

  • All forwarded traffic is encrypted
  • Can expose services unintentionally
  • Requires careful configuration of allowed ports

Tunneling adds overhead compared to direct SSH:

  • Additional encryption/decryption cycles
  • Potential latency from extra hops
  • Bandwidth limitations of the SSH connection

Use regular SSH when:

  • You only need shell access
  • No port forwarding is required
  • Working with simple command execution

Use SSH tunneling when:

  • You need to access network services securely
  • Working with legacy protocols
  • Bypassing network restrictions is necessary