SSH Tunnels

Local forwarding (-L), remote forwarding (-R), and SOCKS5 proxy (-D) with full IPv4/IPv6/domain support. Up to 10 local + 5 remote tunnels per profile.

SSH tunnels are one of the most underrated tools in a sysadmin's toolkit, they let you reach internal services (a database, a Redis instance, an admin panel) without exposing them to the Internet. SSHive turns SSH tunneling from a memorized command-line incantation into a profile setting. Open a profile, click "Tunnels", add a forward, done. The tunnel starts automatically when the SSH connection comes up and tears down when it drops. All three OpenSSH forwarding modes are supported: Local (`-L`) brings a remote port to your Mac, Remote (`-R`) exposes a local port on the remote server, and Dynamic SOCKS5 (`-D`) gives you a per-app proxy. Each profile can have up to 10 Local and 5 Remote tunnels active simultaneously. SOCKS5 supports IPv4, IPv6, and domain-name routing, so you can use SSHive as a private VPN-like proxy for browser sessions when traveling.

Key capabilities

Local forwarding (-L): Access remote services as if they were local

Remote forwarding (-R): Expose local services to the remote network

SOCKS5 dynamic proxy (-D): Full IPv4, IPv6, and domain name routing

Up to 10 local + 5 remote tunnels per connection profile

Real-world tunnel scenarios

Reach a private database

Forward 5432 from a private RDS instance through your bastion to localhost:5432. Connect TablePlus, DBeaver, or psql to localhost, they think the database is local, and your SSH key is the auth.

Expose a local dev server

Use Remote forwarding to expose your local Vite dev server (port 5173) on a public host's port 8080. Quick demo to a stakeholder without ngrok or Cloudflare Tunnel.

SOCKS5 proxy for safe browsing

On hotel Wi-Fi, start a SOCKS5 tunnel through your home server, set Firefox/Chrome to use localhost:1080. All your web traffic exits from your home IP, encrypted, untouchable by the hotel network.

SSH tunnels, frequently asked questions

Why not just use a VPN?+

A VPN routes all traffic, requires admin privileges, and is overkill for reaching one database. SSH tunnels are surgical: only the ports you specify are forwarded, no kernel network changes, no sudo. They're also auditable, your bastion logs the SSH session, not opaque VPN tunnels.

Can I use a tunnel without keeping the SSH terminal open?+

Yes. SSHive separates "tunnel-only" profiles: connect with no shell, just the tunnels active. The connection stays alive in the background. Disconnect from the sessions panel when done.

How does SSHive handle tunnel re-establishment after a drop?+

Auto-reconnect retries with exponential backoff (1s, 2s, 4s, ... up to 60s). Tunnels reattach as soon as the SSH connection is back. You see a yellow indicator in the sessions panel during reconnect.

Are tunnels in the free tier?+

Tunnels are a Pro feature. Free tier covers SSH terminal + SFTP. Pro ($9.99 one-time) unlocks tunnels, RDP, VNC, broadcast, and unlimited sessions.

Related SSHive features

SSH Terminal

GPU-accelerated terminal

SFTP File Manager

Drag & drop file manager

Broadcast Mode

Multi-server command execution

Common use cases

Manage AWS EC2 instances from your Mac

Connect to public and private EC2 instances with PEM keys, jump hosts, and tunnels, all from one native macOS app.

Manage your home server from your Mac

One app for everything in your home lab, SSH, SFTP, VNC, and secure tunnels for Plex, Home Assistant, Nextcloud, and more.

Docker host management from your Mac

SSH to Docker hosts, tunnel exposed ports, broadcast across swarm nodes, all from one native macOS app.

Try SSH Tunnels Free