SSH Tunnels

Local forwarding (-L), remote forwarding (-R), and SOCKS5 proxy (-D) with full IPv4/IPv6/domain support. Up to 10 local + 5 remote tunnels per profile.

SSH tunnels are one of the most underrated tools in a sysadmin's toolkit — they let you reach internal services (a database, a Redis instance, an admin panel) without exposing them to the Internet. SSHive turns SSH tunneling from a memorized command-line incantation into a profile setting. Open a profile, click "Tunnels", add a forward — done. The tunnel starts automatically when the SSH connection comes up and tears down when it drops. All three OpenSSH forwarding modes are supported: Local (`-L`) brings a remote port to your Mac, Remote (`-R`) exposes a local port on the remote server, and Dynamic SOCKS5 (`-D`) gives you a per-app proxy. Each profile can have up to 10 Local and 5 Remote tunnels active simultaneously. SOCKS5 supports IPv4, IPv6, and domain-name routing — so you can use SSHive as a private VPN-like proxy for browser sessions when traveling.

Key capabilities

Local forwarding (-L): Access remote services as if they were local

Remote forwarding (-R): Expose local services to the remote network

SOCKS5 dynamic proxy (-D): Full IPv4, IPv6, and domain name routing

Up to 10 local + 5 remote tunnels per connection profile

Real-world tunnel scenarios

Reach a private database

Forward 5432 from a private RDS instance through your bastion to localhost:5432. Connect TablePlus, DBeaver, or psql to localhost — they think the database is local, and your SSH key is the auth.

Expose a local dev server

Use Remote forwarding to expose your local Vite dev server (port 5173) on a public host's port 8080. Quick demo to a stakeholder without ngrok or Cloudflare Tunnel.

SOCKS5 proxy for safe browsing

On hotel Wi-Fi, start a SOCKS5 tunnel through your home server, set Firefox/Chrome to use localhost:1080. All your web traffic exits from your home IP — encrypted, untouchable by the hotel network.

SSH tunnels — frequently asked questions

Why not just use a VPN?+

A VPN routes all traffic, requires admin privileges, and is overkill for reaching one database. SSH tunnels are surgical: only the ports you specify are forwarded, no kernel network changes, no sudo. They're also auditable — your bastion logs the SSH session, not opaque VPN tunnels.

Can I use a tunnel without keeping the SSH terminal open?+

Yes. SSHive separates "tunnel-only" profiles: connect with no shell, just the tunnels active. The connection stays alive in the background. Disconnect from the sessions panel when done.

How does SSHive handle tunnel re-establishment after a drop?+

Auto-reconnect retries with exponential backoff (1s, 2s, 4s, ... up to 60s). Tunnels reattach as soon as the SSH connection is back. You see a yellow indicator in the sessions panel during reconnect.

Are tunnels in the free tier?+

Tunnels are a Pro feature. Free tier covers SSH terminal + SFTP. Pro ($9.99 one-time) unlocks tunnels, RDP, VNC, broadcast, and unlimited sessions.

Related SSHive features

SSH Terminal

GPU-accelerated terminal

SFTP File Manager

Drag & drop file manager

Broadcast Mode

Multi-server command execution

Common use cases

Manage AWS EC2 instances from your Mac

Connect to public and private EC2 instances with PEM keys, jump hosts, and tunnels — all from one native macOS app.

Manage your home server from your Mac

One app for everything in your home lab — SSH, SFTP, VNC, and secure tunnels for Plex, Home Assistant, Nextcloud, and more.

Docker host management from your Mac

SSH to Docker hosts, tunnel exposed ports, broadcast across swarm nodes — all from one native macOS app.

Try SSH Tunnels Free