How to set up an SSH tunnel on a Mac

A complete guide to local, remote, and SOCKS5 SSH tunnels on macOS — both command-line and visually in SSHive.

Estimated time: 5 minutes

An SSH tunnel forwards a network port over an encrypted SSH connection. There are three flavors: Local (`-L`) brings a remote port to your Mac, Remote (`-R`) exposes a Mac port on the remote server, Dynamic SOCKS5 (`-D`) gives you a per-app proxy. This guide covers all three using OpenSSH (built into macOS) and visually using SSHive's Tunnels UI — pick whichever fits your workflow. The end result is the same: secure, ephemeral port forwarding without VPN overhead.

Step-by-step

1
Open a profile and expand "Advanced"
Sidebar → click + (new connection) or right-click an existing profile → Edit. Fill in host, port, username and auth as usual, then click "Advanced" at the bottom of the dialog. The Advanced section unfolds with three tunnel blocks listed vertically: Local (-L), Remote (-R) and SOCKS5 (-D).
2
Add a Local forward (-L) — the most common case
Under "Local tunnels" click + Add. Three fields appear inline: Local port (e.g. `5433` — pick something ≥ 1024 to avoid sudo), Remote host (`db.internal` — what the SSH server can reach; use `localhost` if the target runs on the bastion itself), Remote port (`5432`). Save. The tunnel auto-mounts every time you connect to this profile. SSHive binds to 127.0.0.1 by default — no bind-address field exposed, that's a deliberate safety choice. Free tier: 1 Local tunnel max. Pro: 10.
3
Add a Remote forward (-R) — Pro only
Under "Remote tunnels" click + Add. Fields: Remote port (the port that opens on the SSH server, e.g. `8080`), Local host (`localhost`), Local port (`3000`). On the SSH server, `curl localhost:8080` now reaches your Mac's `localhost:3000`. On Free, the section shows a PRO badge and the Add button is disabled — clicking it opens the upgrade modal. Pro cap: 5 Remote tunnels per profile.
4
Read the ⇄ status pill in the bottom bar
Once connected, the status bar shows `⇄ N` where N is the number of active tunnels (Local + Remote + SOCKS combined). Click the pill to open the Tunnel Status panel: each tunnel is listed with its type, local port, target and live state, plus a per-tunnel close button. If a tunnel fails to bind (port already in use), the SSH session stays connected and the failure is logged — N just won't include that one.
5
Auto-reconnect — tunnels come back with the session
When the SSH session drops (Wi-Fi switch, sleep/wake, server bounce), all tunnels close — they're bound to the SSH connection. SSHive's auto-reconnect kicks in and remounts every tunnel in the profile in series. No manual action needed. If a specific tunnel keeps failing on reconnect, check the remote sshd: `AllowTcpForwarding yes` for Local/Remote, plus `GatewayPorts yes` if you need a Remote tunnel reachable from external interfaces.

Frequently asked questions

Tunnel dies when my SSH session ends?+

Yes — tunnels live with the SSH connection. In SSHive, enable auto-reconnect on the profile and tunnels reattach automatically when the connection comes back. For long-running tunnels, set `ServerAliveInterval 60` in OpenSSH or use SSHive's built-in keepalive (default: 30s).

Can I tunnel through a chain of jump hosts?+

Yes. CLI: `ssh -J bastion1,bastion2 -L 5432:db:5432 user@target` chains both bastions. In SSHive: configure each profile with the appropriate Jump Host, and tunnels work transparently through the chain.