Jon McCain

Using Putty To Create SSH Tunnels

This article shows you how to use an ssh client to port forward TCP/IP traffic through an ssh tunnel. In this case we are going to make a connection to a remote vnc server across the internet. You may be asking yourself why not just open the vnc port on the router. In the case of vnc, the traffic is not encrypted. It can also be a risk to make your pc's vnc service directly visible on the internet because someone could create an exploit and gain direct control of your pc. So this is all about security. In addition, you can port forward any number of ports through the ssh tunnel, but the router only has to have a single port open, so you can keep a very tight firewall.

First let's make some assumptions. Assume you have a setup like this.

I assume you know about port forwarding and have set the router to forward port 22 (ssh) to the ssh server. We are going to be using putty 0.56, a free ssh client, on a windows machine. We are using a vnc viewer like TightVNC for the vnc client and server.

The Theory
The idea is that you configure putty to accept connections on a local port. Any data that is sent to that port is then sent through the ssh connection. On the other end the ssh server can then forward that traffic to a machine on its own network. So first you use putty to log in to the ssh server. This establishes your connection, aka the tunnel.

Now you run the vnc viewer and connect to your own machine. Putty sends the vnc data to the ssh server, which then sends it to the vnc server on pc #2.

How To Do It
Assume the vnc server is set to run on "display" 1. To determine what TCP port it is running on, just add 5900 to the display number. So it is running on port 5901.

1. Open putty
2. Go to Connection, then to SSH, then to Tunnels.
3. In the "port forwarding" section set source port to 5901. This will refer to a port on pc #1.
4. Set the destination to  This will tell the ssh server where to send the traffic on the other end.  In this case, pc #2
5. Select "local".  This tells putty that the source port is to be on the local machine (pc #1).
6. Click the ADD button. You should see "L5901" appear in the list.
7. Click the OPEN button to connect.
8. Log in with your ssh username and password
9. Minimize putty.  The tunnel is only active while the ssh connection is active. So you MUST stay logged in.
10. Open the vnc viewer. Connect to localhost:01 (vnc assumes the 59 part)
11. You should get a connection to pc #2! Do things.
12. Close your vnc connection.
13. Maximize putty and log out from the ssh session.

To avoid having to add the tunnel info every time, save the session (before you connect) and putty saves the settings.
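
A quick way to confirm the tunnel is live before opening the viewer, as an added example that is not part of the original article: it connects to the forwarded port on pc #1 and reads the 12-byte RFB version banner that a VNC server sends first. The function names are hypothetical, and it assumes display 1 as above.

```python
import re
import socket

VNC_BASE_PORT = 5900  # display N listens on TCP 5900 + N, as described above


def vnc_port(display: int) -> int:
    """TCP port for a VNC display number (display 1 -> 5901)."""
    if not 0 <= display <= 99:
        raise ValueError("display number outside the range this sketch handles")
    return VNC_BASE_PORT + display


def putty_label(display: int) -> str:
    """Entry putty lists after ADD for a local forward, e.g. 'L5901'."""
    return f"L{vnc_port(display)}"


def probe_rfb(host: str, port: int, timeout: float = 3.0):
    """Return the RFB version (e.g. '3.8') if a VNC server answers, else None.

    None covers three cases: nothing is listening on the source port (putty
    not connected), the tunnel accepted the connection but the far end closed
    it, or the service behind the port is not speaking RFB.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            banner = b""
            while len(banner) < 12:  # ProtocolVersion message is 12 bytes
                chunk = s.recv(12 - len(banner))
                if not chunk:
                    break
                banner += chunk
    except OSError:  # refused, timed out, reset
        return None
    m = re.fullmatch(rb"RFB (\d{3})\.(\d{3})\n", banner)
    return f"{int(m.group(1))}.{int(m.group(2))}" if m else None


if __name__ == "__main__":
    port = vnc_port(1)
    version = probe_rfb("127.0.0.1", port)
    state = f"VNC server reachable, RFB {version}" if version else "no VNC server answering"
    print(f"{putty_label(1)} -> 127.0.0.1:{port}: {state}")
```

Run it on pc #1 after step 9; if it reports no answer while putty is logged in, check the source port and destination saved in the session.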

It's not as complicated as it sounds. And this is not limited to just vnc. You can do this trick with any tcp port and any client program. For instance you could connect to a windows server using the remote desktop client (aka rdp) by forwarding port 3389 and going to localhost:3389. Other ssh clients should work the same way. Tunnels are a feature of ssh, not just of putty.

Date: 7/11/2005, Updated: 9/21/2016