What is the difference between Local/Remote/Dynamic SSH tunneling?

The answer from jscott is correct, however after reading it, it was still not completely clear to me when should I use local and when remote. So I researched further, and I have found the answer here:

Use local if you have a service running on a machine that can be reached from the remote machine, and you want to access it directly from the local machine. After setting up the tunneling you will be able to access the service using your local host IP (127.0.0.1)

Use remote if you have a service that can be reached from the local machine, and you need to make it available to the remote machine. It opens the listening socket on the machine you have used SSH to log into.

Dynamic is like local, but on the client side it behaves like a SOCKS proxy. Use it if you need to connect with a software that expects SOCKS forwarding.

From the puTTY documentation, specifically, 4.23 The Tunnels Panel section:

Set one of the ‘Local’ or ‘Remote’ radio buttons, depending on whether you want to forward a local port to a remote destination (‘Local’) or forward a remote port to a local destination (‘Remote’). Alternatively, select ‘Dynamic’ if you want PuTTY to provide a local SOCKS 4/4A/5 proxy on a local port (note that this proxy only supports TCP connections; the SSH protocol does not support forwarding UDP).

• Local -- Forward local port to remote host.
• Remote -- Forward remote port to local host.
• Dynamic -- Act as a SOCKS proxy. This requires special support from the software that connects to it, however the destination address is obtained dynamically at runtime rather than being fixed in advance.

I have drawn some sketches

The machine, where the ssh tunnel command is typed (or in your case: Putty with tunneling is started) is called »your host«.

static (options -L local and -R remote)

1. local: -L Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side.

ssh -L sourcePort:forwardToHost:onPort connectToHost means: connect with ssh to connectToHost, and forward all connection attempts to the local sourcePort to port onPort on the machine called forwardToHost, which can be reached from the connectToHost machine.

2. remote: -R Specifies that the given port on the remote (server) host is to be forwarded to the given host and port on the local side.

ssh -R sourcePort:forwardToHost:onPort connectToHost means: connect with ssh to connectToHost, and forward all connection attempts to the remote sourcePort to port onPort on the machine called forwardToHost, which can be reached from your local machine.

dynamic (option -D)

-D is like -L (local) but instead of fowarding to one and only one specific remotehost and port, SSH acts as a SOCKS proxy to the remotehost. Your program using the tunnel needs to support socks proxies. Or you need to help it with some tricks (see examples below).

What does a Socks proxy do? It accepts all your requests and forwards it dynamically to the remote hosts and ports, that the original program wanted it to (see examples below).

Usage examples of -D (dynamic / socks)

If you want to tunnel your browser traffic (with Firefox for example), you do not only want to access ONE website (remotehost and port), but surf freely in the www. So you need a dynamic tunnel, a socks proxy.

On your computer (your host) you do:

ssh -D 5000 remotehost   # or the equivalent option "dynamic" with putty

Firefox traffic tunnelled

For this you can edit your Firefox configuration, so that your browser uses your socks proxy. Type in the Firefox address bar:

about:config

Now edit the following values:

network.proxy.socks             string localhost
network.proxy.socks_port        integer 5000
network.proxy.socks_remote_dns  boolean true
network.proxy.type              integer 1   (0 ist default)
media.peerconnection.enabled    boolean false (true ist default)

You can now surf in the internet without anybody at the strange place knowing what you do.

more general: use tsocks application with a file /etc/tsocks.conf

Contents of the config file:

local = 192.168.1.0/255.255.255.0   # no proxy for local network
server = localhost    # proxy-server (your host)
server_type = 5       # socks5
server_port = 5000

You can now start program with tsocks in front of it, so that it uses the socks proxy.

tsocks thunderbird
tsocks mplayer -playlist http://bassdrive.com/bassdrive.m3u

curl

Easy to use with curl:

ALL_PROXY="socks5h://localhost:5000" curl http://blabbla.abc

or just

curl --proxy socks5h://localhost:5000 http://blabbla.abc

combine ALL_PROXY and tsocks

wget needs tsocks, because wget doesn’t support proxies. If you do both, you are safe (mostly): The script will use tsocks or ALL_PROXY variable:

ALL_PROXY="socks5h://localhost:5000" tsocks script

for youtube-dl

youtube-dl --proxy socks5://127.0.0.1:5000 http://blaaaa.bla

To set it up with Putty (local forward example)

Start Putty and enter your usual connection settings (Hostname or IP address) In the tree on the left side, navigate to

Connection → SSH → Tunnels

and create a new local tunnel with the source port 123 and the destination localhost:456.

Do not forget to click on Add.

Then navigate back to session and click Save to keep your settings for the next time. Now you can use the saved connection to log in to your server and after you successfully log in, every time you connect to port 123 on your host you will actually connect to port 456 on the server.

Local / Remote chooses whether you're connecting to a local port or a remote port (your own pc or another pc)

Dynamic is for a SOCKS proxy

See 4.19.2 Port forwarding http://the.earth.li/~sgtatham/putty/0.54/htmldoc/Chapter4.html

a local server is, well, local

typically it means a local server is connected on your LAN (local area network) and a remote server is not on you lan but connected over your WAN (wide area network) remote could be next door or the next continent or it could be in the same room, simply on separate network.