Server Setup Guide

Setting up your SSH server for TCP tunneling

ZTunnel uses standard OpenSSH port forwarding. These steps show how to prepare a Linux SSH server so that both local (-L) and remote (-R) TCP forwarding work correctly.

  1. Install OpenSSH server

    On a Debian/Ubuntu host:

    sudo apt update
    sudo apt install -y openssh-server
    sudo systemctl enable --now ssh

    On RHEL/Rocky/Alma:

    sudo dnf install -y openssh-server
    sudo systemctl enable --now sshd

  2. Enable TCP forwarding in sshd_config

    Edit /etc/ssh/sshd_config and ensure these options are set:

    AllowTcpForwarding yes
    # Only if you need -R to bind to a non-loopback address
    GatewayPorts yes
    # Or restrict to specific host:port pairs
    PermitOpen any
    ClientAliveInterval 30
    ClientAliveCountMax 3

    Local forwarding (-L) only requires AllowTcpForwarding yes.
    Remote forwarding (-R) that listens on external interfaces additionally needs GatewayPorts yes (or clientspecified).

  3. Restart the SSH daemon

    sudo systemctl restart ssh       # Debian/Ubuntu
    sudo systemctl restart sshd      # RHEL family

  4. Open firewall ports

    sudo ufw allow 22/tcp            # UFW
    # or
    sudo firewall-cmd --permanent --add-service=ssh
    sudo firewall-cmd --reload

    For remote (-R) forwards that bind to a non-loopback address, also open the chosen listening port on the server firewall.

  5. Create or confirm a login user

    sudo adduser tunneluser
    sudo usermod -aG sudo tunneluser   # optional

    Use this user's name and password in ZTunnel's SSH Credentials page.

  6. Test the tunnel from the command line

    Verify the server works before configuring ZTunnel:

    # Local forward: localhost:8080 on your PC -> example.com:80 via server
    ssh -L 8080:example.com:80 tunneluser@your.server.com
    
    # Remote forward: server:9000 -> 127.0.0.1:3000 on your PC
    ssh -R 9000:127.0.0.1:3000 tunneluser@your.server.com

  7. Configure ZTunnel

    1. Open SSH Credentials and enter host, port, username, password.
    2. Click Save & Reconnect.
    3. Open Port Forwards and add one or more forwards.
    4. Toggle them on/off live, or click Reconnect SSH to rebuild the session.

Security tip: Password-based SSH is convenient for tunneling but public-key auth is safer. For production systems, restrict AllowTcpForwarding per-user with Match User blocks and pin PermitOpen to the exact host:port pairs you trust.
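
A check for the settings named in the security tip, as an added example that is not part of ZTunnel or the original guide: it reads the effective per-user configuration that sshd -T prints and flags forwarding that is still unrestricted. The function names are chosen here and both sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not ZTunnel code. Audits effective sshd settings for one user.
# Real input: sudo sshd -T -C user=tunneluser,host=localhost,addr=127.0.0.1
# sshd -T prints one lowercase "keyword value" line per option, defaults included.

audit_forwarding() {
    awk '
        { key = tolower($1); $1 = ""; sub(/^ +/, ""); val[key] = $0 }
        END {
            fwd = val["allowtcpforwarding"]; gw = val["gatewayports"]
            # PermitOpen only constrains -L (local) forwards.
            if ((fwd == "yes" || fwd == "all" || fwd == "local") && val["permitopen"] == "any")
                print "WARN permitopen: -L may reach any host:port"
            # PermitListen and GatewayPorts only matter when -R is allowed.
            if (fwd == "yes" || fwd == "all" || fwd == "remote") {
                if (val["permitlisten"] == "any")
                    print "WARN permitlisten: -R may bind any port"
                if (gw == "yes" || gw == "clientspecified")
                    print "WARN gatewayports: -R listeners can bind beyond loopback"
            }
            if (val["passwordauthentication"] == "yes")
                print "WARN passwordauthentication: password logins accepted"
        }'
}

# Constructed sample: effective settings after step 2 of the guide as written.
sample_permissive() {
    printf '%s\n' 'allowtcpforwarding yes' 'gatewayports yes' \
        'permitopen any' 'permitlisten any' 'passwordauthentication yes'
}

# Constructed sample: a user restricted to one -L destination, key auth only.
sample_pinned() {
    printf '%s\n' 'allowtcpforwarding local' 'gatewayports no' \
        'permitopen example.com:80' 'permitlisten any' 'passwordauthentication no'
}

echo "== permissive =="; sample_permissive | audit_forwarding
echo "== pinned ==";     sample_pinned | audit_forwarding
```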