Giter VIP home page Giter VIP logo

tunnel-ssh's Introduction




Tunnel-SSH Logo

History and Credits

Once upon a time this package was created to show my colleges how to create and publish a npm package. That time we used ssh tunnels on our unix machines on a daily bases, so decided to to do it with node. This was about 6 years ago, where javascript was a callback hell.

Since then this project is pretty much community driven by pull requests and suggestions.

Thank you for your support.

Special thanks goes to the following brothers in arms: Tunnel-ssh is based on the fantastic ssh2 library by Brian White.

Vlad Barboni for the initial brainstorming. derekrliang for providing the type definitions. lenchvolodymyr for the idea of the dynamic port mapping.


  • Improved Typescript support
  • sshOptions.username default is root
  • forwardOptions.dstAddr default to (all interfaces)


Tunnel-ssh v5 is designed to be very extendable and does not provide as much sematic sugar as prio versions.

The design goal was to use the original settings for each part used in the project to be able to use all possible binding features from client and server.

The configuration is separated in the following parts:

  • Tunnel server
  • TCP Server
  • SSH Client
  • SSH Forwarding

Tunnel Server Options

This configuration controls be behaviour of the tunnel server. Currently there is only one option available.


const tunnelOptions = {

autoclose - closes the Tunnel-Server once all clients disconnect from the server. Its useful for tooling or scripts that require a temporary ssh tunnel to operate. For example a mongodump.

Set this option to false will keep the server alive until you close it manually.

TCP Server options

Controls the behaviour of the tcp server on your local machine. For all possible options please refere to the official node.js documentation: ServerListenOptions


const serverOptions = {
	port: 27017

If port is omitted or is 0, the operating system will assign an arbitrary unused port, which can be retrieved by using server.address().port after the 'listening' event has been emitted.

To use the automatic assigned port in the forwardOptions make sure forwardOptions.srcPort is not defined.

SSH client options

Options to tell the ssh client how to connect to your remote machine. For all possible options please refere to the ssh2 documentation: ssh2 documentation You will find different examples there for using a privateKey, password etc..

SSH Agent additional information.

The most common settings for the agent are :

	// for linux
	// for windows
	// for windows with unix port (wsl docker


const sshOptions = {
	host: '',
	port: 22,
	username: 'frylock',
	password: 'nodejsrules'

SSH Forwarding options

Options to control the source and destination of the tunnel.


const forwardOptions = {

Note: If the srcAddr or srcPort is not defined, the adress will be taken from the local TCP server. This is usefull if you want to create a tunnel and let the OS decide what port should be used.


	const tunnelOptions = {

	const sshOptions = {
		host: '',
		port: 22,
		username: 'frylock',
		password: 'nodejsrules'

	// Here is where the magic happens...
	const serverOptions = null; // automatic assign port by OS
	// Note that the forwarding options does not define the srcAddr and srcPort here.
	// to use the server configuration. 
	const forwardOptions = {

    let [server, client] = await createTunnel(tunnelOptions, serverOptions, sshOptions, forwardOptions);
	// Example how to get the server port information.
    console.log(`server listen on ${server.address().port}`)


Tunnel-SSH exposes currently only one method: createTunnel

createTunnel(tunnelOptions, serverOptions, sshOptions, forwardOptions);


Since 5.0.9 we added our own types to the project. For Typescript we export the configuration objects as well. The recommented way of import is as follows:

import {createTunnel, ForwardOptions, ServerOptions, SshOptions} from 'tunnel-ssh';

// please note that the ForwardingOptions, ServerOptions and SshOptions are Types

The method retuns a promise containing the server and ssh-client instance. For most cases you will not need those instances. But in case you want to extend the functionallity you can use them to bind to there events like that:

createTunnel(tunnelOptions, serverOptions, sshOptions, forwardOptions).
then(([server, conn], error)=>{



For a list of all possible Events please refere to the node.js documentation for the server and the ssh2 documentation for the client.

Usage Example

The following example shows how to connect to a remote mongodb and bind it to all local interfaces.

import {createTunnel} from 'tunnel-ssh';

const port = 27017;

const tunnelOptions = {
const serverOptions = {
	port: port
const sshOptions = {
	host: '',
	port: 22,
	username: 'frylock',
	password: 'nodejsrules'
const forwardOptions = {

let [server, conn] = await createTunnel(tunnelOptions, serverOptions, sshOptions, forwardOptions);

server.on('connection', (connection) =>{
    console.log('new connection');

Too complicated ?

If you just searching for an easy way to forward a remote port to your local machine try the following:

import {createTunnel} from 'tunnel-ssh';
const sshOptions = {
	host: '',
	port: 22,
	username: 'frylock',
	password: 'nodejsrules'

function mySimpleTunnel(sshOptions, port, autoClose = true){
    let forwardOptions = {

    let tunnelOptions = {
    let serverOptions = {
        port: port

    return createTunnel(tunnelOptions, serverOptions, sshOptions, forwardOptions);

await mySimpleTunnel(sshOptions, 27017);

tunnel-ssh's People


aberbegall avatar actionshrimp avatar agebrock avatar amilajack avatar damianrivas avatar fbsender avatar gpetrov avatar haroldputman avatar is984 avatar ivarconr avatar joshbalfour avatar kinsi55 avatar kjirou avatar lambacck avatar lenchvolodymyr avatar mymyoux avatar othams avatar pedroventura avatar saller avatar vweevers avatar xylude avatar


 avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar


 avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar  avatar

tunnel-ssh's Issues

PrivateKey example is misleading.

I initially had an issue with privateKey because I naively thought I could pass a string path to a privkey, but this would throw Error: Cannot parse privateKey: Unsupported key format from inside ssh2. I ultimately got it to work by using fs and loading the file that way. It might be worth mentioning this in the examples.

(I'd happily submit a PR using this technique in conjunction with a new field like privateKeyPath or something but that would add a dependency on fs.)

Thanks for this package!

Release a new version


I'm using tunnel-ssh in a project and I found a critical issue on it, luckily the issue was already fixed however it's been a while since you don't generate a new version. Considering the commits after version 1.1.0 have breaking changes can you publish version 2.0.0 with all fixes?

In the meanwhile I will be pointing directly to your git repository (master branch).


CLOSE_WAIT connections

When I try to establish concurrent connections through the same ssh tunnel using a tunnel-ssh module in low vpn speed access, after about 10 connections, I start to receive ECONNRESET error. This error leads to many CLOSE_WAIT tcp connections (netstat) that remain blocked forever. I ran this scenario using node versions 7, 8, 10 and 11.

The error happens in outbound connections (sshConnection). Once it take place, the outbound connection receives "close" event that does not reflect the inbound connection (netConnection), that remains active. Even if I try to close the tunnel (what is not desirable, since I may have healthy connections in it) it does not emit close event, probably keeping this tunnel locked, since the server side still has established incoming connections. Checking server object is possible to verify that it has active connections (same amount in CLOSE_WAIT state).

The error that the application receives is related to the tunnel itself and does not distinguish any specific connection, so it is not possible to easily pinpoint and close the failed connections in application level. In this situation the event:

netConnection.emit('sshConnection', sshConnection, netConnection);

is not set, since sshConnection ready event never ocurred, because of the error. If this line is moved out of the "sshConnection.on ready" context, it will be possible to bind netConnection to sshConnection in this situation.

Another idea is to treat sshConnection close event, destroying netConnection associated to it. Note that by my tests netConnection.end() method is not enough to clear the connection reference in server object, only netConnection.destroy() makes it.

As a workaround I saved aside all connections received in "netConnection" event, until I receive ECONNRESET in the application. I timed out for a while to wait for tcp states to be changed, then checked /proc/net/tcp for CLOSE_WAIT connections. I compare them to the netConnections I was notified and force netConnection.destroy() to release it. Pretty ugly workaround, but it seems to be working for me.

I hope this can be helpfull to fix this problem

Thanks in advance

Channel open failure: Connection refused

I've not been able to get tunnel-ssh to work. I always get a connection refused error. I'm using node v10.15.1.

Here is the output:

Error: (SSH) Channel open failure: Connection refused at SSH2Stream.onFailure (/home/nehemiah/Local/piksie-server/node_modules/tunnel-ssh/node_modules/ssh2/lib/client.js:1186:13) at Object.onceWrapper (events.js:277:13) at SSH2Stream.emit (events.js:189:13) at parsePacket (/home/nehemiah/Local/piksie-server/node_modules/tunnel-ssh/node_modules/ssh2-streams/lib/ssh.js:3708:10) at SSH2Stream._transform (/home/nehemiah/Local/piksie-server/node_modules/tunnel-ssh/node_modules/ssh2-streams/lib/ssh.js:669:13) at SSH2Stream.Transform._read (_stream_transform.js:190:10) at SSH2Stream._read (/home/nehemiah/Local/piksie-server/node_modules/tunnel-ssh/node_modules/ssh2-streams/lib/ssh.js:251:15) at SSH2Stream.Transform._write (_stream_transform.js:178:12) at doWrite (_stream_writable.js:410:12) at writeOrBuffer (_stream_writable.js:394:5) Emitted 'error' event at: at Socket.emit (events.js:189:13) at /home/nehemiah/Local/piksie-server/node_modules/tunnel-ssh/index.js:19:31 at SSH2Stream.onFailure (/home/nehemiah/Local/piksie-server/node_modules/tunnel-ssh/node_modules/ssh2/lib/client.js:1194:5) at Object.onceWrapper (events.js:277:13) [... lines matching original stack trace ...] at SSH2Stream.Transform._write (_stream_transform.js:178:12)

When using the exact same configuration for other SSH tasks it does work. Any help would be greatly appreciated.

Shutdown Tunnel

How do you shutdown a tunnel? I'd like to be able to open a tunnel, run a mysql/mongo query, get the results, and shutdown the tunnel.

I didn't see any methods in index.js to provide such a feature, thoughts?

how to connect to mongodb server via ssh tunnel with Proxy Jump (Bastion Host)

how to connect to mongodb server via ssh tunnel with Proxy Jump (Bastion Host)

`Host host1
  Port 2222
  User xxxx
  IdentityFile ~/.ssh/cert
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null
  KeepAlive yes
  ServerAliveInterval 30
  ServerAliveCountMax 30

Host test2
  ProxyCommand  ssh.exe host1  -q -W %h:%p host1
  User ubuntu
  IdentityFile ~/.ssh/cert
  KeepAlive yes
  StrictHostKeyChecking no
  UserKnownHostsFile /dev/null
  ServerAliveInterval 30
  ServerAliveCountMax 30


I have an ssh config file like this. I have a proxy jump to host1 from test2.

var config = {
    agent : process.env.SSH_AUTH_SOCK,

var server = tunnel(config, function (error, server) {

how can I enter ProxyCommand details here?

config,sshPort not used

Trying to connect to a remote RethinkDB server on Compose gives a specific port to connect to the ssh server. In a bash command like [email protected] -p XXXXX. I thought I could use the sshPort config variable like this

uiConfig =
  privateKey: key
  username: username
  sshPort: sshPort
  host: host
  srcHost: composeConfig.ip
  srcPort: composeConfig.uiPort
  dstPort: localConfig.uiPort
  dstHost: localConfig.ip
  keepAlive: true
uiTunnel = tunnel uiConfig, (e, uiTunnel)->
  if e
    console.log 'TUNNEL ERROR >>>>', e.message
    console.log 'UI TUNNEL CONNECTED'

When the server connects I get
Error: getaddrinfo ENOTFOUND [email protected] [email protected]:22

Is this because config.sshPort is defaulting to port 22?

Unable to keep multiple connections open simultaneously

I'm trying to use this in conjunction with to connect to 2 different mysql servers on separate hosts, each via their own ssh tunnel.

However, what seems to happen is that as soon as the second connection is established, the first is dropped. I noticed the keepAlive setting, although this doesn't seem to do what I thought it would and the first connection are still dropped as soon as the second is opened.

TypeError: Object #<Object> has no method 'then'

TypeError: Object #<Object> has no method 'then'
    at Object.createTunnel [as reverseTunnel] (/Users/scriby/sourcecode/test/node_modules/tunnel-ssh/lib/reverse.js:7:45)

Line 7 of reverse.js is return cfg.setReverseDefaults(userConfig).then(function(config) {.

As far as I can tell setReverseDefaults does not return a promise, so this code errors.

how to connect to remote postgreSQL

The following is my code. None of them are working.

the Error message is

hi Server {
   [Object: null prototype] { connection: [Function], close: [Function] },
  _eventsCount: 2,
  _maxListeners: undefined,
  _connections: 0,
   TCP {
     reading: false,
     onread: null,
     onconnection: [Function: onconnection],
     [Symbol(owner)]: [Circular] },
  _usingWorkers: false,
  _workers: [],
  _unref: false,
  allowHalfOpen: false,
  pauseOnConnect: false,
  _connectionKey: '4:',
  [Symbol(asyncId)]: 13 }

{ Error: connect ETIMEDOUT
    at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1083:14)
  errno: 'ETIMEDOUT',
  code: 'ETIMEDOUT',
  syscall: 'connect',
  address: '',
  port: 5432 }

const fs = require('fs');
const pg = require('pg');
const Pool = pg.Pool;
const path = require('path');

 * Load CONFIG to global
const CONFIG = {}

let pool, tnl; 
    const tunnel = require('tunnel-ssh');

    const sshConfig = {
        username: CONFIG.remote.user,
        port: CONFIG.remote.port,
        privateKey: fs.readFileSync(path.join(__dirname, `/.ssh/${CONFIG.remote.privateKey}`)),
        keepaliveInterval: 60000,
        keepAlive: true,
        dstPort: CONFIG.db.port,
        localPort: 54000,


    tnl = tunnel(sshConfig, async function(error, server) {
            throw Error("SSH connection error: " + error);

        console.log('hi', server);

      // Method 1:
        const connectionString = `postgres://friend:E@[email protected]/stellar_federation`;

        const client = new pg.Client(connectionString);

        client.query( 'SELECT * FROM users ORDER BY id ASC')
        .then(query => {
            query.on('end', () => { client.end(); });

       // Method2:
        pool = new Pool({
            port: CONFIG.db.port,
            user: CONFIG.db.user,
            password: CONFIG.db.password,
            database: CONFIG.db.database,
        pool.query('SELECT * FROM users ORDER BY id ASC')
        .then( results => {
            if (error) {
                throw error
            console.log("\n PostgreSQL is connected! \n", results);

module.exports = pool;

Syntax changed?

Before a few weeks ago, I used tunnel.tunnel to map remote port to localhost. However, now the docs suggest to do just tunnel. However, when I just do tunnel instead of tunnel.tunnel, it gives me this error:

tunnel(config, function(e, sshTunnel) {

TypeError: tunnel is not a function

However, when I use tunnel.tunnel instead, it doesn't give a syntax error -- but, the callback in the function is not called at all.

I'm using version 3.2.1-beta. Is this a version issue?

Encrypted private key detected, but no passphrase given

var sshTunnel = this.tunnel({
        host: 'xxxx',
        sshPort: 22,
        dstPort: 3305,
        username: 'xxxx',
        privateKey: require('fs').readFileSync('/Users/alex/.ssh/id_rsa'),
        keepAlive: true
}, function(error, result) {

        console.log('Connected to SSH mysql tunnel', result);

Throws Error: Encrypted private key detected, but no passphrase given

Debug version

I think debug dependency should be updated again, if you check using nsp will give an vulnerability error, because unfortunately you've chose a low level risk version

> nsp check

remote:        (+) 1 vulnerabilities found        
remote:        ┌───────────────┬─────────────────────────────────────────────────────────────────┐        
remote:        │               │ Regular Expression Denial of Service                            │        
remote:        ├───────────────┼─────────────────────────────────────────────────────────────────┤        
remote:        │ Name          │ debug                                                           │        
remote:        ├───────────────┼─────────────────────────────────────────────────────────────────┤        
remote:        │ CVSS          │ 3.7 (Low)                                                       │        
remote:        ├───────────────┼─────────────────────────────────────────────────────────────────┤        
remote:        │ Installed     │ 2.6.0                                                           │        
remote:        ├───────────────┼─────────────────────────────────────────────────────────────────┤        
remote:        │ Vulnerable    │ <= 2.6.8 || >= 3.0.0 <= 3.0.1                                   │        
remote:        ├───────────────┼─────────────────────────────────────────────────────────────────┤        
remote:        │ Patched       │ >= 2.6.9 < 3.0.0 || >= 3.1.0                                    │        
remote:        ├───────────────┼─────────────────────────────────────────────────────────────────┤        
remote:        │ Path          │ [email protected] > [email protected] > [email protected] … │        
remote:        ├───────────────┼─────────────────────────────────────────────────────────────────┤        
remote:        │ More Info     │                          │        
remote:        └───────────────┴─────────────────────────────────────────────────────────────────┘


can I do a tunnel reverse?

Error not captured inside the function callback

When passing the incorrect private key file, the error thrown("Error: All configured authentication methods failed") is not captured inside the function callback. But able to capture it as part of "error" event outside callback.

let tunnelsshConfig = {
username: sshUserName,
host: sshHostName,
port: 22,
dstHost: '',
dstPort: 27017,
localHost: '',
localPort: xxxx8,
privateKey: privateKeyFile

tunnel(tunnelsshConfig, function(sshError, mongoServer) {
if (sshError) {
dbConnectStatus = "false";
} else {
console.log("Successful Connection");
// Successful Code

How to know that connection was established successfully?


Right now I run this scenario:

  1. Start connection with the wrong password
  2. Callback called error=null
  3. After some time (2 - 3 seconds) error event received

So, I need to start a timeout (it can be more than 3 seconds) to wait for a proper connection status.

My application wants to know a connection status (success/error) as soon as possible. What is the solution?

migration from v2 to v3

Please, we need help to how use the new version 3 because the API is changed without notice.

var tunnel = require('tunnel-ssh');
var config = {

tunnel(config, function(e, sshTunnel){
    //Now, you should be able to connect to the tunnel via localhost:3336.

This code is now:

var tunnel = require('tunnel-ssh');
var config = {

tunnel.tunnel(config, function(e, sshTunnel){
    //Now, you should be able to connect to the tunnel via localhost:3336.

Error when trying to connect with 4096 bit rsa key

Hi I'm trying to connect using your sample code. But I'm using a 4096 bit rsa key (openssh) and I'm getting the following error -

Error: Cannot parse privateKey: Unsupported key format

Error: Cannot parse privateKey: Unsupported key format at Client.connect (~/sshtunnel/node_modules/ssh2/lib/client.js:146:13) at start (~/sshtunnel/node_modules/tunnel-ssh/lib/tunnel.js:36:14) at Client.client.createStream (~/sshtunnel/node_modules/tunnel-ssh/lib/tunnel.js:64:12) at Server.<anonymous> (~/sshtunnel/node_modules/tunnel-ssh/lib/tunnel.js:148:12) at Server.g (events.js:260:16) at emitNone (events.js:67:13) at Server.emit (events.js:166:7) at emitListeningNT (net.js:1260:10) at doNTCallback1 (node.js:430:9) at process._tickCallback (node.js:352:17) at Function.Module.runMain (module.js:469:11) at startup (node.js:136:18) at node.js:963:3

Thanks in advance for your help.

how to connect to remote mysql

Sorry to trouble you .

Usually , I login in my reomte machine with ssh test , and do some job with mysql .But now I want to do this job in my local machine . I try to make it work , but I have trouble .

My ssh config is

Host test
    User test
    Port 12528
    IdentityFile ~/.ssh/id_rsa

My remote mysql config is

    host: 'localhost',
    user: 'db_test',
    password: 'db_password',
    database: 'db_name',

And all my code is here

var tunnel = require('tunnel-ssh');
var  mysql = require('mysql');
  var server = tunnel({
      host: '',
      dstPort: 12528
    }, function (error, result) {
      if(error) {
        return console.log(error)
      // This is ok ,  

       // this is not work
      var connection = new mysql.createConnection({
        host: 'localhost',
        database: "db_name",
        user: "db_test",
        password: "db_password"

      var sql = "select count(*) as total from accounts  ";

      connection.query(sql, function(err, rows, fields) {
        if (err) {
            return ;

I can connect with my ssh machine ,but i can't connect with mysql . What the problem is ?

The error is like below , when i changed mysql host from localhost to

{ [Error: connect ETIMEDOUT]
  errorno: 'ETIMEDOUT',
  code: 'ETIMEDOUT',
  syscall: 'connect',
  fatal: true }

or below , when the host is localhost

[Error: ER_ACCESS_DENIED_ERROR: Access denied for user 'db_test'@'localhost' (using password: YES)]
  errno: 1045,
  sqlState: '28000',
  fatal: true }

Hope you can help me . Thanks a lot .

Working with spawnSync / execSync?

I'm trying to set up a tunel for another program I'm invoking via spawSync from child_process. I can get the tunnel to work correctly for node commands; however, poking around with strace and lsof, it looks like the node process never even opens the remote connection in this situation (it is listening on the local socket, and the program I'm invoking does seem to connect to it, but then gets stuck in what I think is the SSL handshake. The last lines of output before it hangs are:

setsockopt(4, SOL_TCP, TCP_NODELAY, [1], 4) = 0
fcntl(4, F_SETFD, FD_CLOEXEC)           = 0
setsockopt(4, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0
connect(4, {sa_family=AF_INET, sin_port=htons(61578), sin_addr=inet_addr("")}, 16) = -1 EINPROGRESS (Operation now in progress)
poll([{fd=4, events=POLLOUT|POLLERR}], 1, -1) = 1 ([{fd=4, revents=POLLOUT}])
getsockopt(4, SOL_SOCKET, SO_ERROR, [0], [4]) = 0
getsockname(4, {sa_family=AF_INET, sin_port=htons(34016), sin_addr=inet_addr("")}, [16]) = 0
poll([{fd=4, events=POLLOUT|POLLERR}], 1, -1) = 1 ([{fd=4, revents=POLLOUT}])
sendto(4, "\0\0\0\10\4\322\26/", 8, MSG_NOSIGNAL, NULL, 0) = 8
poll([{fd=4, events=POLLIN|POLLERR}], 1, -1

Any ideas what might be up? Or how to work around it?

Error: All configured authentication methods failed

Calling mongoose.connect inside of tunnel callback seems to be causing authentication errors. If i remove mongoose.connect no error are displayed.

I have also tried to use monk instead of mongoose but the same error pops up when monk('user:pass@localhost:port/mydb') is called

const tunnel_config = {
	host: 'XX.XXX.XXX.XXX',
	dstHost: '',
	port: 22,
	localPort: 27017,
	dstPort: 27017,
	localHost: ''

const mongoInfo = {
    user: 'XXXX',
    pass: 'XXXXX',
    port: 27017,
    uri: '',
    db: 'XXX'

const db_info = `${mongoInfo.user}:${mongoInfo.pass}@${mongoInfo.uri}:${mongoInfo.port}/${mongoInfo.db}`;

let connection = tunnel(tunnel_config, function (error, connection) {
        console.log("SSH connection error: " + error);
    mongoose.connect('mongodb://user:[email protected]:27017/XXX'); //this here seems to be causing the error
   monk('user:pass@localhost:port/mydb')  // causes same error
{ Error: All configured authentication methods failed
    at tryNextAuth (/Users/ivan/Workspace/Bitbucket/p-004-analysis/step_01/node_modules/ssh2/lib/client.js:376:17)
    at SSH2Stream.onUSERAUTH_FAILURE (/Users/ivan/Workspace/Bitbucket/p-004-analysis/step_01/node_modules/ssh2/lib/client.js:587:5)
    at SSH2Stream.emit (events.js:160:13)
    at parsePacket (/Users/ivan/Workspace/Bitbucket/p-004-analysis/step_01/node_modules/ssh2-streams/lib/ssh.js:3929:10)
    at SSH2Stream._transform (/Users/ivan/Workspace/Bitbucket/p-004-analysis/step_01/node_modules/ssh2-streams/lib/ssh.js:669:13)
    at SSH2Stream.Transform._read (_stream_transform.js:185:10)
    at SSH2Stream._read (/Users/ivan/Workspace/Bitbucket/p-004-analysis/step_01/node_modules/ssh2-streams/lib/ssh.js:251:15)
    at SSH2Stream.Transform._write (_stream_transform.js:173:12)
    at doWrite (_stream_writable.js:407:12)
    at writeOrBuffer (_stream_writable.js:393:5)
    at SSH2Stream.Writable.write (_stream_writable.js:290:11)
    at Socket.ondata (_stream_readable.js:646:20)
    at Socket.emit (events.js:160:13)
    at addChunk (_stream_readable.js:269:12)
    at readableAddChunk (_stream_readable.js:256:11)
    at Socket.Readable.push (_stream_readable.js:213:10) level: 'client-authentication' }

Typo in


Thank you for this, this is awesome.

Two minor things:

  • In, an example sshConfig is given with a property called passphrase. That should be password to work properly.
  • And from NPM there is no direct link to this Git-repo, that would be nice too!

problems with mongodump

I'm not able to dump through a tunnel to a mongodb server...

This works:
ssh -L 27018:localhost:27017 localhost -N
mongodump --port=27018

This not:

const tunnel = require('tunnel-ssh');
const config = {
  username: 'usr',
  password: 'pwd',
  host: 'localhost',
  port: 22,
  dstHost: 'localhost',
  dstPort: 27017,
  localPort: 27016
tunnel(config, (err, tnl) => {

mongodump --port=27016

My actual more real use case works not on localhost but something like this:
equivalent ssh command for tunnel: ssh -L 44041:remotemongoserver:44147 user@remotesshserver -p 2222 -N
mongodump command: mongodump --host=localhost --port=44041 --username=dbuser --password=dbpassword --db=mydb --out=/Users/adrai/Projects/my-backuper/backups && mv /Users/adrai/Projects/my-backuper/backups/mydb /Users/adrai/Projects/my-backuper/backups/app-readmodel
And this works like you expect with ssh cli.

Do I miss something?

Not working with Node 10.8.0


I have encountered an issue when using our package with node 10.8.0. I got this error:

D:\Code\Node JS\braces-easy-way\node_modules\ssh-tunnel\node_modules\require-dir\index.js:93
            if (!require.extensions.hasOwnProperty(ext)) {

TypeError: require.extensions.hasOwnProperty is not a function
    at requireDir (D:\Code\Node JS\braces-easy-way\node_modules\require-dir\index.js:93:37)
    at new App (D:\Code\Node JS\braces-easy-way\node_modules\ssh-tunnel\lib\app.js:38:19)
    at Object.<anonymous> (D:\Code\Node JS\braces-easy-way\node_modules\ssh-tunnel\lib\app.js:26:28)
    at Module._compile (internal/modules/cjs/loader.js:689:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:700:10)
    at Module.load (internal/modules/cjs/loader.js:599:32)
    at tryModuleLoad (internal/modules/cjs/loader.js:538:12)
    at Function.Module._load (internal/modules/cjs/loader.js:530:3)
    at Module.require (internal/modules/cjs/loader.js:637:17)
    at require (internal/modules/cjs/helpers.js:20:18)

I did research a lot, but couldn't solve this problem.
So anyone has any solutions?
Thank you guys for helping and creating a wonderful package.

The reverse tunnel does not return the connection object

I am trying to capture the ready event from the connection but the function tunnel.reverse() always return undefined.

var conn = tunnel.reverse({
  host: host,
  username: 'root',
  dstHost: '', // bind to all interfaces (see hint in the readme)
  dstPort: dstPort,
  //localHost: '', // default
  //localPort: localPort
}, function(error, clientConnection) {

//This fails since conn is undefined
conn.on('ready', function(){

Two ports for ssh tunnel

Hi all,
I am trying to make two configs so that I could use Neo4j database. However, I don't know whether I can do that or not, here is my code:

const neo4j = require('neo4j-driver').v1;
const sshTunnel = require('tunnel-ssh');
const path = require('path');
const fs = require('fs')

const directoryPath = path.join(__dirname, '../my-private-key');

const configA = {
    host: 'my-ssh-host',
    port: 22,

    username: 'my-ssh-userName',
    privateKey: fs.readFileSync(directoryPath),
    passphrase: 'my-passphrase',

    dstHost: 'my-ssh-host',
    dstPort: 7474,

    localHost: 'localhost',
    localPort: 7474,

    keepAlive: true

// console.log(fs.readFileSync(directoryPath))

const configB = {
    host: 'my-ssh-host',
    port: 22,

    username: 'my-ssh-userName',
    privateKey: fs.readFileSync(directoryPath),
    passphrase: 'my-passphrase',

    dstHost: 'my-ssh-host',
    dstPort: 7687,

    localHost: 'localhost',
    localPort: 7687,

    keepAlive: true

const serverPortA = sshTunnel(configA, async  (error, server) => {
    if (error) {
    } else {
        // console.log(server)

const serverPortB = sshTunnel(configB, async  (error, server) => {
    if (error) {
    } else {
        // console.log(server)

exports.Neo4jTest = async (nodes) => {
    const driver = neo4j.driver("bolt://localhost", neo4j.auth.basic("userName", "password"));
    const session = driver.session();
    console.log(2) => {
                'CREATE (a:MOVIE {name: $name, level: $level}) RETURN a',
                    level: node.level
            .then(result => {

                const singleRecord = result.records[0];
                const node = singleRecord.get(0);

                // on application exit:
            .catch(err => {


It was response nothing when I call the method Neo4jTest(). I don't know whether I can use sshTunnel object to make two ports as tunnel

How do you create an SSH tunnel from localhost to a particular server?

We have a few attributes available in the config that are not clearly diffentiated:


How do I connect my localhost (
to a remote server (, username: foo, password: bar)
with a MySQL instance (mysql user: foo, mysql pass: bar, mysql db: my_db, mysql port: 2222)?

In command line, I can do: ssh -L 2222:localhost:2222 [email protected], and then enter my password. Then in NodeJS, I would just connect to MySQL on port 2222 since it is tunneled.

Suggested improvements

I have a couple of suggestions:

  • avoid tunnel() altering (adding) the config properties (i have noticed that that in some cases). This might create regression issues for those who are relying on this undocumented functionality.
  • instead, what about adding a config property/method to the Server object returned by tunnel(), so the original config params can be retrieved from the tunnel itself?

published npm version is out of date

The version published on npm is out of date with master. For example this fix is currently not available on the npm package - 76379ea

Can you please publish a new version?


"user" vs "username" config option in

Hi, there are a couple of typos in the examples. The user config option should be username, ie:

Under "Config example":

    var config = {

and under "Sugar configuration":

    var config = {

If you pass the user config option and not the username config option, the following is used by tunnel-ssh instead:

username: env.TUNNELSSH_USER || env.USER || env.USERNAME,

Which obviously may lead to authentication failures.


Cannot read property 'localPort' of undefined

In trying to connect to a remote server, I have config that looks like this:

var server = tunnel({
    remoteHost: '',
    remotePort: 3306,
    localPort: 33333,
    verbose: true,
    sshConfig: {
        host: 'REMOTE-IP',
        username: 'USER',
        port: 22,
        privateKey: require('fs').readFileSync('/key/to/id_rsa'),

Every time I attempt to connect, it gives me the error Cannot read property 'localPort' of undefined.

What am I doing wrong here?

Error after connection but not caught be .on('error')


I am getting an error after a connection is successfully connected. I am pretty sure the host is closing the connection, which is fine, but the error is not being caught in the .on error.

tunnel(config, function(){
   // I get here
}).on('error', function(error){
  // I dont get here

This is what I get as output when the app crashed:

      throw er; // Unhandled 'error' event

Error: read ECONNRESET
    at exports._errnoException (util.js:874:11)
    at TCP.onread (net.js:544:26)

Question: Equivalent plink command in js

Currently I am using these two modules

In order to open a web socket connection with a remote VNC server (port 5900). To achieve that currently I use plink to create a ssh tunnel to a remote VNC server and redirect the remote port 5900 over ssh tunnel.

This is the plink command I execute:

plink.exe -L 3333:localhost:5900 -i key.ppk user@remotehost -pw passphrase

And I would like to integrate that plink functionality into the websockify script.

Would that be possible with tunnel-ssh?
Thanks in advance :)

"passphrase" instead of "password" in RSA Example config

when using an encrypted private key following Error is thrown when using the example config from readme
throw new Error('Encrypted private key detected, but no passphrase given');

The readme suggests using "password" in the config, though "passphrase" is the correct key.

forwardOut() fails with Connection refused error with some remote hosts

When I try to forward a local port to a remote host with this module and some hosts refuse to connect and I get the following error (DEBUG):

   Error: (SSH) Channel open failure: Connection refused
       at SSH2Stream.onFailure (c:\vncclient\node_modules\ssh2\lib\client.js:1186:13)
       at Object.onceWrapper (events.js:315:30)
       at emitOne (events.js:116:13)
       at SSH2Stream.emit (events.js:211:7)
       at parsePacket (c:\vncclient\node_modules\ssh2-streams\lib\ssh.js:3708:10)
       at SSH2Stream._transform (c:\vncclient\node_modules\ssh2-streams\lib\ssh.js:669:13)
       at SSH2Stream.Transform._read (_stream_transform.js:186:10)
       at SSH2Stream._read (c:\vncclient\node_modules\ssh2-streams\lib\ssh.js:251:15)
       at SSH2Stream.Transform._write (_stream_transform.js:174:12)
       at doWrite (_stream_writable.js:387:12) +0ms

the 'ready' event is hit but then the forwardOut() fails and therefore the sshstream cannot be piped to the connection.

This is my implementation I provide the configuration and wait for the 'listening' event and then create a new connection to the tunnel.

   const config = {
        username: 'myuser',
        privateKey: fs.readFileSync('file.ppk'),
        passphrase: 'mypasphrase',
        host: target_host,
        dstPort: 5900,
        localPort: 0,
        localHost: 'localhost',
        readyTimeout: 99999,
        srcHost: 'localhost',
        port: 22,
    sshtunnel = tunnel(config, function (error, server) {
        if (error) {console.log('error');
    sshtunnel.on('listening', function () { 
        net.createConnection(sshtunnel.address().port, sshtunnel.address().address, function () {

The above code works with some hosts but others Refuse, and all host are identical. I already spent 3 full days on this issue.

This is the complete debug output from tunnel-ssh:

  tunnel-ssh sshConnection:ready +224ms
Error found on ssh tunnel: { Error: (SSH) Channel open failure: Connection refused
    at SSH2Stream.onFailure (c:\vncclient\node_modules\ssh2\lib\client.js:1186:13)
    at Object.onceWrapper (events.js:315:30)
    at emitOne (events.js:116:13)
    at SSH2Stream.emit (events.js:211:7)
    at parsePacket (c:\vncclient\node_modules\ssh2-streams\lib\ssh.js:3708:10)
    at SSH2Stream._transform (c:\vncclient\node_modules\ssh2-streams\lib\ssh.js:669:13)
    at SSH2Stream.Transform._read (_stream_transform.js:186:10)
    at SSH2Stream._read (c:\vncclient\node_modules\ssh2-streams\lib\ssh.js:251:15)
    at SSH2Stream.Transform._write (_stream_transform.js:174:12)
    at doWrite (_stream_writable.js:387:12) reason: 'CONNECT_FAILED', lang: '' }
  tunnel-ssh Destination port: { Error: (SSH) Channel open failure: Connection refused
    at SSH2Stream.onFailure (c:\vncclient\node_modules\ssh2\lib\client.js:1186:13)
    at Object.onceWrapper (events.js:315:30)
    at emitOne (events.js:116:13)
    at SSH2Stream.emit (events.js:211:7)
    at parsePacket (c:\vncclient\node_modules\ssh2-streams\lib\ssh.js:3708:10)
    at SSH2Stream._transform (c:\vncclient\node_modules\ssh2-streams\lib\ssh.js:669:13)
    at SSH2Stream.Transform._read (_stream_transform.js:186:10)
    at SSH2Stream._read (c:\vncclient\node_modules\ssh2-streams\lib\ssh.js:251:15)
    at SSH2Stream.Transform._write (_stream_transform.js:174:12)
    at doWrite (_stream_writable.js:387:12) reason: 'CONNECT_FAILED', lang: '' } +6ms 

I'm running on a windows server 2012 with Node.js version 8.9.0 and the remote hosts are Linux 2.6.15.

keepAlive does not seem to work

I'm setting keepAlive: true and connecting to the server. After a successful connection, I turn off my Wifi, so tunnel throws an error. Then I turn on the Wifi and expecting my code to reconnect, but nothing happens. The listening port created on localhost by tunnel is kept open though.

Here is my code:

require! 'tunnel-ssh': tunnel

config =
    username: \mysshuser
    host: \
    port: 1234 
    keep-alive: yes
    dst-host: \localhost
    dst-port: 5589

t = tunnel config, (err, server) ->
    if err
        console.error "Something went wrong while opening tunnel: ", err
        console.log "Tunnel succeeded"

t.on \error, (err) ->
    console.error "something went wrong"

# my application code goes here

Why doesn't keepAlive keeps the connection alive after a network failure?

Apparent tunnel() callback inconsistency

Samples in documentation define callback as:

var server = tunnel({host: '', dstPort: 3306}, function (error, result) {

but tunnel() code calls the callback as (result, error):

  try {
    var config = createConfig(configArgs);
  } catch ( e ) {
    if (callback) {
      callback(null, e);
    } else {

How do you close the tunnel?

The example in index.js doesn't work for me.

    server.on('sshStream', function (sshStream, sshConnection, netConnection, server) {

      sshStream.on('close', function () {
        console.log('TCP :: CLOSED');

Question: Local Machine (A) -> SSH to Remote Server (B) -> API Request to Another Server (C)

Is this possible with tunnel-ssh?

I've done similar things with proxies, but was hoping to do something completely in code for development and testing.

Here is my question on Stack Overflow

I basically want to run a node script on my local machine (a) that will connect to a remote server (b) and then make api requests to another server (c) as if they came from (b).

Thanks! and sorry for polluting your issue board with this question.

Add a LICENSE file to this repository

I would like to ask you to please add the licence of your choice for tunnel-ssh.

As I can see in NPM states MIT (same as ssh):

but it's not clearly indicated in this repository.

Why is this important for us?
We need to ensure that we are able to use this tool and the lack of LICENCE can lead to legal confusion besides that we need the copyright notice included in the LICENCE.

Sorry to be picky with this request but is really important for us.
P.S: adding-a-license-to-a-repository

Thank you

callback on close()?

Shouldn't server.close() take a callback when all of the connections have been shut down? I notice that you call end() on the underlying connections, but if they return false, don't wait for continue.

This may be the source of errors in a test suite I have, which is getting sporadic hanging and/or errors when it opens and closes many connections. Also, I will be deploying to aws lambda, and do want to know if I really have a crisp shutdown without any data lost, without having to linger if connection is already closed.

Error: Cannot parse privateKey: Unsupported key format

When I load the "privatekey" and establish a connection I get the following error message:
Error: Cannot parse privateKey: Unsupported key format

I load the "privatekey" as follows:
privateKey: require('fs').readFileSync('/root/.ssh/id_rsa', { encoding: 'utf8' }).trim()

The private key begins with:

Is this a Bug or what I make false?



I've applied code to a MEAN.JS stack app which goes like this:

var config = {
    agent : process.env.SSH_AUTH_SOCK,

var server = tunnel(config, function (error, server) {
        console.log("SSH connection error: " + error);

    var db = mongoose.connection;
    db.on('error', console.error.bind(console, 'DB connection error:'));
    db.once('open', function() {
        // we're connected!
        console.log("DB connection successful");
	// Init the express application
	var app = require('./config/express')(db);
	// Start the app by listening on <port>
	// Expose app
	exports = module.exports = app;

MEAN.JS application started on port 22

Securely using https protocol

throw er; // Unhandled 'error' event

Error: read ECONNRESET
at exports._errnoException (util.js:907:11)
at TCP.onread (net.js:558:26)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.