Tunneling protocol

Because this creates a security hole, CONNECT-capable HTTP proxies commonly restrict access to the CONNECT method.
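One way such a restriction can look, as an added example that is not from the original article or from any particular proxy: a policy check that parses the CONNECT request line and only permits tunnels to an allowlisted port. The allowlist (443 only), the internal-address rule and the names `parse_connect_target` and `connect_allowed` are assumptions for illustration.

```python
import ipaddress

ALLOWED_PORTS = {443}  # assumption: only HTTPS tunnels are permitted

def parse_connect_target(request_line):
    """Return (host, port) from 'CONNECT host:port HTTP/1.x', or None if malformed."""
    parts = request_line.strip().split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/1."):
        return None
    host, sep, port = parts[1].rpartition(":")
    if not sep or not host or not (port.isascii() and port.isdigit()):
        return None
    if host.startswith("["):  # bracketed IPv6 literal such as [::1]:443
        if not host.endswith("]") or len(host) < 3:
            return None
        host = host[1:-1]
    elif ":" in host:  # unbracketed colon makes the authority ambiguous
        return None
    if not 1 <= int(port) <= 65535:
        return None
    return host.lower(), int(port)

def connect_allowed(request_line, allowed_ports=ALLOWED_PORTS):
    """Return (allowed, reason) for one CONNECT request line."""
    target = parse_connect_target(request_line)
    if target is None:
        return False, "malformed CONNECT request"
    host, port = target
    if port not in allowed_ports:
        return False, f"port {port} not allowed for CONNECT"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a hostname: a real proxy must also check the address it resolves to
    if ip is not None and (ip.is_loopback or ip.is_private or ip.is_link_local):
        return False, "internal address not allowed for CONNECT"  # assumed extra rule
    return True, "ok"

# Constructed sample request lines, not captured traffic.
SAMPLES = [
    "CONNECT example.com:443 HTTP/1.1",
    "CONNECT example.com:22 HTTP/1.1",
    "CONNECT 127.0.0.1:443 HTTP/1.1",
    "CONNECT [::1]:443 HTTP/1.1",
    "CONNECT example.com HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line!r:45} -> {connect_allowed(line)}")
```

A port allowlist alone does not stop SSH or another protocol from being run on the allowed port, so this check limits where tunnels can go rather than what they carry.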

Other tunneling methods able to bypass network firewalls make use of different protocols such as DNS,[3] MQTT,[4] and SMS.

SSH uses port 22 to encrypt payloads transmitted over a public network (such as the Internet), thereby providing VPN functionality.

Tunneling a TCP-encapsulating payload (such as PPP) over a TCP-based connection (such as SSH's port forwarding) is known as "TCP-over-TCP", and doing so can induce a dramatic loss in transmission performance, known as the TCP meltdown problem,[6][7] which is why virtual private network (VPN) software may instead use a protocol simpler than TCP for the tunnel connection.

Users may set up SSH tunnels to transfer unencrypted traffic over a network through an encrypted channel.

If one were to mount a Microsoft Windows file-system remotely through the Internet, someone snooping on the connection could see transferred files.

To mount the Windows file-system securely, one can establish an SSH tunnel that routes all SMB traffic to the remote fileserver through an encrypted channel.

Any connections to it are forwarded to the specified address and port originating from the opposing (remote or local, as previously) host.

The TCP meltdown problem is often not a problem when using OpenSSH's port forwarding, because many use cases do not entail TCP-over-TCP tunneling; the meltdown is avoided because the OpenSSH client processes the local, client-side TCP connection in order to get to the actual payload that is being sent, and then sends that payload directly through the tunnel's own TCP connection to the server side, where the OpenSSH server similarly "unwraps" the payload in order to "wrap" it up again for routing to its final destination.

SSH tunnels provide a means to bypass firewalls that prohibit certain Internet services – so long as a site allows outgoing connections.

This allows normal network management and routing to be used, and when used on routers, the traffic for an entire subnetwork can be tunneled.