> For the complete documentation index, see [llms.txt](https://docs.devolutions.net/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.devolutions.net/gateway/knowledge-base/knowledge-base-articles/devolutions-gateway-tunnel-connection-type.md).

# Devolutions Gateway tunnel connection type

The ***Devolutions Gateway tunnel*** can fulfill similar needs to SSH port forwarding/SSH tunneling, but it requires nothing other than Devolutions Gateway itself. It is useful when using connections that do not have built-in support in Remote Desktop Manager through the Devolutions Gateway. The entry can be found under ***New Entry*** – ***Session*** – ***Remote Connections***.

{% hint style="info" %}
Devolutions Gateway needs to be set up in the Remote Desktop Manager workspace and then configured through [inheritance](https://docs.devolutions.net/rdm/kb/knowledge-base/inheritance/) or on the connection itself. The option is under ***Properties*** – ***Connection*** – ***VPN/SSH/Gateway*** – ***VPN/SSH/Gateway*** – ***General***.
{% endhint %}

<figure><img src="https://cdnweb.devolutions.net/docs/docs_en_kb_KB0116.png" alt=""><figcaption></figcaption></figure>

## Listeners

{% hint style="danger" %}
If the ***Listener*** is set to 0.0.0.0, it will accept connections from any source within the network. Due to the difficulty in tracking accountability, it is recommended ***NOT*** to do this for multiple security reasons.
{% endhint %}

* In almost every scenario, the listener (bind address) should be set to the loopback address (127.0.0.1) from the local machine.
* ***TCP Forward***: It is the equivalent to port forwarding.
* ***HTTP*** and ***SOCKS5*** proxies: These listeners are set up as proxies which makes it possible to use a browser other than Google Chrome. This also means they use a dynamic destination.

  <div data-gb-custom-block data-tag="hint" data-style="info" class="hint hint-info"><p>Dynamic ports can be used with all three listener types. If the value is 0, it will automatically find an available port.</p></div>

### Allow Rules

The ***HTTP*** and ***SOCKS5*** listeners will also make use of the ***Allow Rules*** to specify authorized destinations, anything not on the allow list will be denied.

***Target filters*** can be specified using IP addresses or hostnames. Both can contain wildcards. Each ***Target filter*** must explicitly specify a destination port. Leaving the default port as '0' will result in an error when attempting to save the filter.

![](https://cdnweb.devolutions.net/docs/docs_en_kb_KB0163.png)

**Examples of valid target filters:**

<table data-header-hidden><thead><tr><th width="201">Target filter</th><th>Description</th></tr></thead><tbody><tr><td><code>windjammer.net:80</code></td><td>Allows HTTP traffic to the hostname windjammer.net.</td></tr><tr><td><code>*.windjammer.net:443</code></td><td>Allows HTTPS traffic to any subdomain of windjammer.net but not to windjammer.net directly.</td></tr><tr><td><code>192.168.0.*:22</code></td><td>Allows SSH traffic to any IP address between 192.168.0.0 to 192.168.0.255.</td></tr><tr><td><code>*:3389</code></td><td>Allows RDP traffic to any endpoint reachable by the Devolutions Gateway.</td></tr></tbody></table>

You can add multiple ***Target filters*** to your entry tailored to your intended use of the tunnel. For example, you might add the same hostname several times but with different ports, like 80 and 443, to permit both HTTP and HTTPS traffic.

#### Using the Devolutions Gateway tunnel oustide of Remote Desktop Manager

Once opened, it is possible to use a ***Devolutions Gateway Tunnel*** from an applicaton that is external to Remote Desktop Manager. You could, for instance, use it with a web browser or any other application that supports the type of proxying (TCP, HTTP, or SOCKS5) that you specified in the connection.

**Example: Using the tunnel with the cURL command-line tool**

You can add your proxy endpoint along with the port specified or the one that was generated by the ***Devolutions Gateway tunnel*** entry with the -x argument.

```bash
curl -x socks5h://127.0.0.1:65535 windjammer.net
```

{% hint style="warning" %}
If you have set your target filters using hostnames, it is important to ensure that your application does not resolve the hostname before sending it to the tunnel; otherwise, the traffic will be denied. Applications typically have settings to enable or disable this behavior. For example, in the web browser Firefox, you need to enable the ***Proxy DNS when using SOCKS v5*** option in the proxy configuration panel for this scenario to function correctly.
{% endhint %}


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.devolutions.net/gateway/knowledge-base/knowledge-base-articles/devolutions-gateway-tunnel-connection-type.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.