SSH

The most important thing to remember about SSH port forwarding is that specifications are read as $FROM_SPEC:$TO_SPEC. So a local port forward creates a port that the local system uses to communicate with the remote host/port specified by $TO_SPEC, while a remote port forward creates a port that the remote system uses to communicate with the local host/port specified by $TO_SPEC. (It's actually a little more complicated than this, as the $FROM_SPEC might be something like *:8888, which opens up port 8888 to all systems on the local subnet, not just localhost.

It's also possible to use SSH as a SOCKS5 proxy (with a tool like proxychains). As of OpenSSH 7.6, proxy ports can be opened up for both local and remote systems.

Forward $LOCAL_PORT from the local machine (-L), to $TARGET_HOST on $TARGET_PORT, relative to $REMOTE_HOST:

(Traffic flows from localhost:$LOCAL_PORT > $REMOTE_HOST > $TARGET_HOST:$TARGET_PORT.)

Create a tunnel from the local machine using $LOCAL_PORT as the $REMOTE_HOST:

(Traffic flows from localhost:$LOCAL_PORT > $REMOTE_HOST > the remote network, with $REMOTE_HOST acting as a SOCKS proxy for the local machine.)

Forward $REMOTE_PORT from $REMOTE_HOST (-R), to $TARGET_HOST on $TARGET_PORT, relative to the local machine:

(Traffic flows from $REMOTE_HOST:$REMOTE_PORT > local machine > $TARGET_HOST:$TARGET_PORT.)

Create a tunnel from the $REMOTE_HOST using $REMOTE_PORT as the local machine:

(Traffic flows from $REMOTE_HOST:$REMOTE_PORT > local machine > the local network, with the local machine acting as a SOCKS proxy for the $REMOTE_HOST.)

OpenSSH has come bundled with Windows since Windows 10 1803.

By default, SSH on Windows uses the full Kerberos username, $DOMAIN\$USER. This can often cause problems when interacting with non-Windows systems; the solution is to explicitly specify the username used in a given connection, either on the command line or in ~/.ssh/config.

The ssh-agent daemon is available as a service on Windows, but is disabled by default.