Child pages
  • PuttyX11forwarding
Skip to end of metadata
Go to start of metadata

Setting up X11 tunneling in PuTTY

Courtesy of

What is PuTTY?

PuTTY is a free terminal program primarily developed by Simon Tatham. It supports both telnet and SSH (protocols 1 and 2), and it also supports the use of SSH keys (RSA and DSA) for authentication. There are several tools that work together with PuTTY, for instance:


PuTTY also supports tunneling of connections. Most applications send data in clear text when communicating with other machines. This means that any machine along the transmission path can see the data. Tunnels work by sending your data through an encrypted channel, effectively making it extremely hard for eavesdroppers to spy on you.

X11 tunnels

X11 tunnels are similar to regular tunnels, somewhat contrary to popular belief. The only difference is that when you ssh into a remote machine, ssh sets up the DISPLAY environment variable so it points back to the machine you are sitting at. It also works if you ssh from a remote host to another remote host, but the connection speed is, of course, reduced every time.

Please note that I may use the terms "X11 forwarding" and "X11 tunneling" equivalently.

There are at least two advantages when using X11 tunnels:

  • All X11 applications will be directed back to your local system's X display even if you ssh on to several other systems.
  • Most important, the X11 traffic is encrypted on the network from the remote host to localhost.

If you understand the possible consequences of having your passwords sniffed and care about security, you will want to use this option. If you do not, go away.

Setting up X11 tunneling

First of all make sure that you have a recent version of PuTTY which supports X11 tunneling.
It is now time to bring up PuTTY, so do so! Select the category "Connection/SSH/Tunnels". Check the "Enable X11 forwarding" box and fill out the text field below with the address of your X11 server. The format is either "IP address:display" or "host name:display". You will most likely be using display 0 (zero), but you will probably know if not. If your X11 server is not running on the local computer, you must be able to trust the network between your local machine and your X11 server. If your X11 server runs on the same computer as PuTTY, put "" in the text box.

Default settings

You should now set up the default settings. This includes protocol (Session), preferred SSH protocol (Connection/SSH), encryption cipher selection order (Connection/SSH), compression (Connection/SSH), auto-login user name (Connection) and private key file (for RSA/DSA SSH key authentication, Connection/Auth). I recommend using SSH protocol version 2 only as certain implementations of protocol 1 are flawed. I also recommend the use of SSH keys. I recommend the following cipher selection order:

  1. Blowfish
  2. – warn below here –
  3. 3DES
  4. DES
  5. AES

Blowfish is unpatented, unlicensed and at the time of writing (20021204), no one has announced an attack against it when using 16 rounds (PuTTY uses 16 rounds as far as I can tell by looking in sshblowf.c).

X11 Security

Next, it is time to set up X-Win32. I assume that you run X-Win32 on the same computer as you run PuTTY on. In the configuration click "Security". We want to add an IP address therefore click "Add..". Type "" to explicitly allow access from the computer running the X server and then "OK" to confirm your input. Close the configuration window with a click on "OK", and you are done.

Testing X11 tunneling

This is rather simple. Connect to a server and fire up an X11 application. xclock is usually a good choice as it is simple and fast. You can also check the the DISPLAY environment variable and see if it contains "localhost:1.0", "" or similar value. If there are many people using X11 tunneling on the server, the last part, ":1.0", can vary (it will usually have a higher value).


The easiest fix for when connections simply stop working (and they used to work!) is to simply stop and restart your X11 server (eg: cygwin or Xming). For good measure, restart your workstation completely.

If you have followed the guidelines presented here and still are not able to make it work, it might not be entirely your fault. As the ability to tunnel stuff through eg. a firewall presents a potential security risk, your systems administrator might administratively reject this functionality. You can determine this by looking in PuTTY's event log (right click in the title bar).

You should look for a line saying "Requesting X11 forwarding" after logging in. If you cannot find this line, PuTTY has not asked for X11 tunneling. If the line is there and is immediately followed by another line saying "X11 forwarding refused", your administrator has disabled this option.

If X11 tunneling is requested and not refused by the server, it is hard to tell what the problem is. Consult the server logs and search for any warnings and similar abnormal messages concerning your session.