Advanced Host Settings
Jump hosts, port forwarding, keepalive, and other per-host options.
Overview
Each saved host in vmux can be customized beyond the basic connection fields. These advanced settings are available in the host form when you add or edit a host.
Jump Host (ProxyJump)
A jump host (also called a bastion host) is an intermediary server that vmux connects through to reach your final destination. This is common in corporate environments where servers sit behind a firewall and aren't directly reachable from the internet.
When configured, vmux first establishes an SSH connection to the jump host, then tunnels a second connection through it to the target host.
To configure a jump host, tap Add Jump Host in the host form and fill in:
| Field | Description | Default |
|---|---|---|
| Jump Host | Hostname or IP of the bastion server. | -- |
| Jump Port | SSH port on the jump host. | 22 |
| Jump Username | Your username on the jump host. | -- |
This is equivalent to ssh -J user@jumphost:port user@destination on the command line.
Port Forwarding
Port forwarding creates encrypted tunnels between your device and the remote host. vmux supports three forwarding directions, and you can add multiple rules per host.
Tap Add Port Forwarding in the host form, then tap Add Rule to create a forwarding entry.
Local Forwarding
Forwards a port on your device to a port on the remote network. Traffic sent to the local bind address is tunneled through SSH and delivered to the target host and port on the remote side.
Use case: Access a database or web service on the remote network that isn't exposed to the internet.
| Field | Description |
|---|---|
| Bind Host | Local address to listen on (default: localhost). |
| Bind Port | Local port to listen on. |
| Target Host | Destination host on the remote network (default: localhost). |
| Target Port | Destination port on the remote network. |
Equivalent to ssh -L bindHost:bindPort:targetHost:targetPort.
Remote Forwarding
Forwards a port on the remote host back to a port on your local network. Traffic sent to the remote bind address is tunneled back through SSH and delivered to the target on your side.
Use case: Expose a local development server to the remote host, or allow a remote service to call back to your device.
| Field | Description |
|---|---|
| Bind Host | Remote address to listen on (default: localhost). |
| Bind Port | Remote port to listen on. |
| Target Host | Destination host on your local network (default: localhost). |
| Target Port | Destination port on your local network. |
Equivalent to ssh -R bindHost:bindPort:targetHost:targetPort.
Dynamic Forwarding (SOCKS Proxy)
Opens a SOCKS5 proxy on your device. Applications configured to use the proxy route their traffic through the SSH tunnel to the remote host, which forwards it to the final destination.
Use case: Route web traffic through a remote server, or access multiple services on a remote network without creating individual forwarding rules for each one.
| Field | Description |
|---|---|
| Bind Host | Local address for the SOCKS proxy (default: localhost). |
| Bind Port | Local port for the SOCKS proxy. |
No target host or port is needed -- the SOCKS protocol handles destination routing dynamically. Equivalent to ssh -D bindHost:bindPort.
Managing Rules
Each rule has a Direction picker (Local, Remote, Dynamic) and a Remove button. You can add as many rules as you need per host. Rules are saved with the host profile and applied automatically on each connection.
Keepalive
SSH connections can silently drop when idle, especially through NATs, firewalls, or VPNs that close inactive connections. Enabling keepalive sends periodic packets to keep the connection alive.
| Field | Description | Default |
|---|---|---|
| Keepalive | Toggle to enable or disable keepalive packets. | Off |
| Interval | Seconds between keepalive packets (5 to 300, in steps of 5). | 60 |
If your connections frequently drop after a period of inactivity, enable keepalive and set the interval below your network's idle timeout. A value of 30-60 seconds works well for most environments.
Agent Forwarding
When enabled, SSH agent forwarding allows the remote host to use your local SSH keys for further connections. This is useful for hopping between servers or pulling from Git repositories on a remote machine without copying your keys there.
| Field | Description | Default |
|---|---|---|
| Agent Forwarding | Toggle to enable or disable agent forwarding. | Off |
Equivalent to ssh -A. Only enable this on hosts you trust, since the remote server gains the ability to use your agent's keys for the duration of the session.
Startup Command
An optional command that vmux runs automatically after the SSH connection is established and the shell is ready. The command is sent as input to the remote shell.
| Field | Description |
|---|---|
| Startup Command | Shell command to run on connect (e.g., cd ~/projects && ls). |
This is useful for navigating to a working directory, starting a tmux session, activating a virtual environment, or running any setup you'd otherwise type manually each time.
Per-Host Theme Override
By default, all terminal windows use the global color theme from Settings. You can override this on a per-host basis so that specific servers have a distinct visual appearance.
| Field | Description | Default |
|---|---|---|
| Theme Override | Select a theme from the installed theme list, or leave as "Default" to use the global theme. | Default (app theme) |
This makes it easy to visually distinguish production servers from staging, or personal hosts from work hosts, at a glance.
Themes are managed through the theme system. Any theme available globally can be selected as a per-host override.
Identity Management
vmux uses an identity system to manage authentication credentials separately from host profiles. An identity represents a single set of credentials -- a password, a Secure Enclave key, an SSH agent connection, or a companion app link.
How Identities Work
When you add a host, the Identity picker in the Authentication section lets you either create a new identity or reuse an existing one. Identities are filtered by authentication method, so you only see identities that match the currently selected method (Password, Device Key, SSH Agent, or Companion App).
- Create New Identity -- Fill in the credentials below the picker. A new identity is created and linked to the host when you save.
- Reuse Existing Identity -- Select a previously created identity from the picker. The host links to that identity and uses its stored credentials.
Sharing Identities Across Hosts
Multiple hosts can share the same identity. When you attach an existing identity to a new host:
- The credentials are not duplicated. Both hosts reference the same identity.
- Updating the identity (e.g., changing the password) affects all hosts that use it.
- Deleting a host does not delete the shared identity.
This is particularly useful for environments where many servers use the same credentials, or when you want a single Secure Enclave key to authenticate across your entire fleet.
Identity Labels
Each identity can have an optional label to help you identify it in the picker. If no label is set, vmux generates a display name based on the authentication method and context (e.g., the hostname where it was first created).