Console9

How to run Rsync through SSH tunnel

Transfer files with Rsync over an SSH tunnel, including custom port configuration, key-based authentication, and SSH options for remote sync.

Transfer files securely between a local and remote server using Rsync over an encrypted SSH connection, with options for custom ports and SSH key authentication.

Prerequisites

  • Rsync installed on both the local and remote machines. See How to Install Rsync.
  • SSH access to the remote server with valid credentials (password or SSH key).
  • The SSH server (sshd) running on the remote machine.
  • Port 22 (or the configured SSH port) open in the remote server's firewall.

Step-by-Step: Run Rsync Through SSH Tunnel

  1. Push a local directory to a remote serverusing Rsync over SSH. Rsync uses SSH as the default remote shell, so the -e ssh flag is optional for standard port 22 connections.

    rsync -avz /home/user/src/ user@203.0.113.10:/home/user/dest/

    Rsync connects to the remote server via SSH on port 22, authenticates with the provided user credentials, and transfers only the changed bytes. The -avz flags enable archive mode, verbose output, and compression.

  2. Pull a remote directory to the local machineby reversing the source and destination arguments.

    rsync -avz user@203.0.113.10:/home/user/src/ /home/user/dest/

    Rsync downloads the remote directory contents to the local destination over the SSH tunnel.

  3. Specify a non-standard SSH portusing the -e flag. Replace 2222 with the actual SSH port configured on the remote server.

    rsync -avz -e "ssh -p 2222" /home/user/src/ user@203.0.113.10:/home/user/dest/

    Rsync passes the -p 2222 option to SSH, which connects on the specified port instead of the default port 22.

  4. Use SSH key-based authenticationby specifying the private key file in the -e flag. Rsync passes the identity file to SSH for passwordless authentication.

    rsync -avz -e "ssh -i /home/user/.ssh/id_rsa" /home/user/src/ user@203.0.113.10:/home/user/dest/

    Rsync authenticates using the specified SSH private key instead of prompting for a password.

  5. Combine SSH optionsfor a custom port and a specific SSH key in a single command.

    rsync -avz -e "ssh -p 2222 -i /home/user/.ssh/id_rsa" /home/user/src/ user@203.0.113.10:/home/user/dest/

How to Verify the SSH Tunnel Transfer

Rsync prints the list of transferred files and a summary showing bytes sent and received. Verify the remote destination by connecting over SSH and listing the directory contents.

ssh user@203.0.113.10 "ls -la /home/user/dest/"

Compare the source and destination using Rsync's dry-run mode. Rsync outputs nothing when both sides are identical.

rsync -avn /home/user/src/ user@203.0.113.10:/home/user/dest/

Common Issues When Running Rsync Through SSH

Rsync fails with "Connection refused" when the SSH server is not running on the remote machine or the SSH port is blocked by a firewall. Verify that sshd is running with systemctl status sshd and that the firewall allows the SSH port.

Rsync fails with "Permission denied (publickey)" when SSH key authentication fails. Verify that the public key exists in ~/.ssh/authorized_keys on the remote server and that the private key file has 600 permissions.

Rsync hangs or times out during large transfers over SSH. Add SSH keepalive options to prevent idle connection timeouts: -e "ssh -o ServerAliveInterval=60 -o ServerAliveCountMax=3". See Rsync transfer hangsfor detailed fixes.

Rsync produces "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!" when the remote server's SSH host key has changed. Remove the old key with ssh-keygen -R 203.0.113.10 and reconnect.

© 2026 - Console9