How to speed up X11 forwarding in SSH

Last updated on October 23, 2020 by Dan Nanni

When you are running X applications over SSH, the encryption/decryption overhead of the SSH protocol may slow down the rendering of remotely running X applications. Furthermore, if an SSH session is established over a wide area network, X11 forwarding over SSH may become even slower due to network latency and throughput limitation.

In this tutorial, I will describe some tips on how to speed up X11 forwarding in SSH over wide area networks.

There are two ways to boost the performance of X11 forwarding via SSH.

Method One

First, you can use the compression option of OpenSSH client. With -C option, OpenSSH client will compress all data exchanged over SSH, including stdin, stdout, stderr and forwarded X11 sessions.

You can also consider using less computation-heavy ciphers in SSH, so that less time is spent during encryption/decryption. The default AES cipher used by OpenSSH is known to be slow.

An independent study shows that arcfour and blowfish ciphers are faster than AES, as shown below. According to SSH man page, blowfish is a fast block cipher which is also very secure. Meanwhile, arcfour stream cipher is known to be more vulnerable than common block ciphers. So use caution when using arcfour.

To speed up X11 forwarding by using the above tips, you can SSH to a remote host as follows.

$ ssh -XC -c blowfish-cbc,arcfour

Method Two

Alternatively, you can specify these options in an SSH configuration file.

To edit a system-wide SSH configuration file:

$ sudo vi /etc/ssh/ssh_config 

To edit a per-user SSH configuration file:

$ vi ~/.ssh/config

In either SSH configuration file, add the following:

  Compression yes
  ForwardX11 yes
  Ciphers blowfish-cbc,arcfour

Then you can SSH to the remote host without using any command-line option:

$ ssh

Note that there are some caveats in switching to a different cipher in SSH. First, the performance of a particular cipher may vary across different processor architecture. For instance, recent generations of Intel processors (e.g., Intel i5, i7, Xeon) come with hardware support for AES (e.g., AES-NI), in which case (hardware-accelerated) AES would be much faster than the rest.

Second, if the network over which X11 forwarding is established is extremely slow, then the bottleneck of X11 forwarding is actually the network, not the CPU. In this case, the performance of X11 forwarding would not be affected whichever cipher you are using.

Support Xmodulo

This website is made possible by minimal ads and your gracious donation via PayPal or credit card

Please note that this article is published by under a Creative Commons Attribution-ShareAlike 3.0 Unported License. If you would like to use the whole or any part of this article, you need to cite this web page at as the original source.

Xmodulo © 2021 ‒ AboutWrite for UsFeed ‒ Powered by DigitalOcean