How to Use GitHub Copilot With VS Code Remote-SSH on a Bastion Host

You need to use GitHub Copilot while connected to a remote SSH server through a bastion host, but the Copilot extension fails to activate or shows network errors. A bastion host creates a jump box that adds an extra network layer between your local machine and the target server. This article explains how to configure VS Code Remote-SSH and GitHub Copilot to work reliably across a bastion host tunnel.

How GitHub Copilot Communicates Over Remote-SSH

GitHub Copilot runs as a VS Code extension that sends code context to GitHub servers and receives completion suggestions. When you connect to a remote workspace using Remote-SSH, the extension runs on the remote host. The remote host must have outbound HTTPS access to api.github.com and copilot-proxy.githubusercontent.com on port 443.

A bastion host sits between your local machine and the target server. Traffic from VS Code on your local machine goes to the bastion host first, then the bastion forwards it to the target server. Copilot on the target server must reach GitHub servers directly. If the target server has no direct internet access, Copilot fails with connection errors.

The key requirement is that the GitHub Copilot extension on the remote host can establish a TLS connection to GitHub servers. The bastion host itself does not need to run Copilot. Only the target server needs the extension and network access.

When Copilot Fails on a Bastion Host Setup

Common failure signs include the Copilot icon showing a red exclamation mark, the status bar reading “Copilot: Offline,” or completion suggestions never appearing. These happen because the remote host cannot reach GitHub servers, the SSH tunnel blocks WebSocket connections, or the Copilot authentication token does not propagate through the bastion.

Steps to Configure GitHub Copilot With Remote-SSH and a Bastion Host

Follow these steps in order. Each step builds on the previous one. Do not skip the SSH agent forwarding step because it solves the most common authentication failure.

1. Edit the SSH Config File for ProxyJump

1. Open your local SSH config file
   On Windows, the file is at C:\Users\YourUsername\.ssh\config. On macOS and Linux, it is at ~/.ssh/config. Create the file if it does not exist.
2. Add the bastion host entry
   Write:

Host bastion
    HostName bastion.example.com
    User your-bastion-username
    IdentityFile ~/.ssh/id_rsa

1. Add the target host entry with ProxyJump
   Write:

Host target-server
    HostName 10.0.1.50
    User your-target-username
    IdentityFile ~/.ssh/id_rsa
    ProxyJump bastion

The ProxyJump directive tells SSH to connect to the bastion first, then jump to the target server. VS Code Remote-SSH reads this config automatically.

2. Enable SSH Agent Forwarding

1. Add ForwardAgent to the target host entry
   In the same SSH config file, add this line under the target-server block:

Host target-server
    HostName 10.0.1.50
    User your-target-username
    IdentityFile ~/.ssh/id_rsa
    ProxyJump bastion
    ForwardAgent yes

1. Start the SSH agent on your local machine
   On macOS and Linux, run eval "$(ssh-agent -s)". On Windows, ensure the OpenSSH Authentication Agent service is running. Add your private key with ssh-add ~/.ssh/id_rsa.
2. Test agent forwarding
   Connect to the target server manually: ssh target-server. Then run ssh-add -l on the target server. You should see your key fingerprint. If you see “The agent has no identities,” agent forwarding is not working.

3. Set a Fixed Local Server Port in Remote-SSH Settings

1. Open VS Code settings
   Press Ctrl+, on Windows or Cmd+, on macOS. Search for “Remote.SSH: Local Server Port.”
2. Set a fixed port number
   Enter a port like 22000. This prevents VS Code from using a random port that might conflict with the bastion tunnel. Save the setting.

4. Install GitHub Copilot on the Remote Host

1. Connect VS Code to the target server
   Open VS Code. Press Ctrl+Shift+P, type “Remote-SSH: Connect to Host,” and select “target-server.” VS Code opens a new window connected to the remote host.
2. Install the GitHub Copilot extension on the remote host
   In the Extensions view, search for GitHub Copilot. Click Install in SSH: target-server. Do not install it only locally. The extension must run on the remote host.
3. Sign in to GitHub
   Click the Copilot icon in the status bar. A browser window opens on your local machine. Authorize the extension. The token is forwarded through the SSH agent to the remote host.

5. Verify Copilot Connectivity

1. Check the Copilot status
   Look at the bottom-right status bar. It should show “Copilot: Ready” with a green checkmark. If it shows “Copilot: Offline,” the remote host cannot reach GitHub servers.
2. Test a completion
   Open a file on the remote host. Type a comment like // function to calculate fibonacci and press Enter. Copilot should suggest code within two seconds.

Common Issues When Using Copilot Through a Bastion Host

Copilot Shows “Offline” on the Remote Host

The remote target server lacks outbound HTTPS access to GitHub servers. Check network rules on the target server. Allow outbound traffic to api.github.com and copilot-proxy.githubusercontent.com on port 443. If the target server uses a corporate proxy, configure the HTTP_PROXY and HTTPS_PROXY environment variables on the remote host. Restart VS Code Remote-SSH after setting the variables.

Copilot Authentication Fails After Reconnecting

The SSH agent forwarding stops working when you close the terminal or reboot your local machine. Restart the SSH agent with ssh-add and reconnect VS Code Remote-SSH. If the issue persists, delete the old remote session from VS Code: press Ctrl+Shift+P, select “Remote-SSH: Close Remote Connection,” then reconnect.

Copilot Completions Are Slow or Intermittent

Latency through the bastion host can delay completions. Set the remote.SSH.connectTimeout setting to a higher value, such as 30 seconds. In VS Code settings, search for “Remote.SSH: Connect Timeout” and set it to 30. Also ensure the bastion host has sufficient bandwidth. A 10 Mbps link is the minimum for responsive completions.

VS Code Remote-SSH Fails to Connect to the Target Server

The SSH config file has a syntax error or the bastion host is unreachable. Test the connection manually: ssh -J bastion target-server. If that works, the config is correct. If it fails, check the bastion hostname, port, and firewall rules. The bastion host must accept SSH connections from your local IP address.

GitHub Copilot Direct Connection vs Bastion Host Connection

Item	Direct SSH Connection	Bastion Host Connection
Network path	Local machine to target server	Local machine to bastion host to target server
SSH config requirement	Host entry with HostName only	Host entry with ProxyJump or ProxyCommand
Agent forwarding	Optional	Required for Copilot token propagation
Copilot extension location	Remote host	Remote host
Outbound access needed	Target server to GitHub servers	Target server to GitHub servers
Latency impact	Minimal	Higher due to extra hop

The direct connection setup is simpler and faster. Use it whenever the target server is reachable from your local machine without a jump host. The bastion host setup requires more configuration steps but is necessary when the target server sits in a private subnet.

Conclusion

You can now use GitHub Copilot with VS Code Remote-SSH through a bastion host by configuring ProxyJump in the SSH config file and enabling SSH agent forwarding. The fixed local server port setting prevents connection drops during long sessions. For optimal performance, ensure the target server has direct outbound HTTPS access to GitHub servers and set the Remote.SSH connect timeout to 30 seconds. If you manage multiple bastion hosts, create separate SSH config entries for each target server to avoid configuration conflicts.