diff --git a/charts/lagoon-remote/ci/linter-values.yaml b/charts/lagoon-remote/ci/linter-values.yaml index 9c7e7d9d..3a61d065 100644 --- a/charts/lagoon-remote/ci/linter-values.yaml +++ b/charts/lagoon-remote/ci/linter-values.yaml @@ -96,5 +96,8 @@ sshPortal: 6lnrpkhPYdpdKnF3PCEyAAAAAAECAwQF -----END OPENSSH PRIVATE KEY----- +sshProxy: + enabled: true + storageCalculator: enabled: true diff --git a/charts/lagoon-remote/templates/_helpers.tpl b/charts/lagoon-remote/templates/_helpers.tpl index a0fd1b6f..7b0060c1 100644 --- a/charts/lagoon-remote/templates/_helpers.tpl +++ b/charts/lagoon-remote/templates/_helpers.tpl @@ -191,6 +191,33 @@ app.kubernetes.io/instance: {{ .Release.Name }} {{- end }} +{{/* +Create a default fully qualified app name for sshProxy. +*/}} +{{- define "lagoon-remote.sshProxy.fullname" -}} +{{- include "lagoon-remote.fullname" . }}-ssh-proxy +{{- end }} + +{{/* +Common labels sshProxy. +*/}} +{{- define "lagoon-remote.sshProxy.labels" -}} +helm.sh/chart: {{ include "lagoon-remote.chart" . }} +{{ include "lagoon-remote.sshProxy.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels sshProxy. +*/}} +{{- define "lagoon-remote.sshProxy.selectorLabels" -}} +app.kubernetes.io/name: {{ include "lagoon-remote.name" . }} +app.kubernetes.io/component: {{ include "lagoon-remote.sshProxy.fullname" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} {{/* Create the name of the service account to use for insights-remote diff --git a/charts/lagoon-remote/templates/ssh-proxy.deployment.yaml b/charts/lagoon-remote/templates/ssh-proxy.deployment.yaml new file mode 100644 index 00000000..771136eb --- /dev/null +++ b/charts/lagoon-remote/templates/ssh-proxy.deployment.yaml 
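Review bot: In `_helpers.tpl`, `lagoon-remote.sshProxy.fullname` appends `-ssh-proxy` to `lagoon-remote.fullname` with no length cap, and `lagoon-remote.sshProxy.selectorLabels` then uses the result as the `app.kubernetes.io/component` label value. Kubernetes limits label values to 63 characters, so if `lagoon-remote.fullname` (defined outside this hunk) already truncates to 63, a long release name would produce a label the API server rejects. Reserving room for the suffix avoids that: `{{- include "lagoon-remote.fullname" . | trunc 53 | trimSuffix "-" }}-ssh-proxy`. Alternatively, use a fixed component value such as `ssh-proxy` and keep the fullname for the resource name only.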
@@ -0,0 +1,88 @@
+{{- if .Values.sshProxy.enabled -}}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "lagoon-remote.sshProxy.fullname" . }}
+ labels:
+ {{- include "lagoon-remote.sshProxy.labels" . | nindent 4 }}
+spec:
+ replicas: {{ .Values.sshProxy.replicaCount }}
+ selector:
+ matchLabels:
+ {{- include "lagoon-remote.sshProxy.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "lagoon-remote.sshProxy.selectorLabels" . | nindent 8 }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ securityContext:
+ {{- toYaml .Values.sshProxy.podSecurityContext | nindent 8 }}
+ containers:
+ - name: ssh-proxy
+ securityContext:
+ {{- toYaml .Values.sshProxy.securityContext | nindent 10 }}
+ image: "{{ .Values.sshProxy.image.repository }}:{{ .Values.sshProxy.image.tag }}"
+ imagePullPolicy: {{ .Values.sshProxy.image.pullPolicy }}
+ command:
+ - socat
+ args:
+ - TCP4-LISTEN:2020,reuseaddr,fork
+ {{- if .Values.sshPortal.enabled }}
+ - TCP:{{ include "lagoon-remote.sshPortal.fullname" . }}:{{ .Values.sshPortal.service.ports.sshserver }}
+ {{- else }}
+ - TCP:{{ .Values.sshProxy.ssh.host }}:{{ .Values.sshProxy.ssh.port }}
+ {{- end }}
+ ports:
+ - name: sshproxy
+ containerPort: 2020
+ protocol: TCP
+ livenessProbe:
+ tcpSocket:
+ port: sshproxy
+ initialDelaySeconds: 300
+ readinessProbe:
+ tcpSocket:
+ port: sshproxy
+ initialDelaySeconds: 300
+ resources:
+ {{- toYaml .Values.sshProxy.resources | nindent 10 }}
+ {{- with .Values.sshProxy.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ affinity:
+ podAntiAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 50
+ podAffinityTerm:
+ labelSelector:
+ matchExpressions:
+ - key: app.kubernetes.io/name
+ operator: In
+ values:
+ - {{ include "lagoon-remote.name" .
}}
+ - key: app.kubernetes.io/component
+ operator: In
+ values:
+ - {{ include "lagoon-remote.sshProxy.fullname" . }}
+ - key: app.kubernetes.io/instance
+ operator: In
+ values:
+ - {{ .Release.Name }}
+ topologyKey: kubernetes.io/hostname
+ {{- with .Values.sshProxy.affinity }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.sshProxy.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+{{- end }}
diff --git a/charts/lagoon-remote/templates/ssh-proxy.service.yaml b/charts/lagoon-remote/templates/ssh-proxy.service.yaml
new file mode 100644
index 00000000..430b6a5a
--- /dev/null
+++ b/charts/lagoon-remote/templates/ssh-proxy.service.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.sshProxy.enabled -}}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ .Values.sshProxy.service.name }}
+ labels:
+ metrics-only: "true"
+ {{- include "lagoon-remote.sshProxy.labels" . | nindent 4 }}
+spec:
+ type: {{ .Values.sshProxy.service.type }}
+ ports:
+ - port: {{ .Values.sshProxy.service.port }}
+ targetPort: sshproxy
+ protocol: TCP
+ name: sshproxy
+ selector:
+ {{- include "lagoon-remote.sshProxy.selectorLabels" . | nindent 4 }}
+{{- end }}
diff --git a/charts/lagoon-remote/values.yaml b/charts/lagoon-remote/values.yaml
index ec9440e4..9fe478fe 100644
--- a/charts/lagoon-remote/values.yaml
+++ b/charts/lagoon-remote/values.yaml
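Review bot: In `ssh-proxy.deployment.yaml`, the `else` branch of the socat target renders `.Values.sshProxy.ssh.host` and `.Values.sshProxy.ssh.port` unchecked, and `values.yaml` ships both empty. Enabling `sshProxy` without `sshPortal` therefore produces a socat argument with no upstream. The `tcpSocket` probes only test the listener on 2020, so the pod would likely still report healthy while every forwarded connection fails. Failing at render time is safer: `- TCP:{{ required "sshProxy.ssh.host is required when sshPortal is disabled" .Values.sshProxy.ssh.host }}:{{ required "sshProxy.ssh.port is required when sshPortal is disabled" .Values.sshProxy.ssh.port }}`.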
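Review bot: The `metrics-only: "true"` label in `ssh-proxy.service.yaml` looks carried over from another Service template, since this Service exposes only the `sshproxy` port. If anything selects Services on that label (a ServiceMonitor or similar, not visible in this diff), the SSH proxy would be treated as a metrics endpoint, so confirm it is intended or drop the line. `metadata.name` also comes from `.Values.sshProxy.service.name` rather than the release-scoped fullname helper, so two releases in one namespace would collide on `ssh`. If the fixed name is deliberate, say so in a comment, for example `{{/* fixed name so the in-cluster SSH hostname stays stable across releases */}}`.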
@@ -159,6 +159,42 @@ sshPortal: ed25519: "" rsa: "" +# sshProxy is an optional service that exposes a single `ssh.lagoon.svc` service within a remote +# this can then be configured to point to the lagoon-core ssh service using `sshProxy.ssh.host` and `sshProxy.ssh.port` +# or the ssh-portal service that is deployed if the ssh-portal is enabled +# this service can be used in `lagoon-build-deploy.sshPortalHost` and `lagoon-build-deploy.sshPortalPort` values when configuring the remote +# and will be exposed by the remote-controller to deployed environments via the LAGOON_CONFIG_SSH_HOST and LAGOON_CONFIG_SSH_PORT values +# for tasks and pods to use within the cluster scope +sshProxy: + enabled: false + replicaCount: 2 + image: + repository: alpine/socat + pullPolicy: IfNotPresent + tag: "1.7.4.4" + + # if ssh-portal is enabled the following `ssh` section is ignored and the ssh-portal service endpoint is used instead + ssh: + # set these to be the host and port of your lagoon-core ssh service + # example for amazeeio cloud: + # host: ssh.amazeeio.cloud + # port: 30831 + host: + port: + + # if you modify these values and are using `lagoon-build-deploy.sshPortalHost` and `lagoon-build-deploy.sshPortalPort` + # you'll need to ensure you update those values too + service: + name: ssh + type: ClusterIP + port: 2020 + + podAnnotations: {} + + securityContext: {} + + resources: {} + # This subchart is disabled by default until this build-deploy type is in # widespread use. lagoon-build-deploy: @@ -172,8 +208,8 @@ lagoon-build-deploy: # lagoonTokenHost: "" # lagoonTokenPort: "" # lagoonAPIHost: "" - # sshPortalHost: "" - # sshPortalPort: "" + # sshPortalHost: ssh.lagoon.svc + # sshPortalPort: 22 # See the parent chart for the full range of values that can be passed here to control builds # https://github.com/uselagoon/lagoon-charts/blob/main/charts/lagoon-build-deploy/values.yaml
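Review bot: The new `sshProxy` defaults leave `securityContext: {}` and define no `podSecurityContext`, although the deployment template reads `.Values.sshProxy.podSecurityContext`. The socat container therefore runs with whatever user and capabilities the `alpine/socat` image defaults to. Listening on 2020 and dialing an upstream needs no privileges, so restrictive defaults cost nothing here. `sshProxy.podAnnotations` is also declared in this block, but the template reads the top-level `.Values.podAnnotations`, so the per-component key is never consumed. The defaults below are a sketch: the UID is a constructed example and should be checked against the image and any cluster admission policy.

```yaml
sshProxy:
  # … unchanged: enabled, replicaCount, image, ssh, service, podAnnotations, resources …
  podSecurityContext:
    runAsNonRoot: true
    runAsUser: 10000  # constructed example UID; any non-zero UID the cluster permits
  securityContext:
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop:
        - ALL
```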
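Review bot: The commented example `# sshPortalPort: 22` in the `lagoon-build-deploy` block does not match the sshProxy Service added in this commit, whose default `service.port` is 2020. Anyone who uncomments these lines as written would point builds at a port the `ssh` Service does not expose. Suggest `# sshPortalPort: "2020"` and `# sshPortalHost: "ssh.lagoon.svc"`; the quoting assumes the subchart expects strings, as the previous `""` placeholders suggest. The `lagoon-build-deploy` block continues outside the hunk.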