diff --git a/README.md b/README.md
index 84c4f2393b2648956d439747e6ee2c1a422e1bda..ff8864cb8097d01c3acd919ecc2524196c8970a1 100644
--- a/README.md
+++ b/README.md
@@ -302,3 +302,33 @@ Destroy you cluster.
 
 Snapshot your VM for further use and terminate it.
 
+
+## Tips and tricks
+
+### Controlling your cluster from a remote console
+
+KinD is not designed to be operated remotely because its security is quite limited. Indeed KinD's 
+[API frontend](https://kind.sigs.k8s.io/docs/user/configuration/#api-server) listens by default to a local address/port. 
+However it is possible to [set up an SSH "tunnel"](https://www.ssh.com/academy/ssh/tunneling-example) over which to 
+[convey control commands from your workstation](https://github.com/kubernetes-sigs/kind/issues/3417):
+
+1. Install `kubectl` on your workstation.
+1. Open an SSH tunnel to the instance *from your workstation* (mind that 6443 is the standard kubectl port):
+   ```bash
+   workstation$ ssh -i YOUR_KEY -o IdentitiesOnly=yes -L 6443:localhost:6443 INSTANCE_USER@INSTANCE_IP
+   ```
+1. Add to your KinD config file `kind-config.yaml` the following snippet that fixes the API port:
+   ```yaml
+   networking:
+     apiServerPort: 6443 
+   ```
+1. Recreate your cluster with the new config above.
+1. Leave the SSH tunnel connection open! Switch to a different *local* terminal and import the remote cluster config:
+   ```bash
+   workstation$ scp -i YOUR_KEY -o IdentitiesOnly=yes INSTANCE_USER@INSTANCE_IP:~/.kube/config ~/.kube/
+   ```
+   Now, you should be able to send commands over the tunnel, e.g.:
+   ```bash
+   workstation$ kubectl get services
+   ```
+  
\ No newline at end of file
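Review bot: the `scp` in step 5 copies to `~/.kube/`, which silently overwrites any existing `~/.kube/config` on the workstation, and the file it brings over carries the cluster's admin client certificate and key. Suggest copying to a separate file (for example `~/.kube/kind-remote.config`, name is only a suggestion), pointing kubectl at it with `KUBECONFIG` or `--kubeconfig`, and mentioning that the file should be readable only by the user. Two smaller points: in step 2, 6443 is described as "the standard kubectl port", but it is the port the Kubernetes API server listens on, which is also what `apiServerPort: 6443` in step 3 sets, so the wording should say API server. Since the intro leans on the API frontend listening on a local address, it would help to state explicitly that `apiServerAddress` should be left at its default so the tunnel remains the only way in. Nits: trailing whitespace after `apiServerPort: 6443` and at the end of the first two lines of the intro paragraph, and the file now ends without a newline.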