diff --git a/scripts/bosh-cli.sh b/scripts/bosh-cli.sh
index df72a5083..1a26b10a1 100755
--- a/scripts/bosh-cli.sh
+++ b/scripts/bosh-cli.sh
@@ -12,12 +12,16 @@ if [[ ! -d "${bosh_config_dir}" ]]; then
   exit 1
 fi
 
-tunnel_mux='/tmp/bosh-ssh-tunnel.mux'
+tunnel_mux=$(mktemp --dry-run /tmp/bosh-ssh-tunnel.mux.XXXXXXXX)
+
+socks_port=25555
+while nc -z localhost $socks_port >/dev/null 2>&1; do
+  socks_port=$(( socks_port + 1 ))
+done
 
 function cleanup() {
   echo 'Closing SSH tunnel'
   ssh -S "$tunnel_mux" -O exit a-destination &>/dev/null || true
-
   # Avoid keeping sensitive tokens in bosh config when we don't need them.
   # This will mean we have to sign in to bosh every time we run this script.
   echo 'Cleaning up BOSH config'
@@ -31,7 +35,7 @@ echo 'Getting BOSH settings'
 BOSH_CA_CERT="$(aws s3 cp "s3://gds-paas-${DEPLOY_ENV}-state/bosh-CA.crt" -)"
 
 echo 'Opening SSH tunnel'
-ssh -qfNC -4 -D 25555 \
+ssh -qfNC -4 -D $socks_port \
   -o Hostname="bosh-external.${SYSTEM_DNS_ZONE_NAME}" \
   -o ExitOnForwardFailure=yes \
   -o StrictHostKeyChecking=no \
@@ -42,7 +46,7 @@ ssh -qfNC -4 -D 25555 \
   paas_bosh_ssh
 
 export BOSH_CA_CERT
-export BOSH_ALL_PROXY="socks5://localhost:25555"
+export BOSH_ALL_PROXY="socks5://localhost:$socks_port"
 export BOSH_ENVIRONMENT="bosh.${SYSTEM_DNS_ZONE_NAME}"
 export BOSH_DEPLOYMENT="${DEPLOY_ENV}"
 export BOSH_CONFIG="${bosh_config_dir}/config"