Can't connect ssh through boundary in GCP

Hi, I’m new to Boundary and I’ve been doing some tests with it on a GCP environment.

I created a fairly simple environment to test Boundary usage. The environment contains two ec Debian 11 instances, one for Boundary and one that has Jenkins installed; both are in the same VPC network. My goal is to be able to ssh to the Jenkins instance from my local machine, using Boundary to do it.

So on the Boundary instance I’ve installed Boundary and Docker as follows:

I’m using the boundary dev command for all my tests, so I didn’t create any config file for the workers and controllers and this is the command I’m using to start the environment:

sudo boundary dev -controller-public-cluster-address=0.0.0.0 -host-address=0.0.0.0 -api-listen-address=0.0.0.0 -proxy-listen-address=XX.XXX.XX.XXX -worker-public-address=0.0.0.0 -login-name=jenkins -password=teste123 &

On the proxy-listen-address I’m passing the private IP of the Boundary instance, and I’m using 0.0.0.0 on the other parameters 'cause I saw in some article here that by doing that I’d be able to connect to the Boundary GUI from my local machine, which works fine.

The only change I made to generate objects from boundary dev, is that on the generated host I replaced the default 0.0.0.0 with the internal IP address of the jenkins instance.

That said, I’m currently able to authenticate on Boundary from my local machine.

But when I try to connect to the target, I get the following error.

I’ve been stuck on this for a while now. I did a lot of research here and on other forums that Google brought me to in order to get to this point, but now I can’t figure this one out, so I’d appreciate some help.

There are a bunch of different purposes for those address flags, and not all will work with 0.0.0.0.

-api-listen-address and -proxy-listen-address are fine as 0.0.0.0 – in that context it means “listen on all interfaces”. (If you don’t want it to do that, use a specific interface IP there and it will bind only to that IP, which I see you’re doing for the proxy address already.)

-controller-public-cluster-address shouldn’t be 0.0.0.0. That’s the IP that will be advertised to workers for that controller on their initial connection. This may seem a little redundant in a single-controller environment but if you set the listen address to something the workers won’t be able to connect to (like 0.0.0.0 or an IP on a subnet they can’t connect to), you’ll need to set this as well.

-worker-public-address has basically the same purpose and requirements as -controller-public-cluster-address, but instead of advertising controllers to workers it’s the worker address that will be passed to clients to connect. Just as the controller public cluster address defaults to the API listen address, this defaults to the value of the proxy-listen-address.

Lastly, -host-address sets the IP of the default target created by boundary database init. That defaults to localhost (127.0.0.1) but in your case it sounds like you should set it to the private IP of your Jenkins host.
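
The flag rules from the answer above, as an added example that is not part of the thread or of Boundary itself: a small shell lint that reports which flags carrying a dialed address are set to the wildcard 0.0.0.0. The function name and the 10.0.0.x and 203.0.113.10 addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): lint the address flags of a
# `boundary dev` command line against the rules given in the answer.
# Flag names come from the thread; all IPs are constructed placeholders.

# Flags whose value is handed to another party to dial (workers, clients,
# or the worker reaching the target), so the wildcard 0.0.0.0 cannot work.
DIALED_FLAGS="controller-public-cluster-address worker-public-address host-address"

# Prints one line per offending flag name; prints nothing when clean.
lint_boundary_dev_flags() {
  for _arg in "$@"; do
    case "$_arg" in
      -*=*) ;;                          # inspect only -name=value pairs
      *) continue ;;
    esac
    _name=${_arg%%=*}
    _name=${_name#-}; _name=${_name#-}  # tolerate one or two leading dashes
    _value=${_arg#*=}
    case " $DIALED_FLAGS " in
      *" $_name "*) ;;
      *) continue ;;                    # listen flags: 0.0.0.0 = all interfaces
    esac
    case "$_value" in
      0.0.0.0|0.0.0.0:*) echo "$_name" ;;
    esac
  done
}

# The address flags from the question (proxy address redacted as posted).
echo "as posted:"
lint_boundary_dev_flags \
  -controller-public-cluster-address=0.0.0.0 -host-address=0.0.0.0 \
  -api-listen-address=0.0.0.0 -proxy-listen-address=XX.XXX.XX.XXX \
  -worker-public-address=0.0.0.0

# Constructed values: 10.0.0.10 = Boundary instance private IP,
# 10.0.0.20 = Jenkins private IP, 203.0.113.10 = address clients can reach.
echo "corrected:"
lint_boundary_dev_flags \
  -controller-public-cluster-address=10.0.0.10 -host-address=10.0.0.20 \
  -api-listen-address=0.0.0.0 -proxy-listen-address=10.0.0.10 \
  -worker-public-address=203.0.113.10
```

The first call lists the three flags the answer singles out; the second prints nothing because only the listen address still uses the wildcard.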