SSH Tunneling with Boundary for db client apps

Hi all,

I have a bastion target in the boundary cluster.

This is how I access the target

boundary connect ssh -target-name "X" --target-scope-name "Y"

I want to use this target to ssh tunnel my connection to a database on a db client app. How can I port-forward the session in order to use it for this purpose?

I tried to use the following command based on findings from a GitHub discussion but it didn’t work.

boundary connect ssh -target-id ttcp_1234567890 -- -L 1890:127.0.0.1:22

I’ll appreciate the help on this. Thanks!

Is the database on the bastion host or another system? If it’s not on the bastion host I think you’ll need to put the IP or hostname of the database system in the forwarding argument instead of 127.0.0.1.

But, note that if the database host is somewhere the Boundary worker can connect to it, you can create a target for it directly.

1 Like

Thank you for your reply, @omkensey. My initial intention was to specify the port opened by Boundary. I created my database target and can connect to it on a DB Client App via Boundary Desktop. How can I specify the port on boundary cli so I can use that on my db client app?

I tried both commands below, but specifying the port aside, I can’t even connect to it [it can be connected via Boundary Desktop without any issues].

boundary connect ssh -target-name "X" --target-scope-name "Y"
boundary connect postgres -target-id ttcp_XXXX

The desktop app actually just embeds the CLI for the actual connections, so if it works with the desktop it should work with the CLI and as far as I know that latter command should work. Can you provide a diagram (even just an ASCII diagram is fine) of the systems involved – specifically the Boundary client, the worker, and the Postgres database? What ports are open and what can connect directly to what?

It totally works, I can access the target on cli. The only thing I want to do is, I want to specify the port on cli and use that port in my db client app.

Initially I used the following command and it worked

boundary connect ssh -target-id ttcp_1234567890 -- -L 1890:127.0.0.1:22

Now I added this target directly to boundary as you recommended. However, it would be more convenient if I could specify the port number and use it in the db client app. Hope it makes sense to you. Please do let me know if I’m not being clear here. Thanks!

I think you can do what you want with the CLI’s -listen-port argument. That will tell the Boundary client to bind directly to the port you specify.

1 Like
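
The -listen-port suggestion above, sketched as a small wrapper script. This is an added example, not code from the thread or from the Boundary project: the script's arguments and function names are hypothetical, the target ID is whatever you pass in, and it also sets the CLI's -listen-addr flag to loopback so the proxy is not reachable from other hosts.

```shell
#!/bin/sh
# Added example: pin the local port of a Boundary session so a DB client
# app can be configured once with a fixed host:port.
# Assumes the boundary CLI is installed and already authenticated.

# Accept only unprivileged TCP ports (1024-65535) so no root is needed to bind.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Print the endpoint the DB client app should be pointed at.
client_endpoint() {
    valid_port "$1" || return 1
    printf '127.0.0.1:%s\n' "$1"
}

# Usage (hypothetical script name): ./boundary-fixed-port.sh <target-id> <port>
# Does nothing when called without exactly two arguments.
if [ "$#" -eq 2 ]; then
    endpoint=$(client_endpoint "$2") || {
        echo "port must be an integer between 1024 and 65535" >&2
        exit 1
    }
    echo "Point the DB client app at $endpoint" >&2
    # Keep the listener on loopback; the session stays open until this
    # process is terminated.
    exec boundary connect -target-id "$1" \
        -listen-addr 127.0.0.1 -listen-port "$2"
fi
```

Keep the command running for as long as the DB client needs the connection; closing it ends the local listener.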