What's the best practice for accessing hashistack tools with Boundary?

I’m looking to use Boundary to completely replace my legacy VPN. I already have a BeyondCorp architecture for web services, but I am struggling to figure out how to get the HashiCorp CLI tools to work. Specifically, I’m thinking of Nomad, Consul, and Vault.

For web access, I was planning to front the UIs through my existing HTTP authenticating proxies. For the CLI, is the appropriate way to do this to have a target with a crazy high session limit? Is -exec the correct option here, and just aliasing all the CLI tools to be wrapped by Boundary?

Looking forward to the wisdom of the ancients.