SSH Tunneling
SSH tunneling lets you connect to a database that isn’t directly reachable from your machine. SoftDB opens an SSH connection to a bastion host (or jump server), then forwards a local port through that SSH connection to the database server. The database driver connects to the local port, and traffic flows through the tunnel transparently.
What is SSH Tunneling?
Section titled “What is SSH Tunneling?”When your database lives in a private network (a VPC, a corporate network, or a server behind a firewall), you can’t connect to it directly. But if you have SSH access to a server in that network, you can use it as a relay.
SoftDB handles this automatically:
- SoftDB connects to the SSH server over port 22 (or a custom port).
- It opens a local TCP listener on a random port on
127.0.0.1. - Any connection to that local port is forwarded through the SSH connection to the database host and port.
- The database driver connects to
127.0.0.1:<random-port>instead of the remote host.
The tunnel stays open for the lifetime of the connection. When you disconnect, the tunnel closes.
-
Open the Connection Hub and click New Connection (or edit an existing connection).
-
Fill in the database connection details as normal (host, port, credentials). The Host and Port here are the database’s address as seen from the SSH server — often
localhostif the database is on the same machine as the SSH server. -
Expand the SSH Tunnel section at the bottom of the form.
-
Toggle Enable SSH Tunnel on.
-
Fill in the SSH server details:
- SSH Host: hostname or IP of the SSH server (bastion host)
- SSH Port: SSH port, defaults to
22 - SSH User: your SSH login username
-
Choose an authentication method:
- Password: enter your SSH password
- Private Key: enter the path to your PEM or OpenSSH private key file
-
Click Test Connection to verify the tunnel and database connection together, then Save.
SSH Connection Settings
Section titled “SSH Connection Settings”| Field | Default | Notes |
|---|---|---|
| SSH Host | — | Hostname or IP of the SSH server |
| SSH Port | 22 | Standard SSH port |
| SSH User | — | Your SSH login username |
| SSH Password | — | Used when auth type is Password |
| SSH Key Path | — | Absolute path to your private key file (PEM or OpenSSH format) |
Authentication Methods
Section titled “Authentication Methods”Password authentication
Section titled “Password authentication”Enter your SSH password in the SSH Password field. This is the simplest option but less secure than key-based auth. Many servers disable password authentication entirely.
Private key authentication
Section titled “Private key authentication”Enter the path to your private key file in the SSH Key Path field. SoftDB reads the key file from disk when establishing the tunnel. Supported formats:
- OpenSSH format (
-----BEGIN OPENSSH PRIVATE KEY-----) - PEM format (
-----BEGIN RSA PRIVATE KEY-----,-----BEGIN EC PRIVATE KEY-----, etc.)
The key file must be readable by SoftDB. On macOS and Linux, check permissions with ls -la ~/.ssh/id_rsa — the file should be 600 (owner read/write only).
If your key has a passphrase, SoftDB doesn’t currently support passphrase-protected keys. Use ssh-keygen -p to remove the passphrase, or use ssh-agent and configure your key there.
How It Works
Section titled “How It Works”When you connect with SSH tunneling enabled, SoftDB:
- Reads the SSH config (host, port, user, auth method).
- Dials the SSH server and authenticates.
- Opens a local TCP listener on
127.0.0.1with a randomly assigned port (chosen by the OS). - Replaces the database host/port in the driver config with
127.0.0.1:<local-port>. - Connects the database driver to the local port.
- Each database connection through the local port gets forwarded via a
direct-tcpipSSH channel to<db-host>:<db-port>as seen from the SSH server.
The local port is ephemeral — it changes each time you connect. SoftDB manages this automatically; you never need to know the port number.
Common Configurations
Section titled “Common Configurations”Database on the same server as SSH
Section titled “Database on the same server as SSH”The database host is localhost from the SSH server’s perspective:
SSH Host: bastion.example.comSSH Port: 22SSH User: ubuntu
Database Host: localhostDatabase Port: 5432Database on a separate server in the same network
Section titled “Database on a separate server in the same network”SSH Host: bastion.example.comSSH Port: 22SSH User: ubuntu
Database Host: db.internal.example.comDatabase Port: 5432AWS RDS behind a bastion
Section titled “AWS RDS behind a bastion”SSH Host: ec2-1-2-3-4.compute-1.amazonaws.comSSH Port: 22SSH User: ec2-userSSH Key Path: /home/user/.ssh/my-key.pem
Database Host: mydb.cluster-abc123.us-east-1.rds.amazonaws.comDatabase Port: 5432Troubleshooting
Section titled “Troubleshooting”SSH connection refused
Section titled “SSH connection refused”SSH tunnel: connect to SSH server bastion.example.com:22: connection refusedThe SSH server isn’t reachable on port 22. Check that the server is running, the port is correct, and your firewall allows outbound connections on port 22.
Authentication failed
Section titled “Authentication failed”SSH tunnel: ssh: handshake failed: ssh: unable to authenticateWrong username, password, or key. Verify you can connect manually with ssh -i /path/to/key user@host. If using a key, check that the public key is in ~/.ssh/authorized_keys on the server.
Key file not found
Section titled “Key file not found”SSH tunnel: read private key "/home/user/.ssh/id_rsa": no such file or directoryThe path to the private key is wrong. Use an absolute path and verify the file exists.
Database connection refused through tunnel
Section titled “Database connection refused through tunnel”If the SSH tunnel connects successfully but the database connection fails, the database host/port as seen from the SSH server is wrong. Try connecting to the database directly from the SSH server with psql or mysql to verify the host and port.