Skip to main content

SSH Tunneling

SSH tunneling allows you to securely connect to databases on remote servers that aren’t directly accessible from your Mac. TablePro creates an encrypted tunnel through an SSH server to reach your database.

How SSH Tunneling Works

  1. TablePro creates an SSH connection to your jump server
  2. A local port (e.g., 60000) forwards through the tunnel
  3. Traffic is encrypted between your Mac and the SSH server
  4. The SSH server connects to the database on your behalf

When to Use SSH Tunneling

  • Database server is in a private network
  • Database server only accepts local connections
  • You need to encrypt connections to the database
  • You want to access databases through a bastion/jump host

Setting Up SSH Tunneling

1

Create or Edit Connection

Open the connection form for your database
2

Enable SSH Tunnel

Toggle the SSH Tunnel switch to ON
3

Configure SSH Settings

Enter your SSH server details and authentication
4

Test and Connect

Click Test Connection to verify the tunnel works
SSH tunnel settings

SSH Configuration Options

SSH Server Settings

FieldDescriptionDefault
SSH HostSSH server hostname or IP-
SSH PortSSH server port22
SSH UserSSH username-

Authentication Methods

TablePro supports two SSH authentication methods:
Simple password authentication:
FieldDescription
SSH PassYour SSH password
Password authentication is less secure than key-based authentication. Consider using SSH keys for production servers.

Using SSH Config

If you have entries in your ~/.ssh/config file, TablePro can use them:
  1. TablePro reads your SSH config automatically
  2. Select a host from the SSH Host dropdown
  3. Settings are auto-filled from your config
Example SSH config entry: 
# ~/.ssh/config
Host production-jump
    HostName jump.example.com
    User deploy
    Port 22
    IdentityFile ~/.ssh/production_key
This appears as “production-jump” in the SSH Host dropdown.

Database Connection Settings

When using SSH tunneling, the database host is relative to the SSH server:
FieldValueDescription
Hostlocalhost or 127.0.0.1Database is on the SSH server itself
Hostdb.internalDatabase is on internal network
Port3306, 5432, etc.Database port (unchanged)
The database host should be what the SSH server uses to reach the database, not what your Mac would use.

Common Scenarios

Database on SSH Server

The database runs on the same machine as your SSH server: 
SSH Host:       jump.example.com
SSH User:       deploy

Database Host:  localhost
Database Port:  3306

Database on Internal Network

The database is on a different server, only accessible from the SSH server: 
SSH Host:       jump.example.com
SSH User:       deploy

Database Host:  db.internal.example.com
Database Port:  5432

AWS RDS via Bastion

Connecting to RDS through an EC2 bastion host: 
SSH Host:       bastion.example.com
SSH User:       ec2-user
Key File:       ~/.ssh/aws-key.pem

Database Host:  mydb.abc123.us-east-1.rds.amazonaws.com
Database Port:  5432

SSH Key Setup

Generating SSH Keys

If you don’t have SSH keys: 
# Generate a new key pair
ssh-keygen -t ed25519 -C "[email protected]"

# Or use RSA for broader compatibility
ssh-keygen -t rsa -b 4096 -C "[email protected]"

Key Locations

Default key locations on macOS:
Key TypePrivate KeyPublic Key
Ed25519~/.ssh/id_ed25519~/.ssh/id_ed25519.pub
RSA~/.ssh/id_rsa~/.ssh/id_rsa.pub
ECDSA~/.ssh/id_ecdsa~/.ssh/id_ecdsa.pub

Adding Key to Server

Copy your public key to the SSH server: 
# Using ssh-copy-id
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@server

# Or manually
cat ~/.ssh/id_ed25519.pub | ssh user@server "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

Key Permissions

SSH keys must have correct permissions: 
# Fix permissions
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_*
chmod 644 ~/.ssh/id_*.pub
chmod 644 ~/.ssh/config

Troubleshooting

Connection Refused

Symptoms: “Connection refused” when testing SSH tunnel Causes and Solutions:
  1. SSH server not running 
    # Test SSH connection directly
ssh -v user@server
  2. Wrong port
    • Verify SSH port (some servers use non-standard ports)
    • Check with server administrator
  3. Firewall blocking connection
    • Ensure port 22 (or custom port) is open
    • Check both local and server firewalls

Authentication Failed

Symptoms: “SSH authentication failed” or “Permission denied” For Password Authentication:
  1. Verify username and password
  2. Check if password auth is enabled on server
  3. Try connecting via terminal: ssh user@server
For Key Authentication:
  1. Verify key file path is correct
  2. Check key permissions (chmod 600)
  3. Ensure public key is in server’s authorized_keys
  4. Verify passphrase (if key is encrypted)
  5. Try connecting via terminal: 
    ssh -i ~/.ssh/your_key user@server

Private Key Errors

“Private key file not found”:
  • Verify the path exists
  • Use the Browse button to select the file
“Private key file is not readable”: 
chmod 600 ~/.ssh/your_key
“Wrong passphrase”:
  • Re-enter the passphrase
  • Test key manually: ssh-keygen -y -f ~/.ssh/your_key

Tunnel Established but Database Fails

If SSH tunnel connects but database connection fails:
  1. Verify database host is correct (relative to SSH server) 
    # From SSH server, test database connection
ssh user@server "mysql -h localhost -u dbuser -p"
  2. Check database port
    • Ensure port matches the database server’s actual port
  3. Verify database credentials
    • Username/password might be different from SSH credentials

Tunnel Drops Periodically

TablePro includes keep-alive settings to prevent tunnel drops:
  • ServerAliveInterval=60 - Send keep-alive every 60 seconds
  • ServerAliveCountMax=3 - Disconnect after 3 missed responses
If tunnels still drop:
  1. Check network stability
  2. Verify server’s ClientAliveInterval setting
  3. Check for idle timeout settings on firewalls

Security Considerations

Best Practices

  1. Use key-based authentication instead of passwords
  2. Use Ed25519 or RSA keys with 4096+ bits
  3. Protect your private keys with a passphrase
  4. Limit SSH access to specific users/IPs on the server
  5. Use a dedicated jump host rather than direct database access

What Gets Encrypted

DataEncrypted
SSH connectionYes
Database credentialsYes (through tunnel)
Query dataYes (through tunnel)
Local stored passwordsYes (macOS Keychain)

What to Avoid

  • Don’t share private keys
  • Don’t use password authentication on production servers
  • Don’t store SSH passwords in plain text
  • Don’t expose database ports directly to the internet

Advanced: SSH Agent

If you use SSH Agent for key management:
  1. Add your key to the agent: 
    ssh-add ~/.ssh/id_ed25519
  2. TablePro can use keys from SSH Agent automatically
  3. You won’t need to enter passphrases repeatedly

Next Steps

MySQL Connection

MySQL-specific settings and features

PostgreSQL Connection

PostgreSQL-specific settings and features

Connection Management

Managing all your connections

Keyboard Shortcuts

Speed up your workflow