Tunnels

Using Akeyless Connect

Akeyless Secure Remote Access solution has a built-in Tunnel mode, which can be used to connect with various native and thick clients to remote hosts via Akeyless bastions, with a complete audit trail.

While your local machine uses the Akeyless Connect CLI, any thick client can be used to establish the connection to a remote server within your internal network via the Akeyless Bastion.

Prerequisites

Usage

Note

For security reasons, bind forwarded ports only to the local (loopback) interface, as the examples below do with 127.0.0.1. Use local port forwarding to reach the service that is listening on the remote server.

Connections made on the local machine to the forwarded port are, in effect, connections to the remote machine.

akeyless connect --target <user>@<targetserver> \
--via sra-bastion:2222 \
--tunnel='-L 127.0.0.1:<port>:<targetserver>:<port>' \
--cert-issuer-name "<Path/To/SSHCertIssuer>" \
--name "</Path/To/Secret>" \
--bastion-ctrl-proto <http|https>

Where:

  • target (-t): The target resource, e.g. <user>@<host>[:port], us-east-2, mysql-server:3306, etc.

  • via (-v): The Secure Remote Access Bastion host that the connection will go through, e.g. ssh-sra-bastion:2222.

  • tunnel (-T): SSH tunnel setting, e.g. -T='-L 127.0.0.1:<port>:127.0.0.1:<port>'.

  • cert-issuer-name (-c): Optional. Full path to the SSH Cert Issuer used to establish the connection to the bastion. Can be omitted if it is already configured in the akeyless-connect.rc file.

  • name (-n): Full name of the secret item to use for the connection, i.e. a Dynamic or Rotated Secret for a database, RDP, etc., or a Static Secret that contains the credentials of the target system.

  • command (-C): Command to execute on the target remote host (useful for non-interactive mode), e.g. -C='ls -al'.

  • ssh-extra-args: Additional SSH arguments (except -i).
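The note above asks that forwarded ports bind only to the local interface. The POSIX shell wrapper below is an added example, not part of the Akeyless documentation or of the akeyless CLI: it parses the --tunnel value, refuses to run unless every -L forward names an explicit loopback bind address, and only then invokes akeyless connect with the flags listed above. It assumes the akeyless CLI is on PATH and already authenticated, and that --tunnel uses OpenSSH's `-L [bind_address:]port:host:hostport` syntax; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not Akeyless code): gate `akeyless connect` on a loopback-only
# --tunnel spec. Assumes the akeyless CLI is installed and authenticated.

# Return 0 if the spec contains at least one -L forward and every -L forward
# binds 127.0.0.1, localhost or [::1]. An explicit address is required because
# a bare "-L port:host:hostport" is bound according to the client's
# GatewayPorts setting, so its safety depends on configuration we do not see.
tunnel_binds_local_only() (
    set -f                    # no pathname expansion while splitting: "*" is a legal bind address
    set -- $1                 # split the spec on whitespace into positional words
    found=0
    while [ $# -gt 0 ]; do
        case "$1" in
            -L)   shift; fwd="$1" ;;      # "-L forward"
            -L?*) fwd="${1#-L}" ;;        # "-Lforward" (attached form)
            *)    shift; continue ;;      # any other ssh option, e.g. -N
        esac
        found=1
        case "$fwd" in
            127.0.0.1:*|localhost:*|\[::1\]:*) ;;   # explicit loopback bind address
            *) exit 1 ;;   # 0.0.0.0, *, an interface address, or no address at all (exit leaves only this subshell)
        esac
        shift
    done
    [ "$found" -eq 1 ]
)

# Open the tunnel only after the spec passes the check.
# Args: target, bastion, tunnel spec; remaining args are passed through to
# `akeyless connect` (e.g. -c, -n, --bastion-ctrl-proto).
safe_connect() {
    target="$1"; bastion="$2"; tunnel="$3"; shift 3
    if ! tunnel_binds_local_only "$tunnel"; then
        echo "refusing: every -L forward in '$tunnel' must bind 127.0.0.1, localhost or [::1]" >&2
        return 2
    fi
    akeyless connect --target "$target" --via "$bastion" --tunnel="$tunnel" "$@"
}

# Usage, with the RDP section's flags (placeholders as on the page):
#   safe_connect '<RDP User>@<RDP Host>' sra-bastion:2222 \
#       '-L 127.0.0.1:3389:<RDP Host>:3389' -c "<Path/To/SSHCertIssuer>" -n "/Path/To/RDP/Dynamic/Secret"
```

The check is deliberately strict: a forward without a bind address is rejected even though OpenSSH binds it to loopback by default, so that the result never depends on a GatewayPorts override in the user's ssh_config.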

RDP

To connect to a remote desktop server via the Akeyless Bastion, run the following command from your local terminal, then open your Remote Desktop client and connect to the localhost endpoint rather than to the remote server directly.

akeyless connect -t <RDP User>@<RDP Host> \
 -v sra-bastion:2222 \
 --tunnel='-L 127.0.0.1:3389:<RDP Host>:3389' \
 -c "<Path/To/SSHCertIssuer>" \
 -n "/Path/To/RDP/Dynamic/Secret"

Once the tunnel is open, connect your local RDP client to the target server through your localhost port; the session is routed via the Akeyless Bastion.

K8s

To connect with a remote K8s cluster, you can use the Akeyless Tunnel with a command that will be executed on the remote target server, for example, to start a proxy service on your remote K8s server:

akeyless connect -t <k8s.server.host> \
 -n "/Path/To/K8s/Dynamic/Secret" \
 -c "/Path/To/SSHCertIssuer" \
 -v sra-bastion:2222  \
 --bastion-ctrl-proto=https \
 --tunnel="-L 127.0.0.1:5555:127.0.0.1:5555" \
 --command="proxy -p 5555"

Lens

To work with the Lens K8s IDE, open Lens Settings > Proxy and set the proxy server to your localhost interface in the following format: http://127.0.0.1:5555.
Now you can interact with your remote K8s API server through the tunnel. For example, to add a new cluster to Lens, you can use the following template:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <base-64-certificate> 
    server: http://127.0.0.1:5555
  name: AKEYLESS_Lens_K8S
contexts:
- context:
    cluster: AKEYLESS_Lens_K8S
    user: AKEYLESS_Lens_K8S
  name: AKEYLESS_Lens_K8S
current-context: AKEYLESS_Lens_K8S
kind: Config
preferences: {}
users:
- name: AKEYLESS_Lens_K8S

Where the server should point to your local proxy endpoint.
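An added example (not part of the Akeyless documentation) that produces the kubeconfig above for a given tunnel port, verifies the file points only at the loopback proxy endpoint, and waits for the tunnelled `proxy -p <port>` to answer before Lens is pointed at it. It assumes the tunnel from the K8s section is already open in another terminal, that curl is installed, and that /version is reachable through the proxy without credentials (kubectl proxy forwards it unchanged). The function names are the example's own; certificate-authority-data is left out because the server URL is plain http, so no TLS verification takes place on this hop.

```shell
#!/bin/sh
# Added example (not Akeyless code): generate and validate the Lens kubeconfig,
# then probe the tunnelled kubectl proxy on 127.0.0.1 before importing it.

# Write the kubeconfig. Args: local tunnel port, output path.
write_lens_kubeconfig() {
    port="$1"; out="$2"
    case "$port" in ''|*[!0-9]*) echo "port must be numeric: '$port'" >&2; return 1 ;; esac
    cat > "$out" <<EOF
apiVersion: v1
clusters:
- cluster:
    server: http://127.0.0.1:$port
  name: AKEYLESS_Lens_K8S
contexts:
- context:
    cluster: AKEYLESS_Lens_K8S
    user: AKEYLESS_Lens_K8S
  name: AKEYLESS_Lens_K8S
current-context: AKEYLESS_Lens_K8S
kind: Config
preferences: {}
users:
- name: AKEYLESS_Lens_K8S
EOF
}

# Succeed only if the file has at least one "server:" line and every one of
# them is a loopback http endpoint, so a hand edit to a remote address (which
# would bypass the bastion and its audit trail) is caught before use.
kubeconfig_is_loopback_only() {
    servers=$(grep -E '^[[:space:]]*server:' "$1") || return 1
    printf '%s\n' "$servers" \
        | grep -Evq '^[[:space:]]*server: http://127\.0\.0\.1:[0-9]+[[:space:]]*$' && return 1
    return 0
}

# Poll /version through the tunnel for up to $2 seconds (default 30).
# Returns 0 as soon as the proxy answers, 1 on timeout.
proxy_ready() {
    port="$1"; deadline="${2:-30}"
    while [ "$deadline" -gt 0 ]; do
        if curl -fsS --max-time 2 "http://127.0.0.1:$port/version" >/dev/null 2>&1; then
            return 0
        fi
        deadline=$((deadline - 1)); sleep 1
    done
    echo "no proxy answering on 127.0.0.1:$port; is the akeyless connect tunnel open?" >&2
    return 1
}

# Usage (5555 matches the --tunnel and --command ports in the K8s section):
#   write_lens_kubeconfig 5555 "$HOME/.kube/akeyless-lens.yaml"
#   kubeconfig_is_loopback_only "$HOME/.kube/akeyless-lens.yaml" && proxy_ready 5555 \
#       && echo "ready: import $HOME/.kube/akeyless-lens.yaml into Lens"
```

Because the proxy is reached over the SSH tunnel, a failing proxy_ready usually means the tunnel or the remote `proxy -p` command has not started yet, not that the cluster is down.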

SSH Tools

To work with your native SSH tools, you can run a local tunnel on your host to <targetServer>:

akeyless connect -t <user>@<targetServer> \
 -v sra-bastion:2222 \
 --tunnel='-L 127.0.0.1:<Port>:<targetServer>:<Port>'

Then any client, for example SecureCRT, tmux, etc., can be used to establish connections to the remote targetServer. On your client, open a connection to 127.0.0.1:<Port> to reach your remote server.