Tunnels

Using Akeyless Connect

Akeyless Secure Remote Access solution has a built-in Tunnel mode, which can be used to connect with various native and thick clients to remote hosts via Akeyless bastions, with a complete audit trail.

While your local machine uses the Akeyless Connect CLI, any thick client can be used to establish the connection to a remote server within your internal network via the Akeyless Bastion.

Prerequisites

Usage

๐Ÿšง

Warning

For security reasons, please bind services only to the local interface. You can use local port forwarding to access the service that is listening on the remote server.

Connections on the local machine made to the forwarded port will, in effect, connect to the remote machine.

akeyless connect --target <user>@<targetserver> \
--via sra-bastion:2222 \
--tunnel='-L 127.0.0.1:<port>:<targetserver>:<port>' \
--cert-issuer-name "<Path/To/SSHCertIssuer>" \
--name "</Path/To/Secret>" \
--bastion-ctrl-proto "http\https"

Where:

  • target: The target resource, e.g. user@ssh-server[:port], us-east-2, mysql-server:3306, etc.

  • via-bastion: The Secure Remote Access Bastion host which the connection will go through, e.g. ssh-sra-bastion:2222.

  • tunnel: SSH tunnel setting e.g. -T='-L 127.0.0.1:<port>:127.0.0.1:<port>'

  • cert-issuer-name: Optional. If already configured inside akeyless-connect.rc file, alternativity provide
    the full path to the SSH Cert Issuer to establish the connection to the bastion.

  • name : Full name of the secret item to use in order to connect. i.e. Dynamic or a Rotated Secret for Database,RDP etc. Or a static secret which contains the credentials of the target system.

  • command: Command to execute on the target remote host (useful for non-interactive mode). e.g. -C='ls -al'

  • ssh-extra-args: Additional SSH arguments (except -i).

RDP

To connect to a remote desktop server via the Akeyless Bastion from your local terminal, run the following command, and open your Remote Desktop client, where you should use the localhost endpoint to connect to your remote server.

akeyless connect -t <RDP User>@<RDP Host> \
-v sra-bastion:2222 \
--tunnel='-L 127.0.0.1:3389:<RDP Host>:3389'\
-c "<Path/To/SSHCertIssuer>" \
-n "/Path/To/RDP/Dynamic/Secret"

Once the tunnel is opened, you can connect with your local RDP client to the TargetServer using your localhost port via the Akeyless Bastion.

K8s

kubectl

To connect with a remote K8s cluster using a thick client, you can leverage the Akeyless K8s Tunnel that will start a proxy service on your remote K8s server, via the bastion.

First, you can use the following template as an example to add to your ~/.kube/config file:

apiVersion: v1
clusters:
- cluster:
    server: http://127.0.0.1:2345
  name: test-tunnel
contexts:
- context:
    cluster: test-tunnel
    user: test-tunnel
  name: testunnel
current-context: testunnel
kind: Config
preferences: {}
users:
- name: test-tunnel

Then, use the following command to create the tunnel using the same port number as your local server (2345) in the kubeconfig file:

akeyless connect -t <k8s.server.host> \
 -n "/Path/To/K8s/Dynamic/Secret" \
 -c "/Path/To/SSHCertIssuer" \
 -v sra-bastion:2222 \
 --bastion-ctrl-proto=https \
 --k8s-tunnel 2345

๐Ÿ“˜

Note

A remote port on the SSH bastion will automatically be allocated based on availability.

Once that's done, in a new terminal tab you can run kubectl commands as normal after switching to the above kubectl context.

Lens

Similarly, after having run the akeyless connect command as in the previous section, to work with Lens K8s IDE, open your Lens Settings > Proxy and set the proxy server with your localhost interface in the following format: http://127.0.0.1:2345.

Now, you can start interacting with your remote K8s API server using the tunnel.

For example, to add a new cluster to Lens add, you can use the following kubeconfig reference:

apiVersion: v1
clusters:
- cluster:
    server: http://127.0.0.1:2345
  name: AKEYLESS_Lens_K8S
contexts:
- context:
    cluster: AKEYLESS_Lens_K8S
    user: AKEYLESS_Lens_K8S
  name: AKEYLESS_Lens_K8S
current-context: AKEYLESS_Lens_K8S
kind: Config
preferences: {}
users:
- name: AKEYLESS_Lens_K8S

Where the server should point to your local tunnel port.

SSH Tools

To work with your native SSH tools, you can run a local tunnel on your host:

akeyless connect -t <user>@<targetServer> \
 -v <sra-bastion:2222>  \
--tunnel='-L 127.0.0.1:<localPort>:<targetServer>:<targetPort>'

Then, any SSH client (such as SecureCRT, PuTTY, tmux, etc.) can be used to establish connections to the remote targetServer. After running the above command to open the tunnel, on your SSH client, open a connection to 127.0.0.1:localPort to connect with your remote server.