DocsNetwork proxy
Route database connections through SSH tunnels or Tailscale VPN for secure access to private networks.
Some databases sit behind firewalls or inside private networks that Kaelio cannot reach directly. The Network Proxy section on a connection form lets you route traffic through an intermediary so Kaelio can connect securely.
Two proxy types are supported:
| Proxy type | Use case |
|---|---|
| SSH Tunnel | Access databases via a bastion/jump host using SSH |
| Tailscale | Access databases on a Tailscale tailnet using an auth key |
Configuring a proxy
The Network Proxy section appears at the bottom of every connection form that supports it (PostgreSQL, MySQL, SQL Server, Snowflake, Metabase).
Select a Proxy Type from the dropdown.
Fill in the proxy-specific fields described below.
Click Test Proxy to verify connectivity before saving the connection. A successful test shows the proxy exit IP and location.
SSH Tunnel
Route traffic through an SSH bastion host. Kaelio opens an SSH connection and forwards database traffic through it.
| Field | Description |
|---|---|
| SSH Host | Hostname or IP of the bastion server |
| SSH Port | SSH port (default: 22) |
| SSH Username | User to authenticate as on the bastion |
| Auth Method | Password or Private Key |
| SSH Password | Password for password authentication |
| Private Key | PEM-encoded private key for key authentication |
| Passphrase | Passphrase for encrypted private keys (optional) |
Tailscale
Route traffic through a Tailscale tailnet. Kaelio joins your tailnet as an ephemeral node and connects to the target database through the Tailscale network.
| Field | Description |
|---|---|
| Auth Key | Tailscale auth key (tskey-auth-...). Generate one from Tailscale Keys settings with Reusable and Ephemeral enabled. |
| Hostname | Optional node name for the ephemeral Kaelio node in your tailnet (default: kaelio-proxy) |
| Exit Node | Tailscale IP of an exit node in your tailnet (e.g. 100.x.y.z). When set, all traffic is routed through that node. Leave empty for direct routing. |
The Exit Node field is useful when the database is only reachable from a specific machine in your tailnet, or when you want traffic to egress from a particular location. The exit node must already be advertised and approved in your Tailscale admin console.
Testing the proxy
Click Test Proxy to verify that the proxy can establish a connection. On success, the test displays the proxy's exit IP address and location so you can confirm traffic is routing through the expected path.
Related
- Data Sources — Overview of managing connections
- Connection Settings — Enable for chat, schedule scans, and manage connections