Skip to main content

Tunneled MySQL Connections

This document explains how to connect to a MySQL or MariaDB database through an encrypted TCP tunnel. We use the mysql command line utility, but the same tunnel can be used by GUI tools.

Long-lived connections behavior

When you create a TCP or Websocket connection, Pomerium validates the access policy at the time the connection is made.

Currently, there is no mechanism in place to terminate long-running connections if a policy becomes invalid.


This example assumes you've already created a TCP route for this service.

Basic Connection

  1. Create a TCP tunnel, using either pomerium-cli or the Pomerium Desktop client:

    pomerium-cli tcp --listen :3306

    The --listen flag is optional. It lets you define what port the tunnel listens on locally. If not specified, the client will choose a random available port.

  2. Initiate your MySQL connection, pointing to localhost:

    mysql -h -u USER -p

Allow Access from Remote Hosts:

  1. Your MySQL or MariaDB service may not accept connections from remote hosts. Find the bind-address key in the configuration files (usually located in /etc/mysql/) and edit it to accept remote connections. For example:

    # Instead of skip-networking the default is now to listen only on
    # localhost which is more compatible and is not less secure.
    bind-address =
  2. When connecting, you may get an error like ERROR 1130 (HY000): Host '' is not allowed to connect to this MariaDB/MySQL server. You can create a user entry in your database for the Pomerium host:

    CREATE USER 'user'@'pomerium.local' IDENTIFIED BY 'some_pass';
    GRANT ALL PRIVILEGES ON *.* TO 'user'@'pomerium.local'

    Or create a user entry with no host associated:

    CREATE USER 'user'@'%' IDENTIFIED BY 'some_pass';
    GRANT ALL PRIVILEGES ON *.* TO 'user'@'%'

More Resources