Tinkerwell 4 is out now! See what's new or buy now.
Tinkerwell background image
Tinkerwell Logo Tinkerwell
Go back to Blog

Using ProxyJump to connect to a remote host behind a firewall

In this post, we configure ProxyJump to connect to a remote server via a jumphost. This setup allows you to limit SSH connections to a production environment to a single IP address and add an extra layer of protection to your application. Additionally, we use local port forwarding to connect to the remote server via Tinkerwell.

Tinkerwell does not support ProxyJump or ProxyCommand automatically, so if you go through a JumpHost to connect to a production environment and can't access the target host directly, Tinkerwell does not know how to connect.

For this post, we have set up two new Ubuntu 22.04 servers for demonstration purposes. They are called ubuntu-jump and ubuntu-remote. ubuntu-jump is accessible via SSH from anywhere, but ubuntu-remote only allows SSH connections from ubuntu-jump. So if we try to connect to ubuntu-remote via the IP directly, the connection times out.

This setup is the bare minimum that is required to show how it works and it is not related to Tinkerwell directly but useful for anyone who want an extra layer of security for their production environments.

ProxyJump and port forwarding are built into SSH, so the main task is setting up the configuration in our ~/.ssh/config file.

Host ubuntu-jump
User root
IdentityFile /Users/seb/.ssh/id_rsa
ControlPath ~/.ssh/cm-%r@%h:%p
ControlMaster auto
ControlPersist 10m
Host ubuntu-remote
User root
IdentityFile /Users/seb/.ssh/id_rsa
ProxyJump ubuntu-jump

For a real world application, you likely don't connect via the root user but a dedicated user for your purposes. As a recommendation, both servers should also have dedicated key pairs as well. As you can see, the remote host uses your key pair, so even if someone gains access to ubuntu-jump, they can't access ubuntu-remote.

This setup allows us to connect to ubuntu-remote via ubuntu-jump with a single ssh ubuntu-remote command in our local terminal.

If you look at this screenshot closely, you can see that the last login is from the IP address if the jumphost and not from our local machine.

This is already a huge security improvement, but how do we use this in Tinkerwell? Tinkerwell itself can't handle this SSH magic directly, but we can use local port forwarding to connect to a local port with the app – and actually run code on ubuntu-remote.

Go to your terminal and forward a local port – this example uses 2222 to port 22 on ubuntu-remote via localhost.

ssh -NL 2222:localhost:22 ubuntu-remote

After that, create a new SSH connection in Tinkerwell and point it to localhost with port 2222.

So even if the remote host is not accessible for Tinkerwell, the app connects to the local port and gets a tunnel to ubuntu-remote. Connect and run some code to see the magic:

This setup also works for other apps like Transmit or any other app that supports SSH connections but does not automatically use your SSH config file and the ProxyJump command.

Mohamed Said, VP of Engineering at Foodics
“I don't know why anyone wouldn’t use Tinkerwell. I can't even remember how I used to test code on the go before it.”

Mohamed Said

VP of Engineering at Foodics

Christopher Koye, CEO
“All colleagues that work with PHP use Tinkerwell. And it really helps.”
Christopher Koye


Tinkerwell: The PHP Scratchpad

The must-have companion to your favorite IDE. Quickly iterate on PHP code within the context of your web application.

Buy now Learn more