SSH Tunnel
Connect securely to databases behind firewalls via SSH tunnel. Password and key authentication.
Built-in SSH tunnel — no manual terminal setup. Supports password and private key authentication, with optional LAN exposure for team sharing.
DBX can connect to databases through an SSH tunnel, allowing secure access to servers behind firewalls or on private networks.
Configuration
When creating or editing a connection, enable the SSH tunnel option:
| Field | Description |
|---|---|
| SSH Host | Hostname or IP of the SSH server |
| SSH Port | Port for SSH (default: 22) |
| SSH User | Username for SSH authentication |
| Connect Timeout | Maximum time DBX waits while opening the SSH connection; default is 5 seconds |
Authentication Methods
Select a private key file (e.g., ~/.ssh/id_rsa, ~/.ssh/id_ed25519):
- Key Path — Use the file picker to browse and select your key file
- Key Passphrase — Enter the passphrase if your key is password-protected
Key authentication is more secure than password authentication.
Enter your SSH password directly. Works on servers that allow password authentication.
Expose Tunnel to LAN
Enabling LAN exposure means any device on the same network can access the tunneled database port. Only enable this on trusted networks.
By default, the SSH tunnel listens on localhost only. Enable LAN exposure to bind to 0.0.0.0, making the tunnel accessible to other devices on your network — useful for team collaboration or multi-device access.
How It Works
- DBX establishes an SSH connection to the specified server
- Creates a local port that forwards traffic through the tunnel to the database
- Connects to the database through the forwarded local port
The tunnel remains active for the duration of the connection and closes automatically when you disconnect.
SSH, Proxy, And File Databases
SSH tunnels are available for network databases. SQLite and Access connections are file-based and do not use SSH. DuckDB usually uses a local file as well, so only configure SSH when the selected driver profile actually needs a network endpoint.
If your network requires a proxy instead of SSH, use the connection dialog's proxy tab. DBX supports SOCKS5 and HTTP proxy settings with optional username and password.