# Pomerium Desktop and CLI Clients
Pomerium is capable of creating secure connections to services like SSH, Redis, and more by creating a TCP tunnel to the service with a local client. This article describes configuring a route to accept TCP connections, and using either the CLI or GUI client to connect to it.
# Create a TCP Route
Specify this new Route as a TCP Route by prefixing
tcp+in the From field, along with a port suffix.The port is not used to connect to the Pomerium Proxy service from the internet; this will always be port 443 (unless otherwise defined in
config.yaml). Rather, the port defined in From is part of the mapping to the individual route. In this way, you can create multiple routes that share a DNS entry, differentiated by the port to determine which route they use.For example, suppose we have a server called
augurrunning behind Pomerium that has a MySQL server and also listens for SSH connections. We can create routes fortcp+https://augur.example.com:22andtcp+https://augur.example.com:3306.The To field uses
tcp://as a protocol, and specifies the address and port the service listens on.
The example below demonstrates a route to the SSH service on the host running the Pomerium Core or Pomerium Enterprise service:
- from: tcp+https://ssh.localhost.pomerium.io:22 to: tcp://127.0.0.1:22 policy: - allow: or: - email: is: user@companydomain.comCopied!
See the "Configure Routes" section of TCP Support for more detailed information on TCP routes.
# TCP Client Software
You can connect to this route with either the Pomerium CLI or Pomerium Desktop client.
# Install
Download the latest release from GitHub (opens new window).
- Windows: The installer
exewill install and open the Desktop Client. Right click on the system tray icon to interact with it. - Linux: We provide Linux binaries as
.AppImagefiles, which can be executed in place or managed with a tool like AppImageLauncher (opens new window). Interact with the client from the system tray icon. - macOS: Open the
dmgand move the binary to Applications. Interact with the client from the system tray icon.
# Add a Connection
# Destination Url
Matches the From value of the route. Always include the port specified in the route, and do not include the https:// protocol.
# Disable TLS Verification
Allows untrusted certificates from the Pomerium gateway
# Local Address
(optional)
The local address and port number from which to access the service locally. If left blank, the client will choose a random port to listen to on the loopback address.
In most cases, you only need to specify the port (ex: :2222), and the client will listen on all available local addresses.
# Alternate Pomerium Url
(optional)
The Pomerium Proxy service address. This is required if the Destination URL can't be resolved from DNS or a local hosts entry, or if the Proxy service uses a non-standard port.
# CA File Path or CA File Text
(optional)
If your Pomerium proxy is using a certificate signed by a Certificate Authority (CA) that's not in your system's trusted key store, provide the CA certificate here. Alternately, you can toggle Disable TLS Verification.
For more examples and detailed usage information, see TCP Support
# Advanced Configuration
If Pomerium is listening on a port other than 443 (set with the address key), the pomerium-url flag (CLI) or "Alternate Pomerium URL" field (GUI) is required. This specifies the address and port for the client to communicate over, while the standard URL defines the port assignment for the specific route. For example:
pomerium-cli tcp ssh.localhost:pomerium.io:2222 \ --pomerium-url https://ssh.localhost.pomerium.io:8443 \ --listen :2222Copied!