SSH Tunnels
Secure MongoDB connections through SSH tunnels with port forwarding and authentication
SSH tunnels provide secure access to MongoDB databases behind firewalls or in private networks by creating an encrypted connection through an SSH bastion server.
Overview
SSH tunneling wraps your MongoDB connection in an encrypted SSH channel, allowing you to:
- Connect to databases in private networks without exposing MongoDB ports
- Secure connections over untrusted networks
- Access databases behind corporate firewalls
- Avoid complex VPN configurations
SSH tunnels are available on Professional and Enterprise plans.
How SSH Tunnels Work
- MongoDash establishes an SSH connection to your bastion server
- SSH creates an encrypted tunnel to the MongoDB server
- MongoDB traffic flows through the secure SSH tunnel
- The bastion server forwards traffic to your MongoDB instance
MongoDash → SSH Tunnel → Bastion Server → MongoDB Database
SSH Authentication Methods
MongoDash supports two SSH authentication methods:
Password Authentication
Simple username/password authentication.
SSH Host: bastion.example.com
SSH Port: 22
SSH Username: mongouser
SSH Password: ••••••••
SSH Key Authentication
Public/private key pair authentication (recommended for production).
SSH Host: bastion.example.com
SSH Port: 22
SSH Username: mongouser
SSH Private Key: [Paste private key content]
SSH Passphrase: [Optional passphrase]
SSH key authentication is more secure than passwords and recommended for production environments.
Configuring SSH Tunnels
Enable SSH tunnel
- Navigate to Add Connection in MongoDash
- Scroll to SSH Tunnel section
- Toggle Use SSH Tunnel to enabled
Enter SSH server details
- SSH Host: Bastion server hostname or IP address
- SSH Port: SSH port (default: 22)
- SSH Username: User account on bastion server
Choose authentication method
- Password: Enter SSH user password
- Private Key: Paste SSH private key content
- Passphrase: Enter key passphrase if required
Configure MongoDB connection
- MongoDB Host: Internal hostname (e.g., localhost or internal IP)
- MongoDB Port: 27017 (or your MongoDB port)
- Database: Your database name
Test and save
- Click Test Connection to verify SSH and MongoDB connectivity
- Review test results for both SSH and database connection
- Click Save when test succeeds
SSH Key Setup
Generating SSH Keys
Generate an SSH key pair on your local machine:
ssh-keygen -t rsa -b 4096 -C "mongodash-connection"
This creates:
- Private key: ~/.ssh/id_rsa (keep secure, paste into MongoDash)
- Public key: ~/.ssh/id_rsa.pub (add to bastion server)
Adding Public Key to Bastion Server
Copy your public key to the bastion server:
ssh-copy-id -i ~/.ssh/id_rsa.pub mongouser@bastion.example.com
Or manually append to authorized keys:
cat ~/.ssh/id_rsa.pub | ssh mongouser@bastion.example.com "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
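Because the private half of this key is pasted into MongoDash, the public half can be installed so that it is only good for the tunnel. The following is an added example, not MongoDash or OpenSSH project code: it builds an authorized_keys entry from sshd's `restrict`, `port-forwarding`, `permitopen` and `command` options. It assumes the client opens only forwarding channels (as `ssh -N` does); the function name and the sample key are constructed for illustration.

```shell
#!/bin/sh
# Added example (not MongoDash code): build a forwarding-only authorized_keys entry.
# Assumption: the tunnel key only ever needs to reach one MongoDB host:port.
NL='
'
# Constructed placeholder key, not a real one.
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTEDKEY mongodash-connection'

# usage: restricted_key_entry "<public key line>" <mongodb-host> <mongodb-port>
restricted_key_entry() {
  pubkey=$1 host=$2 port=$3
  case $pubkey in
    *"$NL"*) echo "expected exactly one key line" >&2; return 1 ;;
    ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;  # bare key, no options yet
    *) echo "not a bare public key line" >&2; return 1 ;;
  esac
  case $host in
    ''|*[!A-Za-z0-9.-]*) echo "unexpected character in host" >&2; return 1 ;;
  esac
  case $port in
    ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
  esac
  # restrict        : no pty, no agent/X11 forwarding, no port forwarding
  # port-forwarding : re-enable forwarding for this key
  # permitopen      : ...but only to the MongoDB endpoint
  # command         : any exec or shell request runs /bin/false instead
  printf 'restrict,port-forwarding,permitopen="%s:%s",command="/bin/false" %s\n' \
    "$host" "$port" "$pubkey"
}

# Print the entry to append to ~/.ssh/authorized_keys on the bastion.
restricted_key_entry "$SAMPLE_PUBKEY" mongodb-internal.example.com 27017
```

After installing a restricted entry, run Test Connection again to confirm the tunnel still opens.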
Using Private Key in MongoDash
Run cat ~/.ssh/id_rsa and copy the output.
Never share your private key. MongoDash encrypts private keys at rest, but treat them as sensitive credentials.
Port Forwarding Configuration
SSH tunnels use local port forwarding to route MongoDB traffic.
Default Port Forwarding
By default, MongoDash automatically selects a random local port:
Local Port (random) → SSH Tunnel → MongoDB Host:Port
Custom Local Port
Specify a custom local port if needed:
SSH Tunnel Configuration:
- Local Bind Address: 127.0.0.1 (default)
- Local Port: 27018 (custom)
- Remote Host: mongodb-internal.example.com
- Remote Port: 27017
Multiple Database Tunnels
Connect to multiple databases through the same bastion:
Connection 1: localhost:27018 → bastion → db1.internal:27017
Connection 2: localhost:27019 → bastion → db2.internal:27017
Connection 3: localhost:27020 → bastion → db3.internal:27017
Common Configurations
MongoDB on Same Server as SSH
MongoDB running on the SSH bastion server:
SSH Host: bastion.example.com
SSH Port: 22
MongoDB Host: localhost
MongoDB Port: 27017
MongoDB on Private Network
MongoDB on a separate server in the private network:
SSH Host: bastion.example.com
SSH Port: 22
MongoDB Host: mongodb-internal.private
MongoDB Port: 27017
MongoDB Atlas via SSH
Connecting to Atlas through a bastion server:
SSH Host: bastion.example.com
SSH Port: 22
MongoDB Host: cluster0-shard-00-00.mongodb.net
MongoDB Port: 27017
MongoDB Connection String: mongodb://cluster0.mongodb.net/db
For Atlas connections via SSH, use the individual shard hostnames rather than the SRV record.
SSH Tunnel Options
Keep Alive Settings
Configure SSH keep-alive to prevent connection drops:
Server Alive Interval: 60
Server Alive Count Max: 3
These settings send keep-alive packets every 60 seconds and close the connection after 3 failed responses.
Compression
Enable SSH compression for better performance over slow networks:
Compression: Enabled
Strict Host Key Checking
Control SSH host key verification:
- Strict (Recommended): Verify host key against known hosts
- Accept New: Accept new hosts, verify known hosts
- Disabled: Skip host key verification (not recommended)
Disabling host key checking exposes you to man-in-the-middle attacks. Only use for testing in isolated environments.
Security Best Practices
SSH Server Configuration
Harden your SSH bastion server:
- Disable password authentication (force key-based auth)
- Change default SSH port (reduce automated attacks)
- Enable SSH key-only authentication
- Restrict SSH access by IP (firewall rules)
- Use fail2ban (block brute force attempts)
- Keep SSH server updated (security patches)
Example /etc/ssh/sshd_config:
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers mongouser
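Editing sshd_config does not guarantee the running policy: sshd uses the first value it reads for each keyword, so an included drop-in file can override the lines above. The following added example (not from MongoDash or the OpenSSH project) checks the effective settings printed by `sshd -T` against the four directives shown; the function names and the sample output are constructed.

```shell
#!/bin/sh
# Added example. Input is in `sshd -T` format: one lowercase "keyword value"
# pair per line, reflecting the effective configuration after all includes.
# TUNNEL_USER is an assumption taken from the AllowUsers line above.
TUNNEL_USER="${TUNNEL_USER:-mongouser}"

# Prints one FAIL line per deviation; exit status is 1 if any were found.
check_sshd_hardening() {
  awk -v user="$TUNNEL_USER" '
    function expect(key, want,    got) {
      got = (key in val) ? val[key] : "(unset)"
      if (got != want) { printf "FAIL %s is %s, expected %s\n", key, got, want; bad = 1 }
    }
    # AllowUsers entries may be USER or USER@HOST patterns; keep the user part.
    $1 == "allowusers" { u = $2; sub(/@.*/, "", u); allowed[u] = 1; next }
    { val[$1] = $2 }
    END {
      expect("permitrootlogin", "no")
      expect("passwordauthentication", "no")
      expect("pubkeyauthentication", "yes")
      if (!(user in allowed)) { printf "FAIL allowusers does not list %s\n", user; bad = 1 }
      exit bad + 0
    }
  '
}

# Constructed sample: effective settings where a drop-in file has
# re-enabled passwords although sshd_config itself says "no".
sample_effective_config() {
  cat <<'EOF'
port 22
permitrootlogin no
passwordauthentication yes
pubkeyauthentication yes
allowusers mongouser
EOF
}

# On the bastion: sudo sshd -T | check_sshd_hardening
sample_effective_config | check_sshd_hardening || echo "effective config deviates from the hardening list"
```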
Network Isolation
Design secure network topology:
Internet → Bastion Server (Public) → MongoDB (Private Network)
- Bastion server has public IP and SSH access only
- MongoDB servers have private IPs, no direct internet access
- Firewall rules allow the bastion to reach the MongoDB servers on MongoDB ports only
Key Management
Protect SSH private keys:
- Use passphrases on private keys
- Rotate keys regularly (every 90 days recommended)
- Revoke compromised keys immediately
- Use separate keys for each environment
- Store keys securely (encrypted storage)
Audit Logging
Enable SSH connection logging on bastion server:
# View SSH connection logs
sudo tail -f /var/log/auth.log
MongoDash Enterprise includes SSH tunnel connection audit logs. View connection history in Audit Logs section.
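Tailing the log shows events as they happen; a summary is more useful for review. The following added example (not MongoDash code) reads sshd lines such as those in /var/log/auth.log and reports logins that contradict the key-only, single-account policy above, plus sources with repeated failures. The threshold, function names and sample lines are constructed.

```shell
#!/bin/sh
# Added example (not MongoDash code): triage sshd lines from the bastion's auth log.
# Assumptions: ALLOWED_USER is the tunnel account; FAIL_THRESHOLD is an arbitrary cut-off.
ALLOWED_USER="${ALLOWED_USER:-mongouser}"
FAIL_THRESHOLD="${FAIL_THRESHOLD:-3}"

# stdin: auth log lines. stdout: one finding per line.
#   NON_KEY_LOGIN <method> <user> <ip>  accepted login that did not use a key
#   UNEXPECTED_USER <user> <ip>         accepted login for another account
#   BRUTE_FORCE <ip> <count>            source with >= FAIL_THRESHOLD failures
audit_ssh_log() {
  awk -v allowed="$ALLOWED_USER" -v limit="$FAIL_THRESHOLD" '
    /sshd\[[0-9]+\]: (Accepted|Failed) / {
      verb = ""; method = ""; user = ""; ip = ""
      for (i = 2; i <= NF; i++) {
        if (verb == "" && ($i == "Accepted" || $i == "Failed")) { verb = $i; method = $(i + 1) }
        # Keep the LAST "from": a crafted user name containing " from " cannot spoof the source.
        if ($i == "from") { user = $(i - 1); ip = $(i + 1) }
      }
      if (ip == "") next
      if (verb == "Failed") { fails[ip]++; next }
      if (method != "publickey") print "NON_KEY_LOGIN", method, user, ip
      if (user != allowed) print "UNEXPECTED_USER", user, ip
    }
    END { for (ip in fails) if (fails[ip] >= limit) print "BRUTE_FORCE", ip, fails[ip] }
  '
}

# Constructed sample lines (documentation IP ranges), not real logs.
sample_auth_log() {
  cat <<'EOF'
Mar  3 10:15:01 bastion sshd[1201]: Accepted publickey for mongouser from 198.51.100.7 port 50122 ssh2: RSA SHA256:CONSTRUCTED
Mar  3 10:16:44 bastion sshd[1210]: Failed password for invalid user admin from 203.0.113.9 port 40022 ssh2
Mar  3 10:16:47 bastion sshd[1210]: Failed password for root from 203.0.113.9 port 40022 ssh2
Mar  3 10:16:51 bastion sshd[1212]: Failed password for invalid user x from 192.0.2.1 from 203.0.113.9 port 40030 ssh2
Mar  3 10:20:00 bastion sshd[1300]: Accepted password for deploy from 192.0.2.44 port 51000 ssh2
EOF
}

sample_auth_log | audit_ssh_log
```

On the bastion, feed it the real log instead of the sample, for example `sudo cat /var/log/auth.log | audit_ssh_log`.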
Troubleshooting SSH Tunnels
Connection Refused
Symptom: "Connection refused" or "Cannot connect to SSH server"
Solutions:
- Verify SSH server hostname and port
- Check firewall allows SSH port (22)
- Confirm SSH service is running: sudo systemctl status sshd
- Test SSH connection manually: ssh username@bastion.example.com
Authentication Failed
Symptom: "Permission denied" or "Authentication failed"
Solutions:
- Verify SSH username is correct
- Check password or private key
- Ensure public key is in ~/.ssh/authorized_keys
- Verify file permissions: chmod 600 ~/.ssh/authorized_keys
- Check SSH logs: sudo tail /var/log/auth.log
Host Key Verification Failed
Symptom: "Host key verification failed"
Solutions:
- Remove old host key: ssh-keygen -R bastion.example.com
- Verify host key fingerprint with server administrator
- Update known_hosts file
- Check for man-in-the-middle attack (DNS spoofing)
MongoDB Connection Through Tunnel Failed
Symptom: SSH connects but MongoDB connection fails
Solutions:
- Verify MongoDB host/port from bastion server
- Test MongoDB connection from bastion: mongo mongodb-internal:27017
- Check MongoDB firewall rules
- Verify MongoDB is binding to correct interface
- Confirm network routing from bastion to MongoDB
Tunnel Timeout
Symptom: Connection drops after period of inactivity
Solutions:
- Enable SSH keep-alive settings
- Increase server timeout values
- Check network equipment timeout settings
- Configure MongoDB connection pool settings
Use the connection test feature to diagnose SSH and MongoDB connectivity separately. MongoDash reports which step failed.