# Pomerium Desktop and CLI Clients

Pomerium is capable of creating secure connections to services like SSH, Redis, and more by creating a TCP tunnel to the service with a local client. This article describes configuring a route to accept TCP connections, and using either the CLI or GUI client to connect to it.

# Create a TCP Route

  1. Specify this new Route as a TCP Route by prefixing tcp+ in the From field, along with a port suffix.

    The port is not used to connect to the Pomerium Proxy service from the internet; this will always be port 443 (unless otherwise defined in config.yaml). Rather, the port defined in From is part of the mapping to the individual route. In this way, you can create multiple routes that share a DNS entry, differentiated by the port to determine which route they use.

    For example, suppose we have a server called augur running behind Pomerium that has a MySQL server and also listens for SSH connections. We can create routes for tcp+https://augur.example.com:22 and tcp+https://augur.example.com:3306.

  2. The To field uses tcp:// as a protocol, and specifies the address and port the service listens on.

The example below demonstrates a route to the SSH service on the host running the Pomerium Core or Pomerium Enterprise service:

See the "Configure Routes" section of TCP Support for more detailed information on TCP routes.

# TCP Client Software

You can connect to this route with either the Pomerium CLI or Pomerium Desktop client.

For more examples and detailed usage information, see TCP Support

# Advanced Configuration

If Pomerium is listening on a port other than 443 (set with the address key), the pomerium-url flag (CLI) or "Alternate Pomerium URL" field (GUI) is required. This specifies the address and port for the client to communicate over, while the standard URL defines the port assignment for the specific route. For example:

pomerium-cli tcp ssh.localhost:pomerium.io:2222 \
   --pomerium-url https://ssh.localhost.pomerium.io:8443 \
   --listen :2222