Connect to a remote database behind NAT

Time: ~5 min · Level: Beginner · Protocol: PostgreSQL / MySQL / any TCP

You need to query a database — PostgreSQL, MySQL, Redis, MongoDB — that runs on a server with no public IP, and you want to use your normal client: psql, DBeaver, a migration tool. The right way is not to open the database port to the internet. With LRO the database keeps listening on localhost on its own machine, and you reach it on a local port on yours, through an encrypted tunnel.

Roles for this task: the machine that runs the database is the Client (the endpoint lives on it); your computer, where you run the DB client, is the Support (it opens the local port you connect to). New here? Start with your first tunnel; unsure which side is which, see choosing the agent role.

  1. Confirm the database listens locally

    On the database machine, the server should listen on 127.0.0.1 — the default for most installs. Nothing about it needs to face the internet; LRO connects to it from the same machine.

    $ ss -ltn | grep 5432 # postgres on 127.0.0.1:5432 (3306 for MySQL, 6379 Redis)

    This is the safe posture: the database is bound to loopback, so it is unreachable from the network directly, and LRO never changes that. The remote machine runs the LRO agent in Client mode; your computer runs it in Support mode.

  2. Add the database endpoint on the client agent

    In the panel, Endpoints → Create endpoint. Pick the client agent (the database machine), name it e.g. Office Postgres, and set target 127.0.0.1 and port 5432.

    [Screenshot: Endpoints list with an Office Postgres endpoint on the client agent pointing at 127.0.0.1:5432]
    Fig 1. The database endpoint lives on the client agent — target 127.0.0.1:5432, the local Postgres.

  3. Open a tunnel from your machine

    Tunnels → Add tunnel. Choose your computer as the support agent, pick the Office Postgres endpoint, and set a listen port — matching the database default (5432) keeps client commands simple, but any free local port works. Create it; it goes Active in a moment.

    [Screenshot: Tunnels table with an active tunnel from lab-server to admin-laptop listening on 0.0.0.0:5432]
    Fig 2. The active tunnel — your machine listens on 5432 and forwards to the remote 127.0.0.1:5432.

  4. Connect with your database client

    On your computer, point your client at the listen port. The connection lands on the remote database through the tunnel — here with psql:

    $ psql -h 127.0.0.1 -p 5432 -U appuser -d shopdb

    [Screenshot: psql session through the LRO tunnel running SELECT version() and a query against the orders table]
    Fig 3. A real query against the remote database — over a port that only exists on your laptop.

    Everything that speaks the database protocol works the same way, pointed at the local port — dumps, restores, migrations:

    $ pg_dump -h 127.0.0.1 -p 5432 -U appuser shopdb > shopdb.sql
    $ DATABASE_URL=postgres://appuser@127.0.0.1:5432/shopdb npm run migrate

    GUI clients are the same: in DBeaver, pgAdmin or TablePlus, set host 127.0.0.1 and port 5432 — the tunnel does the rest.
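
The screenshot in step 3 shows the tunnel listening on 0.0.0.0:5432, which is every interface of the support machine rather than loopback only. The check below is an added example, not LRO's own tooling: it reads `ss -ltn` output (the same command as step 1) and reports how a port is bound. The function name `classify_listener` and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# classify_listener PORT  (hypothetical helper, not part of LRO)
# Reads `ss -ltn` output on stdin and prints:
#   loopback  every listener on PORT is bound to 127.0.0.0/8 or [::1]
#   exposed   at least one listener on PORT is bound to another address
#   none      nothing is listening on PORT
classify_listener() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            # Column 4 is Local Address:Port; the port follows the last colon.
            n = split($4, parts, ":")
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            found = 1
            # Anything other than loopback (0.0.0.0, [::], *, a LAN IP)
            # is reachable from other hosts unless a firewall blocks it.
            if (addr !~ /^127\./ && addr != "[::1]") exposed = 1
        }
        END {
            if (!found) print "none"
            else if (exposed) print "exposed"
            else print "loopback"
        }'
}

# Constructed sample: support machine with the wildcard bind seen in Fig 2.
SUPPORT_SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      4096   0.0.0.0:5432       0.0.0.0:*'

# Constructed sample: database machine in the posture step 1 expects.
DB_SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      244    127.0.0.1:5432     0.0.0.0:*
LISTEN 0      244    [::1]:5432         [::]:*'

printf 'support machine, port 5432: '
printf '%s\n' "$SUPPORT_SAMPLE" | classify_listener 5432
printf 'database machine, port 5432: '
printf '%s\n' "$DB_SAMPLE" | classify_listener 5432

# Live use on either machine:
#   ss -ltn | classify_listener 5432
```

If the support machine reports `exposed`, other hosts on its network can reach the listen port unless a host firewall blocks it, so restrict inbound access to that port there.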

Notes
