# Tunneled MySQL Connections

This document explains how to connect to a MySQL or MariaDB database through an encrypted TCP tunnel. We use the mysql command line utility, but the same tunnel can be used by GUI tools.

# Basic Connection

  1. Create a TCP tunnel, using either pomerium-cli or the Pomerium Desktop client:

  2. Initiate your MySQL connection, pointing to localhost:

    mysql -h -u USER -p

# Allow Access from Remote Hosts:

  1. Your MySQL or MariaDB service may not accept connections from remote hosts. Find the bind-address key in the configuration files (usually located in /etc/mysql/) and edit it to accept remote connections. For example:

    # Instead of skip-networking the default is now to listen only on
    # localhost which is more compatible and is not less secure.
    bind-address            =
  2. When connecting, you may get an error like ERROR 1130 (HY000): Host '' is not allowed to connect to this MariaDB/MySQL server. You can create a user entry in your database for the Pomerium host:

    CREATE USER 'user'@'pomerium.local' IDENTIFIED BY 'some_pass';
    GRANT ALL PRIVILEGES ON *.* TO 'user'@'pomerium.local'

    Or create a user entry with no host associated:

    CREATE USER 'user'@'%' IDENTIFIED BY 'some_pass';
    GRANT ALL PRIVILEGES ON *.* TO 'user'@'%'

# More Resources

Last Updated: 10/14/2021, 2:35:31 PM

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. Pomerium is a registered trademark.