ConfigsJul 17, 2026·3 min read

Warpgate — Transparent SSH, HTTPS, and Database Bastion

A smart bastion host written in Rust that provides transparent SSH, HTTPS, MySQL, and PostgreSQL proxying with built-in authentication and session recording.

Agent ready

Ready-to-run agent install

This asset can be installed after the agent chooses its runtime, checks the plan, and runs the matching command.

Native · 98/100Policy: allow
Agent surface
Any MCP/CLI agent
Kind
Skill
Install
Single
Trust
Trust: Established
Entrypoint
Warpgate Overview
Direct install command
npx -y tokrepo@latest install 6221a99b-81dd-11f1-9bc6-00163e2b0d79 --target codex

Run after dry-run confirms the install plan.

Introduction

Warpgate is a smart bastion host and privileged access management (PAM) tool written in Rust. It acts as a transparent proxy for SSH, HTTPS, MySQL, and PostgreSQL connections, requiring no additional client-side software. Users connect to Warpgate using their standard tools, and it forwards the connection to the target after authentication.

What Warpgate Does

  • Proxies SSH connections transparently — no agent or special client needed
  • Proxies HTTPS traffic with SNI-based routing to internal web applications
  • Proxies MySQL and PostgreSQL connections with credential injection
  • Records SSH sessions with full terminal replay capability
  • Provides a web-based admin UI for managing targets, users, and audit logs

Architecture Overview

Warpgate is a single Rust binary that listens on configurable ports for SSH, HTTPS, MySQL, and PostgreSQL protocols. For SSH, it implements a full SSH server that authenticates the user, then opens a client connection to the target host. For HTTPS, it performs TLS termination and reverse-proxies to backends. Database proxying intercepts the authentication handshake and injects stored credentials. All sessions are logged to a SQLite database with optional terminal recordings.

Self-Hosting & Configuration

  • Download a prebuilt binary or build from source with cargo
  • Run warpgate setup to generate the initial configuration and admin credentials
  • Configure targets (SSH hosts, HTTPS endpoints, databases) in the YAML config file
  • TLS certificates can be auto-provisioned via built-in ACME (Let's Encrypt) support
  • Authentication supports passwords, SSH keys, SSO via OpenID Connect, or TOTP 2FA

Key Features

  • Zero client-side software required for SSH, HTTPS, and database access
  • Built-in session recording and audit trail with web-based replay
  • OpenID Connect SSO integration for enterprise identity providers
  • Automatic TLS certificate management via ACME
  • Single static binary with embedded web UI, no runtime dependencies

Comparison with Similar Tools

  • Teleport — feature-rich PAM platform; Warpgate is lighter and simpler to deploy
  • Boundary (HashiCorp) — identity-aware proxy; Warpgate adds HTTPS and database proxying
  • Apache Guacamole — browser-based remote desktop; Warpgate focuses on SSH and protocol proxying
  • sshuttle — VPN-over-SSH tool; Warpgate is a bastion proxy with audit capabilities
  • StrongDM — commercial PAM; Warpgate is free, open source, and self-hosted

FAQ

Q: Do users need to install anything on their machines? A: No. Users connect with their standard SSH client, web browser, or database client.

Q: Can I use it as a reverse proxy for web apps? A: Yes. Warpgate can proxy HTTPS traffic to internal web services with automatic TLS.

Q: How are database credentials handled? A: Credentials for target databases are stored in Warpgate's configuration. Users authenticate to Warpgate, which then injects the real credentials when connecting to the target.

Q: Does it support Kubernetes access? A: Warpgate supports SSH and HTTPS proxying which can be used with kubectl via an HTTPS proxy. Native Kubernetes API proxying is a planned feature.

Sources

Discussion

Sign in to join the discussion.
No comments yet. Be the first to share your thoughts.

Related Assets