Introduction
Warpgate is a smart bastion host and privileged access management (PAM) tool written in Rust. It acts as a transparent proxy for SSH, HTTPS, MySQL, and PostgreSQL connections, requiring no additional client-side software. Users connect to Warpgate using their standard tools, and it forwards the connection to the target after authentication.
What Warpgate Does
- Proxies SSH connections transparently — no agent or special client needed
- Proxies HTTPS traffic with SNI-based routing to internal web applications
- Proxies MySQL and PostgreSQL connections with credential injection
- Records SSH sessions with full terminal replay capability
- Provides a web-based admin UI for managing targets, users, and audit logs
Architecture Overview
Warpgate is a single Rust binary that listens on configurable ports for SSH, HTTPS, MySQL, and PostgreSQL protocols. For SSH, it implements a full SSH server that authenticates the user, then opens a client connection to the target host. For HTTPS, it performs TLS termination and reverse-proxies to backends. Database proxying intercepts the authentication handshake and injects stored credentials. All sessions are logged to a SQLite database with optional terminal recordings.
Self-Hosting & Configuration
- Download a prebuilt binary or build from source with cargo
- Run warpgate setup to generate the initial configuration and admin credentials
- Configure targets (SSH hosts, HTTPS endpoints, databases) in the YAML config file
- TLS certificates can be auto-provisioned via built-in ACME (Let's Encrypt) support
- Authentication supports passwords, SSH keys, SSO via OpenID Connect, or TOTP 2FA
Key Features
- Zero client-side software required for SSH, HTTPS, and database access
- Built-in session recording and audit trail with web-based replay
- OpenID Connect SSO integration for enterprise identity providers
- Automatic TLS certificate management via ACME
- Single static binary with embedded web UI, no runtime dependencies
Comparison with Similar Tools
- Teleport — feature-rich PAM platform; Warpgate is lighter and simpler to deploy
- Boundary (HashiCorp) — identity-aware proxy; Warpgate adds HTTPS and database proxying
- Apache Guacamole — browser-based remote desktop; Warpgate focuses on SSH and protocol proxying
- sshuttle — VPN-over-SSH tool; Warpgate is a bastion proxy with audit capabilities
- StrongDM — commercial PAM; Warpgate is free, open source, and self-hosted
FAQ
Q: Do users need to install anything on their machines? A: No. Users connect with their standard SSH client, web browser, or database client.
Q: Can I use it as a reverse proxy for web apps? A: Yes. Warpgate can proxy HTTPS traffic to internal web services with automatic TLS.
Q: How are database credentials handled? A: Credentials for target databases are stored in Warpgate's configuration. Users authenticate to Warpgate, which then injects the real credentials when connecting to the target.
Q: Does it support Kubernetes access? A: Warpgate supports SSH and HTTPS proxying which can be used with kubectl via an HTTPS proxy. Native Kubernetes API proxying is a planned feature.