Tunnel Commands
The doover tunnel command group provides tools for creating and managing secure tunnels to remote Doover agents. This enables SSH access and other network connections to devices that may be behind firewalls or NAT.
Available Commands
| Command | Description |
|---|---|
| get | List tunnels for an agent |
| open | Open an arbitrary tunnel |
| open-ssh | Open an SSH tunnel and connect |
| activate | Activate a tunnel |
| deactivate | Deactivate a tunnel |
| close-all | Close all tunnels for an agent |
Listing Tunnels
The doover tunnel get command lists all tunnels configured for an agent.
Usage
doover tunnel get [OPTIONS]
Options
| Option | Description | Default |
|---|---|---|
| --profile | Configuration profile to use | default |
| --agent | Agent ID to list tunnels for | From profile |
Example
doover tunnel get
Output:
ssh-tunnel (tunnel.doover.com:12345) - Active
http-proxy (tunnel.doover.com:12346) - Inactive
docker-remote (tunnel.doover.com:12347) - Inactive
Opening Tunnels
Opening an Arbitrary Tunnel
The doover tunnel open command creates a tunnel to any hostname and port on the remote device.
Usage
doover tunnel open <ADDRESS> [OPTIONS]
Arguments and Options
| Argument/Option | Description | Default |
|---|---|---|
| ADDRESS | Host and port in format hostname:port | (required) |
| --protocol | Protocol for the tunnel | http |
| --timeout | Tunnel timeout in minutes | 15 |
| --restrict-cidr/--no-restrict-cidr | Restrict to your IP address | True |
| --profile | Configuration profile to use | default |
| --agent | Agent ID for the tunnel | From profile |
Example
# Open HTTP tunnel to local web server
doover tunnel open localhost:8080

# Open TCP tunnel with custom timeout
doover tunnel open 127.0.0.1:5000 --protocol tcp --timeout 30

# Open tunnel without IP restriction (less secure)
doover tunnel open localhost:3000 --no-restrict-cidr
How It Works
- The CLI checks if a tunnel already exists for the specified address
- If an existing tunnel has different settings, it updates the tunnel configuration
- If no tunnel exists, a new one is created
- The tunnel endpoint is returned (e.g., tunnel.doover.com:12345)
IP Restriction
By default, tunnels are restricted to your current public IP address. This means only connections from your IP can use the tunnel. To disable this:
doover tunnel open localhost:8080 --no-restrict-cidr
Note: Disabling IP restriction reduces security. Only use this when necessary.
Opening an SSH Tunnel
The doover tunnel open-ssh command is a convenience wrapper that opens an SSH tunnel and immediately connects.
Usage
doover tunnel open-ssh [OPTIONS]
Options
| Option | Description | Default |
|---|---|---|
| --timeout | Tunnel timeout in minutes | 15 |
| --restrict-cidr/--no-restrict-cidr | Restrict to your IP address | True |
| --profile | Configuration profile to use | default |
| --agent | Agent ID for the tunnel | From profile |
Example
# Open SSH tunnel and connect
doover tunnel open-ssh
Interactive session:
No tunnel found. Opening tunnel...
Please wait...
Activated tunnel tunnel_abc123. Waiting for tunnel to open...
Tunnel is open.
Please enter your SSH username: doovit
Opening SSH session with host: tunnel.doover.com, port: 12345, username: doovit...
The command:
- Creates a tunnel to 127.0.0.1:22 on the remote device
- Waits for the tunnel to become active
- Prompts for SSH username
- Executes ssh to connect through the tunnel
Activating and Deactivating Tunnels
Activating a Tunnel
The doover tunnel activate command activates an inactive tunnel.
Usage
doover tunnel activate [TUNNEL_ID] [OPTIONS]
Arguments
| Argument | Description | Default |
|---|---|---|
| TUNNEL_ID | ID of the tunnel to activate | Interactive selection |
Example
# Activate a specific tunnel
doover tunnel activate tunnel_abc123

# Interactive tunnel selection
doover tunnel activate
When no tunnel ID is provided, you'll be prompted to select from available tunnels:
Select an agent:
> ssh-tunnel (tunnel.doover.com:12345)
  http-proxy (tunnel.doover.com:12346)
  docker-remote (tunnel.doover.com:12347)
Deactivating a Tunnel
The doover tunnel deactivate command deactivates an active tunnel.
Usage
doover tunnel deactivate [TUNNEL_ID] [OPTIONS]
Example
# Deactivate a specific tunnel
doover tunnel deactivate tunnel_abc123

# Interactive tunnel selection
doover tunnel deactivate
Closing All Tunnels
The doover tunnel close-all command closes all tunnels for an agent.
Usage
doover tunnel close-all [OPTIONS]
Options
| Option | Description | Default |
|---|---|---|
| --profile | Configuration profile to use | default |
| --agent | Agent ID | From profile |
Example
doover tunnel close-all
Output:
Successfully closed all tunnels.
This command publishes a message to the agent's tunnels channel requesting closure of all open tunnels.
Tunnel Properties
When a tunnel is created, it has the following properties:
| Property | Description |
|---|---|
| endpoint | The public endpoint (host:port) to connect through |
| hostname | The target hostname on the remote device |
| port | The target port on the remote device |
| protocol | The protocol (tcp, http, etc.) |
| timeout | How long the tunnel stays active (minutes) |
| is_active | Whether the tunnel is currently active |
| ip_restricted | Whether the tunnel is restricted to specific IPs |
| ip_whitelist | List of allowed IP addresses |
| is_favourite | Whether the tunnel is marked as a favourite |
Use Cases
Remote Development
Connect to a development server running on a remote device:
# Open tunnel to development server
doover tunnel open localhost:3000 --timeout 60

# Access at the returned endpoint
curl http://tunnel.doover.com:12345
Remote Docker Access
Access the Docker daemon on a remote device for doover app run:
# Open tunnel to Docker daemon
doover tunnel open localhost:2375 --protocol tcp

# Use with docker commands
export DOCKER_HOST=tcp://tunnel.doover.com:12345
docker ps
Debugging
SSH into a device for debugging:
# Quick SSH access
doover tunnel open-ssh

# Or manually
doover tunnel open 127.0.0.1:22 --protocol tcp
ssh user@tunnel.doover.com -p 12345
Database Access
Connect to a database running on a remote device:
# Open tunnel to PostgreSQL
doover tunnel open localhost:5432 --protocol tcp --timeout 30

# Connect with psql
psql -h tunnel.doover.com -p 12345 -U myuser -d mydb
Security Considerations
- Use IP restriction - Keep --restrict-cidr enabled (default) to limit tunnel access to your IP
- Set appropriate timeouts - Use the minimum timeout needed for your task
- Close tunnels when done - Use doover tunnel deactivate or doover tunnel close-all
- Avoid exposing sensitive services - Be cautious when tunneling to services with sensitive data
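One way to check tunnels against the guidance above, as an added example (not Doover's code or CLI output): it reviews tunnel records for missing or broad IP restriction, long timeouts, and exposure of the ports used in this page's use cases. The record shape is assumed from the Tunnel Properties table; the `rec` helper, the sample data, the timeout threshold and the assumption that ip_whitelist entries are single IPs or CIDR strings are constructed for illustration.

```python
import ipaddress

# Target ports from this page's own use cases, and what they expose.
SENSITIVE_PORTS = {22: "SSH", 2375: "Docker API (no TLS/auth)", 5432: "PostgreSQL"}
MAX_TIMEOUT_MIN = 15  # CLI default timeout; using it as a review threshold is an assumption


def audit_tunnel(t):
    """Return findings for one tunnel record (dict keyed by Tunnel Properties names)."""
    if not t["is_active"]:
        return []  # only active tunnels are reviewed
    findings = []
    if not t["ip_restricted"]:
        findings.append("no IP restriction")
    for entry in (t["ip_whitelist"] if t["ip_restricted"] else []):
        # Assumption: whitelist entries are single IPs or CIDR strings.
        net = ipaddress.ip_network(entry, strict=False)
        if net.num_addresses > 1:
            findings.append(f"whitelist {entry} allows {net.num_addresses} addresses")
    # A sensitive target only matters here when the access control is weak.
    if findings and t["port"] in SENSITIVE_PORTS:
        findings.append(f"exposes {SENSITIVE_PORTS[t['port']]} on port {t['port']}")
    if t["timeout"] > MAX_TIMEOUT_MIN:
        findings.append(f"timeout {t['timeout']} min exceeds {MAX_TIMEOUT_MIN}")
    return findings


def audit(tunnels):
    """Map endpoint -> findings, omitting tunnels with nothing to report."""
    report = {t["endpoint"]: audit_tunnel(t) for t in tunnels}
    return {ep: f for ep, f in report.items() if f}


def rec(ep_port, port, timeout, active, restricted, whitelist):
    """Build a constructed sample record using the page's property names."""
    return {"endpoint": f"tunnel.doover.com:{ep_port}", "hostname": "localhost",
            "port": port, "protocol": "tcp", "timeout": timeout, "is_active": active,
            "ip_restricted": restricted, "ip_whitelist": whitelist}


# Constructed sample data (documentation IP ranges), not real CLI output.
SAMPLE = [
    rec(12345, 22, 15, True, True, ["203.0.113.7"]),        # single-IP restriction: clean
    rec(12346, 2375, 60, True, False, []),                  # unrestricted Docker API, long timeout
    rec(12347, 5432, 30, False, False, []),                 # inactive: skipped
    rec(12348, 5432, 15, True, True, ["198.51.100.0/24"]),  # whitelist wider than one host
]

if __name__ == "__main__":
    for endpoint, findings in audit(SAMPLE).items():
        print(endpoint, "->", "; ".join(findings))
```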
Troubleshooting
Tunnel Not Opening
If the tunnel doesn't become active:
- Verify the agent is online and connected to Doover
- Check that the target service is running on the remote device
- Ensure the agent has permission to create tunnels
Connection Refused
If you can't connect through the tunnel:
- Verify the tunnel is active: doover tunnel get
- Check IP restrictions if connecting from a different location
- Verify the target service is listening on the specified port
SSH Connection Issues
For open-ssh problems:
- Verify SSH is running on the remote device (port 22)
- Ensure your SSH keys or credentials are correct
- Check that the username exists on the remote system
Timeout Too Short
If tunnels close before you're done:
# Create tunnel with longer timeout
doover tunnel open localhost:22 --protocol tcp --timeout 60
For persistent access, consider setting up a proper VPN instead of tunnels.