SSH Tunnel

You can connect Fivetran to your destination using an SSH tunnel when direct port access is not available or when you want an additional layer of security. With this method, Fivetran establishes an outbound SSH connection to a bastion (jump-box) server that you control. The bastion forwards traffic securely to your destination, allowing Fivetran to sync data without exposing the destination to the public internet. This approach is commonly used to keep destinations inside private networks while still enabling Fivetran access through a controlled, encrypted channel.

To connect using an SSH tunnel, you must set up a tunnel server that can reach your destination port. The server’s SSH port must be accessible from Fivetran’s IP addresses. You also need to create a dedicated SSH user account for Fivetran.

Fivetran generates a unique public SSH key for each destination. We support multiple connections on a single SSH tunnel depending on the data volume and network bandwidth.

Follow the SSH tunnel setup instructions for your operating system:

Linux

Expand for instructions

Create SSH user

Create group fivetran:
```
sudo groupadd fivetran
```
Create user fivetran:
```
sudo useradd -m -g fivetran fivetran
```
Switch to the fivetran user:
```
sudo su - fivetran
```
Create the .ssh directory:
```
mkdir ~/.ssh
```
Set permissions:
```
chmod 700 ~/.ssh
```
Change to the .ssh directory:
```
cd ~/.ssh
```
Create the authorized_keys file:
```
touch authorized_keys
```
Set permissions:
```
chmod 600 authorized_keys
```
Using your favorite text editor, add the public SSH key from the destination setup form in your Fivetran dashboard to the authorized_keys file. The key must be all on one line. Make sure that you don’t introduce any line breaks when cutting and pasting. The public SSH key is generated uniquely for each destination.

OpenSSH version 8.8 and higher disable RSA keys by default. To enable RSA key usage, add the following lines to your sshd_config file (located in /etc/ssh):

PubkeyAcceptedAlgorithms=+ssh-rsa,ssh-rsa-cert-v01@openssh.com
HostKeyAlgorithms=ssh-rsa,ssh-rsa-cert-v01@openssh.com

As an extra layer of security, Fivetran enables TLS on your SSH connection by default. We recommend that you keep TLS enabled unless you know it is safe to forgo it. To disable TLS, set the Require TLS through Tunnel toggle to OFF.

If you set the Require TLS through Tunnel toggle to OFF, Fivetran first attempts to connect over TLS inside the SSH tunnel. If this fails, Fivetran automatically retries the connection in clear text inside the SSH tunnel. You are responsible for configuring this option as per your corporate security policies.

Once the user is created, you'll need to allow port access.

Allow port access

Make sure that port access is allowed from:

Fivetran's IP to your tunnel server's SSH port
Your SSH tunnel server to your destination port

If your SSH server and destination are hosted in AWS, you can use the following steps to configure port access.

AWS configuration steps

To configure an SSH server in AWS, open the EC2 console and select Running Instances:
1. Select the instance you intend to use as an SSH tunnel:
2. Select the Security groups and then select default:
3. Go to the Inbound tab.
4. Click Edit.
5. Fill in Fivetran's IP and your SSH port (do not use a load balancer).
6. For VPC or EC2 classic, add a security rule:
7. Select SSH, enter Fivetran's IP, and click Save:
8. To complete setting up your destination connection, follow the setup instructions for your specific destination. You can confirm your server's SSH key by comparing the SHA 256 displayed when running the setup tests.

OpenSSH

Expand for instructions

Install OpenSSH

Learn more in Microsoft's OpenSSH for Windows overview documentation.

Install the sshd server.

Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

Verify that the OpenSSH server is installed.

Get-WindowsCapability -Online | ? Name -like 'OpenSSH.Server*'

If OpenSSH is installed, you'll see the following message:

Name : OpenSSH.Server~~~~0.0.1.0

State : Installed

Set the firewall to allow inbound TCP connections on port 22.

New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22

Start both the sshd service and the ssh-agent.

Start-Service sshd
Set-Service -Name sshd -StartupType 'Automatic'
Start-Service ‘ssh-agent’
Set-Service -Name ‘ssh-agent’ -StartupType 'Automatic'

Create Fivetran user and group

Windows does not allow a user and a group to have the same name.

Add a local Fivetran user.

net user fivetran <password> /add /comment:"User for establishing SSH connection to Fivetran service." /passwordchg:no /passwordreq:no /logonpasswordchg:no

Add a Fivetran group.

net localgroup fivetran-group /comment:"Group for establishing SSH connection to Fivetran service." /add

In Windows command prompt, switch to the SSH server directory.
```
cd C:\ProgramData\ssh\ && start notepad .\sshd_config
```
Allow password authentication for the Fivetran user.
```
PasswordAuthentication yes
```
Allow the Fivetran user to connect to the SSH server. Add the following line to the sshd_config file.
```
AllowUsers fivetran
```

If your Windows build is 1809 or later, comment out the following lines in the sshd_config file:

# Match Group administrators
# AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

Save the sshd_config file.
Restart the agent and the sshd service. If the following command fails, you can restart from the Task Manager (Alt + Ctrl + Delete).
```
Restart-Service ssh-agent; Restart-Service sshd
```

OpenSSH version 8.8 and higher disable RSA keys by default. To enable RSA key usage, add the following lines to your sshd_config file (located in /etc/ssh):

PubkeyAcceptedAlgorithms=+ssh-rsa,ssh-rsa-cert-v01@openssh.com
HostKeyAlgorithms=ssh-rsa,ssh-rsa-cert-v01@openssh.com

Set up client

In your command line, go into the SSH server using Windows VM.
```
ssh fivetran@<Public IPv4 DNS>
```
Enter your password.
Create an .ssh folder in your home directory.
```
mkdir .ssh
```

Add an authorized_keys file.

If your client is Windows PowerShell:

type nul > authorized_keys
echo <fivetran-ui-public-key> >> authorized_keys
icacls C:\Users\fivetran\.ssh\authorized_keys /inheritance:r

If your client is Linux:

touch authorized_keys
chmod 600 authorized_keys
echo <fivetran-ui-public-key> >> authorized_keys

If you're running PowerShell in elevated mode, your setup is complete. If you're not running PowerShell in elevated mode, follow the instructions below.

An elevated PowerShell prompt displays Administrator: Windows PowerShell on the top of the prompt's border.

Finish setup (non-elevated PowerShell only)

Allow public key authentication.
```
PubkeyAuthentication yes
```

Remove password authentication.

PasswordAuthentication no
PermitEmptyPasswords no

Save the sshd_config file.
Verify that inheritance has been disabled and remove Administrator.
a. Right click on the authorized_keys file.
b. Select Properties.
c. Select the Security tab.
d. Select Advanced.
e. Verify that the bottom left reads Enable Inheritance, which means that inheritance is disabled.
f. Remove Administrator from the file security permissions.

Restart the agent and the sshd service.

Restart-Service ssh-agent; Restart-Service sshd

PuTTY/KiTTY

Expand for instructions

Generate private key

Launch PuTTYgen.
Under Actions, click Generate to generate a public/private key combination. The OpenSSH public key appears in the top box.
Make a note of your OpenSSH public key. You will need this later.
Click Save private key. When you're prompted to save a .ppk file, save the file on your desktop.
You do not need to save the key with a passphrase.

Configure connection

Launch KiTTY (run kitty-0.74.4.7.exe on your desktop).
Configure your session.
- Host Name: Enter fivetran@<GCP VM IP>
- Port: 22
In the left menu, click Auth.
In the Private key file for authentication field, enter the private key you created in the previous step.
Click Tunnels.
In the Port forwarding section, make sure that the following checkboxes are selected:
- Local ports accept connections from other hosts
- Remote ports do the same
In the Source port field, add the high port (55432).
In the Destination field, add your destination address and its corresponding port (for example, localhost:5432 for a server hosted on the same VM).
Make sure that Remote is selected.
Click Add to add a port forwarding rule.
In the left menu, go to Connection.
Set the seconds between keepalives value to 5.
Select both Reconnect options.
Return to the Tunnels page.
In the Saved Sessions/New Folder field, enter a name for this connection.
Hit Save. Another session populates in the bottom box.
Click Open, then leave the session open.