Proxy Application Ports

Learn how to connect to your Andasy machine's ports through a secure WireGuard VPN tunnel.

The andasy proxy command allows you to create a secure connection to ports on your Andasy machines through a WireGuard VPN tunnel. This enables you to access services running on your machines (like databases, web servers, or custom applications) directly from your local machine as if they were running locally.

Overview

All Andasy machines are isolated from each other and from the public internet through a private VPN network that uses WireGuard. This isolation provides enhanced security for your applications. The proxy command creates a secure tunnel that forwards traffic from a port on your local machine to a port on your Andasy machine, allowing you to connect to services that aren't publicly exposed.

How It Works

When you run andasy proxy, the CLI:

  1. Establishes a WireGuard VPN connection to your organization's private network
  2. Creates a local listener on your machine at the specified local port
  3. Forwards all traffic from your local port through the VPN tunnel to the remote port on your Andasy machine

This means you can connect to localhost:5000 on your machine, and the traffic will be securely forwarded to port 5432 (or any other port) on your Andasy machine.

Command Syntax

andasy proxy <local_port:remote_port> [flags]

The command requires a port mapping in the format local_port:remote_port, where:

  • local_port is the port on your local machine where the proxy will listen
  • remote_port is the port on your Andasy machine that you want to connect to

Aliases

The proxy command can be invoked using any of the following aliases:

  • proxy
  • tunnel
  • tun

Usage

To create a proxy connection, run:

andasy proxy <local_port:remote_port> -a <app-name>

Replace <app-name> with the name of your application. If you're currently in the root directory of your application, you can omit the -a flag as long as a andasy.hcl file exists in the root directory.

The proxy will remain active until you stop it (usually with Ctrl+C). While it's running, you can connect to the local port using any client application.

Available Flags

FlagShort FormDescriptionRequired
--app-aThe target Andasy application nameYes*
--bind-addr-bLocal address to bind to (default: :: which means all interfaces)No
--debug-dEnable debugging mode for troubleshootingNo
--proto-pProtocol to use: tcp or udp (default: tcp)No
--help-hDisplay help informationNo
--json-jOutput results in JSON formatNo
--verbose-vEnable verbose output for detailed loggingNo

* The -a flag is required unless you're in a directory with a andasy.hcl file.

Examples

Connecting to a PostgreSQL Database

If your application has a PostgreSQL database running on port 5432, you can connect to it from your local machine:

# Start the proxy
andasy proxy 5000:5432 -a my-app

# In another terminal, connect using psql
psql -h localhost -p 5000 -U postgres -d mydatabase

Or using a database GUI tool like DBeaver or pgAdmin, connect to:

  • Host: localhost
  • Port: 5000

Connecting to a Web Server

If your application runs a web server on port 8080, you can access it locally:

# Start the proxy
andasy proxy 3000:8080 -a my-web-app

# Open your browser and navigate to
# http://localhost:3000

Custom Port Forwarding

You can use any local port that's available on your machine:

# Forward local port 9000 to remote port 3306 (MySQL)
andasy proxy 9000:3306 -a my-app

# Forward local port 6379 to remote port 6379 (Redis)
andasy proxy 6379:6379 -a my-app

Binding to a Specific Interface

By default, the proxy listens on all network interfaces (::). To bind to a specific interface (like localhost only):

# Only listen on localhost (more secure)
andasy proxy 5000:5432 -a my-app -b 127.0.0.1

# Listen on all IPv4 interfaces
andasy proxy 5000:5432 -a my-app -b 0.0.0.0

Using UDP Protocol

For services that use UDP (like DNS or some game servers):

# Forward UDP traffic
andasy proxy 5353:53 -a my-app -p udp

Debugging Connection Issues

If you're experiencing connection problems, enable debug mode:

# Enable debug mode to see detailed connection information
andasy proxy 5000:5432 -a my-app -d

Common Use Cases

Database Development and Debugging

Connect your local development tools to databases running on Andasy machines:

# PostgreSQL
andasy proxy 5432:5432 -a my-app

# MySQL/MariaDB
andasy proxy 3306:3306 -a my-app

# Redis
andasy proxy 6379:6379 -a my-app

Testing Web Applications

Access web applications running on Andasy machines without exposing them publicly:

# Forward web server port
andasy proxy 8080:8080 -a my-web-app

# Access via browser at http://localhost:8080

API Development

Test API endpoints locally while they run on remote machines:

# Forward API server port
andasy proxy 3000:3000 -a my-api

# Use curl or Postman to test
curl http://localhost:3000/api/health

Custom Service Access

Connect to any TCP/UDP service running on your Andasy machine:

# Forward any custom port
andasy proxy 9000:9000 -a my-app

Understanding Port Mapping

The port mapping format local_port:remote_port works as follows:

  • 5000:5432 - Listen on local port 5000, forward to remote port 5432
  • 5432:5432 - Listen on local port 5432, forward to remote port 5432 (same port)
  • 3000:8080 - Listen on local port 3000, forward to remote port 8080

You can use any available local port. If a port is already in use, choose a different one.

Security Considerations

  • Private Network: All traffic goes through WireGuard VPN, ensuring it's encrypted and isolated
  • No Public Exposure: Services don't need to be publicly accessible; they remain private
  • Organization Isolation: Machines are isolated by organization, so you can only proxy to machines in your own organization
  • Local Binding: Use -b 127.0.0.1 to only allow connections from your local machine

Troubleshooting

Port Already in Use

Problem: Error message indicating the local port is already in use.

Solution:

  • Choose a different local port: andasy proxy 5001:5432 -a my-app
  • Or stop the application using the port: lsof -i :5000 (Linux/Mac) or netstat -ano | findstr :5000 (Windows)

Connection Refused

Problem: Cannot connect to the proxied port.

Solutions:

  • Verify the remote port is correct and the service is running
  • Check that the app name is correct: andasy apps list
  • Ensure you're in the correct organization
  • Try enabling debug mode: andasy proxy 5000:5432 -a my-app -d

App Not Found

Problem: Error indicating the app doesn't exist.

Solution:

  • Verify the app name: andasy apps list
  • Ensure you're authenticated: andasy auth status
  • Check that you have access to the organization

VPN Connection Issues

Problem: Proxy fails to establish VPN connection.

Solutions:

  • Check your internet connection
  • Verify WireGuard is properly configured (usually automatic)
  • Try with verbose mode: andasy proxy 5000:5432 -a my-app -v
  • Ensure you have proper permissions for the organization

Service Not Responding

Problem: Proxy connects but the service doesn't respond.

Solutions:

  • Verify the service is running on the remote machine: andasy ssh -a my-app then check the service
  • Confirm the remote port number is correct
  • Check if the service is bound to localhost only (should bind to 0.0.0.0 or the VPN interface)

Best Practices

  1. Use Specific Ports: Choose local ports that don't conflict with common services (avoid 22, 80, 443, 5432, etc. unless necessary)

  2. Bind to Localhost: For security, bind to 127.0.0.1 when you only need local access:

    andasy proxy 5000:5432 -a my-app -b 127.0.0.1

  3. One Proxy Per Terminal: Run each proxy in its own terminal window so you can easily stop them individually

  4. Check Port Availability: Before starting a proxy, ensure the local port is available

  5. Use Debug Mode: When troubleshooting, always use -d flag to see detailed connection information

Further Resources