SOCKS5 Network Transport
SOCKS5 network transports enable Firetiger agents to connect to databases and services that sit behind a SOCKS5 proxy — typically a bastion host or jump box that fronts a private network. This is useful when your data sources are not reachable from the public internet but are reachable from a proxy you already operate.
How It Works
- You run a SOCKS5 proxy (e.g., on a bastion host) that can reach your private database or service
- You create a Firetiger Network Transport with the proxy’s host, port, and optional credentials
- You create a Firetiger Connection that uses this SOCKS5 Network Transport
- When an agent queries the connection, Firetiger’s proxy opens a connection to your SOCKS5 server, which dials the target on its behalf
Because Firetiger only talks to the SOCKS5 proxy, the target host only needs to be reachable from the proxy — not from Firetiger directly. Unlike the Tailscale transport, SOCKS5 is stateless: there is no ephemeral node to provision, so connections do not pay a tailnet cold-start cost.
Prerequisites
- A running SOCKS5 (RFC 1928) proxy reachable from Firetiger’s network transport proxy
- The target database or service must be reachable from the SOCKS5 proxy
- If the proxy requires authentication, a username and password (RFC 1929 username/password authentication is supported)
Setup
Step 1: Run a SOCKS5 Proxy
Stand up a SOCKS5 proxy on a host that can reach your private targets and is itself reachable from Firetiger. A standalone SOCKS5 server such as Dante running on a bastion host is a common choice.
An SSH dynamic forward (ssh -D) also speaks SOCKS5, but note that it opens the listener on the machine where you run ssh — not on the remote host — and tunnels traffic through the SSH connection. Run it on a host Firetiger can reach (not your laptop):
```bash
# run on a Firetiger-reachable host; tunnels out through `bastion`
ssh -D 0.0.0.0:1080 user@bastion
```
The proxy must be reachable from Firetiger. Bind it to an interface and address that Firetiger’s network transport proxy can connect to (not only `127.0.0.1`), and restrict access with a firewall or username/password auth.
Step 2: Create the Network Transport
Create the network transport in Firetiger using the proxy’s connection details:
- Navigate to https://ui.cloud.firetiger.com/integrations/network-transports
- Create Network Transport > SOCKS5 Proxy
- Enter your SOCKS5 proxy connection details:
| Field | Required | Description |
|---|---|---|
| `displayName` | Yes | A human-readable name for the transport |
| `host` | Yes | SOCKS5 proxy hostname or IP, reachable from Firetiger |
| `port` | Yes | SOCKS5 proxy port (e.g., 1080) |
| `username` | No | Username for SOCKS5 username/password authentication (RFC 1929) |
| `password` | No | Password for SOCKS5 authentication. Stored in a secrets manager; omitted from create/update/list responses but returned by Get (like `tailscale.oauthClientSecret`) |
You can also create the transport via the API:
```bash
ftops api network-transports create --id <transport-id> --from-file transport.json
```

```json
{
  "displayName": "Bastion SOCKS5",
  "socks5": {
    "host": "bastion.internal.example.com",
    "port": 1080,
    "username": "firetiger",
    "password": "secret"
  }
}
```
Step 3: Create a Connection Using the Transport
- Create a Connection via https://ui.cloud.firetiger.com/integrations/connections/new
- Select a Connection type (e.g. Postgres, or an MCP server)
- Under Network Transport, select your SOCKS5 Network Transport
- Configure the Connection details
The host should be the address of the target as the SOCKS5 proxy resolves it — for example, the private IP or internal DNS name reachable from the bastion (such as db.internal.example.com). The proxy performs the final dial, so the target does not need to be reachable from Firetiger directly.
For HTTP-based connections such as MCP servers, the server URL points at the same target host and the service’s port — e.g. http://db.internal.example.com:8080/. Both http:// and https:// server URLs work over a transport.
Click Save + Test to verify that the connection is working.
Troubleshooting
Connection refused when establishing the transport
Firetiger could not reach the SOCKS5 proxy itself. Verify that host and port are correct and that the proxy is reachable from Firetiger’s network (not bound only to 127.0.0.1, and not blocked by a firewall).
Authentication failed
The proxy requires username/password authentication and the supplied credentials are missing or incorrect. Update the network transport’s username and password. If you rotate the password on the proxy, update it on the transport as well.
Transport establishes but the connection times out
The SOCKS5 proxy connected, but it could not reach the target host and port.
- Verify the target is reachable from the proxy host (e.g., `nc -vz db.internal.example.com 5432` from the bastion)
- Confirm the connection’s `host`/`port` use an address the proxy can resolve and route to (a private IP or internal DNS name), not a public endpoint
- Check that the proxy’s egress firewall allows the target host and port
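
The three troubleshooting cases above can be told apart by walking the SOCKS5 exchange by hand: RFC 1928 greeting, optional RFC 1929 login, then CONNECT. The following diagnostic is an added example, not Firetiger code; the function names, the diagnosis strings and the choice of a domain-name CONNECT (so the proxy does the resolving) are assumptions made for illustration.

```python
import socket
import struct

# Added example, not Firetiger code. RFC 1928 reply codes mapped to the page's cases.
REPLY_MEANING = {
    0x00: "ok: proxy reached the target",
    0x02: "proxy ruleset blocks this target",
    0x04: "host unreachable from the proxy (check DNS and routing there)",
    0x05: "target refused the connection (wrong port or service down)",
}

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf

def socks5_probe(sock, target_host, target_port, username=None, password=None):
    methods = b"\x00\x02" if username else b"\x00"  # no-auth, username/password
    sock.sendall(b"\x05" + bytes([len(methods)]) + methods)
    ver, method = _recv_exact(sock, 2)
    if ver != 5:
        return "not a SOCKS5 proxy"
    if method not in methods:  # 0xFF: none of the offered methods accepted
        return "authentication failed: proxy accepts none of the offered methods"
    if method == 0x02:  # RFC 1929 sub-negotiation
        user, pw = username.encode(), (password or "").encode()
        sock.sendall(b"\x01" + bytes([len(user)]) + user + bytes([len(pw)]) + pw)
        if _recv_exact(sock, 2)[1] != 0:
            return "authentication failed: credentials rejected"
    # CONNECT with ATYP 0x03 (domain name) so the proxy resolves the target.
    host = target_host.encode("idna")
    sock.sendall(b"\x05\x01\x00\x03" + bytes([len(host)]) + host
                 + struct.pack("!H", target_port))
    rep = _recv_exact(sock, 4)[1]
    return REPLY_MEANING.get(rep, f"proxy error code {rep:#04x}")

def diagnose(proxy_addr, target_host, target_port, username=None, password=None):
    try:
        sock = socket.create_connection(proxy_addr, timeout=10)
    except OSError as exc:  # refused, timed out, no route
        return f"cannot reach the SOCKS5 proxy itself: {exc}"
    with sock:
        try:
            return socks5_probe(sock, target_host, target_port, username, password)
        except OSError as exc:  # includes a timeout while the proxy dials the target
            return f"proxy reachable, but handshake or target dial failed: {exc}"
```

Run `diagnose(("bastion.internal.example.com", 1080), "db.internal.example.com", 5432, "firetiger", password)` from a host that sits where Firetiger’s transport proxy does, since a result from any other network position says nothing about that path. The login step sends the password exactly as RFC 1929 defines it, which is unencrypted on the wire.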