`viaduct` is a simple and powerful CLI application for creating, managing, and using SSH tunnels via a bastion host. It securely delegates secret management to `gopass`.

- Configuration Management: Easily add, list, and delete multiple tunnel configurations.
- `gopass` Integration: Passwords and TOTP secrets are securely managed via your `gopass` password store.
- Background Process Management: Start and stop tunnels that run as background processes without blocking your terminal.
- TOTP Support: Handles bastion connections that require a TOTP code by retrieving the secret from `gopass`.

Before using `viaduct`, you must install and configure the following tools on your machine:

- Go (version 1.22+): To compile the application. See: go.dev
- GnuPG (GPG): The encryption tool used by gopass.
- gopass: The command-line password manager. See: gopass.pw

You must have a `gopass` store initialized with a valid GPG key.

- Clone this repository.
- Open a terminal in the `viaduct` folder and run:

  ```
  # Download the necessary dependencies
  go mod tidy
  # Compile the binary
  go build .
  ```
- (Optional) Move the `viaduct` binary to a directory in your system's `PATH`.

Adds a new configuration. If a password or TOTP secret is required, `viaduct` will invoke `gopass` to prompt you for it securely.

```
$ ./viaduct add
# ... configuration questions ...
# If you choose password authentication:
Preparing to save the secret in gopass at path: viaduct/my-tunnel/bastion_password
Gopass will now prompt you for the secret...
gpg: [... gpg prompts for your passphrase ...]
Enter password for viaduct/my-tunnel/bastion_password:
Retype password for viaduct/my-tunnel/bastion_password:
✅ Secret saved successfully in gopass.
✅ Tunnel 'my-tunnel' added successfully.
```

`viaduct start [tunnel_name]`

Starts a tunnel. `viaduct` will automatically fetch the necessary secrets from `gopass`.
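
An added illustration (not viaduct's own code) of fetching a tunnel's bastion password from `gopass` at start time, so the secret never lives in the tunnel configuration. The function names, the injectable `runner`, and the tunnel-name allowlist are assumptions; the secret path layout follows the one shown in the `add` output above.

```go
package main

import (
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// runner executes a command and returns its stdout; tests swap in a fake.
type runner func(name string, args ...string) ([]byte, error)

func execRunner(name string, args ...string) ([]byte, error) {
	return exec.Command(name, args...).Output()
}

// Tunnel names become gopass path segments and command arguments, so allow
// only a conservative set (assumed policy): no "/", no "..", no leading "-".
var validName = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$`)

// secretPath builds viaduct/<tunnel>/<key>, the layout shown in the README.
func secretPath(tunnel, key string) (string, error) {
	if !validName.MatchString(tunnel) {
		return "", fmt.Errorf("invalid tunnel name %q", tunnel)
	}
	return "viaduct/" + tunnel + "/" + key, nil
}

// bastionPassword runs `gopass show -o <path>`, which prints only the password.
func bastionPassword(run runner, tunnel string) (string, error) {
	p, err := secretPath(tunnel, "bastion_password")
	if err != nil {
		return "", err
	}
	out, err := run("gopass", "show", "-o", p)
	if err != nil {
		return "", fmt.Errorf("gopass show %s: %w", p, err)
	}
	pw := strings.TrimRight(string(out), "\r\n")
	if pw == "" {
		return "", fmt.Errorf("gopass returned an empty secret for %s", p)
	}
	return pw, nil
}

func main() {
	_, err := bastionPassword(execRunner, "my-tunnel")
	fmt.Println("lookup error (the secret itself is never printed):", err)
}
```

Rejecting the name before calling `gopass` keeps a crafted tunnel name from addressing entries outside `viaduct/` or being parsed as a command-line option.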

`viaduct stop | list | delete`

These commands work as before. `delete` will also remove the associated secrets from the `gopass` store.