Frequently asked questions

Can I use the OpenSSH client when using Border0?

Yes, you can! ie, you will be able to ssh to machines just like you were used to before like this:

ssh [email protected]

To do that, make sure you add the following to your SSH configuration.

Match host *border0.io exec "border0 client ssh-keysign --host %h"
  IdentitiesOnly yes
  IdentityFile ~/.ssh/%h
  ProxyCommand border0 client tls --host %h
  ServerAliveInterval 120
  ServerAliveCountMax 2

Here we use the SSH ProxyCommand to make sure traffic goes through Border0. Note that the border0 client needs to be installed on your system. This is needed so we can help authenticate the user and tunnel the traffic securely through the Border0 cloud to your connector.

A simple one-liner to add this to your ssh config can be found below:

echo -e "Match host *border0.io exec \"border0 client ssh-keysign --host %h\""\
"\n  IdentitiesOnly yes"\
"\n  IdentityFile ~/.ssh/%h"\
"\n  ProxyCommand border0 client tls --host %h"\
"\n  ServerAliveInterval 120"\
"\n  ServerAliveCountMax 2" | tee -a ~/.ssh/config

Can I use Ansible when using Border0?

yes, you can! Make sure to update your ssh config file as described here and it should just work!

What database clients does Border0 support?

Border0 integrates with a various database clients. This means you can use the Border0 cli, discover all database you have access to as a client, and Border0 can help you start your favorite database client with the correct configuration. Currently the following database clients are supported:

  • mysql
  • mysqlworkbench
  • mycli
  • dbeaver
  • datagrip
  • psql
  • pgcli

Can I use any database client to connect to a database through Border0?

Yes, you can connect any database client to a local listerner like this (select "local listener" as a client).

$ border0 client db
? choose a host: rnacentral-border0-demo.border0.io [created by andree]
? choose a client: local listener
listening on

This will start a TCP listener on the printed port, in this example port 58808. You can now use any database client to connect to that local listener and connect to your database through Border0.

Are there any example or sandbox server I can connect to?

Absolutely! To help you get hands-on experience with Border0, we offer a variety of sandbox servers that serve as Socket origin servers. These servers are designed to let you test different functionalities, including SSH, HTTP, MySQL, and PostgreSQL connections. Below are the details:

TypeDNS Namecredentials
port 22
username: border0
password: Border0<3Ssh
port 80 (http)
no auth required
port 3306
username: border0
password: Border0<3MySql
port 5432
username: border0
password: Border0<3Psql
port 5900
password: Border0<3VNC
TCP Echotcp.playground.border0.io
port 9000
no auth required

You can use these servers to test various functionalities and configurations of Border0. It's a safe way to understand how the system works and to validate your use-cases. Note these instances will be periodically wiped and are monitored for abuse.

How do I make sure a user has read-only access to my Mysql or Psql database

Using border0 policies you can configure what type of commands, or queries a user is allowed to perform on your mysql or postgres database.

A read only policy would look like this

    "action": [
    "condition": {
        "when": {
            "after": "2022-02-02T22:22:22Z",
            "before": null,
            "time_of_day_after": "00:00 UTC",
            "time_of_day_before": "23:59 UTC"
        "where": {
            "allowed_ip": [
            "country": null,
            "country_not": null
        "who": {
            "domain": null,
            "email": [
                "[email protected]"
    "version": "v1"

For more information see this section on database policies.

How do I modify the left side menu in client.border0.com?

The client portal, as shown below, allows Border0 administrators to group sockets for easy and convenient navigation. The grouping is then represented as the left-side menu, as seen below. Grouping can be modified by adding tags to your sockets. The following tag naming convention is used:

border0_client_categoryThis is the name used as the main categorization. If the it contains the string aws, gcp, google or azure we'll automatically assign the corresponding icon. For any other type, we'll use a generic icon.
If the value looks like an AWS account number, then we'll also add an AWS icon.
border0_client_subcategoryIs shown as a sub-menu under the border0_client_category item.
border0_client_iconIf present, the value of this will be rendered as the icon on the socket tile.
The following reserved values will render the corresponding icons: aws_ec2 aws_ecs aws_rds docker kubernetes network mysql postgresql
Alternatively, you can pick any icon name from https://icon-sets.iconify.design/ to be rendered as the icon. For example: octicon:thumbsup-16
border0_client_icon_urlsame as border0_client_icon, and can take any img url which will be shown as the icon, Takes precedence over border0_client_icon
border0_client_icon_textThis text string will be used as the tooltip text a user sees when hovering over the border0_client_icon (see above). This can be any text string.

Tags can be added to a Socket at any time by editing the Socket details and add/delete/modify the tags.

Managing tags for Sockets

Managing tags for Sockets

How do I run the Border0 connector as a Docker container?

Running the connector from a container is easy. As long as the Border0 binary is available on the container and you have a connector token.
First create, create a new connector, or select one from your existing connectors here

From there, navigate to token tab, and create a new token for your connector.
Now you can start the connector like this from Docker.

BORDER0_TOKEN=xxxx border0 connector start 

You can also use the Border0 Docker image, and use it like this, this basically gives you an instant Bastion host.

$ docker run -ti -e BORDER0_TOKEN=$CONNECTORTOKEN ghcr.io/borderzero/border0 connector start

Alternatively, you can store the token in a file, and mount it as a volume, and provide the connetcor with the appropriate config file like below

$ cat ~/config.yaml

$ docker run -ti -v ~/config.yaml:/etc/border0/config.yaml ghcr.io/borderzero/border0 connector start --config /etc/border0/config.yaml

{"level":"info","ts":"2023-09-13T21:21:11Z","msg":"reading the config","config_path":"/etc/border0.conf"}
{"level":"info","ts":"2023-09-13T21:21:11Z","msg":"starting the connector service"}
{"level":"info","ts":"2023-09-13T21:21:11Z","msg":"connecting to connector server","server":"capi.border0.com:443"}
{"level":"info","ts":"2023-09-13T21:21:12Z","msg":"new socket","socket":"7e4a4fdd-c23c-4b84-9c85-1a9da3498753"}
Welcome to Border0.com
docker-connector-ssh - https://client.border0.com/#/ssh/docker-connector-ssh-border0-demo.border0.io


How do I accesses my Kubernetes containers

Using Border0, you can make kubectl exec functionality available to users without these users needing a VPN and using just their SSO credentials.
Border0 admins can create an SSH socket with service type 'kubectl exec'. Make sure that the connector has the correct permissions to connect to the Kubernetes API. For more details, also see kubernetes example and docs here

I have a web app in a Docker container, how do I make that available?

There are various ways to do this. In this FAQ we'll assume you have a one-off web app, say an internal web app that runs on one container, and you'd like to make it available to your SSO users. To do this we'll run the border0 connector and the webapp in Docker with the help of supervisord. In this example we'll use a simple http python web server that runs on localhost port 12345.

Follow the steps below, Also see this video for video demo of these steps

  1. create a new connector in the portal
  2. Create a token for that connector in the portal (token tab) and record the token.
  3. Create an HTTP socket linked to your connector. Record the Socket name for later. Use the web app as upstream information, in this casehttp://localhost:12345
  4. create a supervisord.conf config file that looks like this. This start a python web server and the border0 connector.
command=python3 -m http.server 12345
command=/border0 connector start --config /etc/border0.yaml
  1. create a border0.yaml file with the token:
token: eyJhbGxxxxx..
  1. Create a Dockerfile
# Use a base image with Python installed
FROM python:3.8-slim
# Install 'border0' package and supervisord
RUN apt-get update && apt-get install -y supervisor
# Copy our supervisord.conf file from our project directory into the Docker container
COPY supervisord.conf /etc/supervisor/conf.d/supervisord.conf
ADD https://download.border0.com/linux_amd64/border0 /
run chmod a+rx /border0
COPY border0.yaml /etc/border0.yaml
# Run supervisord
CMD ["/usr/bin/supervisord"]

Now build and start the docker container:

docker build . -t border0container
docker run  border0container

Alternatively, you can provide the BORDER0_TOKEN as an enviroment variable to Docker like below. In that case remove --config /etc/border0.yamlfrom the supervisord file.

docker run -e BORDER0_TOKEN=$CONNECTORTOKEN border0container

Your HTTP Service should now be available through border0 using the socket name recorded in step 3 above.

How do I know what my Border0 org name is?

You can find the organization name in the top left corner of the admin portal. The org name shown there is the one you're currently logged into. Note that as an administrator you can have multiple organizations. Listing them and changing between them can be from the Organizations page

What Single sign-on Identity providers are supported

By default the following identity providers are enabled for Clients to log in and authenticate in order to access Sockets.

  • Google
  • Github
  • Azure

Premium Border0 customers can use the "bring your own identity provider" feature. This allows you to integrate with existing identity providers such as Google Workspace, Okta, or any OpenID Connect (OIDC) or SAML provider. For more details see our docs on identity providers and this blog: Introducing Custom Identity Providers for Border0.

How do I delete my border0 account?

To request your personal information be deleted, contact [email protected].

Can I get a notification when my connectors is offline?

Yes, you can configure each connector to send a state notifications message from the organization notification settings page.
So note: you need a notification profile. More documentation about notifications can be found at https://docs.border0.com/docs/setup-notifications

To enable a notification for Connector status changes, make sure you enable this event type in the notification profile.
By default, all connectors will send a notification message when it's offline for more than 10 minutes and when they return online. The duration interval can be configured in the connector details page.