Access to ports only open on localhost

I’m looking at using Tailscale to replace a badly homebrewed SSH port forwarding service and I’m a little inexperienced in lower level networking. I have a Microsoft SQL Server running on a remote machine that isn’t opening its port to external access. With my SSH port forwarding service it works well enough to forward the port to a jump server where it can be accessed remotely but just simply installing Tailscale (no ACL) seemed to require me to switch it to external access and add a Windows firewall record to allow incoming traffic.

What am I missing (software, config etc…) to avoid changing the SQL server config but still access it as if I was remoting into the machine?
Note:
I can access the SQL Server locally with their management tool.
I can access the SQL Server remotely by forwarding the local port the server is listening on.
I want to avoid needing to change the configuration of anything existing but obviously if I’m installing Tailscale then I could install something else at the same time if needed.

I think you’re going to need something other than just Tailscale - that won’t redirect local-only ports like SSH will.
If you already have a link in, or are willing to install another tool to do it, then I’d suggest it’s a better solution just to open SQL Server directly. You don’t have to open it to anything other than the Tailscale network - restrict to either the network interface or network range in the Windows firewall or SQL Server configuration and it won’t talk to anything else.

Adding another different layer is not really going to be any better than the SSH port forwarding you’ve got now, either in complexity or security.

My suggestions (in order):

  1. if you don’t want to change the SQL setting, personally I’d say think again. By forwarding the local port, you’re opening it up anyway, just in a less conventional and supportable way.
  2. If you can’t change the SQL settings for another reason, the SSH solution is probably as good as anything else you’d end up with. I can’t think of anything better off the top of my head.
  3. I’d only look for something else if the extra machine (jump server) is a problem. I’m afraid I don’t know of anything myself - most of my servers are Linux and SSH is the obvious answer there. When I do use Windows, I find PowerShell is very good these days - a quick search found this but I’ve not read it past the first couple of lines. It seems to be a Windows equivalent of SSH port forwarding though.
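The interface- and range-restricted firewall opening described in the reply above, as an added example that is not part of the original thread. It assumes SQL Server listens on TCP 1433, that the Tailscale adapter is named "Tailscale", and that the DB owners have already enabled SQL Server's TCP/IP protocol so it binds beyond 127.0.0.1.

```powershell
# Added example (not from the thread). Assumptions: SQL Server on TCP 1433,
# Tailscale adapter alias "Tailscale", SQL Server TCP/IP already enabled.
$SqlPort     = 1433
$TsInterface = 'Tailscale'
$TsRange     = '100.64.0.0/10'   # Tailscale's CGNAT address range

# Weak form (commented out): an unscoped "allow incoming traffic" rule, which
# is what the question wanted to avoid. It admits any remote address on any
# interface, not just the tailnet.
# New-NetFirewallRule -DisplayName 'SQL Server (any)' -Direction Inbound `
#     -Protocol TCP -LocalPort $SqlPort -Action Allow

# Scoped form: allow only Tailscale peers, and only via the Tailscale adapter.
New-NetFirewallRule -DisplayName 'SQL Server (Tailscale only)' `
    -Direction Inbound -Protocol TCP -LocalPort $SqlPort `
    -RemoteAddress $TsRange -InterfaceAlias $TsInterface `
    -Profile Any -Action Allow

# Verify the rule's remote-address scope before trusting it.
Get-NetFirewallRule -DisplayName 'SQL Server (Tailscale only)' |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress

# Confirm SQL Server actually listens on the Tailscale address. If the only
# LocalAddress shown is 127.0.0.1, the firewall rule alone will not help,
# which is the localhost-only symptom the thread describes.
$TsAddr = (Get-NetIPAddress -InterfaceAlias $TsInterface -AddressFamily IPv4).IPAddress
Get-NetTCPConnection -State Listen -LocalPort $SqlPort |
    Select-Object LocalAddress, LocalPort
"Expecting a listener on 0.0.0.0 or $TsAddr"

# From another tailnet node, check reachability over the tailnet only:
# Test-NetConnection -ComputerName <server-tailscale-ip> -Port 1433
```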

Thanks for the detailed response. I think you are right that the best solution is to simply ask the DB owners to configure the server to allow TCP connections via the Tailscale network interface. The existing homebrew solution can be a bit flaky in terms of reliable connectivity and lacks automatic certificate rotation, so Tailscale has some distinct benefits.

I tinkered with Windows local port proxying but while it looked like I could pair up the ports, the DB still wouldn’t allow a connection via the Tailscale network interface. I think it’s more a limitation of the DB server than the configuration though. But it shows that applying the KISS principle is probably the best even if it requires a more skilled person to do the initial configuration.