Connect your server

After you log in for the first time, /app shows a Connect your server card. This is where you tell the dashboard how to reach the box you'll install Proxima Gateway on.

The form

The SSH user is locked to root for the install — Proxima needs to write to /usr/local/bin, place a systemd unit, and restart the service.

Allowlist note

If your server only accepts SSH from specific IPs, you'll see a yellow "Allow these IPs first" panel above the form. Copy each IP into your firewall's inbound SSH allowlist (or ufw allow from <ip> to any port 22) before testing the connection.

Test connection

Click Test connection. The dashboard:

1. Opens an SSH session with the credentials you entered.
2. Runs id -u && uname -srm to confirm it landed as root and to read the OS string.
3. Closes the session.

You'll see one of three results:

• ✅ Connection successful — you'll see the OS line (e.g. Linux 5.15.0-91-generic x86_64). Now click Save credentials.
• ❌ Authentication failed — wrong password, or root login is disabled in /etc/ssh/sshd_config (PermitRootLogin yes to enable).
• ❌ Connection refused / timed out — the dashboard's IP isn't allowed inbound, or SSH is on a non-default port and you haven't updated the SSH port field.

Save credentials

Once the test passes, Save credentials persists the values:

• host, port, user are stored as plain columns
• password is encrypted with AES-256-GCM using the dashboard's KEK (the SERVER_SSH_KEY_KEK env var, never logged or returned by any API)

The card flips to Connected — ready to install.

Changing credentials later

If your server's IP changes or you rotate the root password:

1. Click Change credentials (visible on the Connected card before install, or use Edit after install).
2. Re-test and re-save.

The encrypted blob is overwritten — there's no history kept of the old password.

Next → Install the binary