How to Setup QG Shield, QGTunnel with SFTP

    Table of contents

    As we all know, Secure FTP allows you to transfer data securely between servers. So how do we set that up with QuotaGuard Shield?

    We suggest you use a SOCKS proxy using our QGTunnel software. These setup instructions should get you started:

    Step 1. Download QGTunnel and Save to Root of Your Project

    curl | tar xz

    Step 2. Log in to our dashboard and setup the tunnel

    Using the Heroku CLI you can log into our dashboard with the following command:

    heroku addons:open quotaguardstatic

    Or if you prefer, you can login from the Heroku dashboard by clicking on QuotaGuard Static on the resources tab of your application.

    Once you are logged into our dashboard, in the top right menu, go to Setup (Gear Icon), click on QGTunnel Configuration, then Create Tunnel.

    Remote Destination: tcp://
    Local Port: 2222
    Transparent: true
    Encrypted: false

    This setup assumes that the remote SFTP server is located at and is listening on port 22. This is usually the default port.

    The Local Port is the port number that QGTunnel will listen on. In this example we set it to 2222, because port 22 is probably in use on the localhost and it is also in the reserved port range (0-1023).

    Transparent Mode allows QGTunnel to override the DNS for to, which redirects traffic to the QGTunnel software. This means you can connect to either or to connect through the tunnel.

    Encrypted Mode is disabled because SFTP is already encrypted and you will not want to waste your time setting up additional end-to-end encryption.

    Step 3.

    Change Your Code to Connect Through the Tunnel.

    With transparent mode you will only have to change to connect to port 2222 instead of 22. You can also connect to

    Without transparent mode, you will want to connect to

    Step 4:

    Change the startup code that starts up your application. In Heroku this is done with a Procfile. Basically you just need to prepend your startup code with “bin/qgtunnel”.

    So for a Procfile that was previously:

    web: your-application your arguments

    you would now want:

    web: bin/qgtunnel your-application your arguments

    If you do not have a Procfile, then heroku is using a default setup in place of the Procfile based on the framework or language you are using. You can usually find this information on the Overview tab of the application in Heroku’s dashboard. It is usually under the heading “Dyno Information”.

    Step 5:

    Commit and push your code.

    Be sure that the file bin/qgtunnel is added to your repository.

    If you are using transparent mode, be sure that vendor/nss_wrapper/ is also added to your repository.

    If you are not using transparent mode, you will want to set the environment variable QGTUNNEL_DNSMODE to DISABLED to avoid seeing an error message in your logs.

    Step 6:

    If you have problems, enable the environment variable QGTUNNEL_DEBUG=true and then restart your application while watching the logs. Send QuotaGuard Support the information in the logs. Please redact any sensitive information, including your QuotaGuard connection URL.


    After you get everything working, I suggest you download your QGTunnel configuration from our dashboard as a .qgtunnel file and put that in the root of your project. This prevents your project from relying on our website during startup.

    Alternatively you can put the contents of the downloaded configuration file in a QGTUNNEL_CONFIG environment variable.

    Ready to Get Started?

    Get in touch or create a free trial account