diff --git a/docs/.vuepress/config.js b/docs/.vuepress/config.js index b56de69d4..7a6b30340 100644 --- a/docs/.vuepress/config.js +++ b/docs/.vuepress/config.js @@ -158,6 +158,7 @@ module.exports = { "local-oidc", "mtls", "nginx", + "tcp", "tiddlywiki", "traefik-ingress", "vs-code-server", diff --git a/docs/guides/tcp.md b/docs/guides/tcp.md new file mode 100644 index 000000000..cbbb471fe --- /dev/null +++ b/docs/guides/tcp.md 
@@ -0,0 +1,174 @@ +--- +title: TCP Services +lang: en-US +meta: + - name: keywords + content: pomerium identity-access-proxy ssh tcp postgres database redis mysql +description: >- + This guide covers how to use Pomerium to protect TCP services such as SSH, Postgres and Redis. +--- + +# Securing TCP based services + +The following guide demonstrates how to use Pomerium's [TCP Proxying](/topics/tcp-support.md) support with various TCP services such as databases and other non-HTTP protocols. It also covers integration points with them when possible. + +The source files from this guide can be found on [GitHub](https://github.com/pomerium/pomerium/tree/master/examples/tcp/). + +## Background + +When replacing a traditional VPN, there are often non-HTTP based applications which must still be reachable. Pomerium is able to provide the same type of protection to these services by using a client side application to proxy TCP connections. Authentication and authorization configuration is shared with standard HTTP routes, and the underlying transport is still encrypted between the end-user and Pomerium. + +Important notes: + +- Pomerium authorizes HTTP on a request-by-request basis, but TCP is authorized on a per-connection basis. +- Pomerium is only authorizing the TCP *connection*. It does not interact with application level authorization systems at this time. + +## How it works + +* Create a standard Pomerium configuration for your [identity provider (IdP)](/docs/identity-providers/) +* `pomerium-cli` runs on your workstation, listening on loopback for TCP connections +* When an inbound connection is made, `pomerium-cli` proxies the connection through `pomerium`, authenticating the user if needed +* Pomerium authorizes the connection and forwards it to the upstream service +* The connecting application functions as normal + +## Pre-requisites + +This recipe is designed to run on a local docker-compose instance. 
The included configuration can be adopted for any TCP service, however. + +* docker +* docker-compose +* A copy of the [example repo](https://github.com/pomerium/pomerium/tree/master/examples/tcp/) checked out +* Valid credentials for your OIDC provider +* The [Pomerium Client](/docs/installation.md#pomerium-cli) installed +* (Optional) `mkcert` to generate locally trusted certificates + +## Certificates (optional) + +This demo comes with its own certificates, but `pomerium-cli` and your browser will not trust them by default. You may instead provide your own or use [mkcert](https://github.com/FiloSottile/mkcert) to generate locally trusted certificates. + +After installing `mkcert`, run the following inside the example repo: + +```bash +mkcert -install + mkcert '*.localhost.pomerium.io' +``` + +This will install a trusted CA and generate a new wildcard certificate: + +- `_wildcard.localhost.pomerium.io.pem` +- `_wildcard.localhost.pomerium.io-key.pem` + +To provide your own certificates through another mechanism, please overwrite these files or update `docker-compose.yaml` accordingly. + +## Configure + +### Pomerium + +Update `config.yaml` with your IdP settings and desired policy if adopting for your environment + +<<< @/examples/tcp/config.yaml + +### Docker Compose + +Create a `docker-compose.yaml` file to run Pomerium and, optionally, the services being demonstrated. + +Included in our compose file: + +- SSH +- Postgres +- Redis + +<<< @/examples/tcp/docker-compose.yaml + +## Connect + +To connect to your service, ensure [`pomerium-cli`](/docs/installation.md#pomerium-cli) is in your `$PATH` and run the `tcp` command, specifying the service you wish to reach. + +```bash +pomerium-cli tcp [hostname]:[port] +``` + +`pomerium-cli` will select a random port on `localhost` by default, but you can specify a port manually if desired. Keep reading for some specific application examples using the sample `docker-compose.yaml`. 
+ +## Redis + +```bash +# Start a proxy to redis in the background +% pomerium-cli tcp redis.localhost.pomerium.io:6379 --listen localhost:6379 & +3:01PM INF tcptunnel: listening on 127.0.0.1:6379 + +# Start the redis client +% redis-cli +3:01PM INF tcptunnel: opening connection dst=redis.localhost.pomerium.io:6379 proxy=redis.localhost.pomerium.io:443 secure=true +3:01PM INF tcptunnel: opening connection dst=redis.localhost.pomerium.io:6379 proxy=redis.localhost.pomerium.io:443 secure=true +3:01PM INF tcptunnel: connection established +127.0.0.1:6379> keys * + 1) "type.googleapis.com/session.Session_last_version" + 2) "type.googleapis.com/user.User" + 3) "type.googleapis.com/session.Session" + 4) "type.googleapis.com/user.User_version_set" + 5) "type.googleapis.com/user.User_last_version" + 6) "server_version_last_version" + 7) "type.googleapis.com/session.Session_version_set" + 8) "server_version_version_set" + 9) "server_version" +10) "type.googleapis.com/directory.User_last_version"``` +``` + +## Postgres + +In our example docker-compose, we have configured `supersecret` as the password for the `postgres` user. + +```bash +# Start a proxy to postgres in the background +% pomerium-cli tcp pgsql.localhost.pomerium.io:5432 --listen localhost:5432 & +3:07PM INF tcptunnel: listening on 127.0.0.1:5432 + +# Connect and list the schemas after password authentication +% psql -h localhost -W -U postgres -c '\dn' +Password: +3:06PM INF tcptunnel: opening connection dst=pgsql.localhost.pomerium.io:5432 proxy=pgsql.localhost.pomerium.io:443 secure=true +3:06PM INF tcptunnel: connection established + List of schemas + Name | Owner +--------+---------- + public | postgres +(1 row) +``` + +## SSH + +SSH clients can make use of external programs to establish a connection to a host. Most frequently, this is for using an SSH jump host to reach a target system. However, any transport application can be used. 
`pomerium-cli`'s `tcp` command can be used in conjunction with this configuration. Read on to see how. + +More Info: + +- [https://man.openbsd.org/ssh_config.5#ProxyCommand](https://man.openbsd.org/ssh_config.5#ProxyCommand) +- [https://www.redhat.com/sysadmin/ssh-proxy-bastion-proxyjump](https://www.redhat.com/sysadmin/ssh-proxy-bastion-proxyjump) + +### Setup + +To configure your SSH client to use Pomerium's TCP support for SSH routes, create an entry as follows in your `ssh_config` or `~/.ssh/config`: + +``` +Host *.localhost.pomerium.io + ProxyCommand pomerium-cli tcp --listen - %h:%p +``` + +* Be sure to substitute your domain for `localhost.pomerium.io` +* Be sure `pomerium-cli` is in your `$PATH` + +### Connecting + +That's it! A Pomerium proxy will be started *automatically* whenever you ssh to a host under `localhost.pomerium.io`. + +In our example docker-compose, we have an SSH server configured with `supersecret` as the password for `myuser`. + +```bash +% ssh myuser@ssh.localhost.pomerium.io +3:19PM INF tcptunnel: opening connection dst=ssh.localhost.pomerium.io:22 proxy=ssh.localhost.pomerium.io:443 secure=true +3:19PM INF tcptunnel: connection established +myuser@ssh.localhost.pomerium.io's password: +Welcome to OpenSSH Server + +5c9f4fa5f5f7:~$ +``` diff --git a/examples/tcp/README.md b/examples/tcp/README.md new file mode 100644 index 000000000..bdcb1dcff --- /dev/null +++ b/examples/tcp/README.md 
@@ -0,0 +1,29 @@ +# Pomerium as a TCP proxy for SSH and Redis + +Run this demo locally on your docker-compose capable workstation, or replace `localhost.pomerium.io` with your own domain if running on a server. + +## Includes + +- TCP connection authentication and authorization managed by pomerium +- SSH client configuration and demo server +- Redis demo server +- Postgres demo server + +## How + +- [Install](https://www.pomerium.com/docs/installation.html#pomerium-cli) `pomerium-cli` in your `$PATH` +- Update `config.yaml` for your e-mail address, if not using gmail/google +- Replace secrets in `config.yaml` +- Run `docker-compose up` from this directory +- SSH: + - Run `ssh -F ssh_config myuser@ssh.localhost.pomerium.io` + - Log in with password `supersecret` +- Redis: + - Run `pomerium-cli tcp redis.localhost.pomerium.io:6379 --listen localhost:6379 &` + - Run `redis-cli` +- Postgres: + - Run `pomerium-cli tcp pgsql.localhost.pomerium.io:5432 --listen localhost:5432 &` + - Run `psql -h localhost -W -U postgres` + - Log in with password `supersecret` +- ??? +- Profit diff --git a/examples/tcp/_wildcard.localhost.pomerium.io-key.pem b/examples/tcp/_wildcard.localhost.pomerium.io-key.pem new file mode 100644 index 000000000..2ad75e316 --- /dev/null +++ b/examples/tcp/_wildcard.localhost.pomerium.io-key.pem 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDXfeTmeNmQFK3r +CrLcdh9pVrsSjbNOAP2BIQ3AfGdf/S0UqjU1UhXOb2gLm5Dsj/vFvs/fSkiahBdj +7zR1dh7jdOnf3QgcAjIMTo7sJggsABHBF0vHVMXJtNoWmZ+AYOirsn22N3EoUNmX +jlr19LnW07DtkHJFPYsYFy01uOEKGbzKQh8E6DFv3tPNp/raUHkGSAUpT11tZcdf +vbSHuSN4xzGOs6T9QCnu0wCGb2MJNa8l5dhtVuy59jcZWM2i4EBLnXsYbHhkg/uZ +xnVfm3YxgNM8bA2T1DqSUxjpLt7Dty9MHBaEyHVrH/nXYluF1wI7jNC2A7dE6VKq +AkSmFKG7AgMBAAECggEARCYmW9TgSTahAfIyOpKIwJGTO/zgNc0OXuYLKVKuhqbU +uPJTPXemOdD1wKYEISwv3YvIxb8CUwtvMkWV+4fNoPV6eTe3ttPi7A10Ga61auTi +uIQbjQB8RJwTVI5k6P681n/uTdAe0zcueUWl8p7gntX34EmMOeWKtaWuwIylbsG8 +Ftvls8dI/soHUBgZT9HHo3ZitaRQtDYN+YjqAWfQCtPFrBJ5TPS9W6z3cmB/2l19 +nkwZljomj+mJZseEStQUOH/YXf7jpZCWNuxj9l9C+/F5pmiQX6w87thohVXFPmXx +zEExPHePvThx4CxrUGyBeWfzUaYMfzx1T/gyMixDYQKBgQD642G2ElXQSnlZZoLf +gMYTazAjtv7PIRVcVjOJfUORx5LP4sV7CkWokIMdbzfiVkerWt6kb2HDhBskvdFW +ag6Fl8t/Miyi+ZTrE/PmZJqs7fGtmSqjY8wWKfcN6gyTPkh789DXU7ddJIiJLQ10 +sf5Mg2sQkMLQo5XnnauV/SmKiQKBgQDb4eL/MmSR7yKnjxjvek7xXJGqaEXBmazn +pUhp6B+7aHsAg/u71DjzirMn2Ra3+WQ+sDQwbkMQuokqBPUij0Bcv61QSaocjrnb +PmwtXlHeyk9RnGj60oW55gIuJw0EseI17IaqHJPyDNVCQ9WJteI4y8Da+m0E5ohZ +udXzk9DpIwKBgCK3xnS4ktFxDNvXOLMPEdnsEkxO7XHiRR9y+kzDXc9Vi7ZizisZ +n8wUu2AeXOBgSiinOXoNw7yXkl4COm633GyWNd3TJqQi332sVCsErvbRMolwUZss +mzhR9FMjmTvi+YrVkYfKmOw1uwMojd0hKGyUHwO61IqkqIDVq8Hkt5PpAoGBAMlH +RdwF7ToJhdeMjm7pr0oSSuWK/g/y9Ow3yMnpyuJrCe2248FUy61k0gswFjPi/3jD +I4MR7CJsHxNv5lX0fB5q9+P/CtGJdWjVA4GkTZ175I/4dcDk5bT+cBB/ftNFYqWq +Frux3Vw9kxpNrjOZY7RKEAhkJVfPEBHSo5+NODexAoGAXohoO9jOeLtYFOYRdKxj +bbL7fwiR+ecBakiuakoIFc+ibH57fDvxA6YkbLFOVNrpsTVNIbgO9Jois3GhrEGH +8TbGfohpmwC7nZ62aFJSNxD48gYvYzMamo0WymM1uH3jwlJY/kVO6KHopcN8+kQS +/zG8+V/OgnBBvyfWWX8ygio= +-----END PRIVATE KEY----- diff --git a/examples/tcp/_wildcard.localhost.pomerium.io.pem b/examples/tcp/_wildcard.localhost.pomerium.io.pem new file mode 100644 index 000000000..fc28599ff --- /dev/null +++ b/examples/tcp/_wildcard.localhost.pomerium.io.pem 
@@ -0,0 +1,24 @@ +-----BEGIN CERTIFICATE----- +MIIEAjCCAmqgAwIBAgIRAJGdiQDsLfchZYUtx06mQpswDQYJKoZIhvcNAQELBQAw +RTEeMBwGA1UEChMVbWtjZXJ0IGRldmVsb3BtZW50IENBMQ0wCwYDVQQLEwR0ZXN0 +MRQwEgYDVQQDEwtta2NlcnQgdGVzdDAeFw0xOTA2MDEwMDAwMDBaFw0zMDA4MjQx +OTQyNTBaMDgxJzAlBgNVBAoTHm1rY2VydCBkZXZlbG9wbWVudCBjZXJ0aWZpY2F0 +ZTENMAsGA1UECxMEdGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +ANd95OZ42ZAUresKstx2H2lWuxKNs04A/YEhDcB8Z1/9LRSqNTVSFc5vaAubkOyP ++8W+z99KSJqEF2PvNHV2HuN06d/dCBwCMgxOjuwmCCwAEcEXS8dUxcm02haZn4Bg +6KuyfbY3cShQ2ZeOWvX0udbTsO2QckU9ixgXLTW44QoZvMpCHwToMW/e082n+tpQ +eQZIBSlPXW1lx1+9tIe5I3jHMY6zpP1AKe7TAIZvYwk1ryXl2G1W7Ln2NxlYzaLg +QEudexhseGSD+5nGdV+bdjGA0zxsDZPUOpJTGOku3sO3L0wcFoTIdWsf+ddiW4XX +AjuM0LYDt0TpUqoCRKYUobsCAwEAAaN6MHgwDgYDVR0PAQH/BAQDAgWgMBMGA1Ud +JQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwHwYDVR0jBBgwFoAU0t8UaNj7 +xry1h0qnTAm8Sxv69aMwIgYDVR0RBBswGYIXKi5sb2NhbGhvc3QucG9tZXJpdW0u +aW8wDQYJKoZIhvcNAQELBQADggGBAJhOdplKGoR7/83qDjELdjhaoecZASqs5M+P +Sxm7z5s+KSbElebw6/rHJciKAlT9tqHQO6CqliQ9hl4AHWxi+cjpwfxyqWn/VGIa +4WoGyInd/I2PDne+5bIj0MXkikilk5NsJtypvGGjZJTF2T07QfXLlLi3nYTMHYzt +TLZpu7vK+B2ZGCGG4o9pws5ZFjtuOXEDGsE1APPp3xjvC/uJt2xgqo4XcRGIVHgm +mY2yi5KmUCAv0HHdDjxZoqEDazv8t/VuPc3hJcuUcIBZvyMFyPNMqN5ePI7D5TkD +zOqW28I8jpB5zdDpCr4qXsU+Cf+4fB0jDncBq95n1v8EJsm7zeTIFZNgLv3ISthF +lGEFS1zv+ybCOYPl3H0yd13S6N4QUHbESXHvZ2l2V1qDiKrfFcVhQ5ZEDD7/HDqT +N+v7zzMOzmPNCSiky1lMMj/vP87AjaliJnvBcT4F5iU867ws/Refh+yege2l6roO +LEM1YmdMYuNFbCsS2BbQsK9mbDkcmQ== +-----END CERTIFICATE----- diff --git a/examples/tcp/config.yaml b/examples/tcp/config.yaml new file mode 100644 index 000000000..37e656147 --- /dev/null +++ b/examples/tcp/config.yaml 
@@ -0,0 +1,27 @@ +authenticate_service_url: https://authenticate.localhost.pomerium.io +certificates: + - cert: /pomerium/cert.pem + key: /pomerium/key.pem +shared_secret: CHANGEME +cookie_secret: CHANGEME +idp_client_id: CHANGEME +idp_client_secret: CHANGEME +idp_provider: google +policy: + - from: tcp+https://redis.localhost.pomerium.io:6379 + to: tcp://redis:6379 + allowed_domains: + - gmail.com + + - from: tcp+https://ssh.localhost.pomerium.io:22 + to: tcp://ssh:2222 + allowed_domains: + - gmail.com + + - from: tcp+https://pgsql.localhost.pomerium.io:5432 + to: tcp://pgsql:5432 + allowed_domains: + - gmail.com + +databroker_storage_type: redis +databroker_storage_connection_string: redis://redis:6379 diff --git a/examples/tcp/docker-compose.yaml b/examples/tcp/docker-compose.yaml new file mode 100644 index 000000000..e69e10cb2 --- /dev/null +++ b/examples/tcp/docker-compose.yaml @@ -0,0 +1,32 @@ +version: "3" +services: + pomerium: + image: pomerium/pomerium:master + volumes: + - ./_wildcard.localhost.pomerium.io.pem:/pomerium/cert.pem:ro + - ./_wildcard.localhost.pomerium.io-key.pem:/pomerium/key.pem:ro + - ./config.yaml:/pomerium/config.yaml:ro + ports: + - 443:443 + + redis: + image: redis:latest + expose: + - 6379 + + ssh: + image: linuxserver/openssh-server:latest + expose: + - 2222 + environment: + PASSWORD_ACCESS: "true" + USER_PASSWORD: supersecret + USER_NAME: myuser + + pgsql: + image: postgres + restart: always + environment: + POSTGRES_PASSWORD: supersecret + expose: + - 5432 diff --git a/examples/tcp/rootCA-key.pem b/examples/tcp/rootCA-key.pem new file mode 100644 index 000000000..1b5ac7f1e --- /dev/null +++ b/examples/tcp/rootCA-key.pem 
@@ -0,0 +1,40 @@ +-----BEGIN PRIVATE KEY----- +MIIG/gIBADANBgkqhkiG9w0BAQEFAASCBugwggbkAgEAAoIBgQCub8x6MRI1aWZV +k7qfpQn7CK6fCHNceBhSQFMHBJXQLEAe34uNgF1h+NQGM2zaKDZ8hIsRNZq0dV/g +Xyd7AMA5C8DyyHfqzoiHJeTXKoqGEmi/MyXfnHr6N4rQpoG97SbACKYfNOh/MD05 +gIg51LrbTK1GzFyg0AVntsvmm3r3NNHv/BJKVKV+2HZx1D83xcBstdLDAPdtmU3z +STzixQYDTlzs1gUrJPfJAi1sAMM/RbDKTmgsYJopxADRYldOIvZEZqPrupInUi4v +iFEosb0dpSSeHkKBgVl81X2ro+WH4vgfoeGkpu6mh67FfN1WljMf63E6yOEBcqxE ++Vc9O+ysruODnma1d+DfXoHoZInUhzUM7nTdbsftmb0C5bFA3ts16WGZ1g21Hi7m +NH2MdW2hLyRngAU9AHTWObdBxb4MBmBSF5ZIElcsfLABilHG508L2ZYM+uqOb0iW +AMcVyrli7EaDEOF/oUv7WsDAekwGKKfy9exfWhw7+yn+UYG4oPUCAwEAAQKCAYAx +e5d2xjrTGf4koo6bQPcO1kyq4nvPLGZB1ut2ny9caWEbIPD2iAZ1h1+mDqp/TE8A +jZzhmeIz9OPowzVw6CqfRB1NAd86pbIHHJHJE9FN7ST3sCu7PimIl37yZ3mAhiiq +6wks6xZVFjsX98UtGpKTKTIyVkCkgb42yJ0Y4txECiDPwiLyIQb9b6xR6BKy4I8Q +h5etJ7YIyidZr1ntPlTRVUZ5DNFUht0fkVWPQLwiU8Ot8AYPKKwy0t4kh5Aao0Hf +CDQP6Y5/XXKLl5bNi/SO5eg6jk3DnILwPkjXM3tVxcag+KmMc4GfVmVVDP+QkmVl +LtGOHuBeyicdC5/jt6xMwbsEdY/YFjlO4WDH/5e8F7KG1X3OjTmqwdNjSNg4rXni +u0ZEG+/o80ha21lCys+QpQ9PQmYPaGlzVPY9z0F6JsAlXNbNRIIOsJNEKlAICWXF +9YyAaD8pV60UhK67q5wZ3uxyAjplM5+930asL5MPgb4BEvRY4bWlOe55lySXsbUC +gcEA0HnqdCQBfmiylZv4Uh8JVojSZcZFtFU8V02TY/XrWjwzWv8z1ZXnzx18kAz7 +islThqlvr38HXwFfUNDhI/IIp+8zcvT9T56e1T8jYxhcaTZBEZ7XlG/jWbWbRx/k +JEctixh7J5EhbsxhC7TfuH9lQ2r50WvmmrGpLoqHDe5fyKFTpbUkrGB19idiw9oI +awjxOgN+uRrTFjuOPhxgfSwJGwPnE0my8lS/5fPvNUuQdWecqEe3CTFjVXY44IzB +7W9HAoHBANYzbsNClt8HgLyp0XZg4W19BuCic6qJZhOSVoUlGFTTa2dTQnSfq5NL +O1GCfZ/fy0QZvvBebf+Mf3WycEv/BbxRT0lDP0QjdamHkn9mGK+ODmYxvPu7Lqk9 +5acrXM8uXuK4bkT2eXKE2H7x9jrnxpSI/zE3cwic+GlQWH85ywAKwT07g3BiM5GJ +pHpoJGwxraBUDb6HPTgTsVzPtvCbKqYw9uUalPDGI1Pc0iEitT5s41HT57P10hnD +gOkIyOXj4wKBwEBQfC3cNcHDluRku5TKEl1p1E6lfjeF3Bmqyv+ZjEPIMqet91W6 +60qP9C+Ucb19IpF2kAf6DlIW4ErURcCLGHSGbL7YKZV4f9OVqNsXVtr2a9h9wk/+ +vIqeZgrpIb63Xqt8n/Gy6jd+QaoU4LfQRXMo+2zJ9theWq0K+2Mm2NHSQzXpziiH +kZygxe1ZxCMRHSoijeOZDOnc8aLjqjizbxOwfocKw3PTBWhxeqhcaXJuxnt7tFHX 
+tKdW03Eiu2j+XQKBwQCdyCcX1+4wfWNcFa9Aht6m+wjc4W1YOnuhgRMQYqHIoi+k +XdU++Pq2th0MzpVg9cXR9TEL+FMIgeLFvNoxcLo13KMNsWZh98jNRxsnkvouHvMG +Xi76MwiNDBYljLCBwIOOeBJp5DDTpX2gDPW2sFI7yapJA7JNrurhEJkPpm+dKU7s +nvEUEJIx63Tn4dyqgfGGf0Pci9wReZgVaMA1/eZtovXLD0iVDy6osKlsVRey0xyj +gvdTPYk1Byjm/1yU0scCgcEAgCzLcqc7O1t9kXNo48Lh+O3wtxYVZ0FTHAz0TtcR +oVaRaok3aSEkCuZlBf4a9CJCKxzkDPg7dNNcUt5ng16XxJoEcIgf8FeS+BZS9L0O +bLOQoAggW41OlRnX9yQIti9w/MR+qRzKSftTZcP8ySls4SCphlqsx/a7JXncgwI8 +QmML5MzfffKdB1RNs5yVWyzSsxHgmVGLcA9UziomcUPCrpXp10C/yzGnMPAyAwlo +9k5AET80ZLKc7XYQ0NxI2yCf +-----END PRIVATE KEY----- diff --git a/examples/tcp/rootCA.pem b/examples/tcp/rootCA.pem new file mode 100644 index 000000000..9ab4190ab --- /dev/null +++ b/examples/tcp/rootCA.pem 
@@ -0,0 +1,26 @@ +-----BEGIN CERTIFICATE----- +MIIEWTCCAsGgAwIBAgIQBA3zYaPnHKhRmKC37lWvEjANBgkqhkiG9w0BAQsFADBF +MR4wHAYDVQQKExVta2NlcnQgZGV2ZWxvcG1lbnQgQ0ExDTALBgNVBAsTBHRlc3Qx +FDASBgNVBAMTC21rY2VydCB0ZXN0MB4XDTIwMDgyNDE5NDIwOVoXDTMwMDgyNDE5 +NDIwOVowRTEeMBwGA1UEChMVbWtjZXJ0IGRldmVsb3BtZW50IENBMQ0wCwYDVQQL +EwR0ZXN0MRQwEgYDVQQDEwtta2NlcnQgdGVzdDCCAaIwDQYJKoZIhvcNAQEBBQAD +ggGPADCCAYoCggGBAK5vzHoxEjVpZlWTup+lCfsIrp8Ic1x4GFJAUwcEldAsQB7f +i42AXWH41AYzbNooNnyEixE1mrR1X+BfJ3sAwDkLwPLId+rOiIcl5NcqioYSaL8z +Jd+cevo3itCmgb3tJsAIph806H8wPTmAiDnUuttMrUbMXKDQBWe2y+abevc00e/8 +EkpUpX7YdnHUPzfFwGy10sMA922ZTfNJPOLFBgNOXOzWBSsk98kCLWwAwz9FsMpO +aCxgminEANFiV04i9kRmo+u6kidSLi+IUSixvR2lJJ4eQoGBWXzVfauj5Yfi+B+h +4aSm7qaHrsV83VaWMx/rcTrI4QFyrET5Vz077Kyu44OeZrV34N9egehkidSHNQzu +dN1ux+2ZvQLlsUDe2zXpYZnWDbUeLuY0fYx1baEvJGeABT0AdNY5t0HFvgwGYFIX +lkgSVyx8sAGKUcbnTwvZlgz66o5vSJYAxxXKuWLsRoMQ4X+hS/tawMB6TAYop/L1 +7F9aHDv7Kf5Rgbig9QIDAQABo0UwQzAOBgNVHQ8BAf8EBAMCAgQwEgYDVR0TAQH/ +BAgwBgEB/wIBADAdBgNVHQ4EFgQU0t8UaNj7xry1h0qnTAm8Sxv69aMwDQYJKoZI +hvcNAQELBQADggGBAFZT6Zdg+tt+8t6Bo9Boe8uOKnqrCSuOCyMIajDLgijPRlHf +iJRggRjGT2Ig7c0nzL5SfeuExoMPMUmkfNAKki3VhK7cxLijDtn4fOmyyW5OO7AT +zwSmOyakHXq4ip3klysNGVPzxjwHBuK5rCdPa2X1WXN4PeM6NQvGZB34hQ1962om +1gad4YardZ81fVLJfOlCtIPD87TSreVGxiawUIAAGWgDuVMouN4PvqTUyEmorgxi +hSaiVDCSlS/nuW5fuOGzZ1Ko9UhbCsmO3bbLzXKcjuwKeyzgyjozHMyx5gUhhOFk +kqDIuIven3j+uLke0WAK++Z11vM8fVn0wB80RqubuTbqJzvH3w0R/PWVd0yAMFNu +Y2Z+AZ0OwMm9BtqfwoW5PZSIMF06q6IbLmuLEH/5dE9xDN0s5Ia8gn7ySYqso+62 +yJjURRgGJeXLkrjfeSav39D0bg+JCB7J63Z7BCz6/Jv1TL45yWbeMmtqFPH6nS5t +25uIk/1regWTCajVMg== +-----END CERTIFICATE----- diff --git a/examples/tcp/ssh_config b/examples/tcp/ssh_config new file mode 100644 index 000000000..7458e39e4 --- /dev/null +++ b/examples/tcp/ssh_config @@ -0,0 +1,2 @@ +Host *.localhost.pomerium.io + ProxyCommand pomerium-cli tcp --listen - %h:%p
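Review bot: In docs/guides/tcp.md, the last output line of the Redis example (`10) "type.googleapis.com/directory.User_last_version"`) carries a stray triple backtick directly before the real closing fence on the next line; remove it so the block closes cleanly ahead of the Postgres heading. In the same file the second mkcert command is indented by one space (` mkcert '*.localhost.pomerium.io'`). The Certificates section also says the demo "comes with its own certificates" without mentioning that the matching private keys are committed alongside them. A sentence telling readers to regenerate the pair with mkcert before using this anywhere beyond a throwaway local demo would close that gap.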
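Review bot: In examples/tcp/README.md the title reads "Pomerium as a TCP proxy for SSH and Redis", but the Includes list and the How steps also cover Postgres, so the title should name all three. The step "Update `config.yaml` for your e-mail address, if not using gmail/google" does not match the config added in this patch, which only has `allowed_domains: - gmail.com` and no per-user entry; either reword the step to say "domain" or add a per-user field to the config. The trailing `- ???` and `- Profit` items can go.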
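Review bot: examples/tcp/rootCA-key.pem commits a CA private key that nothing else in this patch uses: docker-compose.yaml mounts only the wildcard cert and key, and the guide tells users to run `mkcert -install` for their own CA. Please drop rootCA-key.pem. If rootCA.pem stays, the guide should say not to import it into a trust store, because the signing key is public in the repo. The same concern applies to `_wildcard.localhost.pomerium.io-key.pem`: since the guide already documents `mkcert '*.localhost.pomerium.io'`, the leaf pair could be generated at setup time and listed in .gitignore instead of being checked in.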
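Review bot: In examples/tcp/config.yaml the first route forwards `tcp+https://redis.localhost.pomerium.io:6379` to `tcp://redis:6379`, which is the same instance named in `databroker_storage_connection_string: redis://redis:6379`. The `keys *` output in the guide confirms it, listing `session.Session` and `user.User` records. The demo therefore gives every user who passes the policy read and write access to Pomerium's own session store. A second Redis service for the demo route, separate from the databroker backend, would avoid that. All three routes also use `allowed_domains: - gmail.com`, which admits any gmail.com account to services whose passwords are published in the README. A placeholder such as `allowed_users` with a CHANGEME address, in line with the other CHANGEME values in this file, would make the user set the policy before the demo works.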
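Review bot: In examples/tcp/docker-compose.yaml the pomerium service publishes `443:443`, which binds on every host interface. For a demo that ships with a committed TLS key, a `gmail.com` policy and the documented password `supersecret`, binding to loopback (`127.0.0.1:443:443`) is the safer default, and the README already tells server users to substitute their own domain. The images are also unpinned (`pomerium/pomerium:master`, `redis:latest`, `linuxserver/openssh-server:latest`, `postgres`), so the guide's sample output may stop matching what users see. Pinning to release tags would keep the example reproducible.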