One of the most innovative products I have encountered in a long time is the Teleport Access Plane, or Teleport as it is more commonly known. Teleport is a very powerful OSS and commercial product that provides a functional reverse proxy for SSH, RDP, K8s, databases, and web applications in a single product/service, where administrators can seamlessly grant access to their enterprise infrastructure, while simultaneously enabling privileged access management, MFA/2FA, and zero-trust environments. It is by far the coolest connectivity product/service that I have experienced in a long time and it should definitely be in your IT toolbox and homelab.

What is it?

I'm always looking for more efficient ways to work and get things done. Effective security can be painful to implement, manage, and maintain. From professionals to hobbyists, how we access infrastructure and keep it safe should be paramount.

In my case, Teleport allows me the ability to traverse and access infrastructure behind NAT and firewalls, installed on-premise or across multiple clouds, or running ephemerally on container hosts and orchestration with a single account with MFA.

The magic to how it all works is a combination of built-in features:

1. Automatic rotation of short-lived certificates / keys - If a certificate or key is compromised, it's already invalid before a bad actor can make use of it.
2. TLS Routing - All proxied protocols are negotiated via an outbound TLS tunnel on 443 from a Teleport-enabled node or proxy point.
3. Multi-factor Authentication is built-in and enabled from the start - If you want to use external authentication providers, the enterprise edition supports everything (Oauth, SAML, Active Directory, LDAP, etc.).
4. Role-based Access Control - This allows for a lot of power in how access to systems is granted without having to deal with managing multiple firewalls.
5. The ability to map one user to many different accounts - Sometimes you need to log into to different systems as different users. Teleport makes that super-easy, while it's auditing doesn't leave you with that awful feeling associated with traditional account sharing. Create users that are purpose-driven, and reduce the complexity and danger associated with one overly-powerful super-user.
6. Machine ID - This is a bot user that has RBAC associated to facilitate machine to machine communication. This is the key to my new method for securing Ansible-related activities via GitLab CI/CD pipelines.

Teleport Changed My Life

Typically, how we access and use systems is one of the most daunting and challenging aspects of remote work, systems administration, and cloud. There are pros and cons to many approaches, but generally great customer experience can result in negative security consequences. On the other hand, higher levels of security often makes for more cumbersome tooling, painful interfaces, or adds complexity. With Teleport deployed as a proxy/bastion in your environment, both you and your users will be able to move away from having to support VPNs, IPSEC tunnels, and other types of connectivity-related middleware. Also, the ability to work from either a web application or a native CLI from your favorite OS makes Teleport extremely desirable. The service is lightweight, along with being easy to deploy and manage. I have always wanted to protect every systems asset with MFA/2FA, as well as strong certificates and passwords. Teleport makes all of that cinch to manage centrally.

OSS vs. Enterprise Edition

There's more on Teleport's website about the differences between editions; however, in a nutshell (at the time when this article was published) the main differences are as follows:

1. External SSO providers in the OSS product are limited to GitHub only, but the OSS version has no local user limits.
2. Cloud SaaS hosting is only available via the Enterprise Edition. If you want to use OSS, you'll have to host your own cluster, but it's not that difficult.
3. Session Moderation / Device Access / Additional security compliance features/functionality. In most cases, Teleport is OSS fully featured (and then some), for the average homelab user or hobbyist.

How do I use it?

Manage your SSH environments automatically...

Setting up unique ssh keys across multiple systems can be a nightmare to manage. In order to follow best-practices, each unique user and systems need to have independent keys that rotate often. To accomplish beyond a couple of systems requires some form of secrets management and/or key management service. Teleport replaces your SSH daemon (if you want it to do so) and the server access module facilitates the rotation of short-lived certificates to protect your sessions and infrastructure access seamlessly.

Access virtual machines behind NAT...

Regardless of how you want to interact with the most common services listening on your virtual machines (ex: ssh, databases, RDP, etc.), the reverse TLS routing feature, allows your VMs to create an outbound tunnel back to your Teleport cluster over TCP port 443. This enables various supported protocols and services to be reached from your Teleport cluster with great ease. With this simple feature, as long as there is nothing blocking outbound TCP/443 on a NAT-based VM, I can reach private VMs in my test environments without having to setup any bridging or more complicated network configuration.

Ansible + Teleport Machine ID = Secure IaC-driven Homelabs...

By integrating Machine ID on GitLab runners, I'm able to run Ansible roles/plays/tasks against my inventories securely without opening up any ports other than outbound 443 on a given system. Because Teleport also manages the rotation of certificates/keys automatically, I also can eliminate complicated logic and additional security overhead. Non-interactive as well as interactive SSH sessions are recorded and everything is included in the Teleport cluster audit logs. Win!

Secure internal device web-based admin and IoT-related consoles for external access...

By integrating Teleport's Application Access module with internal websites, I can protect all of my critical administrative web application sites and weak IoT-related APIs. This provides a mechanism for reaching into insecure sights and services remotely over https, while Teleport encrypts the communication and generates unique SSL certificates for each site or applications. This is much more intuitive than traditional manual configuration of static reverse proxies. The service also allows for multiple nodes to have different paths to the same site for greater availability and redundancy.

Remote homelab database access...

All of us are at different stages in our homelab journey. At some point, you may find yourself running various databases in the cloud or on-premise. Managing access to these discrete resources among multiple users can be challenging and problematic. By leveraging the Database Access module, you can simplify granting access to a wide range of database platforms. This can reduce or eliminate complicated firewall exceptions, VPNs, and database-level RBAC administration, while also increasing security through leveraging auto-rotating short-lived certificates. This is accomplished by shifting the RBAC and MFA to Teleport and allowing it to encrypt your external traffic. In some cases, you may be able to install the Teleport proxy services locally on the database server, to prevent the database from ever presenting an external listener.

Dealing with switching between multiple K8s clusters...

By leveraging Teleport agents in your various K8s clusters, you can simplify access control to your various K8s assets. While there are cool applications and services, like Lens IDE and Rancher Server, that can help with K8s sprawl and proxying, Teleport is a lightweight solution to handle both proxying access to K8s cluster resources, as well as seamlessly switching connections without having to externally backup/restore kubeconfig yamls for various clusters/roles. Switching clusters and dynamically updating your kubeconfig yaml can be done with a simple command in seconds. This reduces or eliminates specifying complicated syntax and having to maintain the security on multiple configuration files.

Dealing with Windows endpoints/servers in a Microsoft Active Directory...

While this use case technically doesn't apply to me at home, it is possible to proxy RDP connectivity via Teleport agentlessly as well. If I still had Windows in my homelab, this would be an effortless way to handle RDP connections securely to various endpoints. Session recording and auditing is also supported and I can vouch for it's utility in a business environment.

How do I set it up and where can I find more information?

Teleport's Documentation is vast and comprehensive for multiple use cases, so I would definitely start there. In addition, I am planning to release additional articles about my current homelab's configuration which is managed via Ansible IaC that is executed from the GitLab SaaS using GitLab Runners that are fully integrated with Teleport OSS.

There's a catch, right?

With every tool there are pros and cons, but Teleport definitely has more benefits than downsides. In my opinion, Teleport's greatest strength is that all of its functionality is installed in a single package that's incredibly easy to manage. This allows any supported system to have any Teleport cluster role or advanced function enabled at any given time. The most basic Teleport function is to be a Teleport node (or a connected member of a cluster). The Teleport package supports all major flavors of Linux, MacOS, and various NIX-like operating systems. While the CLI tools to manage and interact with Teleport clusters are available for Microsoft Windows OSes, Microsoft Windows systems can not function as nodes or any other Teleport cluster role. This is probably Teleport's single greatest weakness; however, this limit can be mitigated agentlessly from other Teleport nodes in most cases.