These days, implementing Zero Trust principles is a necessity. Teleport is an open source solution that offers seamless and secure access to applications, servers, and other critical resources. In this guide, I’ll walk through setting it up.


What I’m Using

  • A Windows system running RDP
  • 2 Linux Boxes (Ubuntu 20.04)
    • A Cluster Server
    • A Desktop Service Node box on the same LAN as the RDP host.
  • Teleport 16.4.8 (installed on cluster and service nodes).
  • DNS records for the Teleport Proxy and applications:
    • A record: teleport.example.net → Cluster server public IP.
    • Wildcard CNAME: *.teleport.example.net → teleport.example.net.
  • Open ports on the cluster server:
    • 443 (HTTPS for the Teleport Proxy).
  • My example resources:
    • ESX
    • RDP
    • SSH

Step 1: Add DNS Records

Ensure your DNS records are correctly configured:

  • A record: teleport.example.net → Cluster server public IP.
  • Wildcard CNAME: *.teleport.example.net → teleport.example.net.

Step 2: Install Teleport 16.4.8

Linux Systems (Cluster Server and Desktop Service)

  • Download the .deb package:
curl -O https://cdn.teleport.dev/teleport_16.4.8_amd64.deb
  • Install Teleport:
sudo dpkg -i teleport_16.4.8_amd64.deb
sudo apt install -f
  • Verify the installation:
teleport version 
Expected output:
Teleport v16.4.8 git:v16.4.8-0-g54d391f go1.22.9

Windows Systems

  • Download the Teleport CA certificate and the installer for the Teleport Windows Auth Service. The certificate is exported from the Teleport Proxy, so the cluster server from Step 3 must already be up and reachable at its public address (note the .net domain, the same one used everywhere else in this guide):
curl.exe -fo teleport.cer https://teleport.example.net/webapi/auth/export?type=windows
curl.exe -fo teleport-windows-auth-setup-v16.4.8-amd64.exe https://cdn.teleport.dev/teleport-windows-auth-setup-v16.4.8-amd64.exe
  • Run the installer from an elevated prompt and follow the prompts. It installs the Windows Auth Service and the certificate that lets Windows trust Teleport's smart-card logons; the host needs a reboot before those logons work (the installer's -r flag does this for you: teleport-windows-auth-setup-v16.4.8-amd64.exe install --cert=teleport.cer -r).

Step 3: Configure the Cluster Server

The cluster server serves as the heart of your Teleport setup, managing authentication and proxy services.

  • Edit /etc/teleport.yaml on the cluster server:
version: v3
teleport:
  nodename: maint-virtual-machine
  data_dir: /var/lib/teleport
  log:
    output: stderr
    severity: INFO
    format:
      output: text
auth_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3025
  cluster_name: teleport.example.net
  proxy_listener_mode: multiplex
proxy_service:
  enabled: "yes"
  web_listen_addr: 0.0.0.0:443
  public_addr: teleport.example.net:443
  acme:
    enabled: "yes"
    email: you@email.com
app_service:
  enabled: "yes"
  apps:
    - name: gmail
      uri: https://mail.google.com
      public_addr: gmail.teleport.example.net
    - name: esx
      uri: https://192.168.1.60/
      public_addr: esx.teleport.example.net
      insecure_skip_verify: true
  • Restart Teleport:
sudo systemctl restart teleport

Step 4: Create the Admin User

  • Log in to the cluster server.
  • Create the teleport-admin user. The editor role lets it manage cluster configuration, access lets it reach resources, and --logins lists the OS accounts it may use on SSH nodes:
tctl users add teleport-admin --roles=editor,access --logins=root,ubuntu

The command prints a one-time invite URL on https://teleport.example.net. Open it to set the password and enroll a second factor; after that you can log in to the web UI as teleport-admin.


Step 5: Generate a Join Token for the Desktop Service

  • On the cluster server, generate a join token for the desktop service. The token is short-lived by default (add --ttl to change that); it only needs to survive until the node has joined:
tctl tokens add --type=windowsdesktop
  • Copy the generated token and save it in /tmp/token on the desktop-service system. The token is a credential: keep the file readable by root only (chmod 600) and delete it once the node shows up in the cluster.

Step 6: Configure the Desktop Service

The Desktop Service connects Windows hosts for RDP and application access.

  • Edit /etc/teleport.yaml on the desktop-service system:
version: v3
teleport:
  proxy_server: teleport.example.net:443
  auth_token: /tmp/token
windows_desktop_service:
  enabled: yes
  static_hosts:
  - name: host1
    ad: false
    addr: 10.33.33.29
auth_service:
  enabled: no
proxy_service:
  enabled: no
ssh_service:
  enabled: no
  • Restart Teleport:
sudo systemctl restart teleport

Step 7: Create the Role and Assign Permissions

  • Define a role for accessing Windows desktops and save it as windows-desktop-admins.yaml. The "*": "*" label selector matches every desktop registered in the cluster, which is fine for a lab; in production, match on a label you set on the host instead:
kind: role
version: v6
metadata:
  name: windows-desktop-admins
spec:
  allow:
    windows_desktop_labels:
      "*": "*"
    windows_desktop_logins: ["Administrator", "neo"]
  • Apply the role:
sudo tctl create -f windows-desktop-admins.yaml
  • Update the user to include the new role. --set-roles replaces the whole role list, so keep the roles from Step 4. If you are logged in with tsh, the current roles can be read from tsh status; on the cluster server without a tsh login, list them explicitly:
ROLES=$(tsh status -f json | jq -r '.active.roles | join(",")')
sudo tctl users update teleport-admin --set-roles="${ROLES},windows-desktop-admins"
  • Or, without tsh:
sudo tctl users update teleport-admin --set-roles=editor,access,windows-desktop-admins
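A least-privilege variant of Steps 6 and 7, added here as an example and not taken from the original post: the static host in the desktop-service config carries a label, and the role matches only that label and a single login instead of every desktop and the Administrator account. The label env: lab, the login neo and the role name rdp-lab-neo are assumptions.

```yaml
# /etc/teleport.yaml on the desktop-service system (fragment, assumed values)
windows_desktop_service:
  enabled: yes
  static_hosts:
  - name: host1
    ad: false
    addr: 10.33.33.29:3389   # explicit RDP port
    labels:
      env: lab               # selector the role below matches on
---
# rdp-lab-neo.yaml, applied with: sudo tctl create -f rdp-lab-neo.yaml
kind: role
version: v6
metadata:
  name: rdp-lab-neo
spec:
  allow:
    windows_desktop_labels:
      env: lab               # only desktops labelled env=lab
    windows_desktop_logins: ["neo"]   # no Administrator login
```

Assign rdp-lab-neo to ordinary users in place of windows-desktop-admins; adding another host to the role is then a matter of labelling it, not editing the role.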

Troubleshooting and Common Errors

Time Mismatch

If access to RDP fails, ensure that the Windows host and Teleport systems are synchronized to the correct time.

Connection Issues

If you see "missing port in address" errors, double-check the proxy_server and addr settings in /etc/teleport.yaml: proxy_server must be host:port (teleport.example.net:443), and giving each addr an explicit port (10.33.33.29:3389) rules it out as the cause.

Access Denied

Make sure the user's roles include the necessary windows_desktop_logins and windows_desktop_labels. Role changes only take effect on a new session, so log out of the Teleport web UI and back in.
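A pre-flight check for the two /etc/teleport.yaml files in this guide, added as an example (it is not from the original post or from Teleport). It catches the mistakes the troubleshooting section names (a proxy_server or addr without a port) plus a few hygiene points from the configs above: a join token left in /tmp, ACME enabled while the proxy is not on port 443, and insecure_skip_verify on an app. The sample configs are constructed to mirror the ones in this guide; the function names are mine, the key names are Teleport's.

```shell
#!/bin/sh
# Pre-flight linter for the teleport.yaml files in this guide (POSIX sh; uses sed/awk only).

# True when VALUE ends in ":<digits>", i.e. looks like host:port (IPv4/hostnames only).
has_port() {
  case "$1" in
    *:[0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the first scalar value for KEY at any indentation, quotes stripped.
yaml_value() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1 | tr -d '"'
}

# Print the lines nested under KEY (those indented deeper than the key line).
yaml_block() {
  printf '%s\n' "$1" | awk -v key="$2" '
    found && match($0, /^[ ]*/) && RLENGTH <= indent { exit }
    found { print; next }
    $0 ~ "^[ ]*" key ":[ ]*$" { found = 1; match($0, /^[ ]*/); indent = RLENGTH }'
}

# Desktop-service config. Return value = number of FAIL findings (WARNs do not count).
lint_desktop_config() {
  cfg="$1"; fails=0
  v=$(yaml_value "$cfg" proxy_server)
  if [ -z "$v" ] || ! has_port "$v"; then
    echo "FAIL proxy_server='$v': must be host:port, e.g. teleport.example.net:443 ('missing port in address')"
    fails=$((fails + 1))
  fi
  v=$(yaml_value "$cfg" auth_token)
  case "$v" in
    /tmp/*) echo "WARN auth_token file '$v' is in /tmp (world-accessible dir); use a 0600 file under /var/lib/teleport and delete it after joining" ;;
  esac
  # Every static host should carry an explicit RDP port so addr cannot be the source of the same error.
  printf '%s\n' "$cfg" | sed -n 's/^[[:space:]]*addr:[[:space:]]*//p' | while IFS= read -r a; do
    [ -n "$a" ] && ! has_port "$a" && echo "WARN static host addr '$a' has no explicit port; use '$a:3389'"
  done
  return "$fails"
}

# Cluster (auth + proxy + app) config. Return value = number of FAIL findings.
lint_cluster_config() {
  cfg="$1"; fails=0
  web=$(yaml_value "$cfg" web_listen_addr)
  acme=$(yaml_value "$(yaml_block "$cfg" acme)" enabled)
  if [ "$acme" = "yes" ] || [ "$acme" = "true" ]; then
    case "$web" in
      *:443) ;;
      *) echo "FAIL acme is enabled but web_listen_addr='$web': the ACME challenge needs the proxy on port 443"
         fails=$((fails + 1)) ;;
    esac
  fi
  if printf '%s\n' "$cfg" | grep -Eq '^[[:space:]]*insecure_skip_verify:[[:space:]]*true'; then
    echo "WARN insecure_skip_verify: true disables TLS verification to a backend app; trust the app's CA on this host and drop the flag"
  fi
  return "$fails"
}

# Constructed samples (not real hosts). DESKTOP_BAD repeats the mistakes from the troubleshooting section.
DESKTOP_OK='version: v3
teleport:
  proxy_server: teleport.example.net:443
  auth_token: /var/lib/teleport/token
windows_desktop_service:
  enabled: yes
  static_hosts:
  - name: host1
    ad: false
    addr: 10.33.33.29:3389'

DESKTOP_BAD='version: v3
teleport:
  proxy_server: teleport.example.net
  auth_token: /tmp/token
windows_desktop_service:
  enabled: yes
  static_hosts:
  - name: host1
    ad: false
    addr: 10.33.33.29'

CLUSTER_BAD='version: v3
proxy_service:
  enabled: "yes"
  web_listen_addr: 0.0.0.0:3080
  public_addr: teleport.example.net:443
  acme:
    enabled: "yes"
    email: you@email.com
app_service:
  enabled: "yes"
  apps:
    - name: esx
      uri: https://192.168.1.60/
      public_addr: esx.teleport.example.net
      insecure_skip_verify: true'

main() {
  echo "== desktop-service config"
  lint_desktop_config "$DESKTOP_BAD" || echo "-> $? failing check(s)"
  echo "== cluster config"
  lint_cluster_config "$CLUSTER_BAD" || echo "-> $? failing check(s)"
}
main
```

To lint a real file, call the functions with its contents: lint_desktop_config "$(cat /etc/teleport.yaml)".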


Final Steps

Access your resources: sign in at https://teleport.example.net as teleport-admin. The applications from Step 3 (gmail, esx), the cluster server's SSH node and the Windows desktop from Step 6 are listed in the web UI, and every session is recorded in the audit log.

Teleport makes it easy and free to implement Zero Trust with secure, flexible, and auditable access.

Categories: ZeroTrust
