How To Connect To Internal Resources

I’m trying to set up a Teleport environment (OSS), where I can connect to a proxy server that is hosted on DigitalOcean (in my case) and through that access nodes that are located at home (behind a firewall), without having to open ports in my firewall. Having it act sort of like a VPN and/or jumphost/bastion host when I’m not physically located at home.

I’ve read through the documentation twice, but I’m still not sure on how to properly connect my local proxy server (at home) with my remote proxy server (at DigitalOcean).

  1. Do I first create a cluster on DigitalOcean, and then join my proxy and nodes to that cluster?
  2. Can I run the auth server at home, and have my DigitalOcean proxy use it for auth?
  3. Can I access web resources through Teleport at all, or do I need to manually configure an HTTPS reverse proxy?
  4. Any other ideas and tips on how to create this kind of setup?

My advice would probably be to set up an auth and proxy pair (a cluster) in DigitalOcean, then join each node at home to that cluster using what we call “Teleport IoT” or node tunnelling - https://gravitational.com/teleport/docs/admin-guide/#adding-a-node-located-behind-nat

The older/more traditional way to do this would be to set up clusters both at home and in DigitalOcean, then link the home (leaf) cluster to the DigitalOcean (root) cluster using Teleport’s trusted clusters feature - https://gravitational.com/teleport/docs/trustedclusters/

Pros of node tunnelling:

  • Quicker to set up
  • Simpler to understand
  • Each node creates its own tunnel rather than needing a cluster to do it, which makes it good for devices that move around like laptops

Pros of trusted clusters:

  • Supports Kubernetes forwarding/integration from one cluster to another (which you can’t do with node tunnelling)
  • Fewer connections/overhead

For your situation I would advise just using node tunnelling as it’s a really simple way to do exactly what you want.

Hopefully this answers your first question.

You could, but you’d then have to forward a port at home to allow the DigitalOcean proxy to connect. It’s preferred to colocate proxies and auth servers where possible.

Not currently. This has been requested and it’s something we may look at doing in future, but it isn’t currently on the roadmap.

For what it’s worth, I’d recommend using Caddy as a reverse proxy. It’s written in Go and is a single binary (just like Teleport) - it supports HTTP/2, along with automatic HTTPS everywhere using LetsEncrypt and is really simple to configure.

Let us know how you get on.
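The node-tunnelling layout recommended in the reply above, written out as an added configuration example (not taken from the thread or from the Teleport docs): an auth+proxy pair in DigitalOcean and one home node that dials out to the proxy's web port, so no inbound port is needed at home. `proxy.example.com`, the node name, the `location` label and the token placeholder are assumptions; the token should be a short-lived one issued with `tctl nodes add --ttl=...` rather than a long-lived static secret.

```yaml
# --- DigitalOcean host: auth + proxy (the "cluster") ---
teleport:
  nodename: do-proxy-1            # assumed name
  data_dir: /var/lib/teleport
  auth_servers:
    - 127.0.0.1:3025              # auth runs on the same host as the proxy
auth_service:
  enabled: yes
  cluster_name: home-cluster      # assumed cluster name
  # Prefer dynamic tokens: `tctl nodes add --ttl=5m --roles=node`
  # A static token is shown only to keep the example self-contained.
  tokens:
    - "node:<NODE_JOIN_TOKEN_PLACEHOLDER>"
proxy_service:
  enabled: yes
  listen_addr: 0.0.0.0:3023       # SSH proxy port (clients)
  tunnel_listen_addr: 0.0.0.0:3024 # reverse tunnels from nodes
  web_listen_addr: 0.0.0.0:3080   # web UI / API; nodes dial this to tunnel
  public_addr: proxy.example.com:3080   # assumed public name
ssh_service:
  enabled: no                     # this host only proxies, it is not a target
---
# --- Home host behind the firewall: node only ---
teleport:
  nodename: home-node-1           # assumed name
  data_dir: /var/lib/teleport
  auth_token: "<NODE_JOIN_TOKEN_PLACEHOLDER>"
  # Pointing auth_servers at the proxy's *web* port (3080) instead of the
  # auth port (3025) makes the node establish an outbound reverse tunnel.
  auth_servers:
    - proxy.example.com:3080
auth_service:
  enabled: no
proxy_service:
  enabled: no
ssh_service:
  enabled: yes
  labels:
    location: home                # assumed label, handy for tsh ls / RBAC
```

Only outbound 443/3080-style traffic leaves the home network, so the firewall stays closed; verify the tunnel with `tsh ls` from a client logged in to the DigitalOcean proxy, where `home-node-1` should appear with its `location=home` label.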