Teleport as TCP L4 Proxy

Hi, just new to teleport and loving it. Once you understand the architecture and configurations, things are working quite smoothly.

I had one question in terms of TCP traffic forwarding via teleport. I have a Trusted Cluster - ‘main’ and ‘guest’ and guest placed behind a NAT.

Is there is any method/config to forward all TCP/HTTP requests from main node to guest node to any port(s)? ( This is a non-kubernetes environment for now.)

I am running a service on ‘main’, which needs to connect to ‘guest’:. I hope there is some way to enable this setup with teleport.

Cheers!

tsh ssh supports TCP port forwarding, similar to the ssh client itself.

You can use a command like tsh ssh --proxy=main -L 11000:localhost:80 login@guest to forward port 11000 locally (on the machine where you run tsh) to localhost:80 on the guest machine.

If you want to forward multiple ports, tsh ssh also supports -D parameter like ssh does, which makes a SOCKS proxy listen on the port you specify and forward all requests. I think tsh ssh --proxy=main -D 1080 login@guest would work for this. It sets up a local SOCKS proxy on the machine where you’re running tsh on port 1080 which tunnels over to the guest machine - any connections you make to that will be forwarded over. You’ll need a SOCKS-compatible client to do the connections, though.

Is this the sort of thing you were looking for?

Thanks @gus for your reply. Thanks for confirming that SSH proxying can be enabled via teleport.

I was probably looking for a capability where application request routing can done via teleport. Probably using forward and reverse proxying capabilities in some form by the ‘teleport proxy’. Or maybe there is a way to enable nginx/http on the teleport proxy which can be configured to perform these request routing more efficiently?

Probably looking at this design?

Another solution that I maybe referencing is - ‘inlets-oss’ and ‘inlets-pro’ which enables this using websockets i assume.

I am probably looking for a solution capability that can route any application request via teleport proxy to the destination end over any TCP port. That would be the bomb!

1 Like

We don’t have this exact functionality currently, but something very similar (Teleport as an application gateway for proxying HTTPS services) is being actively worked on and we’re looking to release the functionality in the future (by the end of the year)