Friday, March 12, 2021

OCI Teleport

Here's a fun lil project, configure Gravitational Teleport on Oracle Cloud Infrastructure Free Tier

Teleport is a "Unified Access Plane" for your infrastructure. In this example I'm going to show how I configured Web SSH Access to OCI via Teleport.

Setup OCI

  • Sign up for a free account here:
    • Verify email
    • In creating an account you will need to give them a credit card. You shouldn't ever be charged anything as long as you don't use any non-free resources.
    • Once you create an account you will get an email after the setup completes.

Create Virtual Cloud Network (VCN)

  • OCI Cloud Console > Set up a network with a wizard
  • Select root compartments from Comartments drop down on left side of screen.
  • This should start the VCN Wizard
    • You want "VCN with Internet Connectivity" > Start VCN Wizard
      • VCN Name: vcn-demo
      • Compartment: username(root)
      • Defaults for the rest:
        • VPN CIDR Block:
        • Public Subnet CIDR Block:
        • Private Subnet CIDR Block:
        • Use Hostnames in this VCN: Checked
      • Next
      • Create
    • View Virtual Cloud Network

Create Teleport Host

  • Settings > Compute > Instances
  • Create Instance
  • Name: instance-teleport
  • Compartment: username(root)
  • Placement and Hardware > Edit
  • Change Image to Oracle Linux 8
  • Make sure Always Free AD & Shape selected
  • Networking: Make sure vcn-demo is selected, and in public subnet
  • Add SSH Keys
    • - Generate & Save Private Key
  • Click Create
  • Wait a few minutes for Instance to be created

Verify Connecitivity

  • Settings > Compute > Instances
    • Make a note of the Public IP, use it in the following as $node_ip_addr
  • Go to
    • Sign up for free hostname
    • Setup hostname to point to $node_ip_addr
  • nslookup
  • chmod 600 ssh-key-2021-03-12.key
  • ssh -i ssh-key-2021-03-12.key
Install Teleport
  • sudo su -
  • sudo yum-config-manager --add-repo
  • sudo yum install teleport

Setup TLS

  • Install Certbot
    • Prereq install snapd, docs here
      • sudo dnf install
      • sudo dnf upgrade
      • sudo yum install snapd
      • sudo systemctl enable --now snapd.socket
      • sudo ln -s /var/lib/snapd/snap /snap
      • Log out and back in to update paths
      • sudo snap install core
      • sudo snap refresh core
    • sudo snap install --classic certbot
    • sudo ln -s /snap/bin/certbot /usr/bin/certbot
    • # Fix firewall issue on  next command by opening port 80
      • sudo firewall-cmd --zone=public --permanent --add-port=80/tcp
      • sudo firewall-cmd --reload
      • Update network firewall
        • OCI Settings > Networking > VCNs > Root Compartment > vcn-demo
        • Security Lists > Default Security List for vcn-demo
        • Add Ingress Rules
          • Source CIDR:
          • Destination Port Range: 80
    • sudo certbot certonly --standalone
      • Enter email address
        • Read TOS and Agree to share email address
        • Enter domain name:
    • Delete Network firewall rule allowing traffic on port 80
Configure & Launch Teleport

  • vi /etc/teleport.yaml which should be a new file and consist of the following:
    • teleport:
          data_dir: /var/lib/teleport
          enabled: true
          cluster_name: "teleport"
          - proxy,node,app:f7adb7ccdf04037bcd2b52ec6010fd6f0caec94ba190b765
          enabled: true
              env: staging
          enabled: true
          debug_app: true
          enabled: true
          - key_file: /etc/letsencrypt/live/
            cert_file: /etc/letsencrypt/live/
  • Start Teleport
    • teleport start --config=/etc/teleport.yaml
  • Open firewall to port 3080
    • Host firewall
      • sudo firewall-cmd --zone=public --permanent --add-port=3080/tcp
      • sudo firewall-cmd --reload
    • Network firewall
      • OCI Settings > Networking > VCNs > Root Compartment > vcn-demo
      • Security Lists > Default Security List for vcn-demo
      • Security Lists > Default Security List for vcn-demo
      • Add Ingress Rules
        • Source CIDR:
        • Destination Port Range: 3080
  • Verify teleport is accessible

Running teleport
  • Cancel the session we previously started teleport and start via
  • service teleport start
  • Create a user
    • adduser devuser
    • /usr/local/bin/tctl users add devuser --logins=devuser,root --roles=admin
    • Should see something like the following:
      • User "devuser" has been created but requires a password. Share this URL with the user to complete user setup, link is valid for 1h:

        NOTE: Make sure points at a Teleport proxy which users can access.
  • Visit the tokenized URL to configure a password & MFA for devuser

This was a fun exercise to tinker with a new app. The next iteration of this install would be to include OCI VPN options so the app is never intentionally exposed at any point, and spend a little more time with certs to see if I can simplify the install & config process.

No comments: