Here's a fun lil project, configure Gravitational Teleport on Oracle Cloud Infrastructure Free Tier
Teleport is a "Unified Access Plane" for your infrastructure. In this example I'm going to show how I configured Web SSH Access to OCI via Teleport.
Setup OCI
- Sign up for a free account here: https://www.oracle.com/cloud/free/
- Verify email
- In creating an account you will need to give them a credit card. You shouldn't ever be charged anything as long as you don't use any non-free resources.
- Once you create an account you will get an email after the setup completes.
Create Virtual Cloud Network (VCN)
- OCI Cloud Console > Set up a network with a wizard
- Select root compartments from Comartments drop down on left side of screen.
- This should start the VCN Wizard
- You want "VCN with Internet Connectivity" > Start VCN Wizard
- VCN Name: vcn-demo
- Compartment: username(root)
- Defaults for the rest:
- VPN CIDR Block: 10.0.0.0/16
- Public Subnet CIDR Block: 10.0.0.0/24
- Private Subnet CIDR Block: 10.0.1.0/24
- Use Hostnames in this VCN: Checked
- Next
- Create
- View Virtual Cloud Network
Create Teleport Host
- Settings > Compute > Instances
- Create Instance
- Name: instance-teleport
- Compartment: username(root)
- Placement and Hardware > Edit
- Change Image to Oracle Linux 8
- Make sure Always Free AD & Shape selected
- Networking: Make sure vcn-demo is selected, and in public subnet
- Add SSH Keys
- - Generate & Save Private Key
- Click Create
- Wait a few minutes for Instance to be created
Verify Connecitivity
- Settings > Compute > Instances
- Make a note of the Public IP, use it in the following as $node_ip_addr
- Go to noip.com
- Sign up for free teletele.ddns.net hostname
- Setup hostname teletele.ddns.net to point to $node_ip_addr
- nslookup teletele.ddns.net
- chmod 600 ssh-key-2021-03-12.key
- ssh -i ssh-key-2021-03-12.key opc@teletele.ddns.net
Install Teleport
- sudo su -
- sudo yum-config-manager --add-repo https://rpm.releases.teleport.dev/teleport.repo
- sudo yum install teleport
Setup TLS
- Install Certbot
- Prereq install snapd, docs here https://snapcraft.io/docs/installing-snap-on-red-hat
- sudo dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
- sudo dnf upgrade
- sudo yum install snapd
- sudo systemctl enable --now snapd.socket
- sudo ln -s /var/lib/snapd/snap /snap
- Log out and back in to update paths
- sudo snap install core
- sudo snap refresh core
- sudo snap install --classic certbot
- sudo ln -s /snap/bin/certbot /usr/bin/certbot
- # Fix firewall issue on next command by opening port 80
- sudo firewall-cmd --zone=public --permanent --add-port=80/tcp
- sudo firewall-cmd --reload
- Update network firewall
- OCI Settings > Networking > VCNs > Root Compartment > vcn-demo
- Security Lists > Default Security List for vcn-demo
- Add Ingress Rules
- Source CIDR: 0.0.0.0/0
- Destination Port Range: 80
- sudo certbot certonly --standalone
- Enter email address
- Read TOS and Agree to share email address
- Enter domain name: teletele.ddns.net
- Delete Network firewall rule allowing traffic on port 80
Configure & Launch Teleport
- vi /etc/teleport.yaml which should be a new file and consist of the following:
teleport: data_dir: /var/lib/teleport auth_service: enabled: true cluster_name: "teleport" listen_addr: 0.0.0.0:3025 tokens: - proxy,node,app:f7adb7ccdf04037bcd2b52ec6010fd6f0caec94ba190b765 ssh_service: enabled: true labels: env: staging app_service: enabled: true debug_app: true proxy_service: enabled: true listen_addr: 0.0.0.0:3023 web_listen_addr: 0.0.0.0:3080 tunnel_listen_addr: 0.0.0.0:3024 public_addr: teletele.ddns.net:3080 https_keypairs: - key_file: /etc/letsencrypt/live/teletele.ddns.net/privkey.pem cert_file: /etc/letsencrypt/live/teletele.ddns.net/fullchain.pem
- Start Teleport
- teleport start --config=/etc/teleport.yaml
- Open firewall to port 3080
- Host firewall
- sudo firewall-cmd --zone=public --permanent --add-port=3080/tcp
- sudo firewall-cmd --reload
- Network firewall
- OCI Settings > Networking > VCNs > Root Compartment > vcn-demo
- Security Lists > Default Security List for vcn-demo
- Security Lists > Default Security List for vcn-demo
- Add Ingress Rules
- Source CIDR: 0.0.0.0/0
- Destination Port Range: 3080
- Verify teleport is accessible
- https://teletele.ddns.net:3080/
Running teleport
- Cancel the session we previously started teleport and start via
- service teleport start
- Create a user
- adduser devuser
- /usr/local/bin/tctl users add devuser --logins=devuser,root --roles=admin
- Should see something like the following:
- User "devuser" has been created but requires a password. Share this URL with the user to complete user setup, link is valid for 1h:
https://teletele.ddns.net:3080/web/invite/sometoken
NOTE: Make sure teletele.ddns.net:3080 points at a Teleport proxy which users can access. - Visit the tokenized URL to configure a password & MFA for devuser
This was a fun exercise to tinker with a new app. The next iteration of this install would be to include OCI VPN options so the app is never intentionally exposed at any point, and spend a little more time with certs to see if I can simplify the install & config process.