Setting up Teleport access using Cloudflare tunnel (cloudflared)

[webvictim]

This guide will describe how to set up Teleport traffic to ingress via Cloudflare tunnel (cloudflared), rather than forwarding a port from your external IP to the Teleport host.

This setup is useful in situations where:

• your ISP uses CGNAT or some other form of Double NAT which makes port forwarding difficult or impossible
  • this is common in countries where IPv4 addresses are scarce, or with mobile internet providers
• you don't want to expose your public IP to the world via DNS record
• your external IP changes regularly and DNS record TTLs are too long
• you would rather keep traffic secure inside Cloudflare's network than expose a web server to the outside world

Notes

• example.com is my domain
• teleport.example.com is where I want my Teleport server accessible on the internet
• Teleport is listening internally on localhost on port 3080
• Teleport does not need any TLS certificates configured unless you want to
  • Teleport will generate a self-signed cert valid for localhost (stored at /var/lib/teleport/webproxy_cert.pem by default) which you can tell cloudflared to look for
  • disabling cloudflared TLS verification is the easiest and quickest way to set this up for testing
  • in production, I would recommend configuring certbot or similar to get trusted TLS certs and providing them to Teleport using the proxy_service.https_keypairs configuration
    • you could also combine this guide with Caddy as a reverse proxy to get automatic HTTPS certs as described in this guide: Using Teleport behind Caddy as a reverse proxy #16370

Non-goals

• This guide does not cover Teleport application access, as this is more complicated to set up on Cloudflare's free plan when using a subdomain like teleport.example.com (as the free wildcard certificate Cloudflare issues only covers one level, not two levels as in app.teleport.example.com)
  • it's considerably easier to set up if you use a dedicated domain for serving Teleport itself (like myteleport.com) and then subdomains for each app (app.myteleport.com)
  • you can also pay Cloudflare $10/month for Advanced Certificate Manager which will enable multiple wildcard certs, or use Cloudflare for SaaS which has a free tier for up to 100 domains, but you must configure each domain separately
    • configuring these is out of scope for this guide.

Teleport configuration

Teleport is installed straight onto a Raspberry Pi and uses the config file below. This guide assumes you have Teleport working correctly before attempting to configure Cloudflare.

/etc/teleport.yaml:

version: v3
teleport:
  log:
    output: stderr
    severity: DEBUG
  data_dir: /var/lib/teleport
auth_service:
  enabled: yes
  cluster_name: teleport.example.com
  authentication:
    type: github
    second_factor: webauthn
    webauthn:
      rp_id: teleport.example.com
ssh_service:
  enabled: yes
  labels:
    type: node
  commands:
  - name: hostname
    command: ['/bin/hostname']
    period: 1h0m0s
  - name: teleport_version
    command: ['/usr/local/bin/teleport', 'version']
    period: 1h0m0s
  - name: arch
    command: ['/bin/uname', '-m']
    period: 1h0m0s
  - name: os
    command: ['/bin/uname', '-s']
    period: 1h0m0s
proxy_service:
  enabled: yes
  web_listen_addr: 0.0.0.0:3080
  # the public address is the public hostname/port that can be used to connect to Teleport from the outside
  # Cloudflare listens on port 443 and redirects via tunnel to port 3080, where Teleport's web UI is served
  public_addr: teleport.example.com:443
  # (optional) Paths to certs from certbot
  https_keypairs: {}

Config for Teleport agents joining remotely

version: v3
teleport:
  proxy_server: teleport.example.com:443

Cloudflare configuration

1. Log into the Cloudflare web UI
2. Click "Zero Trust" in the left hand menu

3. Select "Networks", then "Tunnels"
4. Click "Create a tunnel" at the top

5. Choose "Cloudflared" and give your tunnel a name ("Teleport" or "Homelab" are good choices)
6. Click "Save tunnel" at the bottom right
7. Follow the instructions to set up and install cloudflared on your server (you can use the same server that's running Teleport)
8. Add in the public hostname you'll be using for Teleport (teleport.example.com in my case) and the hostname to send traffic to (localhost if you're running on the same machine, or another hostname which can be resolved from the cloudflared host if not)

• you must use HTTPS as the protocol, as Teleport's web listener uses HTTPS

9. Open the "TLS" section and make some changes:

• set "Origin Server Name" to localhost
• set "No TLS Verify" to on

10. Open the "HTTP Settings" section and set "HTTP Host Header" to teleport.example.com (replace with your own server name and domain)

11. Click "Save tunnel" at the bottom right

You should now be able to see your tunnel's ID in the UI:

Cloudflare should automatically add a CNAME record for teleport.example.com pointing to the ID of your tunnel. You can check by going back to the root of the Cloudflare admin console, opening your domain and going to "DNS -> Records" at the left-hand side:

Notice that the record for teleport should be a proxied (orange-cloud) CNAME record pointing to <tunnel-id>.cfargotunnel.com:

At this point, you should be able to connect to Teleport via the hostname you configured and have all the traffic routed via Cloudflare tunnel.

Troubleshooting

• If you get an error when trying to connect to your site, you can click on the Connector ID in the Cloudflare tunnel configuration to show the "Connector diagnostics" screen, which will also allow you to view live logs from the tunnel to view any errors.

• You should also check your Teleport logs (journalctl -fu teleport) to see whether there are obvious errors.

• Make sure that your DNS server is returning the correct IPs (Cloudflare edge PoP IPs) rather than your home IP or NXDOMAIN.

• Some browsers like Chrome can do internal caching of DNS records, so trying a different browser or device can help to flush out cached records. Assuming things work on another device, these cached records should clear themselves within a day or so.

• If you haven't configured Teleport with https_keypairs or ACME support, double check that "No TLS Verify" is set to "on" as detailed above. Failure to do this will result in cloudflared being unable to connect to Teleport.