Step 1 - Deploy Teleport Community Edition
2025-10-30
This guide will walk you through deploying Teleport Community Edition.
You'll spin up a single-instance Teleport cluster on a Linux server, ideal for small-scale demos or home lab environments. Once deployed, you can move ahead in the guide to connecting your infrastructure, setting up role-based access control (RBAC), and auditing your access.
How it works
The Teleport cluster consists of two services:
- Teleport Auth Service: The certificate authority for your cluster. It issues certificates and conducts authentication challenges. The Auth Service is typically inaccessible outside your private network.
- Teleport Proxy Service: The cluster frontend, which handles user requests, forwards user credentials to the Auth Service, and communicates with Teleport instances that enable access to specific resources in your infrastructure.
You can read more about the architecture of Teleport in the Core Concepts page.
Prerequisites
You will need the following to deploy a demo Teleport cluster. If your environment doesn't meet the prerequisites, you can get started with Teleport by signing up for a free trial of Teleport Enterprise Cloud and jumping ahead to Step 2: Connect infrastructure.
Also, if you want to get a feel for Teleport commands and capabilities without setting up any infrastructure, take a look at the browser-based Teleport Labs.
As for this guide, you can work through it with either a remote virtual machine (e.g., an Amazon EC2 instance) or a local Docker container. Make sure you have met the following requirements for your platform:
Remote virtual machine
- A Linux host with only port 443 open to ingress traffic. You must be able to install and run software on the host. Either configure access to the host via SSH for the initial setup (and open an SSH port in addition to port 443) or enter the commands in this guide into an Amazon EC2 user data script, Google Compute Engine startup script, or similar.
You must also have one of the following:
- A registered domain name.
- An authoritative DNS nameserver managed by your organization, plus an existing certificate authority. If using this approach, ensure that your browser is configured to use your organization's nameserver.
Local Docker container
- Install mkcert so you can set up a local certificate authority and create a certificate for running the Teleport Web UI with HTTPS.
- Install the mkcert CA:
  mkcert -install
- Create a directory on your workstation in which to place TLS credentials for Teleport:
  mkdir teleport-tls
- Generate a certificate and private key for Teleport:
  cd teleport-tls
  mkcert localhost
- Add the mkcert CA certificate to the teleport-tls directory so your Docker container can access it:
  cp "$(mkcert -CAROOT)/rootCA.pem" .
- Start a local Docker container where you can follow the remaining instructions in this guide:
  docker run -it -v .:/etc/teleport-tls -p 3080:443 ubuntu:22.04
- Make sure curl is installed on your container:
  apt-get update && apt-get install -y curl
- On the container, move the mkcert CA certificate into the directory where your container stores CA certs (installing curl sets this up for you). When starting, Teleport verifies its TLS certificate against the CA:
  cp /etc/teleport-tls/rootCA.pem /etc/ssl/certs/mkcertCA.pem
Finally, you will need a multi-factor authenticator app such as Authy, Google Authenticator, or 1Password.
Step 1/4. Configure DNS
If you are following this guide with a local Docker container, you can skip to Step 2.
If you are following this guide with a virtual machine, set up two DNS A records, each pointing to the IP address of your Linux host. Assuming teleport.example.com is your domain name, set up records for:
| Domain | Reason |
| teleport.example.com | Traffic to the Proxy Service from users and services. |
| *.teleport.example.com | Traffic to web applications registered with Teleport. Teleport issues a subdomain of your cluster's domain name to each application. |
Step 2/4. Set up Teleport on your Linux host
In this step, you will log into your Linux host, download the Teleport binary, generate a Teleport configuration file, and start the Teleport Auth Service, Proxy Service, and SSH Service on the host.
Install Teleport
On your Linux host or container, run the following command to install the Teleport binary:
curl https://cdn.teleport.dev/install.sh | bash -s 18.2.10
Configure Teleport
Generate a configuration file for Teleport using the teleport configure command.
This command requires information about a TLS certificate and private key.
The instructions depend on whether you are running Teleport on the public internet, a local container, or a private network:
- Public internet deployment with Let's Encrypt
- Docker container
- Private network deployment
Public internet deployment with Let's Encrypt
Let's Encrypt verifies that you control the domain name of your Teleport cluster by communicating with the HTTPS server listening on port 443 of your Teleport Proxy Service.
You can configure the Teleport Proxy Service to complete the Let's Encrypt verification process when it starts up.
On the host where you will start the Teleport Auth Service and Proxy Service, run the following teleport configure command. Assign teleport.example.com to the domain name of your Teleport cluster and [email protected] to an email address used for notifications (you can use any domain):
sudo teleport configure -o file \
  --acme --acme-email=[email protected] \
  --cluster-name=teleport.example.com
Port 443 on your Teleport Proxy Service host must allow traffic from all sources.
Docker container
The Docker container you started while beginning this guide mounts the teleport-tls directory in /etc/, including a TLS certificate and private key for Teleport.
On the container, run the following teleport configure command:
teleport configure -o file \
  --cluster-name=localhost \
  --public-addr=localhost:443 \
  --cert-file=/etc/teleport-tls/localhost.pem \
  --key-file=/etc/teleport-tls/localhost-key.pem
Private network deployment
On your Teleport host, place a valid private key and a certificate chain in /var/lib/teleport/privkey.pem and /var/lib/teleport/fullchain.pem respectively.
The leaf certificate must have a subject that corresponds to the domain of your Teleport host, e.g., *.teleport.example.com.
On the host where you will start the Teleport Auth Service and Proxy Service, run the following teleport configure command. Assign teleport.example.com to the domain name of your Teleport cluster.
sudo teleport configure -o file \
  --cluster-name=teleport.example.com \
  --public-addr=teleport.example.com:443 \
  --cert-file=/var/lib/teleport/fullchain.pem \
  --key-file=/var/lib/teleport/privkey.pem
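Before handing a key and certificate chain to teleport configure on the private network (or Docker) path, it is worth confirming that they actually fit together and cover the cluster name. The following pre-flight script is an added example, not part of the Teleport docs; it assumes only the openssl CLI and the file paths used in this guide, and the name app.<cluster> it checks is a constructed stand-in for any application subdomain.

```shell
#!/bin/sh
# Pre-flight check for the key and certificate chain given to `teleport configure`.
# Added example, not part of the Teleport docs; assumes only the openssl CLI.
# Verifies that the key matches the leaf certificate, that the certificate has
# not expired, and that its DNS SANs cover the cluster name plus the *.<cluster>
# wildcard that Teleport uses for application subdomains.

# True if the private key's public half equals the leaf certificate's public key.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# True if the leaf certificate has not expired (-checkend 0 asks "expires within 0s?").
cert_not_expired() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# True if a DNS SAN of the leaf certificate covers the name in $2. A wildcard SAN
# matches exactly one extra label, as browsers do: *.t.example.com covers
# app.t.example.com but neither t.example.com itself nor a.b.t.example.com.
# The SAN list is consumed inside a pipeline so the shell never globs the `*`;
# `exit` there only leaves that subshell, and its status becomes the function's.
cert_covers_name() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | tr ',' '\n' \
    | sed -n 's/.*DNS:\([^ ,]*\).*/\1/p' \
    | { while read -r san; do
          [ "$san" = "$2" ] && exit 0
          case "$san" in
            \*.*) [ "${2#*.}" = "${san#\*.}" ] && [ "${2%%.*}" != "$2" ] && exit 0 ;;
          esac
        done; exit 1; }
}

# Run every check; prints one line per finding and returns non-zero on any failure.
preflight() {
  cert=$1; key=$2; cluster=$3; rc=0
  key_matches_cert "$cert" "$key" || { echo "FAIL: $key does not match $cert"; rc=1; }
  cert_not_expired "$cert" || { echo "FAIL: $cert has expired"; rc=1; }
  for n in "$cluster" "app.$cluster"; do
    cert_covers_name "$cert" "$n" || { echo "FAIL: $cert does not cover $n"; rc=1; }
  done
  [ "$rc" -eq 0 ] && echo "OK: $cert and $key are usable for cluster $cluster"
  return "$rc"
}

# Paths from this guide; run this before `sudo teleport configure ...`:
# preflight /var/lib/teleport/fullchain.pem /var/lib/teleport/privkey.pem teleport.example.com
```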
Start Teleport
- Start Teleport on your virtual machine or container by following the instructions below:
  Virtual machine: enable and start the Teleport systemd service:
  sudo systemctl enable teleport
  sudo systemctl start teleport
  Local container: run the following command:
  teleport start --config="/etc/teleport.yaml"
- Access the Teleport Web UI via HTTPS at the domain you created earlier at teleport.example.com and accept the terms of using Teleport Community Edition.
If you are running Teleport on a local Docker container, visit https://localhost:3080.
You should see a welcome screen similar to the following:
Step 3/4. Create a Teleport user and set up multi-factor authentication
In this step, we'll create a new Teleport user, teleport-admin, which is allowed to log into SSH hosts as any of the principals root, ubuntu, or ec2-user.
- If you are following this guide on a local container, open another terminal and access your container:
  docker exec -it <CONTAINER_ID> /bin/bash
- On your VM or container, run the following command (remove sudo if using a local container). tctl is a client tool for configuring the Teleport Auth Service:
  sudo tctl users add teleport-admin --roles=editor,access --logins=root,ubuntu,ec2-user
  The command prints a message similar to the following:
  User "teleport-admin" has been created but requires a password. Share this URL with the user to complete user setup, link is valid for 1h:
  https://teleport.example.com:443/web/invite/123abc456def789ghi123abc456def78
  NOTE: Make sure teleport.example.com:443 points at a Teleport proxy which users can access.
  If using a local container, replace the host and port with localhost:3080.
- Visit the provided URL in order to create your Teleport user.
  OS User Mappings
  The users that you specify in the logins flag (e.g., root, ubuntu and ec2-user in our examples) must exist on your Linux host. Otherwise, you will get authentication errors later in this tutorial.
  If a user does not already exist, you can create it with adduser <login> or use host user creation.
  If you do not have the permission to create new users on the Linux host, run tctl users update teleport-admin --logins=root,ubuntu,ec2-user,$(whoami) to explicitly allow Teleport to authenticate as the user that you have currently logged in as.
- Teleport enforces the use of multi-factor authentication by default. It supports one-time passwords (OTP) and multi-factor authenticators (WebAuthn). In this guide, you will need to enroll an OTP authenticator application using the QR code on the Teleport welcome screen.
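The OS User Mappings note above is easy to trip over, so a quick check of the --logins list before running tctl saves a confusing failure later. The script below is an added example, not part of the Teleport docs; it assumes only the standard id, awk and paste utilities, and the login names it shows are the constructed ones from this guide.

```shell
#!/bin/sh
# Check, before `tctl users add ... --logins=...`, that every login in the list
# exists as a local account on this host; a missing one produces exactly the
# authentication errors the OS User Mappings note warns about. Added example,
# not part of the Teleport docs; relies only on the standard `id` command.

# Print, one per line, the logins from a comma-separated --logins value that do
# not exist on this host. Surrounding whitespace is ignored; prints nothing when
# every login exists.
missing_logins() {
  old_ifs=$IFS; IFS=','
  set -- $1
  IFS=$old_ifs
  for login in "$@"; do
    login=$(printf '%s' "$login" | tr -d '[:space:]')
    [ -n "$login" ] || continue
    id -u "$login" >/dev/null 2>&1 || printf '%s\n' "$login"
  done
}

# Build the --logins value for the guide's `tctl users update` fallback: the given
# logins plus the invoking user, deduplicated so no login is listed twice.
logins_with_self() {
  printf '%s,%s\n' "$1" "$(id -un)" | tr ',' '\n' | awk '!seen[$0]++' | paste -s -d ',' -
}

# Constructed usage with the logins from this guide:
# missing=$(missing_logins "root,ubuntu,ec2-user")
# [ -z "$missing" ] || echo "create these with adduser, or drop them: $missing"
# tctl users update teleport-admin --logins="$(logins_with_self root,ubuntu,ec2-user)"
```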
Logging in via the CLI
In addition to Teleport's Web UI, you can access resources in your infrastructure via the tsh client tool.
Install tsh on your local workstation:
- Mac
- Windows - Powershell
- Linux
Mac
Download the signed macOS .pkg installer for Teleport, which includes tsh. In Finder double-click the pkg file to begin installation:
curl -O https://cdn.teleport.dev/teleport-18.2.10.pkg
Using Homebrew to install Teleport is not supported. The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security.
Windows - Powershell
curl.exe -O https://cdn.teleport.dev/teleport-v18.2.10-windows-amd64-bin.zip
Unzip the archive and move tsh.exe to your %PATH%.
NOTE: Do not place tsh.exe in the System32 directory, as this can cause issues when using WinSCP.
Use %SystemRoot% (C:\Windows) or %USERPROFILE% (C:\Users\<username>) instead.
Linux
All of the Teleport binaries in Linux installations include tsh. For more options (including RPM/DEB packages and downloads for i386/ARM/ARM64) see our installation page.
curl -O https://cdn.teleport.dev/teleport-v18.2.10-linux-amd64-bin.tar.gz
tar -xzf teleport-v18.2.10-linux-amd64-bin.tar.gz
cd teleport
sudo ./install
Teleport binaries have been copied to /usr/local/bin
Log in to receive short-lived certificates from Teleport. Replace teleport.example.com with your Teleport cluster's public address as configured above:
tsh login --proxy=teleport.example.com --user=teleport-admin
> Profile URL:        https://teleport.example.com:443
  Logged in as:       teleport-admin
  Cluster:            teleport.example.com
  Roles:              access, editor
  Logins:             root, ubuntu, ec2-user
  Kubernetes:         enabled
  Valid until:        2022-04-26 03:04:46 -0400 EDT [valid for 12h0m0s]
  Extensions:         permit-agent-forwarding, permit-port-forwarding, permit-pty
Step 4/4. Access your server with Teleport
Now that you have Teleport running and a user configured, you can access your Linux server through the Teleport Web UI (it will be automatically enrolled since Teleport is running on it).
Click on Connect to access it via the web-based terminal, or use Teleport's tsh CLI tool to SSH into it:
tsh ssh root@<server-name>
Next step: deploy Teleport Agents
At this point, you've launched your own Teleport Community Edition cluster and created a user. You can now move on to the next step of connecting your infrastructure.