Version: 18.x (unreleased)

Using VNet

This guide explains how to use VNet to connect to TCP applications available through Teleport.

VNet automatically proxies connections from your computer to TCP apps available through Teleport. A program on your device can connect to tcp-app.teleport.example.com , without having to know about Teleport. Underneath, VNet authenticates the connection with your credentials, using the same TLS routing technology as tsh proxy app . This is all done client-side – VNet sets up a local DNS name server and a virtual network device.

VNet is available on macOS and Windows in Teleport Connect and tsh, with plans for Linux support in a future version.

macOS

Windows A client machine running macOS Ventura (13.0) or higher.

Teleport Connect, version 16.0.0 or higher. A client machine running Windows 10 or higher.

Teleport Connect, version 17.3.0 or higher.

Open Teleport Connect and log in to the cluster. Find the TCP app you want to connect to. TCP apps have tcp:// as the protocol in their addresses.

Click "Connect" next to the TCP app. This starts VNet if it's not already running. Alternatively, you can start VNet through the connection list in the top left.

Details First launch on macOS During the first launch, macOS will prompt you to enable a background item for tsh.app. VNet needs this background item in order to configure DNS on your device. To enable the background item, either interact with the system notification or go to System Settings > General > Login Items and look for tsh.app under "Allow in the Background". During the first launch, macOS will prompt you to enable a background item for tsh.app. VNet needs this background item in order to configure DNS on your device. To enable the background item, either interact with the system notification or go to System Settings > General > Login Items and look for tsh.app under "Allow in the Background".

Once VNet is running, you can connect to the application using the application client you would normally use to connect to it.

Support for multiple ports Unless the application specifies multiple ports, VNet proxies connections over any port used by the application client. For multi-port apps, the port number must match one of the target ports of the app. To see a list of target ports, click the three dot menu next to an application in Teleport Connect or execute tsh apps ls . If per-session MFA is enabled, the first connection over each port triggers an MFA check.

VNet is going to automatically start on the next Teleport Connect launch, unless you stop VNet before closing Teleport Connect.

VNet is available in tsh as well. Using it involves logging into the cluster and executing the command tsh vnet .

tsh login --proxy=teleport.example.com tsh vnet

On the client computer, VNet uses IPv4 addresses from the CGNAT IP range 100.64.0.0/10 by default, and needs to configure addresses and routes for this range. This can conflict with other VPN-like applications, notably Tailscale also uses this range.

If you are experiencing connectivity problems with VNet, check if you are running Tailscale or another VPN client, and try disabling it to see if the issue persists. To avoid the conflict and run VNet alongside Tailscale or another VPN client you can configure VNet to use a different IPv4 range, see our VNet configuration guide.

Sometimes connectivity issues are not related to VNet, and you can narrow that down by trying to connect to your app without VNet. Make sure your app appears in the Connect resources view, or the output of tsh apps ls . Turn off VNet and try creating a local proxy to your app (with debug logging enabled) with tsh proxy app -d <app-name> .

If VNet doesn't have a chance to clean up before stopping, such as during sudden device shut down, it may leave leftover DNS configuration files in /etc/resolver . Those files tell your computer to talk to a DNS server operated by VNet when connecting to your cluster. But since VNet is no longer running, there's no DNS server to answer those calls.

To clean up those files, simply start VNet again. Alternatively, you can remove the leftover files manually.

Start VNet with tsh vnet -d . Look at /var/log/vnet.log and note the IPv6 and IPv4 CIDR range used by VNet.

From tsh vnet -d: INFO [VNET] Running Teleport VNet. ipv6_prefix:fd60:67ec:4325:: vnet/vnet.go:317

From /var/log/vnet.log: INFO Setting an IP route for the VNet. netmask:100.64.0.0/10 vnet/osconfig_darwin.go:47

Send a query for a TCP app available in your cluster, replacing tcp-app.teleport.example.com with the name of your app:

dscacheutil -q host -a name tcp-app.teleport.example.com name: tcp-app.teleport.example.com ipv6_address: fd60:67ec:4325::647a:547d

name: tcp-app.teleport.example.com ip_address: 100.68.51.151

The addresses reported by dscacheutil should belong to ranges reported by VNet above.

Querying for anything other than an address of a TCP app should return the address belonging to the Proxy Service.

dscacheutil -q host -a name dashboard.teleport.example.com name: dashboard.teleport.example.com ipv6_address: 2606:2800:21f:cb07:6820:80da:af6b:8b2c

name: dashboard.teleport.example.com ip_address: 93.184.215.14

Querying for both addresses should result in some output being emitted by tsh vnet -d .

When submitting an issue, make sure to include logs from /var/log/vnet.log , as well as Teleport Connect logs or the output of tsh vnet -d , depending on which client you use.