Simplifying Zero Trust Security for AWS with Teleport
Jan 23
Virtual
Register Now
Teleport logoTry For Free
Background image

Overview

Teleport Node Tunneling, also known as Teleport IoT, lets you add a remote node to an existing Teleport Cluster through a tunnel. This can be useful for IoT applications, or for managing a couple of servers in a different network.

Connecting IoT Devices to Teleport

Ben: Hi. In this video, I'll be giving a quick overview of Teleport in IoT mode and how you can set it up on a Raspberry Pi or any other small, embedded computer you have hanging around. So if you've been on our site, you may have seen a few things. You see we have the Linux servers; we have Windows. But you might also see we have an IoT cell tower. We introduced this feature back in 4.3. But it's a very powerful feature that you can use not only for small IoT devices but a range of other devices that you need to connect back to a central Teleport cluster. If you come into our documentation, we have full information about Teleport IoT, and we actually call it adding a node located behind the NAT, which is network address translation. Prior to this, we had Teleport accessing the auth server directly. And when you issue tokens, an invite token, you'd get a certificate, and then this deals with all of your CA rotations and everything else. What the IoT mode does — it dials back to the Teleport proxy. And as long as the proxy URL is public, nodes will be able to join. So we have more information here about how you can set up changing to the ports, how to set up Port 443. But let me just show you another diagram that would explain this a bit better.

Ben: So in my setup, I have Teleport running in an AWS host. It's highly available. But I have a range of devices which I want to connect to this Teleport cluster and access them. Some of them are small, embedded devices, such as a Raspberry Pi running ARM services, and then this could be plugged in statically. But you might also have devices, such as sort of moving robots or things on the go, that connect over mobile networks. And the way in which this Teleport Node Tunneling works is — all this device needs is an outbound connection, and it will always dial back to the Teleport proxy. And this is very helpful. Let's say you have one customer who has medical devices and this hospital network is very secure, there's no inbound connections to SSH or anything else, but the devices themselves make a tunnel from the device back to Teleport and the sysadmins can access those devices. So the flow for people trying to connect to them — I would connect to Teleport, I'd use GitHub SSO, then Teleport will be able to look up where is this device. If it's still sending the [inaudible] back and it can connect, you'll be able to connect to it.

Ben: So I'm going to show you setting up Node Tunneling on a Raspberry Pi. So let me change to my terminal here. I've already configured a very basic Raspberry Pi. I've used the Raspberry Pi default OS, but also you can use Ubuntu for ARM or any other sort of distro. But this is an ARM processor and, so far, I've configured this to SSH. And I'll share this, but you could also just bake Teleport into your setup to get this up and running. So I have it installed. So let's get started by installing Teleport.

Ben: So to get started, I come here and I'm going to install Teleport on this node. So if we come down here to Linux, you can see we have a range of different operating systems. I'm actually running 32-bits ARM. So we have two ARMs. So it's this one here, ARMv7, 32-bit. That's the RPM. And we also have the tar.gz. So we start by — okay. So this is going to download Teleport. Give it a few minutes. This is a particularly low-powered Raspberry Pi, so the installation does take a little bit of time. If you were to look into go into sort of large production, you could build your own Ras Pi image with Teleport built into it, so. And I'm just going to install Teleport. Okay. So here it says, "Thank you for installing Teleport." It should have this command line. So if you're interested in getting a swag package and getting our newsletter, you can send this, and I will be sending you an email with the swag packet. But we're going to ignore that for now.

Ben: So let's check that Teleport is installed. We have 6.2.8 installed, the version of Go. So let's clear this. So we have Teleport installed. But if I come to my Teleport host, we're going to have to add it. In here, we have a few steps about how you obtain a node join token. I've already logged in. So I'm on my pop-os box. Yes, see, I've logged in. I'm going to create a node join token that's valid for an hour. And here can just run this in the cluster.

Ben: So there's one thing here that we're going to change. So you see here, it has this auth server, this is an internal IP address. So this isn't accessible on the internet and the same with the ports. So I'm going to change this to the public address of my proxy, which is acme-demo.teleport.sh: 443. Okay. So we're going to just write sudo teleport start -d. And you see it will — it's attempting to join. In this case, I've just used the command line. You can also use a Teleport YAML file and then you can add — makes it easy to add labels and everything else. So let's just see if we have a new node in our list. Okay. So here we have it. We have Raspberry Pi. Oh, let me move up. So we have Raspberry Pi, which is using tunnel which has been connected. But then we come across another potential roadblock.

Ben: So you see here, we have a range of principles to log in. But if I log in as, let's say, ubuntu, this isn't going to work because this isn't a valid principle for this host. I think, in my case, because I'm running a sudo, I think I should be able to log in as root@raspberrypi. And then it's also giving me the standard Message of the Day, that I've just configured this and I have a password. But you might want to also change the username. One thing I’m gonna do now is I'll say change my Roles to add in a Pi user. So now I can log in as the Pi user. Oh, I need to — now what I need to do is I actually need to log out and back in again to get the new certificate for the Pi user. And here we are. Now we're logged in at pi@raspberrypi. And actually, this small device here, which we've connected to over Wi-Fi — it sort of completes the example of, "This is a device in my home which has my home network, but I'll be able to now connect to it." Let's see — my very small Pi is chugging along, and you can see the Teleport service running here.

Ben: So this brings me to the end of my demo. Hopefully, you can see all of the building blocks about how you can install Teleport on ARM devices, how you change the address of the auth server to point to the proxy. And that's pretty much it. If you have any questions, please leave a comment in our GitHub discussions or contact us in our community Slack Channel. Thank you.

Key links:

Join The Teleport Community

Background image

Try Teleport today

In the cloud, self-hosted, or open source
Get StartedView developer docs