Fail to add node

Upon running the below, I get the error.

tsh ssh centos@ip-172-31-38-97.us-east-2.compute.internal 3620ms  Fri Jan 8 02:38:17 2021
error: failed connecting to node ip-172-31-38-97.us-east-2.compute.internal. dialing through a tunnel: no tunnel connection found: no node reverse tunnel for 93713410-a909-4af6-b48e-6d2d3d50b797.ip-172-31-44-55.us-east-2.compute.internal found, dialing directly: dial tcp 172.31.38.97:3022: i/o timeout

Please run tsh ls and verify the node is listed. You should see a table output that looks similar to this:

➜  ~ tsh ls
Node Name        Address           Labels
---------------- ----------------- ------------------------------------
node-01          35.0.0.0:3022     teleport-version=v5.1.0

Verify your node name 93713410-a909-4af6-b48e-6d2d3d50b797.ip-172-31-44-55.us-east-2.compute.internal is listed. It’s a bit unusual to use the FQDN as you have in your command. It’s likely the node name is just the node’s hostname, or the node_name value defined in teleport.yaml, instead of the FQDN. Try performing tsh ssh centos@<node-name>.

There are two ways to join a node to a Teleport cluster:

  1. Join directly to the Teleport auth server (port 3025)

Example using /etc/teleport.yaml:

auth_servers:
  - <teleport auth server>:3025

Example using teleport start:

teleport start --roles=node --auth-server=<teleport auth server>:3025

When you join a node to a Teleport auth server (using port 3025), then port 3022 must be open on the node to allow incoming connections from tsh ssh. This is because there is no reverse tunnel established between the node and the Teleport cluster.

  2. Join via a Teleport proxy (port 3080)

Example using /etc/teleport.yaml:

auth_servers:
  - <teleport proxy server>:3080

Example using teleport start:

teleport start --roles=node --auth-server=<teleport proxy server>:3080

When you join a node to a Teleport proxy server (using port 3080), a reverse tunnel is established between the node and the Teleport cluster. Port 3022 therefore does NOT need to be open, as all connections to the node can be made using the reverse tunnel.

If you change your node to join via the proxy server rather than the auth server, then things should work as you expect with no need to open port 3022.
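A small check that reads the `auth_servers` entries from a node's teleport.yaml and reports which of the two join paths above it uses, and hence whether inbound tcp/3022 must be reachable. This is an added example, not part of the answer or of Teleport itself; the two embedded configs and hostnames are constructed, and the YAML parsing is a minimal regex walk that only understands the `auth_servers:` list layout shown in this thread.

```python
import re

AUTH_PORT = 3025   # join directly to auth server: node must accept inbound tcp/3022
PROXY_PORT = 3080  # join via proxy: reverse tunnel, no inbound port on the node
NODE_PORT = 3022   # port tsh ssh dials when no reverse tunnel exists

# Constructed sample configs mirroring the two variants in the answer.
DIRECT_CFG = """\
teleport:
  nodename: ip-172-31-44-55
  auth_servers:
    - teleport-auth.example.internal:3025
"""

PROXY_CFG = """\
teleport:
  auth_servers:
    - teleport-proxy.example.internal:3080
"""


def auth_servers(yaml_text):
    """Collect the host:port items listed under auth_servers (minimal parser)."""
    entries, in_list = [], False
    for line in yaml_text.splitlines():
        if re.match(r"\s*auth_servers\s*:", line):
            in_list = True
            continue
        if in_list:
            item = re.match(r"\s*-\s*(\S+)", line)
            if not item:
                break  # first non-list line ends the auth_servers block
            entries.append(item.group(1))
    return entries


def join_mode(yaml_text):
    """Classify the join path by the port the node is pointed at."""
    ports = set()
    for entry in auth_servers(yaml_text):
        _, _, port = entry.rpartition(":")
        if port.isdigit():
            ports.add(int(port))
    if ports == {PROXY_PORT}:
        return {"mode": "proxy", "inbound_port_required": None}
    if ports == {AUTH_PORT}:
        return {"mode": "auth", "inbound_port_required": NODE_PORT}
    # Mixed or unrecognised targets: assume the direct path and keep 3022 reachable.
    return {"mode": "unknown", "inbound_port_required": NODE_PORT}
```

Running `join_mode` on a node's real /etc/teleport.yaml tells you whether a `dial tcp ...:3022: i/o timeout` like the one in the question is expected (auth-server join with 3022 filtered) or a sign the reverse tunnel never came up.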