Open Ports in Teleport Infrastructure

Lately, I’ve been trying out the Teleport service but couldn’t figure out some of my questions from the docs. I have locally set up a cluster with an auth service, proxy service and node service – each running in different containers.

From the ports overview table in the admin guide, it looks like there are many open ports needed. Now from a security perspective this is concerning. So to clarify I would like to ask a few questions.

  1. Is it sufficient if only port 3080 is open to the outside/users? What about ports 3023 & 3024, are they only open towards the different nodes or also to the users? If the latter is true, can they be closed?

  2. Could Teleport also be used if the Web Client is locked to the outside? So this would probably mean closing port 3080, which also includes the tsh tool. In this case the Web Client would only be accessible by the administrator from inside the cluster.

  3. I assume port 3022 and 3025 are only available from within the proxy service?

Port 3080 hosts the web interface for Teleport and should be forwarded to the proxy server. This allows external access to the cluster via its web interface.

Port 3023 should be forwarded from the proxy server to the outside if you want tsh clients to be able to connect to the cluster. If you’re only looking to use the web interface for connections, it is OK to leave port 3023 closed.

Port 3024 hosts an SSH server for nodes (and other Teleport clusters) to connect back to in order to create a reverse SSH tunnel between the node (or cluster) and the Teleport proxy server. It is possible to multiplex this service over port 3080 if you desire, to reduce the number of open ports. You can set tunnel_listen_addr to in the Teleport config on the proxy server and then restart, if this is your desired goal.

Yes, you can close all the ports if you have another way to get into the cluster, like a VPN tunnel or similar. Teleport will still work.

Teleport’s port 3022 on nodes is the rough equivalent of SSH’s port 22 - it hosts an SSH service which clients using the Teleport cluster can connect to (if not using reverse tunnelling). As long as the proxy server is able to connect to this port on your nodes, the cluster should work fine. It doesn’t need to be opened to the outside world.

Port 3025 hosts the Teleport auth server API - this port only needs to be accessible for nodes to connect back to in order to register with the cluster.

I hope this clears things up a bit. Please feel free to reply with more questions and we’ll do our best to help!
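As an added illustration (not code from the thread or from Teleport), here is a small Python checker that encodes the reachability rules described in the answer above and audits a firewall allow-list against them. The zones (`users`, `nodes`, `proxy`, `auth`), the rule tuple format and the proxy-to-auth path are assumptions for this example.

```python
from typing import List, Tuple

# Assumed rule format: (source zone, destination role, port) = allowed path.
Rule = Tuple[str, str, int]

# Paths the answer says are needed for the cluster to work at all.
REQUIRED: List[Rule] = [
    ("users", "proxy", 3080),   # web UI, the one port users must reach
    ("nodes", "auth", 3025),    # nodes register with the auth API
]
# Every path the answer describes as legitimate; anything else is over-exposure.
ALLOWED = {
    ("users", "proxy", 3080),
    ("users", "proxy", 3023),   # only if tsh clients connect from outside
    ("nodes", "proxy", 3024),   # reverse tunnel listener
    ("nodes", "proxy", 3080),   # reverse tunnel multiplexed over the web port
    ("proxy", "nodes", 3022),   # direct SSH from the proxy, no reverse tunnel
    ("nodes", "auth", 3025),
    ("proxy", "auth", 3025),    # assumption: the proxy also talks to auth
}

def audit(rules: List[Rule], tunnel_on_3080: bool = False) -> List[str]:
    """Return findings for an allow-list: over-exposed, missing or redundant paths."""
    present = set(rules)
    findings = []
    for src, dst, port in rules:
        if (src, dst, port) not in ALLOWED:
            findings.append(f"over-exposed: {src} -> {dst}:{port} is not needed")
    for src, dst, port in REQUIRED:
        if (src, dst, port) not in present:
            findings.append(f"missing: {src} -> {dst}:{port} is required")
    # Sessions need either a reverse tunnel into the proxy or proxy -> node SSH.
    tunnel = ("nodes", "proxy", 3080 if tunnel_on_3080 else 3024)
    if tunnel not in present and ("proxy", "nodes", 3022) not in present:
        findings.append("missing: no reverse tunnel path and no proxy -> nodes:3022 path")
    if tunnel_on_3080 and ("nodes", "proxy", 3024) in present:
        findings.append("unnecessary: nodes -> proxy:3024 is open but the tunnel is multiplexed on 3080")
    return findings

# Constructed sample allow-lists: WEAK exposes node SSH and the auth API to users.
WEAK: List[Rule] = [
    ("users", "proxy", 3080), ("users", "proxy", 3023), ("users", "nodes", 3022),
    ("users", "auth", 3025), ("nodes", "auth", 3025), ("nodes", "proxy", 3024),
]
HARDENED: List[Rule] = [
    ("users", "proxy", 3080), ("nodes", "proxy", 3024),
    ("proxy", "nodes", 3022), ("nodes", "auth", 3025),
]
```

Running `audit(WEAK)` reports the two user-facing paths that the answer says never need to be open, while `audit(HARDENED)` returns no findings.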
