Issue connecting to node behind NAT: no node reverse tunnel found #8684

ahelwer · 2021-10-21T15:30:54Z

ahelwer
Oct 21, 2021

Version
Teleport v7.3.0 git:v7.3.0-0-g04727ee47 go1.16.2
Cluster node: Ubuntu 20.04 on x86_64
NAT node: Linux raspberrypi 5.10.60-v7+ on armv7l

Problem
I have been trying without success to connect to a node behind NAT that was added to my teleport cluster. When I try to run tsh ssh ahelwer@raspberrypi, I get the following error:

ERROR: failed connecting to node raspberrypi. Teleport proxy failed to connect to "node" agent "raspberrypi.local:3022" over reverse tunnel:
no tunnel connection found: no node reverse tunnel for 8fe2c01c-b904-48bf-943f-157b4afed89e.hostname.com found
This usually means that the agent is offline or has disconnected. Check the agent logs and, if the issue persists, try restarting it or re-registering it with the cluster.

I have added & re-added the node trying various configurations but have not yet managed to get it to work.

Configuration
I have a single Ubuntu VM running on Azure which hosts both my auth server and proxy server. Both myself and another user can also tsh ssh into this VM without issues. Looking at the Azure network security group for this node, it has the following ports open to TCP traffic from any source:

80
443
3023
3024
3025
3080

I also have a domain with A records for both hostname.com and *.hostname.com that point to this VM's public IPv4 address, validated with the dig command. Here is the VM's config file:

VM config file

teleport:
  nodename: name
  data_dir: /var/lib/teleport
  log:
    output: /var/lib/teleport/teleport.log
    severity: DEBUG
    format:
      output: text
  ca_pin: []
auth_service:
  enabled: "yes"
  cluster_name: hostname.com
  proxy_protocol: on
  authentication:
    type: github
  listen_addr: 0.0.0.0:3025
ssh_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3022
  labels:
    env: admin
  commands:
  - name: hostname
    command: [hostname]
    period: 1m0s
  - name: arch
    command: ['/bin/uname', '-p']
    period: 1h0m0s
  port_forwarding: true
proxy_service:
  enabled: "yes"
  proxy_protocol: on
  listen_addr: 0.0.0.0:3023
  tunnel_listen_addr: 0.0.0.0:3024
  web_listen_addr: 0.0.0.0:443
  public_addr: hostname.com:443
  https_keypairs: []
  acme:
    enabled: "yes"
    email:[email protected]
app_service:
  enabled: no
kubernetes_service:
  enabled: no
db_service:
  enabled: no

I also have a raspberry pi running on my home network behind NAT which I would like to be able to connect to from outside my home network, proxying into a reverse tunnel through the teleport proxy service running on the above VM. I tried adding the rpi using the directions here. I seemingly successfully added the node to the cluster (it appears when I run tsh ls and in the web UI) but still get the above connection issue. Here is the teleport config file on the rpi, where I have verified the teleport service is running with top:

rpi config file

teleport:
  nodename: raspberrypi
  data_dir: /var/lib/teleport
  auth_token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  ca_pin: "sha256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  advertise_ip: raspberrypi.local
  auth_servers:
    - hostname.com
  log:
    output: /var/lib/teleport/teleport.log
    severity: DEBUG
    format:
      output: text
auth_service:
  enabled: no
ssh_service:
  enabled: yes
  listen_addr: 0.0.0.0:3022
  labels:
    env: NAT
  commands:
  - name: hostname
    command: [hostname]
    period: 1m0s
  - name: arch
    command: ['/bin/uname', '-p']
    period: 1h0m0s
  port_forwarding: true
proxy_service:
  enabled: no
app_service:
  enabled: no
kubernetes_service:
  enabled: no
db_service:
  enabled: no

Here is the log file on the rpi:

rpi log file in /var/lib/teleport/teleport.log

2021-10-21T18:00:38-04:00 DEBU [PROC:1] Adding service to supervisor. service:register.node service/supervisor.go:201
2021-10-21T18:00:38-04:00 DEBU [PROC:1] Adding service to supervisor. service:ssh.node service/supervisor.go:201
2021-10-21T18:00:38-04:00 DEBU [PROC:1] Adding service to supervisor. service:ssh.shutdown service/supervisor.go:201
2021-10-21T18:00:38-042021-10-21T18:00:38-04:00 DEBU [SQLITE] Connected to: file:/var/lib/teleport/cache/node/sqlite.db?_busy_timeout=10000&_sync=OFF, poll stream period: 100ms lite/lite.go:172
2021-10-21T18:00:38-04:00 DEBU [SQLITE] Synchronous: 0, busy timeout: 10000 lite/lite.go:217
2021-10-21T18:00:39-04:00 INFO [NODE:1:CA] Cache "node" first init succeeded. cache/cache.go:658
2021-10-21T18:00:39-04:00 DEBU [SSH:NODE] Supported ciphers: ["[email protected]" "[email protected]" "aes128-ctr" "aes192-ctr" "aes256-ctr"]. sshutils/server.go:229
2021-10-21T18:00:39-04:00 DEBU [SSH:NODE] Supported KEX algorithms: ["[email protected]" "ecdh-sha2-nistp256" "ecdh-sha2-nistp384" "ecdh-sha2-nistp521"]. sshutils/server.go:239
2021-10-21T18:00:39-04:00 DEBU [SSH:NODE] Supported MAC algorithms: ["[email protected]" "hmac-sha2-256"]. sshutils/server.go:249
2021-10-21T18:00:39-04:00 DEBU [NODE:BEAT] Starting Node heartbeat with announce period: 1m0s, keep-alive period 5m22.001033829s, poll period: 5s srv/heartbeat.go:143
2021-10-21T18:00:39-04:00 DEBU [SSH:NODE] Listening on [::]:3022. sshutils/server.go:382
th direct connection. auth-addrs:[hostname.com:3025] service/connect.go:822
2021-10-21T18:00:38-04:00 DEBU [PROC:1] Connected client: Identity(Node, cert(8fe2c01c-b904-48bf-943f-157b4afed89e.hostname.com issued by hostname.com:224488929839715472080914085805916322702),trust root(hostname.com:224488929839715472080914085805916322702)) service/connect.go:86
2021-10-21T18:00:38-04:00 DEBU [PROC:1] Connected server: Identity(Node, cert(8fe2c01c-b904-48bf-943f-157b4afed89e.hostname.com issued by hostname.com:224488929839715472080914085805916322702),trust root(hostname.com:224488929839715472080914085805916322702)) service/connect.go:87
2021-10-21T18:00:38-04:00 INFO [PROC:1] Node: features loaded from auth server: Kubernetes:true App:true DB:true service/connect.go:58
2021-10-21T18:00:38-04:00 DEBU [PROC:1] Broadcasting event. event:SSHIdentity service/supervisor.go:370
2021-10-21T18:00:38-04:00 DEBU [PROC:1] Service is completed and removed. service:register.node service/supervisor.go:239
2021-10-21T18:00:38-04:00 DEBU [NODE:1] Received event "SSHIdentity". service/service.go:1670
2021-10-21T18:00:38-04:00 DEBU [PROC:1] Creating sqlite backend for [node]. service/service.go:1517
2021-10-21T18:00:39-04:00 DEBU [NODE:1] Starting watch. resource-kind:lock retry:Linear(attempt=0, duration=0s) services/watcher.go:177
2021-10-21T18:00:39-04:00 INFO [AUDIT:1] Creating directory /var/lib/teleport/log. service/service.go:1976
2021-10-21T18:00:39-04:00 INFO [AUDIT:1] Creating directory /var/lib/teleport/log/upload. service/service.go:1976
2021-10-21T18:00:39-04:00 INFO [AUDIT:1] Creating directory /var/lib/teleport/log/upload/sessions. service/service.go:1976
2021-10-21T18:00:39-04:00 INFO [AUDIT:1] Creating directory /var/lib/teleport/log/upload/sessions/default. service/service.go:1976
2021-10-21T18:00:39-04:00 INFO [AUDIT:1] Creating directory /var/lib/teleport/log. service/service.go:1976
2021-10-21T18:00:39-04:00 INFO [AUDIT:1] Creating directory /var/lib/teleport/log/upload. service/service.go:1976
2021-10-21T18:00:39-04:00 INFO [AUDIT:1] Creating directory /var/lib/teleport/log/upload/streaming. service/service.go:1976
2021-10-21T18:00:39-04:00 INFO [AUDIT:1] Creating directory /var/lib/teleport/log/upload/streaming/default. service/service.go:1976
2021-10-21T18:00:39-04:00 DEBU [PROC:1] Adding service to supervisor. service:uploader.service service/supervisor.go:201
2021-10-21T18:00:39-04:00 DEBU [PROC:1] Adding service to supervisor. service:uploader.shutdown service/supervisor.go:201
2021-10-21T18:00:39-04:00 DEBU [PROC:1] Service has started. service:uploader.service service/supervisor.go:262
2021-10-21T18:00:39-04:00 DEBU [PROC:1] Adding service to supervisor. service:fileuploader.service service/supervisor.go:201
2021-10-21T18:00:39-04:00 DEBU [PROC:1] Service has started. service:uploader.shutdown service/supervisor.go:262
2021-10-21T18:00:39-04:00 DEBU [PROC:1] Adding service to supervisor. service:fileuploader.shutdown service/supervisor.go:201
2021-10-21T18:00:39-04:00 DEBU [PROC:1] Service has started. service:fileuploader.shutdown service/supervisor.go:262
2021-10-21T18:00:39-04:00 INFO [PROC:1] Service node is creating new listener on 0.0.0.0:3022. service/signals.go:213
2021-10-21T18:00:39-04:00 DEBU [PROC:1] Service has started. service:fileuploader.service service/supervisor.go:262
2021-10-21T18:00:39-04:00 INFO [NODE:1] Service 7.3.0:v7.3.0-0-g04727ee47 is starting on 0.0.0.0:3022 sqlite cache that will expire after connection to database is lost after 20h0m0s, will cache frequently accessed items for 2s. service/service.go:1849
2021-10-21T18:00:39-04:00 INFO [NODE:1] Service 7.3.0:v7.3.0-0-g04727ee47 is starting on 0.0.0.0:3022. utils/cli.go:282
2021-10-21T18:00:39-04:00 DEBU [PROC:1] Broadcasting event. event:NodeReady service/supervisor.go:370
2021-10-21T18:00:39-04:00 DEBU [PROC:1] Broadcasting mapped event. in:NodeReady out:EventMapping(in=[NodeReady], out=TeleportReady) service/supervisor.go:395
2021-10-21T18:00:39-04:00 INFO [PROC:1] The new service has started successfully. Starting syncing rotation status with period 10m0s. service/connect.go:445
2021-10-21T18:01:02-04:00 INFO [PROC:1] Got signal "interrupt", exiting immediately. service/signals.go:86
2021-10-21T18:01:02-04:00 DEBU [PROC:1] Broadcasting event. event:TeleportExit service/supervisor.go:370

Important note: I had to differ from the NAT instructions when running the command to add the rpi to the cluster, because when using hostname.com:3080 or teleport-proxy.hostname.com:3080 instead of just hostname.com I get the following error:

2021-10-21T11:24:49-04:00 INFO [PROC:1] Connecting to the cluster hostname.com with TLS client certificate. service/connect.go:132
2021-10-21T11:24:49-04:00 ERRO [PROC:1] Node failed to establish connection to cluster: Failed to connect to Auth Server directly or over tunnel, no methods remaining.. service/connect.go:67
(repeats)

If I start it with teleport-proxy.hostname.com as the auth-server it gets further but still errors out:

rpi log file in /var/lib/teleport/teleport.log

2021-10-22T09:44:15-04:00 [PROC:1] DEBU Adding service to supervisor. service:register.node service/supervisor.go:201
2021-10-22T09:44:15-04:00 [PROC:1] DEBU Adding service to supervisor. service:ssh.node service/supervisor.go:201
2021-10-22T09:44:15-04:00 [PROC:1] DEBU Adding service to supervisor. service:ssh.shutdown service/supervisor.go:201
2021-10-22T09:44:15-042021-10-22T09:44:15-04:00 DEBU Attempting GET teleport-proxy.example.com:3025/webapi/find webclient/webclient.go:62
2021-10-22T09:44:26-04:00 DEBU Attempting GET teleport-proxy.example.com:3025/webapi/find webclient/webclient.go:62
BU Service has started. service:ssh.node service/supervisor.go:262
2021-10-22T09:44:15-04:00 [PROC:1] DEBU No signal pipe to import, must be first Teleport process. service/service.go:818
2021-10-22T09:44:15-04:00 [PROC:1] DEBU Service has started. service:ssh.shutdown service/supervisor.go:262
2021-10-22T09:44:15-04:00 [PROC:1] DEBU Service has started. service:common.rotate service/supervisor.go:262
2021-10-22T09:44:15-04:00 [PROC:1] DEBU Connected state: never updated. service/connect.go:103
2021-10-22T09:44:15-04:00 [PROC:1] INFO Connecting to the cluster hostname.com with TLS client certificate. service/connect.go:132
2021-10-22T09:44:15-04:00 [PROC:1] DEBU Attempting to connect to Auth Server directly. auth-addrs:[teleport-proxy.example.com:3025] service/connect.go:819
2021-10-22T09:44:15-04:00 [PROC:1] DEBU Failed to connect to Auth Server directly. auth-addrs:[teleport-proxy.example.com:3025] service/connect.go:825
2021-10-22T09:44:15-04:00 [PROC:1] DEBU Attempting to discover reverse tunnel address. auth-addrs:[teleport-proxy.example.com:3025] service/connect.go:834
2021-10-22T09:44:16-04:00 [PROC:1] DEBU Failed to connect to Auth Server directly. auth-addrs:[teleport-proxy.example.com:3025] error:[
ERROR REPORT:
Original Error: *trace.ConnectionProblemError Get "https://teleport.cluster.local/v2/domain": dial tcp: lookup teleport-proxy.example.com on 75.75.75.75:53: no such host
Stack Trace:
/go/src/github.com/gravitational/teleport/lib/httplib/httplib.go:133 github.com/gravitational/teleport/lib/httplib.ConvertResponse
/go/src/github.com/gravitational/teleport/lib/auth/clt.go:307 github.com/gravitational/teleport/lib/auth.(*Client).Get
/go/src/github.com/gravitational/teleport/lib/auth/clt.go:398 github.com/gravitational/teleport/lib/auth.(*Client).GetDomainName
/go/src/github.com/gravitational/teleport/lib/auth/clt.go:1624 github.com/gravitational/teleport/lib/auth.(*Client).GetLocalClusterName
/go/src/github.com/gravitational/teleport/lib/service/connect.go:918 github.com/gravitational/teleport/lib/service.(*TeleportProcess).newClientDirect
/go/src/github.com/gravitational/teleport/lib/service/connect.go:820 github.com/gravitational/teleport/lib/service.(*TeleportProcess).newClient
/go/src/github.com/gravitational/teleport/lib/service/connect.go:133 github.com/gravitational/teleport/lib/service.(*TeleportProcess).connect
/go/src/github.com/gravitational/teleport/lib/service/connect.go:82 github.com/gravitational/teleport/lib/service.(*TeleportProcess).connectToAuthService
/go/src/github.com/gravitational/teleport/lib/service/connect.go:50 github.com/gravitational/teleport/lib/service.(*TeleportProcess).reconnectToAuthService
/go/src/github.com/gravitational/teleport/lib/service/service.go:1946 github.com/gravitational/teleport/lib/service.(*TeleportProcess).registerWithAuthServer.func1
/go/src/github.com/gravitational/teleport/lib/service/supervisor.go:494 github.com/gravitational/teleport/lib/service.(*LocalService).Serve
/go/src/github.com/gravitational/teleport/lib/service/supervisor.go:263 github.com/gravitational/teleport/lib/service.(*LocalSupervisor).serve.func1
/opt/go/src/runtime/asm_arm.s:841 runtime.goexit
User Message: Get "https://teleport.cluster.local/v2/domain": dial tcp: lookup teleport-proxy.example.com on 75.75.75.75:53: no such host] service/connect.go:837
2021-10-22T09:44:16-04:00 [PROC:1] DEBU Failed to discover reverse tunnel address. auth-addrs:[teleport-proxy.example.com:3025] error:[
ERROR REPORT:
Original Error: trace.aggregate Get "https://teleport-proxy.example.com:3025/webapi/find": dial tcp: lookup teleport-proxy.example.com on 75.75.75.75:53: no such host
Stack Trace:
/go/src/github.com/gravitational/teleport/lib/service/connect.go:872 github.com/gravitational/teleport/lib/service.(*TeleportProcess).findReverseTunnel
/go/src/github.com/gravitational/teleport/lib/service/connect.go:835 github.com/gravitational/teleport/lib/service.(*TeleportProcess).newClient
/go/src/github.com/gravitational/teleport/lib/service/connect.go:133 github.com/gravitational/teleport/lib/service.(*TeleportProcess).connect
/go/src/github.com/gravitational/teleport/lib/service/connect.go:82 github.com/gravitational/teleport/lib/service.(*TeleportProcess).connectToAuthService
/go/src/github.com/gravitational/teleport/lib/service/connect.go:50 github.com/gravitational/teleport/lib/service.(*TeleportProcess).reconnectToAuthService
/go/src/github.com/gravitational/teleport/lib/service/service.go:1946 github.com/gravitational/teleport/lib/service.(*TeleportProcess).registerWithAuthServer.func1
/go/src/github.com/gravitational/teleport/lib/service/supervisor.go:494 github.com/gravitational/teleport/lib/service.(*LocalService).Serve
/go/src/github.com/gravitational/teleport/lib/service/supervisor.go:263 github.com/gravitational/teleport/lib/service.(*LocalSupervisor).serve.func1
/opt/go/src/runtime/asm_arm.s:841 runtime.goexit
User Message: Get "https://teleport-proxy.example.com:3025/webapi/find": dial tcp: lookup teleport-proxy.example.com on 75.75.75.75:53: no such host] service/connect.go:838
2021-10-22T09:44:16-04:00 [PROC:1] ERRO Node failed to establish connection to cluster: Failed to connect to Auth Server directly or over tunnel, no methods remaining.. service/connect.go:67
2021-10-22T09:44:26-04:00 [PROC:1] DEBU Connected state: never updated. service/connect.go:103
2021-10-22T09:44:26-04:00 [PROC:1] INFO Connecting to the cluster hostname.com with TLS client certificate. service/connect.go:132
2021-10-22T09:44:26-04:00 [PROC:1] DEBU Attempting to connect to Auth Server directly. auth-addrs:[teleport-proxy.example.com:3025] service/connect.go:819
2021-10-22T09:44:26-04:00 [PROC:1] DEBU Failed to connect to Auth Server directly. auth-addrs:[teleport-proxy.example.com:3025] service/connect.go:825
2021-10-22T09:44:26-04:00 [PROC:1] DEBU Attempting to discover reverse tunnel address. auth-addrs:[teleport-proxy.example.com:3025] service/connect.go:834
2021-10-22T09:44:26-04:00 [PROC:1] DEBU Failed to connect to Auth Server directly. auth-addrs:[teleport-proxy.example.com:3025] error:[
ERROR REPORT:
Original Error: *trace.ConnectionProblemError Get "https://teleport.cluster.local/v2/domain": dial tcp: lookup teleport-proxy.example.com on 75.75.75.75:53: no such host
Stack Trace:
/go/src/github.com/gravitational/teleport/lib/httplib/httplib.go:133 github.com/gravitational/teleport/lib/httplib.ConvertResponse
/go/src/github.com/gravitational/teleport/lib/auth/clt.go:307 github.com/gravitational/teleport/lib/auth.(*Client).Get
/go/src/github.com/gravitational/teleport/lib/auth/clt.go:398 github.com/gravitational/teleport/lib/auth.(*Client).GetDomainName
/go/src/github.com/gravitational/teleport/lib/auth/clt.go:1624 github.com/gravitational/teleport/lib/auth.(*Client).GetLocalClusterName
/go/src/github.com/gravitational/teleport/lib/service/connect.go:918 github.com/gravitational/teleport/lib/service.(*TeleportProcess).newClientDirect
/go/src/github.com/gravitational/teleport/lib/service/connect.go:820 github.com/gravitational/teleport/lib/service.(*TeleportProcess).newClient
/go/src/github.com/gravitational/teleport/lib/service/connect.go:133 github.com/gravitational/teleport/lib/service.(*TeleportProcess).connect
/go/src/github.com/gravitational/teleport/lib/service/connect.go:82 github.com/gravitational/teleport/lib/service.(*TeleportProcess).connectToAuthService
/go/src/github.com/gravitational/teleport/lib/service/connect.go:50 github.com/gravitational/teleport/lib/service.(*TeleportProcess).reconnectToAuthService
/go/src/github.com/gravitational/teleport/lib/service/service.go:1946 github.com/gravitational/teleport/lib/service.(*TeleportProcess).registerWithAuthServer.func1
/go/src/github.com/gravitational/teleport/lib/service/supervisor.go:494 github.com/gravitational/teleport/lib/service.(*LocalService).Serve
/go/src/github.com/gravitational/teleport/lib/service/supervisor.go:263 github.com/gravitational/teleport/lib/service.(*LocalSupervisor).serve.func1
/opt/go/src/runtime/asm_arm.s:841 runtime.goexit
User Message: Get "https://teleport.cluster.local/v2/domain": dial tcp: lookup teleport-proxy.example.com on 75.75.75.75:53: no such host] service/connect.go:837
2021-10-22T09:44:26-04:00 [PROC:1] DEBU Failed to discover reverse tunnel address. auth-addrs:[teleport-proxy.example.com:3025] error:[
ERROR REPORT:
Original Error: trace.aggregate Get "https://teleport-proxy.example.com:3025/webapi/find": dial tcp: lookup teleport-proxy.example.com on 75.75.75.75:53: no such host
Stack Trace:
/go/src/github.com/gravitational/teleport/lib/service/connect.go:872 github.com/gravitational/teleport/lib/service.(*TeleportProcess).findReverseTunnel
/go/src/github.com/gravitational/teleport/lib/service/connect.go:835 github.com/gravitational/teleport/lib/service.(*TeleportProcess).newClient
/go/src/github.com/gravitational/teleport/lib/service/connect.go:133 github.com/gravitational/teleport/lib/service.(*TeleportProcess).connect
/go/src/github.com/gravitational/teleport/lib/service/connect.go:82 github.com/gravitational/teleport/lib/service.(*TeleportProcess).connectToAuthService
/go/src/github.com/gravitational/teleport/lib/service/connect.go:50 github.com/gravitational/teleport/lib/service.(*TeleportProcess).reconnectToAuthService
/go/src/github.com/gravitational/teleport/lib/service/service.go:1946 github.com/gravitational/teleport/lib/service.(*TeleportProcess).registerWithAuthServer.func1
/go/src/github.com/gravitational/teleport/lib/service/supervisor.go:494 github.com/gravitational/teleport/lib/service.(*LocalService).Serve
/go/src/github.com/gravitational/teleport/lib/service/supervisor.go:263 github.com/gravitational/teleport/lib/service.(*LocalSupervisor).serve.func1
/opt/go/src/runtime/asm_arm.s:841 runtime.goexit
User Message: Get "https://teleport-proxy.example.com:3025/webapi/find": dial tcp: lookup teleport-proxy.example.com on 75.75.75.75:53: no such host] service/connect.go:838
2021-10-22T09:44:26-04:00 [PROC:1] ERRO Node failed to establish connection to cluster: Failed to connect to Auth Server directly or over tunnel, no methods remaining.. service/connect.go:67

From the logs it actually looks like it tries to set up a reverse tunnel. The teleport-proxy prefix must be important for triggering this logic, but it still runs into trouble connecting to the auth server on teleport-proxy.hostname.com:3025.

From the rpi I can use telnet to verify I can connect to hostname.com and teleport-proxy.hostname.com ports 443, 3023, 3024, 3025, but not 3080 - I don't think anything is listening on that port on the VM. So it's possible my VM configuration is bad. Although the reference config docs indicate that when you're using letsencrypt, the proxy_service.web_listen_addr should be set to 0.0.0.0:443 instead of 0.0.0.0:3080, if I'm reading it right. I'm also not entirely sure I'm using the teleport.advertise_ip setting correctly on my rpi.

Any help or troubleshooting tips would be greatly appreciated!

Answered by webvictim

Oct 29, 2021

The key part here (as @AHARIC touched on) is that if you don't specify a port for your auth_servers configuration, Teleport assumes 3025 and will not use node tunnelling. It's only when joining to a proxy (via 3080/443) than node tunnelling is enabled.

View full answer

ahelwer · 2021-10-22T15:26:59Z

ahelwer
Oct 22, 2021
Author

I think the fundamental issue is that the cluster name has to be a subdomain of your domain, like teleport-proxy.example.com instead of just example.com. This will trigger appropriate behavior on the part of the nodes you add to the cluster. However, after switching my auth_service.cluster_name and proxy_service.public_addr to use the subdomain, I started getting errors upon login through the web UI about "example.com is not a subdomain of the FQDN" or something to that effect - I think this is because I switched to a subdomain without updating the letsencrypt certs, so I blew away the cluster and tried again. Now I am running into this error:

trace.BadParameterError acme can't get a cert for domain example.com, add it to the proxy_service.public_addr, or use one of the domains: teleport-proxy.example.com

which is similar to this issue: #7938

and I suspect I am just getting throttled by letsencrypt. So I will try again next week.

5 replies

deusxanima Oct 22, 2021
Collaborator

@ahelwer , when you connect just via hostname.com it will assume that the port is 3025 and connect via direct-dial to the auth server. The correct way to add it from behind NAT is to use IoT mode and connect via hostname.com:3080 as you attempted the first time. Note, however, that in addition to 3080 being reachable from the raspberrypi, you will also need to make sure that port 3024 is reachable on the proxy as well b/c this is the port that is used to establish the reverse tunnel connection with the IoT node.

Can you confirm that both 3080 and 3024 are reachable from the raspberrypi node with telnet hostname.com 3080/3024?

ahelwer Nov 5, 2021
Author

@AHARIC thank you for your reply. I have validated that I can connect to 3080 and 3024 via telnet from the rpi. I also upgraded to teleport 7.3.3. I am now running my auth/proxy server with the following configuration, so I access the cluster management webpage on https://teleport-proxy.hostname.com:3080:

Auth/proxy server config

teleport:
  nodename: avalanche
  data_dir: /var/lib/teleport
  log:
    #output: /var/lib/teleport/teleport.log
    output: stdout
    severity: DEBUG
    format:
      output: text
  ca_pin: []
  advertise_ip: 10.0.0.4
auth_service:
  enabled: "yes"
  cluster_name: teleport.hostname.com
  proxy_protocol: on
  authentication:
    type: local
    second_factor: off
  listen_addr: 0.0.0.0:3025
ssh_service:
  enabled: "yes"
  listen_addr: 0.0.0.0:3022
  labels:
    env: admin
  commands:
  - name: hostname
    command: [hostname]
    period: 1m0s
  - name: arch
    command: ['/bin/uname', '-p']
    period: 1h0m0s
  port_forwarding: true
proxy_service:
  enabled: "yes"
  proxy_protocol: on
  listen_addr: 0.0.0.0:3023
  tunnel_listen_addr: 0.0.0.0:3024
  web_listen_addr: 0.0.0.0:3080
  public_addr: teleport-proxy.hostname.com:3080
  https_keypairs: []
  acme:
    enabled: "yes"
    email: [email protected]
app_service:
  enabled: "no"
kubernetes_service:
  enabled: "no"
db_service:
  enabled: "no"

I put the following config on the rpi, so it tries to connect to auth server https://teleport-proxy.hostname.com:3080:

rpi config

teleport:
  nodename: raspberrypi
  data_dir: /var/lib/teleport
  auth_token: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  ca_pin: "sha256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  advertise_ip: raspberrypi.local
  auth_servers:
    - teleport-proxy.hostname.com:3080
  log:
    #output: /var/lib/teleport/teleport.log
    output: stdout
    severity: DEBUG
    format:
      output: text
ssh_service:
  enabled: yes
  listen_addr: 0.0.0.0:3022
  labels:
    env: NAT
  commands:
  - name: hostname
    command: [hostname]
    period: 1m0s
  - name: arch
    command: ['/bin/uname', '-p']
    period: 1h0m0s
  port_forwarding: true
auth_service:
  enabled: no
proxy_service:
  enabled: no
app_service:
  enabled: no
kubernetes_service:
  enabled: no
db_service:
  enabled: no

however, trying to add the rpi to the cluster produces the following error:

rpi error output

2021-11-05T17:43:40-04:00 DEBU [PROC:1] Connected state: never updated. service/connect.go:103
2021-11-05T17:43:40-04:00 INFO [PROC:1] Connecting to the cluster hostname.com with TLS client certificate. service/connect.go:132
2021-11-05T17:43:40-04:00 DEBU [PROC:1] Attempting to connect to Auth Server directly. auth-addrs:[teleport-proxy.hostname.com:3080] service/connect.go:819
2021-11-05T17:43:40-04:00 DEBU [PROC:1] Failed to connect to Auth Server directly. auth-addrs:[teleport-proxy.hostname.com:3080] service/connect.go:825
2021-11-05T17:43:40-04:00 DEBU [PROC:1] Attempting to discover reverse tunnel address. auth-addrs:[teleport-proxy.hostname.com:3080] service/connect.go:834
2021-11-05T17:43:40-04:00 DEBU Attempting GET teleport-proxy.hostname.com:3080/webapi/find webclient/webclient.go:62
2021-11-05T17:43:40-04:00 DEBU [PROC:1] Attempting to connect to Auth Server through tunnel. proxy-addr:teleport-proxy.hostname.com:3024 service/connect.go:843
2021-11-05T17:43:40-04:00 [HTTP:PROX] DEBU No valid environment variables found. proxy/proxy.go:207
2021-11-05T17:43:40-04:00 [HTTP:PROX] DEBU No proxy set in environment, returning direct dialer. proxy/proxy.go:122
2021-11-05T17:43:40-04:00 [HTTP:PROX] DEBU No valid environment variables found. proxy/proxy.go:207
2021-11-05T17:43:40-04:00 [HTTP:PROX] DEBU No proxy set in environment, returning direct dialer. proxy/proxy.go:122
2021-11-05T17:43:40-04:00 DEBU No CA for host teleport-proxy.hostname.com:3024. sshutils/callback.go:83
2021-11-05T17:43:40-04:00 DEBU No CA for host teleport-proxy.hostname.com:3024. sshutils/callback.go:83
2021-11-05T17:43:40-04:00 WARN [PROC:1] Failed to close Auth Server tunnel client. error:[] service/connect.go:894
2021-11-05T17:43:40-04:00 DEBU [PROC:1] Failed to connect to Auth Server directly. auth-addrs:[teleport-proxy.hostname.com:3080] error:[
ERROR REPORT:
Original Error: *trace.ConnectionProblemError Get "https://teleport.cluster.local/v2/domain": remote error: tls: internal error
Stack Trace:
/go/src/github.com/gravitational/teleport/lib/httplib/httplib.go:133 github.com/gravitational/teleport/lib/httplib.ConvertResponse
/go/src/github.com/gravitational/teleport/lib/auth/clt.go:307 github.com/gravitational/teleport/lib/auth.(*Client).Get
/go/src/github.com/gravitational/teleport/lib/auth/clt.go:398 github.com/gravitational/teleport/lib/auth.(*Client).GetDomainName
/go/src/github.com/gravitational/teleport/lib/auth/clt.go:1624 github.com/gravitational/teleport/lib/auth.(*Client).GetLocalClusterName
/go/src/github.com/gravitational/teleport/lib/service/connect.go:918 github.com/gravitational/teleport/lib/service.(*TeleportProcess).newClientDirect
/go/src/github.com/gravitational/teleport/lib/service/connect.go:820 github.com/gravitational/teleport/lib/service.(*TeleportProcess).newClient
/go/src/github.com/gravitational/teleport/lib/service/connect.go:133 github.com/gravitational/teleport/lib/service.(*TeleportProcess).connect
/go/src/github.com/gravitational/teleport/lib/service/connect.go:82 github.com/gravitational/teleport/lib/service.(*TeleportProcess).connectToAuthService
/go/src/github.com/gravitational/teleport/lib/service/connect.go:50 github.com/gravitational/teleport/lib/service.(*TeleportProcess).reconnectToAuthService
/go/src/github.com/gravitational/teleport/lib/service/service.go:1932 github.com/gravitational/teleport/lib/service.(*TeleportProcess).registerWithAuthServer.func1
/go/src/github.com/gravitational/teleport/lib/service/supervisor.go:494 github.com/gravitational/teleport/lib/service.(*LocalService).Serve
/go/src/github.com/gravitational/teleport/lib/service/supervisor.go:263 github.com/gravitational/teleport/lib/service.(*LocalSupervisor).serve.func1
/opt/go/src/runtime/asm_arm.s:841 runtime.goexit
User Message: Get "https://teleport.cluster.local/v2/domain": remote error: tls: internal error] service/connect.go:850
2021-11-05T17:43:40-04:00 DEBU [PROC:1] Failed to connect to Auth Server through tunnel. error:[Get "https://teleport.cluster.local/v2/domain": ssh: handshake failed: ssh: no authorities for hostname: teleport-proxy.hostname.com:3024] proxy-addr:teleport-proxy.hostname.com:3024 service/connect.go:851
2021-11-05T17:43:40-04:00 ERRO [PROC:1] Node failed to establish connection to cluster: Failed to connect to Auth Server directly or over tunnel, no methods remaining.. service/connect.go:67

cc @webvictim

webvictim Nov 8, 2021
Collaborator

@ahelwer It looks like you already have a client certificate cached on the Pi (shown in the logs by: 2021-11-05T17:43:40-04:00 INFO [PROC:1] Connecting to the cluster hostname.com with TLS client certificate. service/connect.go:132)

Try stopping the Teleport process, removing /var/lib/teleport and restarting it again so it joins as a fresh connection.

ahelwer Nov 8, 2021
Author

@webvictim that worked! I can now tunnel into my rpi. Thanks for all the help!

webvictim Nov 9, 2021
Collaborator

No problem! Glad we got there in the end.

webvictim · 2021-10-29T19:39:55Z

webvictim
Oct 29, 2021
Collaborator

The key part here (as @AHARIC touched on) is that if you don't specify a port for your auth_servers configuration, Teleport assumes 3025 and will not use node tunnelling. It's only when joining to a proxy (via 3080/443) than node tunnelling is enabled.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Issue connecting to node behind NAT: no node reverse tunnel found #8684

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 2 comments 5 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

Issue connecting to node behind NAT: no node reverse tunnel found #8684

ahelwer Oct 21, 2021

Replies: 2 comments · 5 replies

ahelwer Oct 22, 2021 Author

deusxanima Oct 22, 2021 Collaborator

ahelwer Nov 5, 2021 Author

webvictim Nov 8, 2021 Collaborator

ahelwer Nov 8, 2021 Author

webvictim Nov 9, 2021 Collaborator

webvictim Oct 29, 2021 Collaborator

ahelwer
Oct 21, 2021

Replies: 2 comments 5 replies

ahelwer
Oct 22, 2021
Author

deusxanima Oct 22, 2021
Collaborator

ahelwer Nov 5, 2021
Author

webvictim Nov 8, 2021
Collaborator

ahelwer Nov 8, 2021
Author

webvictim Nov 9, 2021
Collaborator

webvictim
Oct 29, 2021
Collaborator