# Teleport - Secure Port Forwarding Teleport is a secure port forwarding tool that allows you to forward ports between different instances with end-to-end encryption. ## How It Works ``` ┌─────────────────┐ Encrypted Tunnel ┌─────────────────┐ │ Client A │◄────── Port 9000 ──────►│ Teleport │ │ │ │ Server │ │ │ │ │ │ ┌───────────┐ │ │ ┌───────────┐ │ │ │teleport │ │ │ │teleport │ │ │ │client │ │ │ │server │ │ │ └───────────┘ │ │ └───────────┘ │───────────┐ └─────────────────┘ └─────────────────┘ │ │ │ │ │ Ports 8080,2222 │ Ports 80,22 │ │ (local) │ (targets) │ ▼ ▼ ▼ ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐ │ User connects │ │ Remote │ │ Remote │ │ to localhost: │ │ Web Server │ │ SSH Server │ │ 8080, 2222 │ │ (192.168.1.100) │ │ (192.168.1.200) │ └─────────────────┘ └─────────────────┘ └─────────────────┘ Flow: User → Client:8080,2222 → Encrypted Tunnel (Port 9000) → Server:80,22 → Remote Services ``` **Note:** The different ports (8080/2222 vs 80/22) are shown for demonstration purposes only. Client and service ports can be identical - teleport will handle the port mapping transparently. ### Example Configuration **Server Configuration** (`server.yaml`): ```yaml instance_id: teleport-server-01 listen_address: :9000 remote_address: "" ports: - "tcp://192.168.1.100:80" - "tcp://192.168.1.200:22" encryption_key: your-secure-encryption-key-here keep_alive: true read_timeout: 30s write_timeout: 30s ``` **Client Configuration** (`client.yaml`): ```yaml instance_id: teleport-client-01 listen_address: "" remote_address: server.example.com:9000 ports: - "tcp://80:8080" - "tcp://22:2222" encryption_key: your-secure-encryption-key-here keep_alive: true read_timeout: 30s write_timeout: 30s ``` **Usage**: - User connects to `localhost:8080` → Traffic flows through encrypted tunnel on port 9000 → Server forwards to remote web server at `192.168.1.100:80` - User connects to `localhost:2222` → Traffic flows through same encrypted tunnel on port 9000 → Server forwards to remote SSH server at `192.168.1.200:22` Both services share the same encrypted tunnel connection! ## Features - **Secure Encryption**: All traffic is encrypted using AES-GCM encryption with PBKDF2 key derivation - **Port Forwarding**: Forward multiple ports with different protocols (TCP and UDP) - **Configuration-based**: Easy configuration via YAML files - **Bidirectional**: Full bidirectional port forwarding - **Keep-alive**: Connection keep-alive support - **Protocol Support**: Both TCP and UDP protocols supported - **Multi-Client Support**: Multiple clients can connect to one server using packet tagging - **UDP Packet Tagging**: UDP packets are tagged with client IDs for proper routing - **Built-in DNS Server**: Custom DNS server with configurable records and backup fallback - **Rate Limiting**: Configurable rate limiting with token bucket algorithm - **Connection Pooling**: Efficient connection management with pooling - **Replay Protection**: UDP packet replay attack protection with timestamp validation - **Advanced Logging**: Sanitized logging with configurable levels, formats, and file output - **Security Features**: Entropy validation, packet timestamp validation, and secure key generation ## Installation ```bash # Build the application go build -o teleport cmd/teleport/main.go # Or use the pre-built binaries from releases # Windows: teleport.exe (no console) or teleport-console.exe (with console) # Linux: teleport ``` ## Configuration Teleport uses YAML configuration files. You need separate configurations for server and client instances. ### Generate Example Configuration Generate example configuration files: ```bash # Generate server configuration (filename contains "server") ./teleport --generate-config --config server.yaml # Generate client configuration ./teleport --generate-config --config client.yaml # Generate default configuration (client) ./teleport --generate-config ``` ### Server Configuration (`server.yaml`) ```yaml instance_id: teleport-server-01 listen_address: :8080 remote_address: "" ports: - "tcp://localhost:80" encryption_key: your-secure-encryption-key-change-this-to-something-random keep_alive: true read_timeout: 30s write_timeout: 30s max_connections: 1000 rate_limit: enabled: true requests_per_second: 100 burst_size: 200 window_size: 1s dns_server: enabled: false listen_port: 5353 backup_server: 8.8.8.8:53 custom_records: [] ``` ### Client Configuration (`client.yaml`) ```yaml instance_id: teleport-client-01 listen_address: "" remote_address: localhost:8080 ports: - "tcp://80:8080" encryption_key: your-secure-encryption-key-change-this-to-something-random keep_alive: true read_timeout: 30s write_timeout: 30s max_connections: 100 rate_limit: enabled: true requests_per_second: 50 burst_size: 100 window_size: 1s dns_server: enabled: false listen_port: 5353 backup_server: 8.8.8.8:53 custom_records: - name: app.local type: A value: 127.0.0.1 ttl: 300 ``` ## Configuration Fields - `instance_id`: Unique identifier for this teleport instance - `listen_address`: Address to listen on (server mode) - format: `host:port` - `remote_address`: Address of remote teleport server (client mode) - format: `host:port` - `ports`: Array of port forwarding rules in URL-style format - **Server format**: `protocol://target:targetport` - forwards to remote target - **Client format**: `protocol://targetport:localport` - forwards to teleport server's targetport, listens on localport - Examples: - `"tcp://localhost:80"` (server) - listen on port 80, forward to localhost:80 - `"tcp://server-a:22"` (server) - listen on port 22, forward to server-a:22 - `"tcp://80:8080"` (client) - listen on port 8080, forward to teleport server's port 80 - `"udp://53:5353"` (client) - listen on port 5353, forward to teleport server's port 53 - `encryption_key`: Shared secret key for encryption (must be the same on both sides) - `keep_alive`: Enable TCP keep-alive - `read_timeout`: Read timeout duration - `write_timeout`: Write timeout duration - `max_connections`: Maximum concurrent connections (default: 1000 for server, 100 for client) - `rate_limit`: Rate limiting configuration - `enabled`: Enable rate limiting - `requests_per_second`: Maximum requests per second - `burst_size`: Maximum burst size - `window_size`: Time window for rate limiting - `dns_server`: DNS server configuration - `enabled`: Enable built-in DNS server - `listen_port`: Port for DNS server to listen on - `backup_server`: Backup DNS server for fallback (e.g., "8.8.8.8:53") - `custom_records`: Array of custom DNS records - `name`: Domain name (e.g., "example.com") - `type`: Record type ("A", "AAAA", "CNAME", "MX", "TXT", "SRV", "NS") - `value`: Record value (IP address, domain name, or text) - `ttl`: Time to live in seconds - `priority`: Priority for MX and SRV records (optional) - `weight`: Weight for SRV records (optional) - `port`: Port for SRV records (optional) ## Quick Start 1. **Generate a secure encryption key:** ```bash ./teleport --generate-key ``` 2. **Generate configuration files:** ```bash ./teleport --generate-config --config server.yaml ./teleport --generate-config --config client.yaml ``` 3. **Edit the configs** and replace the encryption key with the one you generated 4. **Start the server:** ```bash ./teleport --config server.yaml ``` 5. **Start the client:** ```bash ./teleport --config client.yaml ``` ## Usage ### Start Server ```bash ./teleport --config server.yaml ``` ### Start Client ```bash ./teleport --config client.yaml ``` ### Show Version ```bash ./teleport --version # or ./teleport -v ``` ### Generate Random Encryption Key ```bash ./teleport --generate-key # or ./teleport -k ``` This generates a cryptographically secure 256-bit encryption key that you can use in your configuration files. ### Logging Options ```bash # Set log level (debug, info, warn, error) ./teleport --config config.yaml --log-level debug # Set log format (text, json) ./teleport --config config.yaml --log-format json # Set log file ./teleport --config config.yaml --log-file /var/log/teleport.log ``` ### Port Format Teleport uses URL-style port mapping format for cleaner configuration: ```yaml ports: - "tcp://80:8080" # Listen on port 8080, forward to teleport server's port 80 - "udp://53:5353" # Listen on port 5353, forward to teleport server's port 53 - "tcp://22:2222" # Listen on port 2222, forward to teleport server's port 22 ``` **Format**: - **Server**: `"protocol://target:targetport"` - listen on targetport, forward to target:targetport - **Client**: `"protocol://targetport:localport"` - listen on localport, forward to teleport server's targetport **Examples:** ```yaml # Server configurations ports: - "tcp://localhost:80" # Listen on port 80, forward to localhost:80 - "tcp://server-a:22" # Listen on port 22, forward to server-a:22 - "udp://dns-server:53" # Listen on port 53, forward to dns-server:53 # Client configurations ports: - "tcp://80:8080" # Listen on port 8080, forward to teleport server's port 80 - "tcp://22:2222" # Listen on port 2222, forward to teleport server's port 22 - "udp://53:5353" # Listen on port 5353, forward to teleport server's port 53 ``` **Example: Remote SSH Access** To access SSH on Server A through teleport server on Server B: **Server B configuration:** ```yaml instance_id: teleport-server-b listen_address: :8080 remote_address: "" ports: - "tcp://server-a:22" # Listen on port 22, forward to server-a:22 encryption_key: your-shared-key ``` **Client C configuration:** ```yaml instance_id: teleport-client-c listen_address: "" remote_address: server-b:8080 ports: - "tcp://22:2222" # Listen on local port 2222, forward to teleport server's port 22 encryption_key: your-shared-key ``` Then connect from Client C: `ssh user@localhost -p 2222` ### Configuration-Based Mode Detection The mode (server or client) is automatically determined from the configuration: - **Server Mode**: When `listen_address` is set and `remote_address` is empty - **Client Mode**: When `remote_address` is set and `listen_address` is empty **Important**: The configuration must be clearly either a server or client - you cannot have both `listen_address` and `remote_address` set, and you must have at least one of them set. ### Configuration Validation The program validates your configuration and will show clear error messages if: - **Both addresses set**: You have both `listen_address` and `remote_address` configured - **Neither address set**: You have neither `listen_address` nor `remote_address` configured **Valid Server Configuration:** ```yaml listen_address: :8080 remote_address: "" ports: - "tcp://localhost:22" ``` **Valid Client Configuration:** ```yaml listen_address: "" remote_address: server:8080 ports: - "tcp://22:2222" ``` ## Security - All traffic is encrypted using AES-GCM encryption with PBKDF2 key derivation - The encryption key is derived from the provided key using PBKDF2 with 100,000 iterations - Each connection uses a unique nonce for encryption - Connection authentication is implicit through successful decryption - UDP packets include replay protection with timestamp validation - Encryption keys are validated for entropy and strength - Logging includes automatic sanitization of sensitive data - Rate limiting prevents abuse and DoS attacks ## Example Use Cases 1. **SSH Tunneling**: Forward SSH connections through a secure tunnel 2. **Database Access**: Securely access remote databases 3. **Web Services**: Forward HTTP/HTTPS traffic 4. **DNS Services**: Forward DNS queries (UDP port 53) 5. **NTP Services**: Forward time synchronization (UDP port 123) 6. **SNMP Monitoring**: Forward SNMP queries (UDP port 161) 7. **Custom Services**: Forward any TCP or UDP-based service 8. **Local DNS Resolution**: Serve custom DNS records for local development 9. **DNS Override**: Override specific domains with custom IP addresses 10. **Service Discovery**: Use SRV records for service discovery and load balancing ## Example Setup 1. **Server Side** (where services are running): - Generate: `./teleport -generate-config -config teleport-server.yaml` - Edit the configuration file with the services you want to expose - Run: `./teleport -config teleport-server.yaml` 2. **Client Side** (where you want to access services): - Generate: `./teleport -generate-config -config teleport-client.yaml` - Edit the configuration file with local ports and remote server address - Run: `./teleport -config teleport-client.yaml` - Connect to `localhost:local_port` to access the remote service ## Multi-Client Support Multiple clients can connect to the same server using packet tagging: 1. **Start Server**: `./teleport -config teleport-server.yaml` 2. **Start Client 1**: `./teleport -config teleport-client.yaml` 3. **Start Client 2**: `./teleport -config teleport-client2.yaml` Both clients can use the same local ports (e.g., 5353 for DNS) because: - Each client has a unique `instance_id` in their config - UDP packets are tagged with the client ID - Server routes responses back to the correct client - No port conflicts between multiple clients ## DNS Server Features The built-in DNS server provides: ### Custom DNS Records - **A Records**: Map domain names to IPv4 addresses - **AAAA Records**: Map domain names to IPv6 addresses - **CNAME Records**: Create domain aliases - **MX Records**: Mail server configuration - **TXT Records**: Text-based records - **SRV Records**: Service discovery records - **NS Records**: Name server records ### Example DNS Configuration ```yaml dns_server: enabled: true listen_port: 5353 backup_server: 8.8.8.8:53 custom_records: - name: api.local type: A value: 192.168.1.100 ttl: 300 - name: www.local type: CNAME value: api.local ttl: 300 - name: _http._tcp.api.local type: SRV value: api.local ttl: 300 priority: 10 weight: 5 port: 8080 - name: _mysql._tcp.db.local type: SRV value: db.local ttl: 300 priority: 10 weight: 1 port: 3306 ``` ### DNS Usage ```bash # Test custom DNS records nslookup api.local localhost -port=5353 nslookup www.local localhost -port=5353 # Test SRV records for service discovery nslookup -type=SRV _http._tcp.api.local localhost -port=5353 nslookup -type=SRV _mysql._tcp.db.local localhost -port=5353 # Fallback to backup server for unknown domains nslookup google.com localhost -port=5353 ``` ## Binary Names The application provides different binaries for different use cases: - **`teleport`**: Main binary (Windows: no console window, Linux: standard) - **`teleport-console`**: Console version (Windows: shows console window) ## Advanced Features ### Rate Limiting Teleport includes configurable rate limiting to prevent abuse: ```yaml rate_limit: enabled: true requests_per_second: 100 # Maximum requests per second burst_size: 200 # Maximum burst size window_size: 1s # Time window for rate limiting ``` ### Advanced Logging Teleport includes sophisticated logging with: - Configurable log levels (debug, info, warn, error) - Multiple output formats (text, JSON) - File and console output support - Automatic sanitization of sensitive data (keys, passwords, tokens) - Secure file permissions (owner read/write only) ### Connection Management - **Connection Pooling**: Efficient connection reuse for better performance - **Connection Limits**: Configurable maximum concurrent connections - **Health Checks**: Automatic detection and cleanup of dead connections - **Graceful Shutdown**: Proper cleanup of resources on exit ## Notes - The encryption key must be identical on both server and client - Use `./teleport --generate-key` to create a secure random encryption key - The server listens on the specified `listen_address` for incoming connections - The client connects to the remote server and forwards local connections - All port forwarding is bidirectional - Port format uses URL-style conventions: `"protocol://target:port"` - Configuration files use YAML format for better readability - The application automatically detects server vs client mode based on configuration - UDP packets include replay protection and timestamp validation - All sensitive data in logs is automatically sanitized - Rate limiting helps prevent abuse and DoS attacks - Connection pooling improves performance for high-traffic scenarios