Convert Figma logo to code with AI

gravitational logoteleport

The easiest, and most secure way to access and protect all of your infrastructure.

19,375
1,948
19,375
2,999
View on GitHub

Top Related Projects

hashicorp's avatar

boundary

3,963

Boundary enables identity-based access management for dynamic infrastructure.

pritunl's avatar

pritunl

4,904

Enterprise VPN server

apache's avatar

guacamole-server

3,662

Mirror of Apache Guacamole Server

cloudflare's avatar

cloudflared

11,952

Cloudflare Tunnel client (formerly Argo Tunnel)

Quick Overview

Teleport is an open-source, identity-aware access proxy for SSH, Kubernetes, web applications, and databases. It provides secure access to infrastructure across multi-cloud environments, replacing traditional VPNs and SSH key management. Teleport enables teams to implement security best practices like Zero Trust and BeyondCorp models.

Pros

  • Unified access for multiple protocols (SSH, Kubernetes, databases, web apps)
  • Strong security features including certificate-based authentication and audit logging
  • Seamless integration with existing infrastructure and identity providers
  • Easy to scale and manage across multi-cloud environments

Cons

  • Steeper learning curve compared to traditional SSH/VPN solutions
  • Requires changes to existing workflows and infrastructure setup
  • May be overkill for small teams or simple environments
  • Some advanced features are only available in the enterprise edition

Getting Started

To get started with Teleport, follow these steps:

  1. Install Teleport:
curl -O https://get.gravitational.com/teleport-v9.0.0-linux-amd64-bin.tar.gz
tar -xzf teleport-v9.0.0-linux-amd64-bin.tar.gz
cd teleport
sudo ./install
  1. Generate a minimal configuration file:
sudo teleport configure --acme --acme-email=your-email@example.com > teleport.yaml
  1. Start the Teleport service:
sudo teleport start --config teleport.yaml
  1. Create a user and generate credentials:
sudo tctl users add myuser --roles=editor,access
  1. Connect to Teleport using tsh:
tsh login --proxy=teleport.example.com --user=myuser

For more detailed instructions and advanced configurations, refer to the official Teleport documentation.

Competitor Comparisons

hashicorp logo

boundary

3,963

Boundary enables identity-based access management for dynamic infrastructure.

Pros of Boundary

  • More flexible identity-based access control with fine-grained permissions
  • Better integration with HashiCorp ecosystem (Vault, Terraform, etc.)
  • Simpler setup and configuration for small to medium-sized deployments

Cons of Boundary

  • Less mature and feature-rich compared to Teleport
  • Limited support for advanced authentication methods (e.g., hardware tokens)
  • Smaller community and ecosystem of third-party integrations

Code Comparison

Teleport configuration example:

teleport:
  nodename: example-node
  data_dir: /var/lib/teleport
  auth_token: secret-token
  auth_servers:
    - 10.1.0.5:3025

Boundary configuration example:

controller {
  name = "example-controller"
  database {
    url = "postgresql://boundary:boundary@localhost/boundary"
  }
  public_cluster_addr = "boundary.example.com"
}

Both projects aim to provide secure access to infrastructure, but they differ in their approach and feature sets. Teleport offers a more comprehensive solution with advanced features and broader protocol support, while Boundary focuses on simplicity and tight integration with the HashiCorp ecosystem. The choice between them depends on specific use cases and existing infrastructure.

pritunl logo

pritunl

4,904

Enterprise VPN server

Pros of Pritunl

  • Simpler setup and configuration process
  • More lightweight and resource-efficient
  • Better suited for small to medium-sized organizations

Cons of Pritunl

  • Limited advanced features compared to Teleport
  • Less comprehensive audit logging and compliance capabilities
  • Fewer integrations with third-party tools and services

Code Comparison

Pritunl (Python):

def start_server(server, delay=0):
    from pritunl import utils
    from pritunl import logger

    if delay:
        logger.info('Delaying server start', 'server',
            server_id=server.id,
            delay=delay,
        )
        time.sleep(delay)

Teleport (Go):

func (s *Server) Start() error {
    s.Lock()
    defer s.Unlock()

    if s.started {
        return trace.AlreadyExists("server is already started")
    }
    s.started = true
    return nil
}

Both projects use different programming languages, with Pritunl primarily using Python and Teleport using Go. Pritunl's code snippet shows a server start function with a delay option, while Teleport's code demonstrates a more straightforward server start method with error handling. Teleport's implementation appears more robust and thread-safe due to its use of locks and error checking.

apache logo

guacamole-server

3,662

Mirror of Apache Guacamole Server

Pros of Guacamole Server

  • Provides a clientless remote desktop gateway, accessible through a web browser
  • Supports multiple protocols (RDP, VNC, SSH) in a single solution
  • Highly extensible with a plugin architecture for adding new protocols

Cons of Guacamole Server

  • Requires more setup and configuration compared to Teleport
  • Less focus on security auditing and compliance features
  • Limited built-in support for modern authentication methods (e.g., SSO, MFA)

Code Comparison

Teleport (Go):

func (s *Server) Start() error {
    s.Lock()
    defer s.Unlock()
    if s.started {
        return trace.AlreadyExists("server is already started")
    }
    s.started = true
    return nil
}

Guacamole Server (C):

int guac_client_start(guac_client* client) {
    if (client->state != GUAC_CLIENT_WAITING)
        return 1;
    client->state = GUAC_CLIENT_RUNNING;
    return 0;
}

Both examples show server/client start functions, but Teleport uses Go with more robust error handling and locking, while Guacamole Server uses C with simpler state management.

cloudflare logo

cloudflared

11,952

Cloudflare Tunnel client (formerly Argo Tunnel)

Pros of cloudflared

  • Simpler setup and configuration for basic use cases
  • Tighter integration with Cloudflare's ecosystem and services
  • Lightweight and focused on tunneling functionality

Cons of cloudflared

  • Limited access control and authentication features compared to Teleport
  • Less comprehensive auditing and logging capabilities
  • Narrower scope of supported protocols and services

Code Comparison

Teleport configuration example:

teleport:
  nodename: example-node
  data_dir: /var/lib/teleport
  auth_token: secret-token
  auth_servers:
    - auth.example.com:3025

cloudflared configuration example:

tunnel: example-tunnel
credentials-file: /path/to/credentials.json
ingress:
  - hostname: example.com
    service: http://localhost:8000
  - service: http_status:404

Both projects aim to provide secure access to resources, but Teleport offers a more comprehensive suite of features for access management, auditing, and multi-protocol support. cloudflared, on the other hand, focuses on providing simple and efficient tunneling capabilities, particularly within the Cloudflare ecosystem.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

Teleport provides connectivity, authentication, access controls and audit for infrastructure.

You might use Teleport to:

  • Set up single sign-on (SSO) for all of your cloud and on-prem infrastructure.
  • Protect access to servers, Kubernetes clusters, databases, Windows desktops, web applications, and cloud APIs without long-lived keys or passwords.
  • Establish secure tunnels to reach resources behind NATs and firewalls without VPNs or bastion hosts.
  • Record and audit activity across SSH, Kubernetes, database, RDP, and web sessions.
  • Apply consistent Role-Based and Attribute-Based Access Control (RBAC/ABAC) across users, machines, workloads, and resource types.
  • Enforce least privilege and Just-in-Time (JIT) access requests for elevated roles or sensitive systems.
  • Maintain a single identity and access layer for both human users and workloads.

Teleport works with SSH, Kubernetes, databases, RDP, cloud consoles, internal web services, Git repositories, and Model Context Protocol (MCP) servers.


More Information

Teleport Getting Started
Teleport Architecture
Reference Guides
FAQ

Table of Contents

  1. Introduction
  2. Why We Built Teleport
  3. Supporting & Contributing
  4. Installing & Running
  5. Docker
  6. Building Teleport
  7. License
  8. FAQ

Introduction

Teleport includes an identity-aware access proxy, a CA that issues short-lived certificates, a unified access control system, and a tunneling system to access resources behind the firewall.

Teleport is a single Go binary that integrates with multiple protocols and cloud services, including

You can set up Teleport as a Linux daemon or a Kubernetes deployment.

Teleport focuses on best practices for infrastructure security, including:

  • No shared secrets such as SSH keys or Kubernetes tokens; Teleport uses certificate-based auth with automatic expiration for all protocols.
  • Multi-factor authentication (MFA) for everything.
  • Single sign-on (SSO) for everything via GitHub Auth, OpenID Connect, or SAML with endpoints like Okta or Microsoft Entra ID.
  • Session sharing for collaborative troubleshooting for issues.
  • Infrastructure introspection to view the status of every SSH node, database instance, Kubernetes cluster, or internal web app through the Teleport CLI or Web UI.

Teleport uses Go crypto. It is fully compatible with OpenSSH, sshd servers, and ssh clients, Kubernetes clusters and more.

Project LinksDescription
Teleport WebsiteThe official website of the project.
DocumentationAdmin guide, user manual and more.
FeaturesExplore the complete list of Teleport capabilities.
BlogOur blog where we publish Teleport news and helpful articles.
ForumAsk us a setup question or post tutorials, feedback, or ideas.
Developer ToolsDozens of free browser-based tools for code processing, cryptography, data transformation, and more.
Teleport AcademyHow-to guides, best practices, and deep dives into topics like SSH, Kubernetes, MCP, and more.
SlackNeed help with your setup? Ping us in our Slack channel.
Cloud & Self-HostedTeleport Enterprise is a cloud-hosted option for teams that require easy and secure access to their computing environments.

Why We Built Teleport

While working together at Rackspace, the creators of Teleport noticed that most cloud users struggle with setting up and configuring infrastructure security. Many popular tools designed for this are complex to understand and expensive to maintain across modern, distributed computing infrastructure.

We decided to build a solution that's easy to use, understand, and scale. A real-time representation of all your servers in the same room as you, as if they were magically teleported. And thus, Teleport was born!

Today, Teleport is trusted by everyone from hobbyists to hyperscalers to simplify security across cloud CLIs and consoles, Kubernetes clusters, SSH servers, databases, internal web apps, and Model Context Protocol (MCP) used by AI agents.

Learn more about Teleport and our history

Supporting & Contributing

We aim to make Teleport easy to adopt and contribute to, starting with clear and comprehensive documentation.

If you have questions, are exploring ideas, or want to sanity-check something, please start with a GitHub Discussion. Discussions help us answer questions, explore use cases, and decide together whether something should become a bug report or feature request.

  • Start a conversation in Teleport Discussions
    This is the best place to ask questions, share ideas, and get help. Our engineers actively participate there, and discussions can be promoted to issues when there is a clear, actionable next step.

  • Issues are for confirmed bugs and well-defined feature requests
    If something has already been validated as a bug or an enhancement, feel free to open an issue. When in doubt, start a discussion and we will help guide it.

  • Enterprise and POC support
    If you are evaluating Teleport Enterprise or need more responsive support during a POC, we can set up a dedicated Slack channel. You can reach out to us through our website to get started.

Installing and Running

To set up a single-instance Teleport cluster, follow our getting started guide. You can then register your servers, Kubernetes clusters, and other infrastructure with your Teleport cluster.

You can also get started with Teleport Enterprise Cloud, a managed Teleport deployment that makes it easier to enable secure access to your infrastructure.

Sign up for a free trial of Teleport Enterprise Cloud, and follow this guide to register your first server.

Docker

Deploy Teleport

If you wish to deploy Teleport inside a Docker container see the installation guide.

For Local Testing and Development

To run a full test suite locally, see the test dependencies list

Building Teleport

The teleport repository contains the Teleport daemon binary (written in Go) and a web UI written in TypeScript.

If your intention is to build and deploy for use in a production infrastructure a released tag should be used. The default branch, master, is the current development branch for an upcoming major version. Get the latest release tags listed at https://goteleport.com/download/ and then use that tag in the git clone. For example git clone https://github.com/gravitational/teleport.git -b v18.5.0 gets release v18.5.0.

Dockerized Build

It is often easiest to build with Docker, which ensures that all required tooling is available for the build. To execute a dockerized build, ensure that docker is installed and running, and execute:

make -C build.assets build-binaries

This command will build Linux binaries matching the host architecture. It is not possible to cross-compile to a different target architecture.

Local Build

Dependencies

The following dependencies are required to build Teleport from source. For maximum compatibility, install the versions of these dependencies using the versions listed in build.assets/versions.mk:

  1. Go
  2. Rust
  3. Node.js
  4. libfido2
  5. pkg-config

For an example of dev environment setup on macOS, see these instructions.

Perform a build

Important

  • The Go compiler is somewhat sensitive to the amount of memory: you will need at least 1GB of virtual memory to compile Teleport. A 512MB instance without swap will not work.
  • This will build the latest version of Teleport.

Get the source

git clone https://github.com/gravitational/teleport.git
cd teleport

To perform a build

make full

tsh dynamically links against libfido2 by default, to support development environments, as long as the library itself can be found:

$ brew install libfido2 pkg-config  # Replace with your package manager of choice

$ make build/tsh
> libfido2 found, setting FIDO2=dynamic
> (...)

Release binaries are linked statically against libfido2. You may switch the linking mode using the FIDO2 variable:

make build/tsh FIDO2=dynamic # dynamic linking
make build/tsh FIDO2=static  # static linking, for an easy setup use `make enter`
                             # or `build.assets/macos/build-fido2-macos.sh`.
make build/tsh FIDO2=off     # doesn't link libfido2 in any way

tsh builds with Touch ID support require access to an Apple Developer account. If you are a Teleport maintainer, ask the team for access.

Build output and run locally

If the build succeeds, the installer will place the binaries in the build directory.

Before starting, create default data directories:

sudo mkdir -p -m0700 /var/lib/teleport
sudo chown $USER /var/lib/teleport

Running Teleport in a hot reload mode

To speed up your development process, you can run Teleport using CompileDaemon. This will build and run the Teleport binary, and then rebuild and restart it whenever any Go source files change.

  1. Install CompileDaemon:

    go install github.com/githubnemo/CompileDaemon@latest

    Note that we use go install instead of the suggested go get, because we don't want CompileDaemon to become a dependency of the project.

  2. Build and run the Teleport binary:

    make teleport-hot-reload

    By default, this runs a teleport start command. If you want to customize the command, for example by providing a custom config file location, you can use the TELEPORT_ARGS parameter:

    make teleport-hot-reload TELEPORT_ARGS='start --config=/path/to/config.yaml'

Note that you still need to run make grpc if you modify any Protocol Buffers files to regenerate the generated Go sources; regenerating these sources should in turn cause the CompileDaemon to rebuild and restart Teleport.

Web UI

The Teleport Web UI resides in the web directory.

Rebuilding Web UI for development

To rebuild the Teleport UI package, run the following command:

make docker-ui

Then you can replace Teleport Web UI files with the files from the newly-generated /dist folder.

To enable speedy iterations on the Web UI, you can run a local web-dev server.

You can also tell Teleport to load the Web UI assets from the source directory. To enable this behavior, set the environment variable DEBUG=1 and rebuild with the default target:

# Run Teleport as a single-node cluster in development mode:
DEBUG=1 ./build/teleport start -d

Keep the server running in this mode, and make your UI changes in /dist directory. For instructions about how to update the Web UI, read the web README.

Managing dependencies

All dependencies are managed using Go modules. Here are the instructions for some common tasks:

Add a new dependency

Latest version:

go get github.com/new/dependency

and update the source to use this dependency.

To get a specific version, use go get github.com/new/dependency@version instead.

Set dependency to a specific version

go get github.com/new/dependency@version

Update dependency to the latest version

go get -u github.com/new/dependency

Update all dependencies

go get -u all

Debugging dependencies

Why is a specific package imported?

go mod why $pkgname

Why is a specific module imported?

go mod why -m $modname

Why is a specific version of a module imported?

go mod graph | grep $modname

License

Teleport is distributed in multiple forms with different licensing implications.

The Teleport API module (all code in this repository under /api) is available under the Apache 2.0 license.

The remainder of the source code in this repository is available under the GNU Affero General Public License. Users compiling Teleport from source must comply with the terms of this license.

Teleport Community Edition builds distributed on http://goteleport.com/download are available under a modified Apache 2.0 license.

FAQ

Is Teleport production-ready?

Yes, Teleport is production-ready and used to protect and facilitate access to the most precious and mission-critical applications at many of today's leading companies. You can learn more about the companies using Teleport in production on our website.

Is Teleport secure?

Yes, Teleport has completed several security audits from nationally and internationally recognized technology security companies. We publicize audit results, our security philosophy, and related information on our trust page.

What resources does Teleport support?

Teleport secures access to a broad set of infrastructure resources, including Linux servers, Windows desktops, Kubernetes clusters, databases, internal web applications, cloud provider APIs and consoles (such as AWS, Azure, and GCP), and Model Context Protocol (MCP) servers used by AI agents.

How is Teleport deployed?

Teleport can be deployed to fit most environments, either as a self-hosted cluster on Linux or Kubernetes or using Teleport Enterprise Cloud. In all cases, Teleport agents run close to your resources and connect through an Auth Service and Proxy Service that enforces identity, access control, and audit.

Is Teleport an identity provider (IdP)?

Teleport uses existing IdPs (Okta, Google Workspace, Microsoft Entra ID, or GitHub) to issue short-lived certificates and apply access policies. Teleport can also be configured to act as a SAML IdP to authenticate users into applications when needed.

Does Teleport require credential handling or secrets management?

Teleport eliminates long-lived passwords, SSH keys, database credentials, credential rotations, and vault processes by issuing short-lived, auto-expiring mTLS and SSH certificates bound to human or non-human identity.

Is Teleport a Privileged Access Management (PAM) solution?

Teleport provides modern PAM software capabilities like strong authentication, session recording, policy-based access, and JIT elevation without secrets, credential rotation, or vault dependencies. This enables controlled, audited access to servers, Kubernetes, databases, cloud consoles, and other privileged environments using short-lived certificates and role-based policies.

Is Teleport a Just-in-Time (JIT) access solution?

Teleport enables JIT access through time-bound Access Requests. Users request the roles or resources they temporarily need, policies decide whether approval is required, and privileges automatically expire. This approach maintains least privilege while keeping access workflows efficient and predictable.

Does Teleport secure access to Kubernetes?

Teleport can proxy and secure Kubernetes access with identity-based authentication, role-based access controls, and detailed auditing of kubectl activity.

Does Teleport support SPIFFE?

Teleport supports SPIFFE-compatible identities for workloads, allowing it to participate in SPIFFE ecosystems and federation. Teleport issues short-lived SVIDs and can integrate with external PKI hierarchies.

Is Teleport an alternative for VPNs or bastion hosts?

Yes. Teleport is frequently used as an alternative to traditional VPNs and bastion hosts, enabling direct, identity-based access to resources instead of broad network access.

Does Teleport secure the Model Context Protocol (MCP) and AI agents?

Teleport secures MCP connections by placing identity-aware policy enforcement between MCP clients and servers. This ensures all tool invocations are authenticated, authorized, and audited without custom authorization code and that sensitive systems are protected from overly broad access.