Wouter0100
commented
9 months ago I've been thinking about this today, it might actually already be possible with Websocket support in Proxy Outpost. I'll try to get a POC up-and-running with a corresponding:
- CLI client for authenticating to Authentik and locally listening on the port;
- A TCP over Websockets server implementation to which the Proxy Outpost and the TCP targets will connect.
- A TCP target client that'll connect towards the server.
A brief diagram would be: CLI client => Proxy Outpost => TCP over Websockets server <= target.
This way you're able to host a target behind a NAT proxy as well, as it will initiate the connection through NAT to the TCP over Websockets servers - and then we'll reverse proxy the TCP connection back over it. Could be used for almost anything to penetrate NAT, especially useful for private networks. At some point we may even be able to combine the TCP over Websockets server into the Proxy Outpost itself.
I found a very basic Golang TCP over Websocket implementation that's very useful for this POC.
By relying on such a custom Golang app, instead of an ordernary VPN, we make it very easily deployable on any type of infrastructure - for example Kubernetes or docker, without NET_ADMIN cap. And it seems easier to me then deploying a full-blown VPN with NAT and so on.
Is your feature request related to a problem? Please describe. I run various services like MySQL, PostgreSQL, Redis, ElasticSearch and so on. Sometimes I'd love to expose those services to people who need access to it, but I rather not expose the service itself over the internet.
Describe the solution you'd like I'd love to be able to setup a TCP connection through an Authentik Outpost to my TCP-based services. The idea is that a local port is forwarded through Authentik to the service listening for TCP.
Describe alternatives you've considered Some alternatives do support this, for example:
Additional context I'm planning do to authentication through Secret Engines from Vault, for example - using the MySQL Secret Engine. Might be really awesome to eventually also integrate this into Authentik, but that's not part of this feature request.