goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

TCP support in the Proxy Outpost #7801

Open Wouter0100 opened 11 months ago

Wouter0100 commented 11 months ago

Is your feature request related to a problem? Please describe.
I run various services like MySQL, PostgreSQL, Redis, ElasticSearch and so on. Sometimes I'd love to expose those services to people who need access to them, but I'd rather not expose the service itself over the internet.

Describe the solution you'd like
I'd love to be able to set up a TCP connection through an Authentik Outpost to my TCP-based services. The idea is that a local port is forwarded through Authentik to the service listening for TCP.

Describe alternatives you've considered
Some alternatives do support this, for example:

Additional context
I'm planning to do authentication through Secret Engines from Vault, for example using the MySQL Secret Engine. Might be really awesome to eventually also integrate this into Authentik, but that's not part of this feature request.

Wouter0100 commented 11 months ago

I've been thinking about this today; it might actually already be possible with Websocket support in the Proxy Outpost. I'll try to get a POC up and running with a corresponding:

A brief diagram would be: CLI client => Proxy Outpost => TCP over Websockets server <= target.

This way you're able to host a target behind a NAT proxy as well, as it will initiate the connection through NAT to the TCP over Websockets servers - and then we'll reverse proxy the TCP connection back over it. Could be used for almost anything to penetrate NAT, especially useful for private networks. At some point we may even be able to combine the TCP over Websockets server into the Proxy Outpost itself.

I found a very basic Golang TCP over Websocket implementation that's very useful for this POC.

By relying on such a custom Golang app, instead of an ordinary VPN, we make it very easily deployable on any type of infrastructure, for example Kubernetes or Docker, without the NET_ADMIN cap. And it seems easier to me than deploying a full-blown VPN with NAT and so on.
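The "TCP over Websockets" carrier sketched in this comment, as an added Python illustration (not the author's POC and not authentik or Proxy Outpost code): each chunk read from the TCP side is wrapped in one RFC 6455 binary frame, masked on the client side and unmasked on the server side, and the receiver reassembles the byte stream even when a frame arrives split across TCP reads. It assumes the HTTP upgrade that precedes these frames has already happened; that upgrade request is the only part an HTTP-level proxy such as the Outpost gets to authenticate, after which the frames pass through opaque.

```python
import os
import struct

BINARY = 0x2  # RFC 6455 opcode for a binary data frame; tunnelled TCP bytes go here

def encode_frame(payload: bytes, mask: bool) -> bytes:
    """Wrap one TCP chunk in a single FIN'd binary frame (client->server frames must be masked)."""
    n, mask_bit = len(payload), 0x80 if mask else 0
    if n < 126:
        head = bytes([0x80 | BINARY, mask_bit | n])
    elif n < 65536:
        head = bytes([0x80 | BINARY, mask_bit | 126]) + struct.pack(">H", n)
    else:
        head = bytes([0x80 | BINARY, mask_bit | 127]) + struct.pack(">Q", n)
    if not mask:
        return head + payload
    key = os.urandom(4)  # fresh masking key per frame, as the RFC requires
    return head + key + bytes(b ^ key[i % 4] for i, b in enumerate(payload))

def decode_frame(buf: bytes):
    """Return (payload, consumed) for the first complete frame, or None if more bytes are needed."""
    if len(buf) < 2:
        return None
    if buf[0] & 0x0F != BINARY:
        raise ValueError("only binary frames carry tunnelled TCP data")
    masked, n, pos = bool(buf[1] & 0x80), buf[1] & 0x7F, 2
    if n >= 126:  # extended payload length: 16-bit (126) or 64-bit (127)
        width = 2 if n == 126 else 8
        if len(buf) < 2 + width:
            return None
        n = struct.unpack(">H" if width == 2 else ">Q", buf[2:2 + width])[0]
        pos = 2 + width
    key = buf[pos:pos + 4] if masked else b""
    pos += 4 if masked else 0
    if len(buf) < pos + n:  # frame still incomplete; wait for the next TCP read
        return None
    body = buf[pos:pos + n]
    if masked:
        body = bytes(b ^ key[i % 4] for i, b in enumerate(body))
    return body, pos + n

def tunnel_roundtrip(chunks, mask=True) -> bytes:
    """Frame each TCP chunk, join into one byte stream, then unframe it again."""
    stream, out = b"".join(encode_frame(c, mask) for c in chunks), b""
    while (res := decode_frame(stream)) is not None:
        payload, used = res
        out, stream = out + payload, stream[used:]
    return out
```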