cfn-vpn 0.3.0 → 0.4.0
- checksums.yaml +4 -4
- data/Gemfile.lock +16 -18
- data/README.md +73 -10
- data/cfn-vpn.gemspec +1 -0
- data/lib/cfnvpn/certificates.rb +1 -0
- data/lib/cfnvpn/clientvpn.rb +1 -1
- data/lib/cfnvpn/init.rb +9 -1
- data/lib/cfnvpn/modify.rb +8 -1
- data/lib/cfnvpn/share.rb +1 -1
- data/lib/cfnvpn/templates/cfnvpn.cfhighlander.rb.tt +17 -11
- data/lib/cfnvpn/version.rb +1 -1
- metadata +16 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: fc2272c2d2579de34fa1ae63db688ae1ae2a91ea2345004e3dac0a1aa992bfa7
|
4
|
+
data.tar.gz: e570c13a3af81fc161bf01c18bbad24498bff8620527994a1b43846f9b25732d
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 7a447e1385f39c171e7f5a16c5af5e913855d52fb1f1838220dd00e96c954cfd5258707c9dd389b256aaaf4a776fca5d9bf72cd39870b92cd0d02297ccc9568b
|
7
|
+
data.tar.gz: 52f82b3f55c856542e6c431613f64f6bae9d9b69378a84042c759da3cb620ee270f0cdd067b49e7564a1ebc490249896941db829a6836570af246c5a8278a911
|
data/Gemfile.lock
CHANGED
@@ -15,50 +15,48 @@ GEM
|
|
15
15
|
remote: https://rubygems.org/
|
16
16
|
specs:
|
17
17
|
aws-eventstream (1.0.3)
|
18
|
-
aws-partitions (1.
|
18
|
+
aws-partitions (1.253.0)
|
19
19
|
aws-sdk-acm (1.23.0)
|
20
20
|
aws-sdk-core (~> 3, >= 3.56.0)
|
21
21
|
aws-sigv4 (~> 1.1)
|
22
|
-
aws-sdk-cloudformation (1.
|
23
|
-
aws-sdk-core (~> 3, >= 3.
|
22
|
+
aws-sdk-cloudformation (1.29.0)
|
23
|
+
aws-sdk-core (~> 3, >= 3.71.0)
|
24
24
|
aws-sigv4 (~> 1.1)
|
25
|
-
aws-sdk-core (3.
|
25
|
+
aws-sdk-core (3.85.1)
|
26
26
|
aws-eventstream (~> 1.0, >= 1.0.2)
|
27
|
-
aws-partitions (~> 1.0)
|
27
|
+
aws-partitions (~> 1, >= 1.239.0)
|
28
28
|
aws-sigv4 (~> 1.1)
|
29
29
|
jmespath (~> 1.0)
|
30
|
-
aws-sdk-ec2 (1.
|
31
|
-
aws-sdk-core (~> 3, >= 3.
|
30
|
+
aws-sdk-ec2 (1.124.0)
|
31
|
+
aws-sdk-core (~> 3, >= 3.71.0)
|
32
32
|
aws-sigv4 (~> 1.1)
|
33
|
-
aws-sdk-kms (1.
|
34
|
-
aws-sdk-core (~> 3, >= 3.
|
33
|
+
aws-sdk-kms (1.27.0)
|
34
|
+
aws-sdk-core (~> 3, >= 3.71.0)
|
35
35
|
aws-sigv4 (~> 1.1)
|
36
|
-
aws-sdk-s3 (1.
|
37
|
-
aws-sdk-core (~> 3, >= 3.
|
36
|
+
aws-sdk-s3 (1.59.0)
|
37
|
+
aws-sdk-core (~> 3, >= 3.83.0)
|
38
38
|
aws-sdk-kms (~> 1)
|
39
39
|
aws-sigv4 (~> 1.1)
|
40
40
|
aws-sigv4 (1.1.0)
|
41
41
|
aws-eventstream (~> 1.0, >= 1.0.2)
|
42
|
-
cfhighlander (0.
|
42
|
+
cfhighlander (0.10.7)
|
43
43
|
aws-sdk-cloudformation (~> 1, < 2)
|
44
44
|
aws-sdk-core (~> 3, < 4)
|
45
45
|
aws-sdk-ec2 (~> 1, < 2)
|
46
46
|
aws-sdk-s3 (~> 1, < 2)
|
47
|
-
cfndsl (
|
47
|
+
cfndsl (= 0.17.2)
|
48
48
|
duplicate (~> 1.1)
|
49
49
|
git (~> 1.4, < 2)
|
50
50
|
highline (>= 1.7.10, < 1.8)
|
51
|
-
|
52
|
-
rubyzip (>= 1.2.1, < 2)
|
51
|
+
rubyzip (>= 2.0.0, < 3)
|
53
52
|
thor (~> 0.20, < 1)
|
54
|
-
cfndsl (0.17.
|
53
|
+
cfndsl (0.17.2)
|
55
54
|
duplicate (1.1.1)
|
56
55
|
git (1.5.0)
|
57
56
|
highline (1.7.10)
|
58
57
|
jmespath (1.4.0)
|
59
|
-
netaddr (1.5.1)
|
60
58
|
rake (10.5.0)
|
61
|
-
rubyzip (
|
59
|
+
rubyzip (2.0.0)
|
62
60
|
terminal-table (1.8.0)
|
63
61
|
unicode-display_width (~> 1.1, >= 1.1.1)
|
64
62
|
thor (0.20.3)
|
data/README.md
CHANGED
@@ -3,6 +3,11 @@
|
|
3
3
|
Manages the resources required to create a [client vpn](https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/what-is.html) in AWS.
|
4
4
|
Uses cloudformation to manage the state of the vpn resources.
|
5
5
|
|
6
|
+
## Platforms
|
7
|
+
|
8
|
+
- osx
|
9
|
+
- linux
|
10
|
+
|
6
11
|
## Installation
|
7
12
|
|
8
13
|
Install `cfn-vpn` gem
|
@@ -14,10 +19,49 @@ gem install cfn-vpn
|
|
14
19
|
Install [docker](https://docs.docker.com/install/)
|
15
20
|
|
16
21
|
Docker is required to generate the certificates required for the client vpn.
|
17
|
-
The gem uses [openvpn/easy-rsa](https://github.com/OpenVPN/easy-rsa) project in [base2/aws-client-vpn](https://hub.docker.com/r/base2/aws-client-vpn)
|
22
|
+
The gem uses [openvpn/easy-rsa](https://github.com/OpenVPN/easy-rsa) project in [base2/aws-client-vpn](https://hub.docker.com/r/base2/aws-client-vpn) docker image. [repo](https://github.com/base2Services/ciinabox-containers/tree/master/easy-rsa)
|
18
23
|
|
19
24
|
Setup your [AWS credentials](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) by either setting a profile or exporting them as environment variables.
|
20
25
|
|
26
|
+
```bash
|
27
|
+
export AWS_ACCESS_KEY_ID="XXXXXXXXXXXXXXXXXXXXX"
|
28
|
+
export AWS_SECRET_ACCESS_KEY="XXXXXXXXXXXXXXXXXXXXX"
|
29
|
+
export AWS_SESSION_TOKEN="XXXXXXXXXXXXXXXXXXXXX"
|
30
|
+
```
|
31
|
+
|
32
|
+
Optionally export the AWS region if not providing `--region` flag
|
33
|
+
|
34
|
+
```bash
|
35
|
+
export AWS_REGION="us-east-1"
|
36
|
+
```
|
37
|
+
|
38
|
+
## Scenarios
|
39
|
+
|
40
|
+
For further AWS documentation please visit https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/scenario.html
|
41
|
+
|
42
|
+
### SplitTunnel
|
43
|
+
|
44
|
+
Split tunnel when enabled will only push the routes defined on the client vpn. This is useful if you only want to push routes from your vpc through the vpn.
|
45
|
+
|
46
|
+
### Public subnet with Internet Access
|
47
|
+
|
48
|
+
This can be setup with default options selected. This will push all routes from through the vpn including all internet traffic. The ENI attached to the vpn client attaches a public IP which is used for natting between the vpn and the internet. This must be placed inside a public subnet with a internet gateway attached to the vpc.
|
49
|
+
Please read the AWS [documentation](https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/scenario-internet.html) for troubleshooting any networking issues
|
50
|
+
|
51
|
+
### Private subnet with Internet Access
|
52
|
+
|
53
|
+
This is the same as above but the vpn attached to a subnet in a private subnet with the public route being routed through a nat gateway. **NOTE** the dns on the vpn must be set to the dns server of the vpc you've attached the vpn to, the reserved IP address at the base of the VPC IPv4 network range plus two. For example if you VPC cidr is 10.0.0.0/16 then the dns server for that vpc is 10.0.0.2.
|
54
|
+
|
55
|
+
```bash
|
56
|
+
cfn-vpn init myvpn --bucket mybucket --server-cn myvpn.domain.tld --subnet-id subnet-123456ab --dns-servers 10.0.0.2
|
57
|
+
```
|
58
|
+
|
59
|
+
If you are experiencing issue connecting to the internet check to see if your local dns configurations are overriding the ones set by the vpn. You can test this by using `dig` to query a domain from the vpc dns server. For example:
|
60
|
+
|
61
|
+
```bash
|
62
|
+
dig @10.0.0.2 google.com
|
63
|
+
```
|
64
|
+
|
21
65
|
## Usage
|
22
66
|
|
23
67
|
```bash
|
@@ -50,8 +94,23 @@ This will create a new client vpn endpoint, associates it with a subnet and sets
|
|
50
94
|
During this process a new CA and certificate and keys are generated using [openvpn/easy-rsa](https://github.com/OpenVPN/easy-rsa) and uploaded to ACM.
|
51
95
|
These keys are bundled in a tar and stored encrypted in your provided s3 bucket.
|
52
96
|
|
53
|
-
|
97
|
+
```bash
|
98
|
+
cfn-vpn init myvpn --bucket mybucket --server-cn myvpn.domain.tld --subnet-id subnet-123456ab
|
99
|
+
```
|
100
|
+
|
101
|
+
*Optional:*
|
54
102
|
|
103
|
+
```bash
|
104
|
+
[--cidr=CIDR] # cidr from which to assign client IP addresses
|
105
|
+
# Default: 10.250.0.0/16
|
106
|
+
[--dns-servers=DNS_SERVERS] # DNS Servers to push to clients.
|
107
|
+
[--split-tunnel], [--no-split-tunnel] # only push routes to the client on the vpn endpoint
|
108
|
+
[--internet-route], [--no-internet-route] # create a default route to the internet
|
109
|
+
# Default: true
|
110
|
+
[--protocol=PROTOCOL] # set the protocol for the vpn connections
|
111
|
+
# Default: udp
|
112
|
+
# Possible values: udp, tcp
|
113
|
+
```
|
55
114
|
|
56
115
|
### Create a new client
|
57
116
|
|
@@ -76,10 +135,6 @@ The config will be modified to include the local path of the client cert and key
|
|
76
135
|
|
77
136
|
`cfn-vpn config myvpn --client-cn user1 --bucket mybucket`
|
78
137
|
|
79
|
-
*Optional:*
|
80
|
-
|
81
|
-
`--ignore-routes` By deafult AWS Client VPN will push all routes from your local through the VPN connection. Select this flag to only push routes specified in the Client VPN route table.
|
82
|
-
|
83
138
|
|
84
139
|
### Modify the Client VPN config
|
85
140
|
|
@@ -87,11 +142,19 @@ This will modify some attributes of the client vpn endpoint.
|
|
87
142
|
|
88
143
|
`cfn-vpn config myvpn --dns-servers 8.8.8.8,8.8.4.4`
|
89
144
|
|
90
|
-
*
|
145
|
+
*Options:*
|
91
146
|
|
92
|
-
|
93
|
-
|
94
|
-
|
147
|
+
```bash
|
148
|
+
[--cidr=CIDR] # cidr from which to assign client IP addresses
|
149
|
+
# Default: 10.250.0.0/16
|
150
|
+
[--dns-servers=DNS_SERVERS] # DNS Servers to push to clients.
|
151
|
+
[--split-tunnel], [--no-split-tunnel] # only push routes to the client on the vpn endpoint
|
152
|
+
[--internet-route], [--no-internet-route] # create a default route to the internet
|
153
|
+
# Default: true
|
154
|
+
[--protocol=PROTOCOL] # set the protocol for the vpn connections
|
155
|
+
# Default: udp
|
156
|
+
# Possible values: udp, tcp
|
157
|
+
```
|
95
158
|
|
96
159
|
|
97
160
|
### Share client certificates with a user
|
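--- a/data/cfn-vpn.gemspec
+++ b/data/cfn-vpn.gemspec
@@ -39,6 +39,7 @@ Gem::Specification.new do |spec|
 spec.add_dependency "terminal-table", '~> 1', '<2'
 spec.add_dependency 'cfhighlander', '~> 0.9', '<1'
 spec.add_dependency 'cfndsl', '~> 0.17', '<1'
+spec.add_dependency 'netaddr', '2.0.4'
 spec.add_runtime_dependency 'aws-sdk-ec2', '~> 1.95', '<2'
 spec.add_runtime_dependency 'aws-sdk-acm', '~> 1', '<2'
 spec.add_runtime_dependency 'aws-sdk-s3', '~> 1', '<2'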
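Review bot: `spec.add_dependency 'netaddr', '2.0.4'` is an exact pin in a published gem, which stops consumers from picking up bug or security fixes in the 2.0.x line and can produce unresolvable conflicts with any other gem that also depends on netaddr; `spec.add_dependency 'netaddr', '~> 2.0', '>= 2.0.4'` follows the style of the neighbouring dependency lines. The Gemfile.lock hunk in this same release removes `netaddr (1.5.1)` but does not add `netaddr (2.0.4)`, so the lockfile appears to be out of sync with the gemspec and should be regenerated with `bundle lock` before release.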
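--- a/data/lib/cfnvpn/certificates.rb
+++ b/data/lib/cfnvpn/certificates.rb
@@ -12,6 +12,7 @@ module CfnVpn
 @config_dir = "#{build_dir}/config"
 @cert_dir = "#{build_dir}/certificates"
 @docker_cmd = %w(docker run -it --rm)
+@docker_cmd << "--user #{Process.uid}:#{Process.gid}" if Process::UID.sid_available?
 @easyrsa_image = "base2/aws-client-vpn"
 FileUtils.mkdir_p(@cert_dir)
 end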
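Review bot: The `--user` flag is appended as one array element containing a space, so if `@docker_cmd` is later expanded as an argv list (`system(*@docker_cmd)`) docker receives the single token `--user 1000:1000` and rejects it; pushing two elements, `@docker_cmd.push('--user', "#{Process.uid}:#{Process.gid}")`, works whether the array is joined into a string or passed as argv. The guard `Process::UID.sid_available?` tests for saved-set-uid support, which is only a proxy for "a POSIX platform where uid/gid mean something", so the intent deserves a comment such as `# run easy-rsa as the invoking user so the generated CA and key files are not root-owned (skipped on Windows)`. The method this hunk belongs to starts outside the hunk, and how `@docker_cmd` is executed is not visible here.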
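--- a/data/lib/cfnvpn/clientvpn.rb
+++ b/data/lib/cfnvpn/clientvpn.rb
@@ -143,7 +143,7 @@ module CfnVpn
 routes = get_routes()
 routes
 .select { |r| r if r.destination_cidr != '0.0.0.0/0' }
-.collect { |r| { route: r.destination_cidr.split('/').first, mask: NetAddr::
+.collect { |r| { route: r.destination_cidr.split('/').first, mask: NetAddr::IPv4Net.parse(r.destination_cidr).netmask.extended }}
 end
 
 def valid_cidr?(cidr)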
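Review bot: `NetAddr::IPv4Net.parse` on the changed line raises `NetAddr::ValidationError` for anything that is not a well-formed IPv4 CIDR, so if `get_routes` can ever return an IPv6 or otherwise malformed destination this method aborts instead of skipping the entry; that is presumably acceptable for values coming back from the AWS API, but a `# IPv4 only: NetAddr raises on any other destination` comment would make the assumption explicit. The `select` block on the context line above returns `r if …`, which yields `nil` rather than `false` for the default route and reads like a `map`; `.select { |r| r.destination_cidr != '0.0.0.0/0' }` states the filter directly. The enclosing method's signature is above the hunk.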
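--- a/data/lib/cfnvpn/init.rb
+++ b/data/lib/cfnvpn/init.rb
@@ -25,6 +25,11 @@ module CfnVpn
 class_option :subnet_id, required: true, desc: 'subnet id to associate your vpn with'
 class_option :cidr, default: '10.250.0.0/16', desc: 'cidr from which to assign client IP addresses'
 class_option :dns_servers, desc: 'DNS Servers to push to clients.'
+
+class_option :split_tunnel, type: :boolean, default: false, desc: 'only push routes to the client on the vpn endpoint'
+class_option :internet_route, type: :boolean, default: true, desc: 'create a default route to the internet'
+class_option :protocol, type: :string, default: 'udp', enum: ['udp','tcp'], desc: 'set the protocol for the vpn connections'
+
 
 def self.source_root
 File.dirname(__FILE__)
@@ -47,7 +52,10 @@ module CfnVpn
 @config['parameters']['AssociationSubnetId'] = @options['subnet_id']
 @config['parameters']['ClientCidrBlock'] = @options['cidr']
 @config['parameters']['DnsServers'] = @options['dns_servers']
-@config['
+@config['parameters']['SplitTunnel'] = @options['split_tunnel'].to_s
+@config['parameters']['InternetRoute'] = @options['internet_route'].to_s
+@config['parameters']['Protocol'] = @options['protocol']
+@config['template_version'] = '0.2.0'
 end
 
 def stack_exist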
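Review bot: The help text for `--internet-route` (default `true`) does not say what the default implies for clients: together with the default `--no-split-tunnel`, all client traffic including internet traffic is routed through the VPN and egresses from the associated subnet, which therefore needs an internet gateway or NAT route as the README describes, and nothing in `cfn-vpn help init` tells the operator that. A desc such as `'create a default route to the internet through the vpn (default: true; the associated subnet must have internet egress)'` would surface it where the option is chosen. The three new `class_option` lines are duplicated verbatim in modify.rb; a shared module would keep the two commands from drifting. The enclosing class continues outside both hunks.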
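--- a/data/lib/cfnvpn/modify.rb
+++ b/data/lib/cfnvpn/modify.rb
@@ -22,6 +22,10 @@ module CfnVpn
 class_option :cidr, desc: 'cidr from which to assign client IP addresses'
 class_option :dns_servers, desc: 'DNS Servers to push to clients.'
 
+class_option :split_tunnel, type: :boolean, default: false, desc: 'only push routes to the client on the vpn endpoint'
+class_option :internet_route, type: :boolean, default: true, desc: 'create a default route to the internet'
+class_option :protocol, type: :string, default: 'udp', enum: ['udp','tcp'], desc: 'set the protocol for the vpn connections'
+
 def self.source_root
 File.dirname(__FILE__)
 end
@@ -42,7 +46,10 @@ module CfnVpn
 @config['parameters']['AssociationSubnetId'] = @options['subnet_id']
 @config['parameters']['ClientCidrBlock'] = @options['cidr']
 @config['parameters']['DnsServers'] = @options['dns_servers']
-@config['
+@config['parameters']['SplitTunnel'] = @options['split_tunnel'].to_s
+@config['parameters']['InternetRoute'] = @options['internet_route'].to_s
+@config['parameters']['Protocol'] = @options['protocol']
+@config['template_version'] = '0.2.0'
 end
 
 def stack_exist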
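Review bot: Giving `--split-tunnel`, `--internet-route` and `--protocol` defaults in the modify command means every `cfn-vpn modify` run writes those defaults into the stack parameters, so an invocation that only changes `--dns-servers` silently resets a split-tunnel or TCP endpoint back to full-tunnel UDP. If `@config` in the second hunk carries the existing stack's parameters, the fix is to drop the `default:` values from these three options (unlike init, `cidr` and `dns_servers` already have none here) and assign only when the flag was given, e.g. `@config['parameters']['SplitTunnel'] = @options['split_tunnel'].to_s unless @options['split_tunnel'].nil?`, with the same guard for the other two. If the underlying endpoint resource treats the transport protocol as replacement-only, as CloudFormation documents for client VPN endpoints, a `--protocol` change also recreates the endpoint and drops connected clients, which the option's desc should say. Where `@config` is loaded from is outside both hunks.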
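--- a/data/lib/cfnvpn/share.rb
+++ b/data/lib/cfnvpn/share.rb
@@ -72,7 +72,7 @@ module CfnVpn
 say "\nCertificate:"
 say "\tcurl #{@certificate_url} > #{@options['client_cn']}.tar.gz", :cyan
 say "\nConfig:\n"
-say "\tcurl #{@
+say "\tcurl #{@config_url} > #{@name}.config.ovpn", :cyan
 say "\nExtract the certificates from the tar and place into a safe location."
 say "\ttar xzfv #{@options['client_cn']}.tar.gz -C <path> --strip 2", :cyan
 say "\nModify #{@name}.config.ovpn to include the full location of your extracted certificates"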
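Review bot: The printed `curl #{@config_url} > …` command leaves the URL unquoted, so if `@config_url` is a presigned S3 URL its `&`-separated query parameters are split by the user's shell when the line is pasted, truncating the signature and backgrounding the command, and any non-2xx response (an expired or mangled URL) is then written into `#{@name}.config.ovpn` as an HTML body. Printing `curl -fsS '#{@config_url}' -o #{@name}.config.ovpn` (and the same form for the certificate line above it) quotes the URL and makes curl fail instead of saving the error page. Because the tarball contains the client's private key, the instructions should also state that the links are time-limited and must not be forwarded, if that is how they are generated; where `@config_url` and `@certificate_url` are built is outside the hunk.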
@@ -1,21 +1,27 @@
|
|
1
1
|
CfhighlanderTemplate do
|
2
|
-
|
2
|
+
|
3
3
|
Parameters do
|
4
4
|
ComponentParam 'EnvironmentName'
|
5
5
|
ComponentParam 'AssociationSubnetId'
|
6
6
|
ComponentParam 'ClientCidrBlock'
|
7
|
-
ComponentParam 'ClientCertificateArn'
|
8
|
-
ComponentParam 'ServerCertificateArn'
|
9
7
|
ComponentParam 'DnsServers'
|
8
|
+
ComponentParam 'SplitTunnel'
|
9
|
+
ComponentParam 'InternetRoute'
|
10
|
+
ComponentParam 'Protocol'
|
11
|
+
ComponentParam 'ServerCertificateArn'
|
12
|
+
ComponentParam 'ClientCertificateArn'
|
10
13
|
end
|
11
|
-
|
14
|
+
|
12
15
|
Component template: 'client-vpn@<%= @config['template_version'] %>', name: 'vpn', render: Inline do
|
13
|
-
|
14
|
-
|
15
|
-
|
16
|
-
|
17
|
-
|
18
|
-
|
16
|
+
parameter name: 'EnvironmentName', value: Ref('EnvironmentName')
|
17
|
+
parameter name: 'AssociationSubnetId', value: Ref('AssociationSubnetId')
|
18
|
+
parameter name: 'ClientCidrBlock', value: Ref('ClientCidrBlock')
|
19
|
+
parameter name: 'DnsServers', value: Ref('DnsServers')
|
20
|
+
parameter name: 'SplitTunnel', value: Ref('SplitTunnel')
|
21
|
+
parameter name: 'InternetRoute', value: Ref('InternetRoute')
|
22
|
+
parameter name: 'Protocol', value: Ref('Protocol')
|
23
|
+
parameter name: 'ServerCertificateArn', value: Ref('ServerCertificateArn')
|
24
|
+
parameter name: 'ClientCertificateArn', value: Ref('ClientCertificateArn')
|
19
25
|
end
|
20
|
-
|
26
|
+
|
21
27
|
end
|
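Review bot: The new `SplitTunnel`, `InternetRoute` and `Protocol` parameters are declared without a type or allowed values, while the CLI feeds them stringified booleans and a udp/tcp enum; if `ComponentParam` accepts an `allowedValues:` option, constraining them here (`allowedValues: ['true', 'false']` for the two booleans and `['udp', 'tcp']` for `Protocol`) rejects hand-edited config values at the CloudFormation layer rather than at endpoint creation. The file header for this section is not shown, and the inner `client-vpn` component template that consumes these parameters is not part of this diff.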
data/lib/cfnvpn/version.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: cfn-vpn
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.4.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Guslington
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date: 2019-
|
11
|
+
date: 2019-12-15 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: thor
|
@@ -84,6 +84,20 @@ dependencies:
|
|
84
84
|
- - "<"
|
85
85
|
- !ruby/object:Gem::Version
|
86
86
|
version: '1'
|
87
|
+
- !ruby/object:Gem::Dependency
|
88
|
+
name: netaddr
|
89
|
+
requirement: !ruby/object:Gem::Requirement
|
90
|
+
requirements:
|
91
|
+
- - '='
|
92
|
+
- !ruby/object:Gem::Version
|
93
|
+
version: 2.0.4
|
94
|
+
type: :runtime
|
95
|
+
prerelease: false
|
96
|
+
version_requirements: !ruby/object:Gem::Requirement
|
97
|
+
requirements:
|
98
|
+
- - '='
|
99
|
+
- !ruby/object:Gem::Version
|
100
|
+
version: 2.0.4
|
87
101
|
- !ruby/object:Gem::Dependency
|
88
102
|
name: aws-sdk-ec2
|
89
103
|
requirement: !ruby/object:Gem::Requirement
|