cfn-vpn 0.4.0 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fc2272c2d2579de34fa1ae63db688ae1ae2a91ea2345004e3dac0a1aa992bfa7
-  data.tar.gz: e570c13a3af81fc161bf01c18bbad24498bff8620527994a1b43846f9b25732d
+  metadata.gz: 15da75354bf027cc2140fab12465e6cb9ff6090cd26eb11495ba63546a476eb0
+  data.tar.gz: b6058447275663117acc7b473960cb28bc524886e5d9771f944b6e835dc8b04c
 SHA512:
-  metadata.gz: 7a447e1385f39c171e7f5a16c5af5e913855d52fb1f1838220dd00e96c954cfd5258707c9dd389b256aaaf4a776fca5d9bf72cd39870b92cd0d02297ccc9568b
-  data.tar.gz: 52f82b3f55c856542e6c431613f64f6bae9d9b69378a84042c759da3cb620ee270f0cdd067b49e7564a1ebc490249896941db829a6836570af246c5a8278a911
+  metadata.gz: e61cef4dfc247340ebc639871d053dac6319ce8d658afb5551f3fe1901b533860a43b44ac036e2721478db013e81e3c4aa182adb1bf87cc96c10206b9670b2f9
+  data.tar.gz: 75c182953a0538329d57d669c73e5d7943bea388072b0ce0a010ac2dd4ba86f484978fe51164ef6a43e36a3f0809a0999c0493bac792c530783ef4cadc69667f

data/.github/workflows/build-gem.yml

@@ -0,0 +1,25 @@
+name: test and build gem
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  build:
+    name: test + build
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: set up ruby 2.6
+      uses: actions/setup-ruby@v1
+      with:
+        ruby-version: 2.6.x
+    - name: rspec
+      run: |
+        gem install rspec
+        rspec
+    - name: build gem
+      run: |
+        gem build cfn-vpn.gemspec

data/.github/workflows/release-gem.yml

@@ -0,0 +1,31 @@
+name: release gem
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  build:
+    name: Build + Publish Gem
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Check out the repo
+      uses: actions/checkout@v2
+    
+    - name: Set up Ruby 2.6
+      uses: actions/setup-ruby@v1
+      with:
+        ruby-version: 2.6.x
+
+    - name: Publish Gem to Github Packages Respository
+      run: |
+        mkdir -p $HOME/.gem
+        touch $HOME/.gem/credentials
+        chmod 0600 $HOME/.gem/credentials
+        printf -- "---\n:github: ${GEM_HOST_API_KEY}\n" > $HOME/.gem/credentials
+        gem build cfn-vpn.gemspec
+        gem push --KEY github --host https://rubygems.pkg.github.com/${OWNER} *.gem
+      env:
+        GEM_HOST_API_KEY: "Bearer ${{secrets.GITHUB_TOKEN}}"
+        OWNER: ${{ github.repository_owner }}

data/.github/workflows/release-image.yml

@@ -0,0 +1,33 @@
+name: release docker image
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  build:
+    name: Build + Publish Container Image
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Check out the repo
+      uses: actions/checkout@v2
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v1
+
+    - name: Login to  GitHub Container Repository
+      uses: docker/login-action@v1
+      with:
+        registry: ghcr.io
+        username: ${{ github.repository_owner }}
+        password: ${{ secrets.GHCR_PUSH_TOKEN }}
+
+    - name: Build and push Container Image to GitHub Container Repository
+      uses: docker/build-push-action@v2
+      with:
+        context: .
+        file: ./Dockerfile
+        push: true
+        tags: ghcr.io/base2services/cfnvpn:${{ github.event.release.tag_name }}
+        build-args: CFNVPN_VERSION=${{ github.event.release.tag_name }}

data/Dockerfile

@@ -0,0 +1,26 @@
+FROM ruby:2.7-alpine
+
+RUN apk add --no-cache easy-rsa git \
+    # Hack until easy-rsa 3.0.7 is released https://github.com/OpenVPN/easy-rsa/issues/261
+    && sed -i 's/^RANDFILE\s*=\s\$ENV.*/#&/' /usr/share/easy-rsa/openssl-easyrsa.cnf \
+    && ln -s /usr/share/easy-rsa/easyrsa  /usr/bin/
+
+ENV EASYRSA=/usr/share/easy-rsa
+ENV EASYRSA_BATCH=yes
+
+ARG CFNVPN_VERSION="0.5.0"
+
+COPY . /src
+
+WORKDIR /src
+
+RUN gem build cfn-vpn.gemspec \
+    && gem install cfn-vpn-${CFNVPN_VERSION}.gem \
+    && rm -rf /src
+    
+RUN addgroup -g 1000 cfnvpn && \
+    adduser -D -u 1000 -G cfnvpn cfnvpn
+
+USER cfnvpn
+
+RUN cfndsl -u 9.0.0

data/Gemfile.lock

@@ -1,66 +1,58 @@
 PATH
   remote: .
   specs:
-    cfn-vpn (0.2.0)
+    cfn-vpn (1.0.0)
       aws-sdk-acm (~> 1, < 2)
       aws-sdk-cloudformation (~> 1, < 2)
       aws-sdk-ec2 (~> 1.95, < 2)
       aws-sdk-s3 (~> 1, < 2)
-      cfhighlander (~> 0.9, < 1)
-      cfndsl (~> 0.17, < 1)
+      aws-sdk-ssm (~> 1, < 2)
+      cfndsl (~> 1, < 2)
+      netaddr (= 2.0.4)
       terminal-table (~> 1, < 2)
       thor (~> 0.20)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    aws-eventstream (1.0.3)
-    aws-partitions (1.253.0)
-    aws-sdk-acm (1.23.0)
-      aws-sdk-core (~> 3, >= 3.56.0)
+    aws-eventstream (1.1.0)
+    aws-partitions (1.390.0)
+    aws-sdk-acm (1.38.0)
+      aws-sdk-core (~> 3, >= 3.109.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-cloudformation (1.29.0)
-      aws-sdk-core (~> 3, >= 3.71.0)
+    aws-sdk-cloudformation (1.44.0)
+      aws-sdk-core (~> 3, >= 3.109.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-core (3.85.1)
-      aws-eventstream (~> 1.0, >= 1.0.2)
+    aws-sdk-core (3.109.2)
+      aws-eventstream (~> 1, >= 1.0.2)
       aws-partitions (~> 1, >= 1.239.0)
       aws-sigv4 (~> 1.1)
       jmespath (~> 1.0)
-    aws-sdk-ec2 (1.124.0)
-      aws-sdk-core (~> 3, >= 3.71.0)
+    aws-sdk-ec2 (1.208.0)
+      aws-sdk-core (~> 3, >= 3.109.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-kms (1.27.0)
-      aws-sdk-core (~> 3, >= 3.71.0)
+    aws-sdk-kms (1.39.0)
+      aws-sdk-core (~> 3, >= 3.109.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.59.0)
-      aws-sdk-core (~> 3, >= 3.83.0)
+    aws-sdk-s3 (1.84.0)
+      aws-sdk-core (~> 3, >= 3.109.0)
       aws-sdk-kms (~> 1)
       aws-sigv4 (~> 1.1)
-    aws-sigv4 (1.1.0)
-      aws-eventstream (~> 1.0, >= 1.0.2)
-    cfhighlander (0.10.7)
-      aws-sdk-cloudformation (~> 1, < 2)
-      aws-sdk-core (~> 3, < 4)
-      aws-sdk-ec2 (~> 1, < 2)
-      aws-sdk-s3 (~> 1, < 2)
-      cfndsl (= 0.17.2)
-      duplicate (~> 1.1)
-      git (~> 1.4, < 2)
-      highline (>= 1.7.10, < 1.8)
-      rubyzip (>= 2.0.0, < 3)
-      thor (~> 0.20, < 1)
-    cfndsl (0.17.2)
-    duplicate (1.1.1)
-    git (1.5.0)
-    highline (1.7.10)
+    aws-sdk-ssm (1.97.0)
+      aws-sdk-core (~> 3, >= 3.109.0)
+      aws-sigv4 (~> 1.1)
+    aws-sigv4 (1.2.2)
+      aws-eventstream (~> 1, >= 1.0.2)
+    cfndsl (1.2.0)
+      hana (~> 1.3)
+    hana (1.3.6)
     jmespath (1.4.0)
-    rake (10.5.0)
-    rubyzip (2.0.0)
+    netaddr (2.0.4)
+    rake (13.0.1)
     terminal-table (1.8.0)
       unicode-display_width (~> 1.1, >= 1.1.1)
     thor (0.20.3)
-    unicode-display_width (1.6.0)
+    unicode-display_width (1.7.0)
 
 PLATFORMS
   ruby
@@ -68,7 +60,7 @@ PLATFORMS
 DEPENDENCIES
   bundler (~> 2.0)
   cfn-vpn!
-  rake (~> 10.0)
+  rake (~> 13.0)
 
 BUNDLED WITH
    2.0.1

data/README.md

@@ -1,229 +1,6 @@
 # CfnVpn
 
-Manages the resources required to create a [client vpn](https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/what-is.html) in AWS.
-Uses cloudformation to manage the state of the vpn resources.
-
-## Platforms
-
-- osx
-- linux
-
-## Installation
-
-Install `cfn-vpn` gem
-
-```bash
-gem install cfn-vpn
-```
-
-Install [docker](https://docs.docker.com/install/)
-
-Docker is required to generate the certificates required for the client vpn.
-The gem uses [openvpn/easy-rsa](https://github.com/OpenVPN/easy-rsa) project in [base2/aws-client-vpn](https://hub.docker.com/r/base2/aws-client-vpn) docker image. [repo](https://github.com/base2Services/ciinabox-containers/tree/master/easy-rsa)
-
-Setup your [AWS credentials](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) by either setting a profile or exporting them as environment variables.
-
-```bash
-export AWS_ACCESS_KEY_ID="XXXXXXXXXXXXXXXXXXXXX"
-export AWS_SECRET_ACCESS_KEY="XXXXXXXXXXXXXXXXXXXXX"
-export AWS_SESSION_TOKEN="XXXXXXXXXXXXXXXXXXXXX"
-```
-
-Optionally export the AWS region if not providing `--region` flag
-
-```bash
-export AWS_REGION="us-east-1"
-```
-
-## Scenarios 
-
-For further AWS documentation please visit https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/scenario.html
-
-### SplitTunnel
-
-Split tunnel when enabled will only push the routes defined on the client vpn. This is useful if you only want to push routes from your vpc through the vpn.
-
-### Public subnet with Internet Access
-
-This can be setup with default options selected. This will push all routes from through the vpn including all internet traffic. The ENI attached to the vpn client attaches a public IP which is used for natting between the vpn and the internet. This must be placed inside a public subnet with a internet gateway attached to the vpc.
-Please read the AWS [documentation](https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/scenario-internet.html) for troubleshooting any networking issues
-
-### Private subnet with Internet Access
-
-This is the same as above but the vpn attached to a subnet in a private subnet with the public route being routed through a nat gateway. **NOTE** the dns on the vpn must be set to the dns server of the vpc you've attached the vpn to, the reserved IP address at the base of the VPC IPv4 network range plus two. For example if you VPC cidr is 10.0.0.0/16 then the dns server for that vpc is 10.0.0.2.
-
-```bash
-cfn-vpn init myvpn --bucket mybucket --server-cn myvpn.domain.tld --subnet-id subnet-123456ab --dns-servers 10.0.0.2
-```
-
-If you are experiencing issue connecting to the internet check to see if your local dns configurations are overriding the ones set by the vpn. You can test this by using `dig` to query a domain from the vpc dns server. For example:
-
-```bash
-dig @10.0.0.2 google.com
-```
-
-## Usage
-
-```bash
-Commands:
-  cfn-vpn --version, -v                                                            # print the version
-  cfn-vpn client [name] --bucket=BUCKET --client-cn=CLIENT_CN                      # Create a new client certificate
-  cfn-vpn config [name] --bucket=BUCKET --client-cn=CLIENT_CN                      # Retrieve the config for the AWS Client VPN
-  cfn-vpn help [COMMAND]                                                           # Describe available commands or one specific command
-  cfn-vpn init [name] --bucket=BUCKET --server-cn=SERVER_CN --subnet-id=SUBNET_ID  # Create a AWS Client VPN
-  cfn-vpn modify [name]                                                            # Modify your AWS Client VPN
-  cfn-vpn revoke [name] --bucket=BUCKET --client-cn=CLIENT_CN                      # Revoke a client certificate
-  cfn-vpn routes [name]                                                            # List, add or delete client vpn routes
-  cfn-vpn sessions [name]                                                          # List and kill current vpn connections
-  cfn-vpn share [name] --bucket=BUCKET --client-cn=CLIENT_CN                       # Provide a user with a s3 signed download for certificates and config
-```
-
-Global options
-
-```bash
-p, [--profile=PROFILE]           # AWS Profile
-r, [--region=REGION]             # AWS Region
-                                 # Default: ENV['AWS_REGION']
-    [--verbose], [--no-verbose]  # set log level to debug
-```
-
-
-### Create a new AWS Client VPN
-
-This will create a new client vpn endpoint, associates it with a subnet and sets up a route to the internet.
-During this process a new CA and certificate and keys are generated using [openvpn/easy-rsa](https://github.com/OpenVPN/easy-rsa) and uploaded to ACM.
-These keys are bundled in a tar and stored encrypted in your provided s3 bucket.
-
-```bash
-cfn-vpn init myvpn --bucket mybucket --server-cn myvpn.domain.tld --subnet-id subnet-123456ab
-```
-
-*Optional:*
-
-```bash
-[--cidr=CIDR]                              # cidr from which to assign client IP addresses
-                                           # Default: 10.250.0.0/16
-[--dns-servers=DNS_SERVERS]                # DNS Servers to push to clients.
-[--split-tunnel], [--no-split-tunnel]      # only push routes to the client on the vpn endpoint
-[--internet-route], [--no-internet-route]  # create a default route to the internet
-                                           # Default: true
-[--protocol=PROTOCOL]                      # set the protocol for the vpn connections
-                                           # Default: udp
-                                           # Possible values: udp, tcp
-```
-
-### Create a new client
-
-This will generate a new client certificate and key against the CA generated in the `init`.
-It will be bundled into a tar and stored encrypted in your provided s3 bucket.
-
-`cfn-vpn client myvpn --client-cn user1 --bucket mybucket`
-
-
-### Revoke a client
-
-This will revoke the client certificate and apply to the client VPN endpoint.
-Note this wont terminate the session but will stop the client from reconnecting using the certificate.
-
-`cfn-vpn revoke myvpn --client-cn user1 --bucket mybucket`
-
-
-### Download the config file
-
-This will download the client certificate bundle from s3 and the Client VPN config file from the endpoint.
-The config will be modified to include the local path of the client cert and key.
-
-`cfn-vpn config myvpn --client-cn user1 --bucket mybucket`
-
-
-### Modify the Client VPN config
-
-This will modify some attributes of the client vpn endpoint.
-
-`cfn-vpn config myvpn --dns-servers 8.8.8.8,8.8.4.4`
-
-*Options:*
-
-```bash
-[--cidr=CIDR]                              # cidr from which to assign client IP addresses
-                                           # Default: 10.250.0.0/16
-[--dns-servers=DNS_SERVERS]                # DNS Servers to push to clients.
-[--split-tunnel], [--no-split-tunnel]      # only push routes to the client on the vpn endpoint
-[--internet-route], [--no-internet-route]  # create a default route to the internet
-                                           # Default: true
-[--protocol=PROTOCOL]                      # set the protocol for the vpn connections
-                                           # Default: udp
-                                           # Possible values: udp, tcp
-```
-
-
-### Share client certificates with a user
-
-This will generate a presigned url for the client's certificate and config file to allow them to download them to their local computer.
-
-`cfn-vpn share myvpn --client-cn user1 --bucket mybucket`
-
-You can then share the output with your user
-
-```
-Download the certificates and config from the bellow presigned URLs which will expire in 1 hour.
-
-Certificate:
-<presigned url>
-
-Config:
-<presigned url>
-
-Extract the certificates from the tar and place into a safe location.
-	tar xzfv user1.tar.gz -C <path>
-
-Modify base2-ciinabox.config.ovpn to include the full location of your extracted certificates
-	echo "key /<path>/user1.key" >> myvpn.config.ovpn
-	echo "cert /<path>/user1.crt" >> myvpn.config.ovpn
-
-Open myvpn.config.ovpn with your favourite openvpn client.
-```
-
-
-### Show and Kill Current Connections
-
-This is show a table of current connections on the vpn. You can then kill sessions by using the connection id.
-
-```bash
-$ cfn-vpn sessions myvpn
-+-------------+---------------------+--------+-------------+-----------------------------------+---------------+--------------+
-| Common Name | Connected (UTC)     | Status | IP Address  | Connection ID                     | Ingress Bytes | Egress Bytes |
-+-------------+---------------------+--------+-------------+-----------------------------------+---------------+--------------+
-| user1       | 2019-06-28 04:58:19 | active | 10.250.0.98 | cvpn-connection-05bcc579cb3fdf9a3 | 3000          | 2679         |
-+-------------+---------------------+--------+-------------+-----------------------------------+---------------+--------------+
-```
-
-Specify the `--kill` flag with the connection id to kill the session.
-
-`cfn-vpn sessions myvpn --kill cvpn-connection-05bcc579cb3fdf9a3`
-
-
-### Show, Add and Remove Routes
-
-This will display the route table from the Client VPN.
-
-```bash
-+---------------+-----------------------+--------+-----------------+------+-----------+
-| Route         | Description           | Status | Target          | Type | Origin    |
-+---------------+-----------------------+--------+-----------------+------+-----------+
-| 10.0.0.0/16   | Default Route         | active | subnet-123456ab | Nat  | associate |
-| 0.0.0.0/0     | Route to the internet | active | subnet-123456ab | Nat  | add-route |
-+---------------+-----------------------+--------+-----------------+------+-----------+
-```
-
-to add a new route specify the `--add` flag with the cidr and a description with the `--desc` flag.
-
-`cfn-vpn routes myvpn --add 10.10.0.0/16 --desc "route to peered vpc"`
-
-to delete a route specify the `--del` flag with the cidr you want to delete.
-
-`cfn-vpn routes myvpn --del 10.10.0.0/16`
-
+Click [here](docs/README.md) to view the documentation and getting started guide.
 
 ## Contributing