cfn-vpn 0.5.1 → 1.3.1

Files changed (46)
  1. checksums.yaml +4 -4
  2. data/.github/workflows/build-gem.yml +25 -0
  3. data/.github/workflows/release-gem.yml +34 -0
  4. data/.github/workflows/release-image.yml +33 -0
  5. data/Gemfile.lock +33 -39
  6. data/README.md +1 -247
  7. data/cfn-vpn.gemspec +4 -4
  8. data/docs/README.md +44 -0
  9. data/docs/certificate-users.md +89 -0
  10. data/docs/getting-started.md +128 -0
  11. data/docs/modifying.md +67 -0
  12. data/docs/routes.md +98 -0
  13. data/docs/scheduling.md +32 -0
  14. data/docs/sessions.md +27 -0
  15. data/lib/cfnvpn.rb +31 -27
  16. data/lib/cfnvpn/{client.rb → actions/client.rb} +5 -6
  17. data/lib/cfnvpn/{embedded.rb → actions/embedded.rb} +15 -15
  18. data/lib/cfnvpn/actions/init.rb +144 -0
  19. data/lib/cfnvpn/actions/modify.rb +169 -0
  20. data/lib/cfnvpn/actions/params.rb +73 -0
  21. data/lib/cfnvpn/{revoke.rb → actions/revoke.rb} +6 -6
  22. data/lib/cfnvpn/actions/routes.rb +196 -0
  23. data/lib/cfnvpn/{sessions.rb → actions/sessions.rb} +5 -5
  24. data/lib/cfnvpn/{share.rb → actions/share.rb} +10 -10
  25. data/lib/cfnvpn/actions/subnets.rb +78 -0
  26. data/lib/cfnvpn/certificates.rb +5 -5
  27. data/lib/cfnvpn/clientvpn.rb +49 -65
  28. data/lib/cfnvpn/compiler.rb +23 -0
  29. data/lib/cfnvpn/config.rb +34 -78
  30. data/lib/cfnvpn/{cloudformation.rb → deployer.rb} +47 -19
  31. data/lib/cfnvpn/log.rb +26 -26
  32. data/lib/cfnvpn/s3.rb +34 -4
  33. data/lib/cfnvpn/s3_bucket.rb +48 -0
  34. data/lib/cfnvpn/string.rb +33 -0
  35. data/lib/cfnvpn/templates/helper.rb +14 -0
  36. data/lib/cfnvpn/templates/lambdas.rb +35 -0
  37. data/lib/cfnvpn/templates/lambdas/auto_route_populator/app.py +175 -0
  38. data/lib/cfnvpn/templates/lambdas/scheduler/app.py +36 -0
  39. data/lib/cfnvpn/templates/vpn.rb +449 -0
  40. data/lib/cfnvpn/version.rb +1 -1
  41. metadata +73 -23
  42. data/lib/cfnvpn/cfhighlander.rb +0 -49
  43. data/lib/cfnvpn/init.rb +0 -109
  44. data/lib/cfnvpn/modify.rb +0 -103
  45. data/lib/cfnvpn/routes.rb +0 -84
  46. data/lib/cfnvpn/templates/cfnvpn.cfhighlander.rb.tt +0 -27
data/cfn-vpn.gemspec CHANGED
@@ -17,8 +17,6 @@ Gem::Specification.new do |spec|
17
17
  # Prevent pushing this gem to RubyGems.org. To allow pushes either set the 'allowed_push_host'
18
18
  # to allow pushing to a single host or delete this section to allow pushing to any host.
19
19
  if spec.respond_to?(:metadata)
20
- spec.metadata["allowed_push_host"] = 'https://rubygems.org'
21
-
22
20
  spec.metadata["homepage_uri"] = spec.homepage
23
21
  spec.metadata["source_code_uri"] = "https://github.com/base2services/aws-client-vpn"
24
22
  else
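Review bot: removing `spec.metadata["allowed_push_host"]` (old line 20) drops the only guard against `gem push` sending this gem to an unintended registry, and leaves the comment on lines 17-18 describing a setting that no longer exists. Since getting-started.md installs from `https://rubygems.pkg.github.com/base2services`, set `spec.metadata["allowed_push_host"] = 'https://rubygems.pkg.github.com/base2services'` rather than deleting the key; if the gem is intentionally published to more than one host, say so in the comment and make the release-gem workflow the only place that pushes.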
@@ -37,13 +35,15 @@ Gem::Specification.new do |spec|
37
35
 
38
36
  spec.add_dependency "thor", "~> 0.20"
39
37
  spec.add_dependency "terminal-table", '~> 1', '<2'
40
- spec.add_dependency 'cfhighlander', '~> 0.9', '<1'
38
+ spec.add_dependency 'cfndsl', '~> 1', '<2'
41
39
  spec.add_dependency 'netaddr', '2.0.4'
40
+ spec.add_dependency 'rubyzip', '~> 2.3'
42
41
  spec.add_runtime_dependency 'aws-sdk-ec2', '~> 1.95', '<2'
43
42
  spec.add_runtime_dependency 'aws-sdk-acm', '~> 1', '<2'
44
43
  spec.add_runtime_dependency 'aws-sdk-s3', '~> 1', '<2'
45
44
  spec.add_runtime_dependency 'aws-sdk-cloudformation', '~> 1', '<2'
45
+ spec.add_runtime_dependency 'aws-sdk-ssm', '~> 1', '<2'
46
46
 
47
47
  spec.add_development_dependency "bundler", "~> 2.0"
48
- spec.add_development_dependency "rake", "~> 10.0"
48
+ spec.add_development_dependency "rake", "~> 13.0"
49
49
  end
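Review bot: `'~> 1', '<2'` on the cfndsl, aws-sdk-acm, aws-sdk-s3, aws-sdk-cloudformation and new aws-sdk-ssm lines is redundant, since `~> 1` already means `>= 1, < 2`; either drop the `'<2'` or pin to a minor version as `rubyzip '~> 2.3'` and `aws-sdk-ec2 '~> 1.95'` do, so a fresh install cannot silently resolve to a 1.x that changed behaviour. The new `rubyzip` dependency brings archive extraction into the tool; wherever it unpacks archives fetched from S3, validate entry names before writing them to disk, and since Gemfile.lock is part of this change the release workflow should ship the regenerated lock so installs are reproducible. Minor: `add_dependency` and `add_runtime_dependency` are aliases; use one form throughout.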
data/docs/README.md ADDED
@@ -0,0 +1,44 @@
1
+ # CfnVpn for AWS Client-VPN
2
+
3
+ `cfn-vpn` is a wrapper around [AWS Client-VPN](https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/what-is.html) to improve the management experience of the VPN. The tool utilises Cloudformation to manage the AWS resources required by the Client-VPN and automates the certificate management process with the [openvpn/easy-rsa](https://github.com/OpenVPN/easy-rsa) library.
4
+
5
+ ## VPN Scenarios
6
+
7
+ For further AWS documentation please visit https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/scenario.html
8
+
9
+ ### Split Tunnel
10
+
11
+ Split tunnel when enabled will only push the routes defined on the client vpn. This is useful if you only want to push routes from your vpc through the vpn.
12
+
13
+ ### Public Subnet with Internet Access
14
+
15
+ This can be setup with default options selected. This will push all routes from through the vpn including all internet traffic. The ENI attached to the vpn client attaches a public IP which is used for natting between the vpn and the internet. This must be placed inside a public subnet with a internet gateway attached to the vpc.
16
+ Please read the AWS [documentation](https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/scenario-internet.html) for troubleshooting any networking issues
17
+
18
+ ### Private Subnet with Internet Access
19
+
20
+ This is the same as above but the vpn attached to a subnet in a private subnet with the public route being routed through a nat gateway. **NOTE** the dns on the vpn must be set to the dns server of the vpc you've attached the vpn to, the reserved IP address at the base of the VPC IPv4 network range plus two. For example if you VPC cidr is 10.0.0.0/16 then the dns server for that vpc is 10.0.0.2.
21
+
22
+ ```bash
23
+ cfn-vpn init myvpn --bucket mybucket --server-cn myvpn.domain.tld --subnet-id subnet-123456ab --dns-servers 10.0.0.2
24
+ ```
25
+
26
+ If you are experiencing issue connecting to the internet check to see if your local dns configurations are overriding the ones set by the vpn. You can test this by using `dig` to query a domain from the vpc dns server. For example:
27
+
28
+ ```bash
29
+ dig @10.0.0.2 google.com
30
+ ```
31
+
32
+ ## Authentication Types
33
+
34
+ `cfn-vpn` supports certificate, federated and active directory type authentication for AWS Client-VPN.
35
+ For further information on the authentication types please visit https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html
36
+
37
+ ## CfnVpn Documentation
38
+
39
+ 1. [Getting Started](getting-started.md)
40
+ 2. [Modifying The Client-VPN](modifying.md)
41
+ 3. [Managing Certificate Users](certificate-users.md)
42
+ 4. [Managing Routes](routes.md)
43
+ 5. [Stop and Start Client-VPN](scheduling.md)
44
+ 6. [Managing Sessions](sessions.md)
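Review bot: the "Public Subnet with Internet Access" section says the default options push all traffic, including internet traffic, through the VPN, but the init option list in getting-started.md shows `--split-tunnel` defaulting to true and `--internet-route` taking a subnet id with no default; one of the two is wrong, and this scenario should state the exact flags it needs. The statement that the VPN ENI "attaches a public IP which is used for natting" should be verified against the linked AWS scenario page, since this is the text operators will use when troubleshooting. Typos: "push all routes from through", "a internet gateway", "the vpn attached to a subnet in a private subnet", "if you VPC cidr", "experiencing issue connecting".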
@@ -0,0 +1,89 @@
1
+ # Managing Certificate Authenticated Users
2
+
3
+ This section explains how to generate, revoke VPN clients and share config the config with the users
4
+
5
+ ## Create a new user
6
+
7
+ This will generate a new client certificate and key against the CA generated in the `init`.
8
+ It will be bundled into a tar and stored encrypted in your provided s3 bucket.
9
+
10
+ ```
11
+ cfn-vpn client myvpn --client-cn user1 --bucket mybucket
12
+ ```
13
+
14
+
15
+ ## Revoke a user
16
+
17
+ This will revoke the client certificate and apply to the client VPN endpoint.
18
+ Note this wont terminate the session but will stop the client from reconnecting using the certificate.
19
+
20
+ ```sh
21
+ cfn-vpn revoke myvpn --client-cn user1 --bucket mybucket
22
+ ```
23
+
24
+ ## Modify the Client VPN config
25
+
26
+ This will modify some attributes of the client vpn endpoint.
27
+
28
+ ```sh
29
+ cfn-vpn config myvpn --dns-servers 8.8.8.8 8.8.4.4
30
+ ```
31
+
32
+ *Options:*
33
+
34
+ ```bash
35
+ [--cidr=CIDR] # cidr from which to assign client IP addresses
36
+ # Default: 10.250.0.0/16
37
+ [--dns-servers=DNS_SERVERS] # DNS Servers to push to clients.
38
+ [--split-tunnel], [--no-split-tunnel] # only push routes to the client on the vpn endpoint
39
+ [--internet-route], [--no-internet-route] # create a default route to the internet
40
+ # Default: true
41
+ [--protocol=PROTOCOL] # set the protocol for the vpn connections
42
+ # Default: udp
43
+ # Possible values: udp, tcp
44
+ ```
45
+
46
+
47
+ ## Share client certificates with a user
48
+
49
+ The users vpn config and certificates can be passed to the user securely using S3 signed URLs to allow the user to directly download them.
50
+ There are 2 ways to generate the vpn config file, by having the certificates and config file separate or by embedding the certificates into the config file.
51
+
52
+
53
+ ### Certificate embedded into config
54
+
55
+ This will pull the clients certificate and key archives from S3 and embed them into the config file, upload it back to S3 and generate a presigned URL for the user.
56
+ This allows the you to download or share a single, ready to import config file into a OpenVPN client.
57
+
58
+ ```sh
59
+ cfn-vpn embedded myvpn --client-cn user1 --bucket mybucket
60
+ ```
61
+
62
+ ### Separate certificate and config
63
+
64
+ This will generate a presigned url for the client's certificate and config file to allow them to download them to their local computer.
65
+
66
+ ```sh
67
+ cfn-vpn share myvpn --client-cn user1 --bucket mybucket
68
+ ```
69
+
70
+ You can then share the output with your user
71
+
72
+ ```
73
+ Download the certificates and config from the bellow presigned URLs which will expire in 1 hour.
74
+
75
+ Certificate:
76
+ <presigned url>
77
+
78
+ Config:
79
+ <presigned url>
80
+
81
+ Extract the certificates from the tar and place into a safe location.
82
+ tar xzfv user1.tar.gz -C <path>
83
+
84
+ Modify base2-ciinabox.config.ovpn to include the full location of your extracted certificates
85
+ echo "key /<path>/user1.key" >> myvpn.config.ovpn
86
+ echo "cert /<path>/user1.crt" >> myvpn.config.ovpn
87
+
88
+ Open myvpn.config.ovpn with your favourite openvpn client.
89
+ ```
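Review bot: the "Modify the Client VPN config" section in certificate-users.md documents `cfn-vpn config myvpn ...`, but this release has no `config` action (the file list adds `actions/modify.rb` and modifying.md documents `cfn-vpn modify`), and its option list disagrees with getting-started.md, where `--internet-route` takes a subnet id rather than a boolean and `--split-tunnel` defaults to true; either remove the section in favour of modifying.md or make the two match. In the sample share output, `Modify base2-ciinabox.config.ovpn` is a leftover from a specific deployment and should read `myvpn.config.ovpn` like the lines after it; "bellow" should be "below". Two sentences are missing: the revoke section says the live session is not terminated, so point readers at the `sessions` command (sessions.md) to drop it; and the share sections hand out presigned URLs to an archive containing the user's private key, so tell users to treat the link as a secret and remove the archive once the key is in place. "Stored encrypted in your provided s3 bucket" should also name the encryption used so a reader can verify it.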
@@ -0,0 +1,128 @@
1
+ ## Getting Started with CfnVpn
2
+
3
+ ## Installation
4
+
5
+ Install `cfn-vpn` gem
6
+
7
+ ```bash
8
+ gem install cfn-vpn --source "https://rubygems.pkg.github.com/base2services"
9
+ ```
10
+
11
+ ## Setup Easy-RSA
12
+
13
+ **Option 1 - Docker**
14
+
15
+ Install [docker](https://docs.docker.com/install/)
16
+
17
+ Docker is required to generate the certificates required for the client vpn.
18
+ The gem uses [openvpn/easy-rsa](https://github.com/OpenVPN/easy-rsa) project in [base2/aws-client-vpn](https://hub.docker.com/r/base2/aws-client-vpn) docker image. [repo](https://github.com/base2Services/ciinabox-containers/tree/master/easy-rsa)
19
+
20
+ **Option 2 - local**
21
+
22
+ If you would rather setup easy-rsa than install docker, you can use the `--easyrsa-local` flag when running the commands to use a local copy of easy-rsa, the binary just needs to be available in the `$PATH`. Install from [openvpn/easy-rsa](https://github.com/OpenVPN/easy-rsa)
23
+
24
+
25
+ ## Setup Your AWS Credentials
26
+
27
+ Setup your [AWS credentials](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) by either setting a profile or exporting them as environment variables.
28
+
29
+ ```bash
30
+ export AWS_ACCESS_KEY_ID="XXXXXXXXXXXXXXXXXXXXX"
31
+ export AWS_SECRET_ACCESS_KEY="XXXXXXXXXXXXXXXXXXXXX"
32
+ export AWS_SESSION_TOKEN="XXXXXXXXXXXXXXXXXXXXX"
33
+ ```
34
+
35
+ Optionally export the AWS region if not providing `--region` flag
36
+
37
+ ```bash
38
+ export AWS_REGION="us-east-1"
39
+ ```
40
+
41
+
42
+ ## Initializing CfnVpn
43
+
44
+ to launch a new CfnVpn stack run the `init` command along with the options.
45
+
46
+ ### Certificate Authenticated VPN
47
+
48
+ This is the default option when launching a ClientVPN using certificated based authentication. https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html#mutual
49
+
50
+ The following command and required options will launch a new certificate based Client-VPN
51
+
52
+ ```sh
53
+ cfn-vpn init [name] --bucket [s3-bucket] --server-cn [server certificate name] --subnet-ids [list of subets to associate with the vpn]
54
+ ```
55
+
56
+
57
+ ### Federated SAML Authenticated VPN
58
+
59
+ This option is for when you want to manage users through an external directory provider like AWS SSO, OKTA or AzureAD. https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html#federated-authentication
60
+
61
+ **Prerequisites:** Client-VPN requires a IAM SAML identity provider ARN, see the [AWS docs](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html) to create one.
62
+
63
+ The following command and required option will launch a new federated based Client-VPN
64
+
65
+ ```sh
66
+ cfn-vpn init [name] --server-cn [server certificate name] --subnet-ids [list of subets to associate with the vpn] --saml-arn [identity providor arn]
67
+ ```
68
+
69
+ The default authorization rule for the associated subnets allows all. You can optionally change this by using the `--default-groups` flag to set groups on the default authorization rule.
70
+
71
+ ```sh
72
+ cfn-vpn init [name] --server-cn [server certificate name] --subnet-ids [list of subets to associate with the vpn] --saml-arn [identity providor arn] --default-groups [list of group ids]
73
+ ```
74
+
75
+ **AWS SSO**
76
+
77
+ If using AWS SSO as your SAML provider check this guide on how to set up SAML using AWS SSO https://codeburst.io/the-aws-client-vpn-federated-authentication-missing-example-655e0a1ff7f4
78
+
79
+
80
+ ### AWS Directory Services Authenticated VPN
81
+
82
+ This option integrates Microsoft Active Directory or Simple AD through AWS Directory Service with AWS Client VPN.
83
+
84
+ The following command and required option will launch a new directory service based Client-VPN
85
+
86
+ ```sh
87
+ cfn-vpn init simple-ad --server-cn [server certificate name] --subnet-ids [list of subets to associate with the vpn] --directory-id [aws directirory serivce id]
88
+ ```
89
+
90
+ The default authorization rule for the associated subnets allows all. You can optionally change this by using the `--default-groups` flag to set groups on the default authorization rule. The group Id is the Active Directory Group ID or SID.
91
+
92
+ ```sh
93
+ cfn-vpn init simple-ad --server-cn [server certificate name] --subnet-ids [list of subets to associate with the vpn] --directory-id [aws directirory serivce id] --default-groups [list of group ids]
94
+ ```
95
+
96
+ See this guide for further help on setting up https://shogokobayashi.com/2019/05/18/aws-client-vpn-with-simplead/
97
+
98
+ ## Subnet Associations and Authorization
99
+
100
+ AWS ClientVPN requires one or more subnets to be associated with the vpn. These subnets setup the default routes and by default cfn-vpn creates a allow all auth for the default routes.
101
+ When using a federated ClientVPN you can modify the default auth to only allow specific groups by setting the groups in the `--default-groups` flag. This can also be modified later using the `modify` command.
102
+
103
+ ## Additional Initializing Options
104
+
105
+ ```
106
+ Options:
107
+ r, [--region=REGION] # AWS Region
108
+ # Default: ap-southeast-2
109
+ [--verbose], [--no-verbose] # set log level to debug
110
+ --server-cn=SERVER_CN # server certificate common name
111
+ [--client-cn=CLIENT_CN] # client certificate common name
112
+ [--easyrsa-local], [--no-easyrsa-local] # run the easyrsa executable from your local rather than from docker
113
+ [--bucket=BUCKET] # s3 bucket
114
+ --subnet-ids=one two three # subnet id to associate your vpn with
115
+ [--default-groups=one two three] # groups to allow through the subnet associations when using federated auth
116
+ [--cidr=CIDR] # cidr from which to assign client IP addresses
117
+ # Default: 10.250.0.0/16
118
+ [--dns-servers=one two three] # DNS Servers to push to clients.
119
+ [--split-tunnel], [--no-split-tunnel] # only push routes to the client on the vpn endpoint
120
+ # Default: true
121
+ [--internet-route=INTERNET_ROUTE] # [subnet-id] create a default route to the internet through a subnet
122
+ [--protocol=PROTOCOL] # set the protocol for the vpn connections
123
+ # Default: udp
124
+ # Possible values: udp, tcp
125
+ [--start=START] # cloudwatch event cron schedule in UTC to associate subnets to the client vpn
126
+ [--stop=STOP] # cloudwatch event cron schedule in UTC to disassociate subnets to the client vpn
127
+ [--saml-arn=SAML_ARN] # IAM SAML idenditiy providor arn if using SAML federated authentication
128
+ ```
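Review bot: both the federated and the directory-service sections say the default authorization rule for the associated subnets "allows all", which for those auth types means every identity the IdP or directory can authenticate reaches the whole target network; the examples should lead with `--default-groups` rather than present it as optional, and the option text should spell out what "all" means. The install command uses `https://rubygems.pkg.github.com/base2services`, a GitHub Packages registry that requires an authenticated `gem install`, yet the section gives no credential setup. The option table's `--internet-route=INTERNET_ROUTE # [subnet-id]` contradicts the boolean form shown in certificate-users.md. Spelling: "subets", "providor", "directirory serivce", "idenditiy", "certificated based"; and "Getting Started with CfnVpn" is an H2 followed by another H2 rather than an H1.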
data/docs/modifying.md ADDED
@@ -0,0 +1,67 @@
1
+ # Modifying The Client-VPN
2
+
3
+ The Client-VPN properties such as the DNS servers and the associated subnets can be modified using the `modify` command
4
+
5
+
6
+ ## CfnVpn Configuration
7
+
8
+ By default `cfn-vpn` configuration is managed in a SSM parameter name `/cfnvpn/config/[name]`. This config can be dumped to a YAML file if you wish to manage through source control and use for updating `cfn-vpn` configuration.
9
+
10
+ to dump the config to a yaml file use the `params` command. this will create a file call `cfnvpn.[name].yaml` in your current directory
11
+
12
+ ```sh
13
+ cfn-vpn params [name] --dump
14
+ ```
15
+
16
+ the `params` command can also be used to view the current deployed config and diff the deployed config against your local yaml file
17
+
18
+ ### View
19
+
20
+ ```sh
21
+ cfn-vpn params [name]
22
+ ```
23
+
24
+ ### Diff
25
+
26
+ ```sh
27
+ cfn-vpn params [name] --diff-yaml cfnvpn.[name].yaml
28
+ ```
29
+
30
+ ## Modifying
31
+
32
+ ### With CLI Options
33
+
34
+ to modify the VPN properties run the modify command with the desired options
35
+
36
+ ```
37
+ cfn-vpn modify [name] --dns-servers 10.15.0.2
38
+ ```
39
+
40
+ a cloudformation changeset is created with the desired changes and approval is asked
41
+
42
+ ```
43
+ INFO: - Creating cloudformation changeset for stack [name]-cfnvpn in [region]
44
+
45
+ +-----------------------------------+---------------------------------------------+-------------+---------------------+
46
+ | Modify |
47
+ +-----------------------------------+---------------------------------------------+-------------+---------------------+
48
+ | Logical Resource Id | Resource Type | Replacement | Changes |
49
+ +-----------------------------------+---------------------------------------------+-------------+---------------------+
50
+ | CfnVpnConfig | AWS::SSM::Parameter | Conditional | Value |
51
+ | ClientVpnEndpoint | AWS::EC2::ClientVpnEndpoint | Conditional | DnsServers |
52
+ | ClientVpnTargetNetworkAssociation | AWS::EC2::ClientVpnTargetNetworkAssociation | Conditional | ClientVpnEndpointId |
53
+ | TargetNetworkAuthorizationRule | AWS::EC2::ClientVpnAuthorizationRule | Conditional | ClientVpnEndpointId |
54
+ +-----------------------------------+---------------------------------------------+-------------+---------------------+
55
+ INFO: - Cloudformation changeset changes:
56
+
57
+ Continue? y
58
+ INFO: - Waiting for changeset to UPDATE
59
+ INFO: - Changeset UPDATE complete
60
+ INFO: - Client VPN [endpoint-id] modified
61
+ ```
62
+
63
+ ### With YAML File
64
+
65
+ ```
66
+ cfn-vpn modify [name] --params-yaml cfnvpn.[name].yaml
67
+ ```
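Review bot: the sample changeset lists `ClientVpnEndpoint` and `ClientVpnTargetNetworkAssociation` with Replacement "Conditional" for what is presented as a DNS server change; if CloudFormation does replace the endpoint, every connected client is dropped, the endpoint id changes and existing client configs stop working, so the text around `Continue? y` should tell the reader to inspect the Replacement column before approving. The `params --dump` step writes `cfnvpn.[name].yaml` to the working directory and proposes committing it to source control, and the SSM parameter `/cfnvpn/config/[name]` holds the deployed config; state whether either contains anything sensitive. Style: sentences starting "to dump", "this will create a file call", "the `params` command", "to modify" and "a cloudformation changeset" need capitals, and "file call" should be "file called".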
data/docs/routes.md ADDED
@@ -0,0 +1,98 @@
1
+ # Managing Client-VPN Routes
2
+
3
+ Management of the VPN routes can be altered using the `routes` command or by using the `modify` command along with the yaml config file.
4
+
5
+ **Note:** The default route via subnet association cannot be modified through this command. Use the `modify` command to alter the subnet associations.
6
+
7
+ CfnVpn can create static routes for CIDRs as well as dynamically lookup IPs for dns endpoints and continue to monitor and update the routes if the IPs change.
8
+
9
+ ```sh
10
+ cfn-vpn help routes
11
+ ```
12
+
13
+ ## Dynamic DNS Routes
14
+
15
+ Dynamic DNS routes takes a dns endpoint and will query the record every 5 minutes to see if the IPs have changed and update the routes.
16
+
17
+ ### Add New
18
+
19
+ to add a new route run the routes command along with the `--dns` option
20
+
21
+ ```sh
22
+ cfn-vpn routes [name] --dns example.com
23
+ ```
24
+
25
+ ### Delete
26
+
27
+ to delete a route run the routes command along with the `--dns` option of the route to delete and the delete option
28
+
29
+ ```sh
30
+ cfn-vpn routes [name] --dns example.com --delete
31
+ ```
32
+
33
+ ## Static CIDR Routes
34
+
35
+ ### Add New
36
+
37
+ to add a new route run the routes command along with the `--cidr` option
38
+
39
+ ```sh
40
+ cfn-vpn routes [name] --cidr 10.151.0.0/16
41
+ ```
42
+
43
+ ### Delete
44
+
45
+ to delete a route run the routes command along with the `--cidr` option of the route to delete and the delete option
46
+
47
+ ```sh
48
+ cfn-vpn routes [name] --cidr 10.151.0.0/16 --delete
49
+ ```
50
+
51
+ ## Manage Authorization Groups
52
+
53
+ When using federated or active directory authentication groups can be used to control access to certain routes. These can be managed on the routes by providing the `--groups [list of groups]` along with a space delimited list of groups to the `routes` command. This is available for both DNS and CIDR routes
54
+
55
+ To add groups to a new route or to override all groups on an exiting route use the `--groups` options
56
+
57
+ ```sh
58
+ cfn-vpn routes [name] [--cidr 10.151.0.0/16] [--dns example.com] --groups devs ops
59
+ ```
60
+
61
+ To add groups to an existing route use the `--add-groups` options
62
+
63
+ ```sh
64
+ cfn-vpn routes [name] [--cidr 10.151.0.0/16] [--dns example.com] --add-groups admin
65
+ ```
66
+
67
+ To delete groups from an existing route use the `--del-groups` options
68
+
69
+ ```sh
70
+ cfn-vpn routes [name] [--cidr 10.151.0.0/16] [--dns example.com] --del-groups dev
71
+ ```
72
+
73
+ ## Modify Command
74
+
75
+ add or modify the `routes:` key in your config yaml file
76
+
77
+ ```yaml
78
+ routes:
79
+ - cidr: 10.151.0.0/16
80
+ desc: route to dev peered vpc
81
+ groups:
82
+ - devs
83
+ - ops
84
+ - cidr: 10.152.0.0/16
85
+ desc: route to prod peered vpc
86
+ groups:
87
+ - ops
88
+ - dns: example.com
89
+ desc: my dev alb
90
+ groups:
91
+ - dev
92
+ ```
93
+
94
+ run the `modify` command and supply the yaml file to apply the changes
95
+
96
+ ```sh
97
+ cfn-vpn routes [name] --params-yaml cfnvpn.[name].yaml
98
+ ```
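Review bot: the last example is wrong: the sentence says to run the `modify` command, and modifying.md shows `cfn-vpn modify [name] --params-yaml cfnvpn.[name].yaml`, but the block reads `cfn-vpn routes [name] --params-yaml cfnvpn.[name].yaml`. The YAML example and the group commands mix `devs` and `dev` as group names, which an authorization rule will treat as two different groups; use one. Dynamic DNS routes need a caveat: the auto_route_populator lambda turns whatever the resolver returns every 5 minutes into VPN routes, so a poisoned or hijacked answer becomes reachable network inside the VPN, and records with short TTLs or many addresses (an ALB, as in the "my dev alb" example) can change between polls and leave stale routes; say which resolver is used and what happens when a lookup fails. Typo: "exiting route".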