cfn-vpn 1.3.1 → 1.3.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/docs/getting-started.md +52 -26
- data/lib/cfnvpn/actions/init.rb +2 -0
- data/lib/cfnvpn/templates/vpn.rb +1 -1
- data/lib/cfnvpn/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: c46ffdf0579ffd7c1fd42efadc969bbd095f9f789dfcb5b9e3e2aef7f85e959c
|
4
|
+
data.tar.gz: 7a6e1a34fa32b2246a8998e8645381635e8c5adf7a6bf978c241ea4d7e4ee217
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 6aa8e34eab7fe87a36128e299a3603f6e2cad58bf55cc9a2ff4f3847306a0ce92ba20c6a9471f7356c43eee85ccd6a362bed7bf7feb14df2a97cb54cc0af546d
|
7
|
+
data.tar.gz: 5aefb22f6d9ea925877f0811897fdd3e4a47286769cb106e19a46df6ccd7d2ce29d30bdc93ea2c87c4fb686609a33c009186057b248af9b33645b15d72d8f22c
|
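Review bot: the `-` lines for `metadata.gz:` and `data.tar.gz:` under both SHA256 and SHA512 carry no digest value, so this hunk does not show what the previous checksums were and cannot be used on its own to confirm what changed between 1.3.1 and 1.3.3; verify the new SHA256 and SHA512 values against a fresh download of the 1.3.3 gem rather than against this view.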
data/docs/getting-started.md
CHANGED
@@ -63,19 +63,38 @@ This option is for when you want to manage users through an external directory p
|
|
63
63
|
The following command and required option will launch a new federated based Client-VPN
|
64
64
|
|
65
65
|
```sh
|
66
|
-
cfn-vpn init [name] --server-cn [server certificate name]
|
66
|
+
cfn-vpn init [name] --server-cn [server certificate name] \
|
67
|
+
--subnet-ids [list of subets to associate with the vpn] \
|
68
|
+
--saml-arn [identity providor arn]
|
67
69
|
```
|
68
70
|
|
69
71
|
The default authorization rule for the associated subnets allows all. You can optionally change this by using the `--default-groups` flag to set groups on the default authorization rule.
|
70
72
|
|
73
|
+
```diff
|
74
|
+
! Group id's must be used if creating authorisation rules.
|
75
|
+
! Each SAML providor will have different group id's and means of retrieving them.
|
76
|
+
```
|
77
|
+
|
71
78
|
```sh
|
72
|
-
cfn-vpn init [name] --server-cn [server certificate name]
|
79
|
+
cfn-vpn init [name] --server-cn [server certificate name] \
|
80
|
+
--subnet-ids [list of subnet to associate with the vpn] \
|
81
|
+
--saml-arn [identity provider arn] \
|
82
|
+
--default-groups [list of group ids]
|
73
83
|
```
|
74
84
|
|
75
85
|
**AWS SSO**
|
76
86
|
|
77
87
|
If using AWS SSO as your SAML provider check this guide on how to set up SAML using AWS SSO https://codeburst.io/the-aws-client-vpn-federated-authentication-missing-example-655e0a1ff7f4
|
78
88
|
|
89
|
+
If you want to leverage the Self Service Portal you need to add the specify the `--saml-self-service-arn [self service identity provider arn]` You can follow the example here https://aws.amazon.com/blogs/security/authenticate-aws-client-vpn-users-with-aws-single-sign-on/ on how to setup the self sign-on sso application
|
90
|
+
|
91
|
+
```sh
|
92
|
+
cfn-vpn init [name] --server-cn [server certificate name] \
|
93
|
+
--subnet-ids [list of subnet to associate with the vpn] \
|
94
|
+
--saml-arn [identity provider arn] \
|
95
|
+
--saml-self-service-arn [self service identity provider arn] \
|
96
|
+
--default-groups [list of group ids]
|
97
|
+
```
|
79
98
|
|
80
99
|
### AWS Directory Services Authenticated VPN
|
81
100
|
|
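Review bot: the unchanged sentence at the top of this hunk still says the default authorization rule "allows all" while the new examples present `--default-groups` as optional; with federated auth that means every user the IdP asserts gets access to the associated subnets, so the text should say so explicitly and recommend setting `--default-groups` from the first `init`. The new lines also carry typos that will be copied into user commands and docs: `subets` in `--subnet-ids [list of subets to associate with the vpn]`, `providor` in `--saml-arn [identity providor arn]` and in the `diff` callout, and `authorisation rules` versus `authorization` elsewhere in the file. In the self-service paragraph, `add the specify the` should read `add the`, a full stop is missing before `You can follow`, and `self sign-on sso application` should read `self-service SSO application`.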
@@ -84,13 +103,18 @@ This option integrates Microsoft Active Directory or Simple AD through AWS Direc
|
|
84
103
|
The following command and required option will launch a new directory service based Client-VPN
|
85
104
|
|
86
105
|
```sh
|
87
|
-
cfn-vpn init simple-ad --server-cn [server certificate name]
|
106
|
+
cfn-vpn init simple-ad --server-cn [server certificate name] \
|
107
|
+
--subnet-ids [list of subets to associate with the vpn] \
|
108
|
+
--directory-id [aws directirory serivce id]
|
88
109
|
```
|
89
110
|
|
90
111
|
The default authorization rule for the associated subnets allows all. You can optionally change this by using the `--default-groups` flag to set groups on the default authorization rule. The group Id is the Active Directory Group ID or SID.
|
91
112
|
|
92
113
|
```sh
|
93
|
-
cfn-vpn init simple-ad --server-cn [server certificate name]
|
114
|
+
cfn-vpn init simple-ad --server-cn [server certificate name] \
|
115
|
+
--subnet-ids [list of subets to associate with the vpn] \
|
116
|
+
--directory-id [aws directirory serivce id] \
|
117
|
+
--default-groups [list of group ids]
|
94
118
|
```
|
95
119
|
|
96
120
|
See this guide for further help on setting up https://shogokobayashi.com/2019/05/18/aws-client-vpn-with-simplead/
|
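Review bot: both `init simple-ad` examples added here repeat `subets` (`--subnet-ids [list of subets to associate with the vpn]`) and `directirory serivce` (`--directory-id [aws directirory serivce id]`); these should read `subnets` and `directory service`. The unchanged sentence above the second example says the group ID is "the Active Directory Group ID or SID"; since the value is pasted into an authorization rule, state which form is accepted so users do not supply the wrong one.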
@@ -104,25 +128,27 @@ When using a federated ClientVPN you can modify the default auth to only allow s
|
|
104
128
|
|
105
129
|
```
|
106
130
|
Options:
|
107
|
-
r, [--region=REGION]
|
108
|
-
|
109
|
-
[--verbose], [--no-verbose]
|
110
|
-
--server-cn=SERVER_CN
|
111
|
-
[--client-cn=CLIENT_CN]
|
112
|
-
[--easyrsa-local], [--no-easyrsa-local]
|
113
|
-
[--bucket=BUCKET]
|
114
|
-
--subnet-ids=one two three
|
115
|
-
[--default-groups=one two three]
|
116
|
-
[--cidr=CIDR]
|
117
|
-
|
118
|
-
[--dns-servers=one two three]
|
119
|
-
[--split-tunnel], [--no-split-tunnel]
|
120
|
-
|
121
|
-
[--internet-route=INTERNET_ROUTE]
|
122
|
-
[--protocol=PROTOCOL]
|
123
|
-
|
124
|
-
|
125
|
-
[--start=START]
|
126
|
-
[--stop=STOP]
|
127
|
-
[--saml-arn=SAML_ARN]
|
128
|
-
|
131
|
+
r, [--region=REGION] # AWS Region
|
132
|
+
# Default: ap-southeast-2
|
133
|
+
[--verbose], [--no-verbose] # set log level to debug
|
134
|
+
--server-cn=SERVER_CN # server certificate common name
|
135
|
+
[--client-cn=CLIENT_CN] # client certificate common name
|
136
|
+
[--easyrsa-local], [--no-easyrsa-local] # run the easyrsa executable from your local rather than from docker
|
137
|
+
[--bucket=BUCKET] # s3 bucket, if not set one will be generated for you
|
138
|
+
--subnet-ids=one two three # subnet id to associate your vpn with
|
139
|
+
[--default-groups=one two three] # groups to allow through the subnet associations when using federated auth
|
140
|
+
[--cidr=CIDR] # cidr from which to assign client IP addresses
|
141
|
+
# Default: 10.250.0.0/16
|
142
|
+
[--dns-servers=one two three] # DNS Servers to push to clients.
|
143
|
+
[--split-tunnel], [--no-split-tunnel] # only push routes to the client on the vpn endpoint
|
144
|
+
# Default: true
|
145
|
+
[--internet-route=INTERNET_ROUTE] # [subnet-id] create a default route to the internet through a subnet
|
146
|
+
[--protocol=PROTOCOL] # set the protocol for the vpn connections
|
147
|
+
# Default: udp
|
148
|
+
# Possible values: udp, tcp
|
149
|
+
[--start=START] # cloudwatch event cron schedule in UTC to associate subnets to the client vpn
|
150
|
+
[--stop=STOP] # cloudwatch event cron schedule in UTC to disassociate subnets to the client vpn
|
151
|
+
[--saml-arn=SAML_ARN] # IAM SAML idenditiy providor arn if using SAML federated authentication
|
152
|
+
[--saml-self-service-arn=SAML_SELF_SERVICE_ARN] # IAM SAML idenditiy providor arn for the self service portal
|
153
|
+
[--directory-id=DIRECTORY_ID] # AWS Directory Service directory id if using Active Directory authentication
|
154
|
+
```
|
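Review bot: the help text added for `--saml-arn` and `--saml-self-service-arn` misspells `idenditiy providor` (should be `identity provider`), and the `--saml-self-service-arn` line should say that it falls back to `--saml-arn` when omitted, since that is what the template change in this release does. The `--default-groups` comment mentions only federated auth, but the directory-service section earlier in the same file documents the flag for Active Directory groups as well; align the comment with that so readers of `--help` are not misled.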
data/lib/cfnvpn/actions/init.rb
CHANGED
@@ -36,6 +36,7 @@ module CfnVpn::Actions
|
|
36
36
|
class_option :stop, type: :string, desc: 'cloudwatch event cron schedule in UTC to disassociate subnets to the client vpn'
|
37
37
|
|
38
38
|
class_option :saml_arn, desc: 'IAM SAML idenditiy providor arn if using SAML federated authentication'
|
39
|
+
class_option :saml_self_service_arn, desc: 'IAM SAML idenditiy providor arn for the self service portal'
|
39
40
|
class_option :directory_id, desc: 'AWS Directory Service directory id if using Active Directory authentication'
|
40
41
|
|
41
42
|
def self.source_root
|
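Review bot: `class_option :saml_self_service_arn` copies the misspelling `idenditiy providor` from the `:saml_arn` line above it; both descriptions should read `IAM SAML identity provider arn`. Unlike `:stop` just above, neither SAML option declares `type: :string`; Thor defaults to string, but declaring it keeps the option block consistent.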
@@ -64,6 +65,7 @@ module CfnVpn::Actions
|
|
64
65
|
start: @options['start'],
|
65
66
|
stop: @options['stop'],
|
66
67
|
saml_arn: @options['saml_arn'],
|
68
|
+
saml_self_service_arn: @options['saml_self_service_arn'],
|
67
69
|
directory_id: @options['directory_id'],
|
68
70
|
routes: []
|
69
71
|
}
|
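Review bot: `saml_self_service_arn: @options['saml_self_service_arn']` is passed through unchanged, so a blank value supplied on the command line reaches the template as an empty string rather than `nil`; consider normalising blank values to `nil` here so the template's fallback to `saml_arn` applies and an empty ARN is never sent to CloudFormation.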
data/lib/cfnvpn/templates/vpn.rb
CHANGED
@@ -33,7 +33,7 @@ module CfnVpn
|
|
33
33
|
{
|
34
34
|
FederatedAuthentication: {
|
35
35
|
SAMLProviderArn: config[:saml_arn],
|
36
|
-
SelfServiceSAMLProviderArn: config[:saml_arn]
|
36
|
+
SelfServiceSAMLProviderArn: config[:saml_self_service_arn].nil? ? config[:saml_arn] : config[:saml_self_service_arn]
|
37
37
|
},
|
38
38
|
Type: 'federated-authentication'
|
39
39
|
}
|
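Review bot: the ternary `config[:saml_self_service_arn].nil? ? config[:saml_arn] : config[:saml_self_service_arn]` only falls back when the key is `nil`, so an empty string would be emitted as `SelfServiceSAMLProviderArn`; checking `.to_s.empty?` (or normalising blanks before the config is built) closes that gap, and `config[:saml_self_service_arn] || config[:saml_arn]` is the shorter form if `nil` is the only case to handle. Reusing the main provider ARN for the self-service portal preserves the 1.3.1 behaviour for existing users, but because the portal then trusts the same identity provider as the VPN endpoint, the fallback should be stated in the getting-started docs rather than left implicit.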
data/lib/cfnvpn/version.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: cfn-vpn
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.3.
|
4
|
+
version: 1.3.3
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Guslington
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date: 2021-
|
11
|
+
date: 2021-11-04 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: thor
|
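Review bot: `cert_chain: []` is unchanged, so the 1.3.3 gem is still published unsigned and the only integrity check available to consumers is the digest in `checksums.yaml`; signing releases would give users a check that does not depend on the registry. The `-` lines `version: 1.3.` and `date: 2021-` are truncated in this view, so the previous version and release date cannot be confirmed from this hunk alone (the page title gives 1.3.1).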