cfn-vpn 1.3.1 → 1.3.3
- checksums.yaml +4 -4
- data/docs/getting-started.md +52 -26
- data/lib/cfnvpn/actions/init.rb +2 -0
- data/lib/cfnvpn/templates/vpn.rb +1 -1
- data/lib/cfnvpn/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: c46ffdf0579ffd7c1fd42efadc969bbd095f9f789dfcb5b9e3e2aef7f85e959c
|
4
|
+
data.tar.gz: 7a6e1a34fa32b2246a8998e8645381635e8c5adf7a6bf978c241ea4d7e4ee217
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 6aa8e34eab7fe87a36128e299a3603f6e2cad58bf55cc9a2ff4f3847306a0ce92ba20c6a9471f7356c43eee85ccd6a362bed7bf7feb14df2a97cb54cc0af546d
|
7
|
+
data.tar.gz: 5aefb22f6d9ea925877f0811897fdd3e4a47286769cb106e19a46df6ccd7d2ce29d30bdc93ea2c87c4fb686609a33c009186057b248af9b33645b15d72d8f22c
|
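Review bot: the removed metadata.gz and data.tar.gz values are blank in this rendering, so the checksum change cannot be assessed from the diff itself; treat the new SHA256 and SHA512 values as regenerated build output to be checked against the published 1.3.3 gem artifacts (metadata.gz, data.tar.gz) rather than as something reviewed here.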
data/docs/getting-started.md
CHANGED
@@ -63,19 +63,38 @@ This option is for when you want to manage users through an external directory p
|
|
63
63
|
The following command and required option will launch a new federated based Client-VPN
|
64
64
|
|
65
65
|
```sh
|
66
|
-
cfn-vpn init [name] --server-cn [server certificate name]
|
66
|
+
cfn-vpn init [name] --server-cn [server certificate name] \
|
67
|
+
--subnet-ids [list of subets to associate with the vpn] \
|
68
|
+
--saml-arn [identity providor arn]
|
67
69
|
```
|
68
70
|
|
69
71
|
The default authorization rule for the associated subnets allows all. You can optionally change this by using the `--default-groups` flag to set groups on the default authorization rule.
|
70
72
|
|
73
|
+
```diff
|
74
|
+
! Group id's must be used if creating authorisation rules.
|
75
|
+
! Each SAML providor will have different group id's and means of retrieving them.
|
76
|
+
```
|
77
|
+
|
71
78
|
```sh
|
72
|
-
cfn-vpn init [name] --server-cn [server certificate name]
|
79
|
+
cfn-vpn init [name] --server-cn [server certificate name] \
|
80
|
+
--subnet-ids [list of subnet to associate with the vpn] \
|
81
|
+
--saml-arn [identity provider arn] \
|
82
|
+
--default-groups [list of group ids]
|
73
83
|
```
|
74
84
|
|
75
85
|
**AWS SSO**
|
76
86
|
|
77
87
|
If using AWS SSO as your SAML provider check this guide on how to set up SAML using AWS SSO https://codeburst.io/the-aws-client-vpn-federated-authentication-missing-example-655e0a1ff7f4
|
78
88
|
|
89
|
+
If you want to leverage the Self Service Portal you need to add the specify the `--saml-self-service-arn [self service identity provider arn]` You can follow the example here https://aws.amazon.com/blogs/security/authenticate-aws-client-vpn-users-with-aws-single-sign-on/ on how to setup the self sign-on sso application
|
90
|
+
|
91
|
+
```sh
|
92
|
+
cfn-vpn init [name] --server-cn [server certificate name] \
|
93
|
+
--subnet-ids [list of subnet to associate with the vpn] \
|
94
|
+
--saml-arn [identity provider arn] \
|
95
|
+
--saml-self-service-arn [self service identity provider arn] \
|
96
|
+
--default-groups [list of group ids]
|
97
|
+
```
|
79
98
|
|
80
99
|
### AWS Directory Services Authenticated VPN
|
81
100
|
|
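Review bot: the new command examples carry spelling slips that will be copied straight into docs and shell sessions: `[list of subets to associate with the vpn]` should read `subnets`, `[identity providor arn]` should read `[identity provider arn]` as the second example already does, and the callout line `! Each SAML providor will have different group id's` should read `provider` and `group IDs`. The self-service paragraph also needs its sentence repaired: `you need to add the specify the` should be `you need to specify`, a full stop is missing before `You can follow the example here`, and `self sign-on sso application` should be `self-service SSO application`. Pick one spelling of authorisation/authorization for the section.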
@@ -84,13 +103,18 @@ This option integrates Microsoft Active Directory or Simple AD through AWS Direc
|
|
84
103
|
The following command and required option will launch a new directory service based Client-VPN
|
85
104
|
|
86
105
|
```sh
|
87
|
-
cfn-vpn init simple-ad --server-cn [server certificate name]
|
106
|
+
cfn-vpn init simple-ad --server-cn [server certificate name] \
|
107
|
+
--subnet-ids [list of subets to associate with the vpn] \
|
108
|
+
--directory-id [aws directirory serivce id]
|
88
109
|
```
|
89
110
|
|
90
111
|
The default authorization rule for the associated subnets allows all. You can optionally change this by using the `--default-groups` flag to set groups on the default authorization rule. The group Id is the Active Directory Group ID or SID.
|
91
112
|
|
92
113
|
```sh
|
93
|
-
cfn-vpn init simple-ad --server-cn [server certificate name]
|
114
|
+
cfn-vpn init simple-ad --server-cn [server certificate name] \
|
115
|
+
--subnet-ids [list of subets to associate with the vpn] \
|
116
|
+
--directory-id [aws directirory serivce id] \
|
117
|
+
--default-groups [list of group ids]
|
94
118
|
```
|
95
119
|
|
96
120
|
See this guide for further help on setting up https://shogokobayashi.com/2019/05/18/aws-client-vpn-with-simplead/
|
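Review bot: both directory-service examples repeat typos in the placeholder text, `[list of subets to associate with the vpn]` and `[aws directirory serivce id]`; they should read `subnets` and `aws directory service id`, matching the option help text `AWS Directory Service directory id` later in this same file.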
@@ -104,25 +128,27 @@ When using a federated ClientVPN you can modify the default auth to only allow s
|
|
104
128
|
|
105
129
|
```
|
106
130
|
Options:
|
107
|
-
r, [--region=REGION]
|
108
|
-
|
109
|
-
[--verbose], [--no-verbose]
|
110
|
-
--server-cn=SERVER_CN
|
111
|
-
[--client-cn=CLIENT_CN]
|
112
|
-
[--easyrsa-local], [--no-easyrsa-local]
|
113
|
-
[--bucket=BUCKET]
|
114
|
-
--subnet-ids=one two three
|
115
|
-
[--default-groups=one two three]
|
116
|
-
[--cidr=CIDR]
|
117
|
-
|
118
|
-
[--dns-servers=one two three]
|
119
|
-
[--split-tunnel], [--no-split-tunnel]
|
120
|
-
|
121
|
-
[--internet-route=INTERNET_ROUTE]
|
122
|
-
[--protocol=PROTOCOL]
|
123
|
-
|
124
|
-
|
125
|
-
[--start=START]
|
126
|
-
[--stop=STOP]
|
127
|
-
[--saml-arn=SAML_ARN]
|
128
|
-
|
131
|
+
r, [--region=REGION] # AWS Region
|
132
|
+
# Default: ap-southeast-2
|
133
|
+
[--verbose], [--no-verbose] # set log level to debug
|
134
|
+
--server-cn=SERVER_CN # server certificate common name
|
135
|
+
[--client-cn=CLIENT_CN] # client certificate common name
|
136
|
+
[--easyrsa-local], [--no-easyrsa-local] # run the easyrsa executable from your local rather than from docker
|
137
|
+
[--bucket=BUCKET] # s3 bucket, if not set one will be generated for you
|
138
|
+
--subnet-ids=one two three # subnet id to associate your vpn with
|
139
|
+
[--default-groups=one two three] # groups to allow through the subnet associations when using federated auth
|
140
|
+
[--cidr=CIDR] # cidr from which to assign client IP addresses
|
141
|
+
# Default: 10.250.0.0/16
|
142
|
+
[--dns-servers=one two three] # DNS Servers to push to clients.
|
143
|
+
[--split-tunnel], [--no-split-tunnel] # only push routes to the client on the vpn endpoint
|
144
|
+
# Default: true
|
145
|
+
[--internet-route=INTERNET_ROUTE] # [subnet-id] create a default route to the internet through a subnet
|
146
|
+
[--protocol=PROTOCOL] # set the protocol for the vpn connections
|
147
|
+
# Default: udp
|
148
|
+
# Possible values: udp, tcp
|
149
|
+
[--start=START] # cloudwatch event cron schedule in UTC to associate subnets to the client vpn
|
150
|
+
[--stop=STOP] # cloudwatch event cron schedule in UTC to disassociate subnets to the client vpn
|
151
|
+
[--saml-arn=SAML_ARN] # IAM SAML idenditiy providor arn if using SAML federated authentication
|
152
|
+
[--saml-self-service-arn=SAML_SELF_SERVICE_ARN] # IAM SAML idenditiy providor arn for the self service portal
|
153
|
+
[--directory-id=DIRECTORY_ID] # AWS Directory Service directory id if using Active Directory authentication
|
154
|
+
```
|
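Review bot: the descriptions for `--saml-arn` and `--saml-self-service-arn` both misspell `identity provider` as `idenditiy providor`; since this block mirrors the Thor help output, the fix belongs in the `class_option` desc strings in `init.rb` so the docs and `--help` stay in sync. The `--saml-self-service-arn` line should also say that it defaults to the `--saml-arn` value when omitted (that is what the `vpn.rb` change in this diff does), otherwise a reader of the help has no way to know which provider the self-service portal ends up wired to.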
data/lib/cfnvpn/actions/init.rb
CHANGED
@@ -36,6 +36,7 @@ module CfnVpn::Actions
|
|
36
36
|
class_option :stop, type: :string, desc: 'cloudwatch event cron schedule in UTC to disassociate subnets to the client vpn'
|
37
37
|
|
38
38
|
class_option :saml_arn, desc: 'IAM SAML idenditiy providor arn if using SAML federated authentication'
|
39
|
+
class_option :saml_self_service_arn, desc: 'IAM SAML idenditiy providor arn for the self service portal'
|
39
40
|
class_option :directory_id, desc: 'AWS Directory Service directory id if using Active Directory authentication'
|
40
41
|
|
41
42
|
def self.source_root
|
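Review bot: the new `class_option :saml_self_service_arn` copies the `idenditiy providor` misspelling from the `saml_arn` line above it, and its desc does not mention the fallback to `saml_arn` that `vpn.rb` applies in this same diff; suggest `desc: 'IAM SAML identity provider arn for the self service portal, defaults to the value of --saml-arn'` and correcting the neighbouring `saml_arn` desc in the same pass.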
@@ -64,6 +65,7 @@ module CfnVpn::Actions
|
|
64
65
|
start: @options['start'],
|
65
66
|
stop: @options['stop'],
|
66
67
|
saml_arn: @options['saml_arn'],
|
68
|
+
saml_self_service_arn: @options['saml_self_service_arn'],
|
67
69
|
directory_id: @options['directory_id'],
|
68
70
|
routes: []
|
69
71
|
}
|
data/lib/cfnvpn/templates/vpn.rb
CHANGED
@@ -33,7 +33,7 @@ module CfnVpn
|
|
33
33
|
{
|
34
34
|
FederatedAuthentication: {
|
35
35
|
SAMLProviderArn: config[:saml_arn],
|
36
|
-
SelfServiceSAMLProviderArn: config[:saml_arn]
|
36
|
+
SelfServiceSAMLProviderArn: config[:saml_self_service_arn].nil? ? config[:saml_arn] : config[:saml_self_service_arn]
|
37
37
|
},
|
38
38
|
Type: 'federated-authentication'
|
39
39
|
}
|
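Review bot: the fallback `config[:saml_self_service_arn].nil? ? config[:saml_arn] : config[:saml_self_service_arn]` preserves the previous behaviour when the new option is omitted, which is the right default, but it is not stated in the getting-started text added in this diff and reads more plainly as `config[:saml_self_service_arn] || config[:saml_arn]` (equivalent here, since the option value is a string or nil). Worth saying in the docs that the self-service portal authenticates against the same IdP unless overridden, because that is the trust boundary an operator is choosing with this option.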
data/lib/cfnvpn/version.rb
CHANGED
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: cfn-vpn
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.3.
|
4
|
+
version: 1.3.3
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Guslington
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date: 2021-
|
11
|
+
date: 2021-11-04 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: thor
|
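Review bot: the version bumps to 1.3.3 while the page title records the compared range as 1.3.1 → 1.3.3, and no changelog file appears in the changed-files list at the top of the page; a changelog entry naming the new `--saml-self-service-arn` option and the `SelfServiceSAMLProviderArn` fallback would let users of 1.3.1 see what changed without reading the diff.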