RubyGems - cfn-vpn - Versions diffs - 0.2.0 → 0.3.0 - Mend

cfn-vpn 0.2.0 → 0.3.0

Files changed (18) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 14100a22fc434fa08bc329c9b37b3fd8c72a8b03825c0ae2ebbb8b008229711b
-  data.tar.gz: 72a211b53647c788bc149bca7c5c30d1f7ad6939f7c26573da4d483068fe2008
+  metadata.gz: eb761d025f597c4de716819ae68760c9852186b37505dc565f26c60fa4679788
+  data.tar.gz: 8347f65e8c83d6a4b579b2f5a3e5209e0c24e7e59971be79afcc75adf4ebc2ae
 SHA512:
-  metadata.gz: 23f99dfeda3e9508f75b3fd8af5aa2a16f9062d96ba4a6a1c12b8cde8517c42c9a76e8b99e20c790972529870c588ef9c966b23d30b7f587697c2315355eabe2
-  data.tar.gz: 86b27e631221e973769d2b61f98637a90e63b4c9fd4a463a540b0ee843c412bd66f3953fdb52cf96d488b4cf2c4ec60478936d978e606e1dd23413c3cc0a8f90
+  metadata.gz: 0e8bf02b14cde539575af2a00306aee0a582e0907db6b103520d001b02aab3daf5f4a331fc5fe4363829ef764771b210eacd4e72f526d16901d6cfe64a3c7607
+  data.tar.gz: 1cf6528468ccd43734549ef00f35238b76ae190691aceddc2e29aed5984cb98ea06e2a5ae66b46e19cad1048a107f1293a9aa877e9f624a15d8ec5cb07d012ad

data/Gemfile.lock CHANGED Viewed

@@ -1,20 +1,21 @@
 PATH
   remote: .
   specs:
-    cfn-vpn (0.1.0)
+    cfn-vpn (0.2.0)
       aws-sdk-acm (~> 1, < 2)
       aws-sdk-cloudformation (~> 1, < 2)
       aws-sdk-ec2 (~> 1.95, < 2)
-      aws-sdk-ssm (~> 1, < 2)
+      aws-sdk-s3 (~> 1, < 2)
       cfhighlander (~> 0.9, < 1)
       cfndsl (~> 0.17, < 1)
+      terminal-table (~> 1, < 2)
       thor (~> 0.20)
 GEM
   remote: https://rubygems.org/
   specs:
     aws-eventstream (1.0.3)
-    aws-partitions (1.176.0)
+    aws-partitions (1.180.0)
     aws-sdk-acm (1.23.0)
       aws-sdk-core (~> 3, >= 3.56.0)
       aws-sigv4 (~> 1.1)
@@ -26,7 +27,7 @@ GEM
       aws-partitions (~> 1.0)
       aws-sigv4 (~> 1.1)
       jmespath (~> 1.0)
-    aws-sdk-ec2 (1.95.0)
+    aws-sdk-ec2 (1.96.0)
       aws-sdk-core (~> 3, >= 3.56.0)
       aws-sigv4 (~> 1.1)
     aws-sdk-kms (1.22.0)
@@ -36,9 +37,6 @@ GEM
       aws-sdk-core (~> 3, >= 3.56.0)
       aws-sdk-kms (~> 1)
       aws-sigv4 (~> 1.1)
-    aws-sdk-ssm (1.50.0)
-      aws-sdk-core (~> 3, >= 3.56.0)
-      aws-sigv4 (~> 1.1)
     aws-sigv4 (1.1.0)
       aws-eventstream (~> 1.0, >= 1.0.2)
     cfhighlander (0.9.0)
@@ -61,7 +59,10 @@ GEM
     netaddr (1.5.1)
     rake (10.5.0)
     rubyzip (1.2.3)
+    terminal-table (1.8.0)
+      unicode-display_width (~> 1.1, >= 1.1.1)
     thor (0.20.3)
+    unicode-display_width (1.6.0)
 PLATFORMS
   ruby

data/README.md CHANGED Viewed

@@ -1,6 +1,6 @@
 # CfnVpn
-Manages the resources required to create a client vpn in AWS.
+Manages the resources required to create a [client vpn](https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/what-is.html) in AWS.
 Uses cloudformation to manage the state of the vpn resources.
 ## Installation
@@ -16,55 +16,152 @@ Install [docker](https://docs.docker.com/install/)
 Docker is required to generate the certificates required for the client vpn.
 The gem uses [openvpn/easy-rsa](https://github.com/OpenVPN/easy-rsa) project in [base2/aws-client-vpn](https://hub.docker.com/r/base2/aws-client-vpn) dokcer image.
+Setup your [AWS credentials](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) by either setting a profile or exporting them as environment variables.
 ## Usage
-### help
+```bash
+Commands:
+  cfn-vpn --version, -v                                                            # print the version
+  cfn-vpn client [name] --bucket=BUCKET --client-cn=CLIENT_CN                      # Create a new client certificate
+  cfn-vpn config [name] --bucket=BUCKET --client-cn=CLIENT_CN                      # Retrieve the config for the AWS Client VPN
+  cfn-vpn help [COMMAND]                                                           # Describe available commands or one specific command
+  cfn-vpn init [name] --bucket=BUCKET --server-cn=SERVER_CN --subnet-id=SUBNET_ID  # Create a AWS Client VPN
+  cfn-vpn modify [name]                                                            # Modify your AWS Client VPN
+  cfn-vpn revoke [name] --bucket=BUCKET --client-cn=CLIENT_CN                      # Revoke a client certificate
+  cfn-vpn routes [name]                                                            # List, add or delete client vpn routes
+  cfn-vpn sessions [name]                                                          # List and kill current vpn connections
+  cfn-vpn share [name] --bucket=BUCKET --client-cn=CLIENT_CN                       # Provide a user with a s3 signed download for certificates and config
+```
-Displays all possible commands
+Global options
 ```bash
-Commands:
-  cfn-vpn --version, -v                                            # print the version
-  cfn-vpn help [COMMAND]                                           # Describe available commands or one specific command
-  cfn-vpn init [name] --server-cn=SERVER_CN --subnet-id=SUBNET_ID  # Ciinabox configuration initialization
+p, [--profile=PROFILE]           # AWS Profile
+r, [--region=REGION]             # AWS Region
+                                 # Default: ENV['AWS_REGION']
+    [--verbose], [--no-verbose]  # set log level to debug
 ```
-### init
-Initialises a new client vpn and creates all required resources to get it running.
+### Create a new AWS Client VPN
-```bash
-Usage:
-  cfn-vpn init [name] --server-cn=SERVER_CN --subnet-id=SUBNET_ID
-Options:
-  p, [--profile=PROFILE]       # AWS Profile
-  r, [--region=REGION]         # AWS Region
-      --server-cn=SERVER_CN    # server certificate common name
-      [--client-cn=CLIENT_CN]  # client certificate common name
-      --subnet-id=SUBNET_ID    # subnet id to associate your vpn with
-      [--cidr=CIDR]            # cidr from which to assign client IP addresses
-                               # Default: 10.250.0.0/16
-Ciinabox configuration initialization
+This will create a new client vpn endpoint, associates it with a subnet and sets up a route to the internet.
+During this process a new CA and certificate and keys are generated using [openvpn/easy-rsa](https://github.com/OpenVPN/easy-rsa) and uploaded to ACM.
+These keys are bundled in a tar and stored encrypted in your provided s3 bucket.
+`cfn-vpn init myvpn --bucket mybucket --server-cn myvpn.domain.tld --subnet-id subnet-123456ab`
+### Create a new client
+This will generate a new client certificate and key against the CA generated in the `init`.
+It will be bundled into a tar and stored encrypted in your provided s3 bucket.
+`cfn-vpn client myvpn --client-cn user1 --bucket mybucket`
+### Revoke a client
+This will revoke the client certificate and apply to the client VPN endpoint.
+Note this wont terminate the session but will stop the client from reconnecting using the certificate.
+`cfn-vpn revoke myvpn --client-cn user1 --bucket mybucket`
+### Download the config file
+This will download the client certificate bundle from s3 and the Client VPN config file from the endpoint.
+The config will be modified to include the local path of the client cert and key.
+`cfn-vpn config myvpn --client-cn user1 --bucket mybucket`
+*Optional:*
+`--ignore-routes` By deafult AWS Client VPN will push all routes from your local through the VPN connection. Select this flag to only push routes specified in the Client VPN route table.
+### Modify the Client VPN config
+This will modify some attributes of the client vpn endpoint.
+`cfn-vpn config myvpn --dns-servers 8.8.8.8,8.8.4.4`
+*Optional:*
+`--dns-servers` Change the DNS servers pushed by the VPN.
+`--subnet-id` Change the associated subnet.
+`--cidr` Change the Client CIDR range.
+### Share client certificates with a user
+This will generate a presigned url for the client's certificate and config file to allow them to download them to their local computer.
+`cfn-vpn share myvpn --client-cn user1 --bucket mybucket`
+You can then share the output with your user
+```
+Download the certificates and config from the bellow presigned URLs which will expire in 1 hour.
+Certificate:
+<presigned url>
+Config:
+<presigned url>
+Extract the certificates from the tar and place into a safe location.
+	tar xzfv user1.tar.gz -C <path>
+Modify base2-ciinabox.config.ovpn to include the full location of your extracted certificates
+	echo "key /<path>/user1.key" >> myvpn.config.ovpn
+	echo "cert /<path>/user1.crt" >> myvpn.config.ovpn
+Open myvpn.config.ovpn with your favourite openvpn client.
 ```
-### config
-Downloads the opvn config file for the client vpn
+### Show and Kill Current Connections
+This is show a table of current connections on the vpn. You can then kill sessions by using the connection id.
 ```bash
-Usage:
-  cfn-vpn config [name]
+$ cfn-vpn sessions myvpn
++-------------+---------------------+--------+-------------+-----------------------------------+---------------+--------------+
+| Common Name | Connected (UTC)     | Status | IP Address  | Connection ID                     | Ingress Bytes | Egress Bytes |
++-------------+---------------------+--------+-------------+-----------------------------------+---------------+--------------+
+| user1       | 2019-06-28 04:58:19 | active | 10.250.0.98 | cvpn-connection-05bcc579cb3fdf9a3 | 3000          | 2679         |
++-------------+---------------------+--------+-------------+-----------------------------------+---------------+--------------+
+```
+Specify the `--kill` flag with the connection id to kill the session.
+`cfn-vpn sessions myvpn --kill cvpn-connection-05bcc579cb3fdf9a3`
+### Show, Add and Remove Routes
-Options:
-  [--profile=PROFILE]  # AWS Profile
-  [--region=REGION]    # AWS Region
-                       # Default: ap-southeast-2
+This will display the route table from the Client VPN.
-Ciinabox configuration initialization
+```bash
++---------------+-----------------------+--------+-----------------+------+-----------+
+| Route         | Description           | Status | Target          | Type | Origin    |
++---------------+-----------------------+--------+-----------------+------+-----------+
+| 10.0.0.0/16   | Default Route         | active | subnet-123456ab | Nat  | associate |
+| 0.0.0.0/0     | Route to the internet | active | subnet-123456ab | Nat  | add-route |
++---------------+-----------------------+--------+-----------------+------+-----------+
 ```
+to add a new route specify the `--add` flag with the cidr and a description with the `--desc` flag.
+`cfn-vpn routes myvpn --add 10.10.0.0/16 --desc "route to peered vpc"`
+to delete a route specify the `--del` flag with the cidr you want to delete.
+`cfn-vpn routes myvpn --del 10.10.0.0/16`
 ## Contributing
 Bug reports and pull requests are welcome on GitHub at https://github.com/base2services/aws-client-vpn.

data/cfn-vpn.gemspec CHANGED Viewed

@@ -36,11 +36,12 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
   spec.add_dependency "thor", "~> 0.20"
+  spec.add_dependency "terminal-table", '~> 1', '<2'
   spec.add_dependency 'cfhighlander', '~> 0.9', '<1'
   spec.add_dependency 'cfndsl', '~> 0.17', '<1'
   spec.add_runtime_dependency 'aws-sdk-ec2', '~> 1.95', '<2'
   spec.add_runtime_dependency 'aws-sdk-acm', '~> 1', '<2'
-  spec.add_runtime_dependency 'aws-sdk-ssm', '~> 1', '<2'
+  spec.add_runtime_dependency 'aws-sdk-s3', '~> 1', '<2'
   spec.add_runtime_dependency 'aws-sdk-cloudformation', '~> 1', '<2'
   spec.add_development_dependency "bundler", "~> 2.0"

data/lib/cfnvpn.rb CHANGED Viewed

@@ -3,6 +3,11 @@ require 'cfnvpn/version'
 require 'cfnvpn/init'
 require 'cfnvpn/modify'
 require 'cfnvpn/config'
+require 'cfnvpn/client'
+require 'cfnvpn/revoke'
+require 'cfnvpn/sessions'
+require 'cfnvpn/routes'
+require 'cfnvpn/share'
 module CfnVpn
   class Cli < Thor
@@ -13,7 +18,6 @@ module CfnVpn
       puts CfnVpn::VERSION
     end
-    # Initializes ciinabox configuration
     register CfnVpn::Init, 'init', 'init [name]', 'Create a AWS Client VPN'
     tasks["init"].options = CfnVpn::Init.class_options
@@ -23,8 +27,20 @@ module CfnVpn
     register CfnVpn::Config, 'config', 'config [name]', 'Retrieve the config for the AWS Client VPN'
     tasks["config"].options = CfnVpn::Config.class_options
-  end
+    register CfnVpn::Client, 'client', 'client [name]', 'Create a new client certificate'
+    tasks["client"].options = CfnVpn::Client.class_options
+    register CfnVpn::Revoke, 'revoke', 'revoke [name]', 'Revoke a client certificate'
+    tasks["revoke"].options = CfnVpn::Revoke.class_options
+    register CfnVpn::Sessions, 'sessions', 'sessions [name]', 'List and kill current vpn connections'
+    tasks["sessions"].options = CfnVpn::Sessions.class_options
-  # Aws.config[:retry_limit] = if ENV.key? 'CFNVPN_AWS_RETRY_LIMIT' then (ENV['CFNVPN_AWS_RETRY_LIMIT'].to_i) else 10 end
+    register CfnVpn::Routes, 'routes', 'routes [name]', 'List, add or delete client vpn routes'
+    tasks["routes"].options = CfnVpn::Routes.class_options
+    register CfnVpn::Share, 'share', 'share [name]', 'Provide a user with a s3 signed download for certificates and config'
+    tasks["share"].options = CfnVpn::Share.class_options
+  end
 end

data/lib/cfnvpn/certificates.rb CHANGED Viewed

@@ -1,6 +1,6 @@
 require 'fileutils'
 require 'cfnvpn/acm'
-require 'cfnvpn/ssm'
+require 'cfnvpn/s3'
 require 'cfnvpn/log'
 module CfnVpn
@@ -11,16 +11,34 @@ module CfnVpn
       @cfnvpn_name = cfnvpn_name
       @config_dir = "#{build_dir}/config"
       @cert_dir = "#{build_dir}/certificates"
+      @docker_cmd = %w(docker run -it --rm)
+      @easyrsa_image = "base2/aws-client-vpn"
       FileUtils.mkdir_p(@cert_dir)
     end
-    def generate(server_cn,client_cn)
-      cmd = ["docker", "run", "-it", "--rm"]
-      cmd << "-e EASYRSA_REQ_CN=#{server_cn}"
-      cmd << "-e EASYRSA_CLIENT_CN=#{client_cn}"
-      cmd << "-v #{@cert_dir}:/easy-rsa/output"
-      cmd << "base2/aws-client-vpn:3.0.5"
-      return `#{cmd.join(' ')}`
+    def generate_ca(server_cn,client_cn)
+      @docker_cmd << "-e EASYRSA_REQ_CN=#{server_cn}"
+      @docker_cmd << "-e EASYRSA_CLIENT_CN=#{client_cn}"
+      @docker_cmd << "-v #{@cert_dir}:/easy-rsa/output"
+      @docker_cmd << @easyrsa_image
+      @docker_cmd << "sh -c 'create-ca'"
+      return `#{@docker_cmd.join(' ')}`
+    end
+    def generate_client(client_cn)
+      @docker_cmd << "-e EASYRSA_CLIENT_CN=#{client_cn}"
+      @docker_cmd << "-v #{@cert_dir}:/easy-rsa/output"
+      @docker_cmd << @easyrsa_image
+      @docker_cmd << "sh -c 'create-client'"
+      return `#{@docker_cmd.join(' ')}`
+    end
+    def revoke_client(client_cn)
+      @docker_cmd << "-e EASYRSA_CLIENT_CN=#{client_cn}"
+      @docker_cmd << "-v #{@cert_dir}:/easy-rsa/output"
+      @docker_cmd << @easyrsa_image
+      @docker_cmd << "sh -c 'revoke-client'"
+      return `#{@docker_cmd.join(' ')}`
     end
     def upload_certificates(region,cert,type,cn=nil)
@@ -32,23 +50,20 @@ module CfnVpn
       return arn
     end
-    def store_certificate(region,cert)
-      ssm = CfnVpn::SSM.new(@cfnvpn_name, region, @cert_dir)
-      ssm.put_parameter(cert)
+    def store_certificate(bucket,bundle)
+      s3 = CfnVpn::S3.new(@region,bucket,@name)
+      s3.store_object("#{@cert_dir}/#{bundle}")
+    end
+    def retrieve_certificate(bucket,bundle)
+      s3 = CfnVpn::S3.new(@region,bucket,@name)
+      s3.get_object("#{@cert_dir}/#{bundle}")
     end
-    def write_certificate(cert_body,name,force)
-      file = "#{@config_dir}/#{name}"
-      if File.file?(file)
-        if force
-          Log.logger.warn "overriding existing #{name}"
-          File.write(file, cert_body)
-        else
-          Log.logger.info "#{name} already exists"
-        end
-      else
-        File.write(file, cert_body)
-      end
+    def extract_certificate(client_cn)
+      tar = "#{@config_dir}/#{client_cn}.tar.gz"
+      `tar xzfv #{tar} -C #{@config_dir} --strip 2`
+      File.delete(tar) if File.exist?(tar)
     end
   end

data/lib/cfnvpn/client.rb ADDED Viewed

@@ -0,0 +1,42 @@
+require 'thor'
+require 'cfnvpn/log'
+require 'cfnvpn/s3'
+module CfnVpn
+  class Client < Thor::Group
+    include Thor::Actions
+    include CfnVpn::Log
+    argument :name
+    class_option :profile, aliases: :p, desc: 'AWS Profile'
+    class_option :region, aliases: :r, default: ENV['AWS_REGION'], desc: 'AWS Region'
+    class_option :verbose, desc: 'set log level to debug', type: :boolean
+    class_option :bucket, desc: 's3 bucket', required: true
+    class_option :client_cn, desc: 'client certificate common name', required: true
+    def self.source_root
+      File.dirname(__FILE__)
+    end
+    def set_loglevel
+      Log.logger.level = Logger::DEBUG if @options['verbose']
+    end
+    def set_directory
+      @build_dir = "#{ENV['HOME']}/.cfnvpn/#{@name}"
+      @cert_dir = "#{@build_dir}/certificates"
+    end
+    def create_certificate
+      s3 = CfnVpn::S3.new(@options['region'],@options['bucket'],@name)
+      s3.get_object("#{@cert_dir}/ca.tar.gz")
+      Log.logger.info "Generating new client certificate #{@options['client_cn']} using openvpn easy-rsa"
+      cert = CfnVpn::Certificates.new(@build_dir,@name)
+      Log.logger.debug cert.generate_client(@options['client_cn'])
+      s3.store_object("#{@cert_dir}/#{@options['client_cn']}.tar.gz")
+    end
+  end
+end

data/lib/cfnvpn/clientvpn.rb CHANGED Viewed

@@ -1,5 +1,6 @@
 require 'aws-sdk-ec2'
 require 'cfnvpn/log'
+require 'netaddr'
 module CfnVpn
   class ClientVpn
@@ -18,13 +19,17 @@ module CfnVpn
         Log.logger.error "unable to find endpoint with tag Key: cfnvpn:name with Value: #{@name}"
         raise "Unable to find client vpn"
       end
-      resp.client_vpn_endpoints.first
+      return resp.client_vpn_endpoints.first
     end
     def get_endpoint_id()
       return get_endpoint().client_vpn_endpoint_id
     end
+    def get_dns_servers()
+      return get_endpoint().dns_servers
+    end
     def get_config(endpoint_id)
       resp = @client.export_client_vpn_client_configuration({
         client_vpn_endpoint_id: endpoint_id
@@ -32,5 +37,118 @@ module CfnVpn
       return resp.client_configuration
     end
+    def get_rekove_list(endpoint_id)
+      resp = @client.export_client_vpn_client_certificate_revocation_list({
+        client_vpn_endpoint_id: endpoint_id
+      })
+      return resp.certificate_revocation_list
+    end
+    def put_revoke_list(endpoint_id,revoke_list)
+      list = File.read(revoke_list)
+      @client.import_client_vpn_client_certificate_revocation_list({
+        client_vpn_endpoint_id: endpoint_id,
+        certificate_revocation_list: list
+      })
+    end
+    def get_sessions(endpoint_id)
+      params = {
+        client_vpn_endpoint_id: endpoint_id,
+        max_results: 20
+      }
+      resp = @client.describe_client_vpn_connections(params)
+      return resp.connections
+    end
+    def kill_session(endpoint_id, connection_id)
+      @client.terminate_client_vpn_connections({
+        client_vpn_endpoint_id: endpoint_id,
+        connection_id: connection_id
+      })
+    end
+    def get_target_networks(endpoint_id)
+      resp = @client.describe_client_vpn_target_networks({
+        client_vpn_endpoint_id: endpoint_id
+      })
+      return resp.client_vpn_target_networks.first
+    end
+    def add_route(cidr,description)
+      endpoint_id = get_endpoint_id()
+      subnet_id = get_target_networks(endpoint_id).target_network_id
+      @client.create_client_vpn_route({
+        client_vpn_endpoint_id: endpoint_id,
+        destination_cidr_block: cidr,
+        target_vpc_subnet_id: subnet_id,
+        description: description
+      })
+      resp = @client.authorize_client_vpn_ingress({
+        client_vpn_endpoint_id: endpoint_id,
+        target_network_cidr: cidr,
+        authorize_all_groups: true,
+        description: description
+      })
+      return resp.status
+    end
+    def del_route(cidr)
+      endpoint_id = get_endpoint_id()
+      subnet_id = get_target_networks(endpoint_id).target_network_id
+      revoke = @client.revoke_client_vpn_ingress({
+        revoke_all_groups: true,
+        client_vpn_endpoint_id: endpoint_id,
+        target_network_cidr: cidr
+      })
+      route = @client.delete_client_vpn_route({
+        client_vpn_endpoint_id: endpoint_id,
+        target_vpc_subnet_id: subnet_id,
+        destination_cidr_block: cidr
+      })
+      return route.status, revoke.status
+    end
+    def get_routes()
+      endpoint_id = get_endpoint_id()
+      resp = @client.describe_client_vpn_routes({
+        client_vpn_endpoint_id: endpoint_id,
+        max_results: 20
+      })
+      return resp.routes
+    end
+    def route_exists?(cidr)
+      routes = get_routes()
+      resp = routes.select { |route| route if route.destination_cidr == cidr }
+      return resp.any?
+    end
+    def get_routes()
+      endpoint_id = get_endpoint_id()
+      resp = @client.describe_client_vpn_routes({
+        client_vpn_endpoint_id: endpoint_id,
+        max_results: 20
+      })
+      return resp.routes
+    end
+    def get_route_with_mask()
+      routes = get_routes()
+      routes
+        .select { |r| r if r.destination_cidr != '0.0.0.0/0' }
+        .collect { |r| { route: r.destination_cidr.split('/').first, mask: NetAddr::CIDR.create(r.destination_cidr).wildcard_mask }}
+    end
+    def valid_cidr?(cidr)
+      return !(cidr =~ /^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$/).nil?
+    end
   end
 end

data/lib/cfnvpn/config.rb CHANGED Viewed

@@ -1,5 +1,4 @@
 require 'cfnvpn/clientvpn'
-require 'cfnvpn/ssm'
 require 'cfnvpn/log'
 module CfnVpn
@@ -12,9 +11,10 @@ module CfnVpn
     class_option :profile, desc: 'AWS Profile'
     class_option :region, default: ENV['AWS_REGION'], desc: 'AWS Region'
     class_option :verbose, desc: 'set log level to debug', type: :boolean
+    class_option :bucket, required: true, desc: 's3 bucket'
+    class_option :client_cn, required: true, desc: "client certificates to download"
-    class_option :key_path, required: true, desc: 'full file path to the client vpn key'
-    class_option :crt_path, required: true, desc: 'full file path to the client vpn certificate'
+    class_option :ignore_routes, alias: :i, type: :boolean, desc: "Ignore client VPN pushed routes and set routes in config file"
     def self.source_root
       File.dirname(__FILE__)
@@ -25,8 +25,8 @@ module CfnVpn
     end
     def create_config_directory
-      @home_dir = "#{ENV['HOME']}/.cfnvpn/#{@name}"
-      @config_dir = "#{@home_dir}/config"
+      @build_dir = "#{ENV['HOME']}/.cfnvpn/#{@name}"
+      @config_dir = "#{@build_dir}/config"
       Log.logger.debug("Creating config directory #{@config_dir}")
       FileUtils.mkdir_p(@config_dir)
     end
@@ -38,11 +38,44 @@ module CfnVpn
       @config = vpn.get_config(@endpoint_id)
     end
+    def download_certificates
+      download = true
+      if File.exists?("#{@config_dir}/#{@options['client_cn']}.crt")
+        download = yes? "Certificates for #{@options['client_cn']} already exist in #{@config_dir}. Do you want to download again? ", :green
+      end
+      if download
+        Log.logger.info "Downloading certificates for #{@options['client_cn']} to #{@config_dir}"
+        s3 = CfnVpn::S3.new(@options['region'],@options['bucket'],@name)
+        s3.get_object("#{@config_dir}/#{@options['client_cn']}.tar.gz")
+        cert = CfnVpn::Certificates.new(@build_dir,@name)
+        Log.logger.debug cert.extract_certificate(@options['client_cn'])
+      end
+    end
     def alter_config
       string = (0...8).map { (65 + rand(26)).chr.downcase }.join
       @config.sub!(@endpoint_id, "#{string}.#{@endpoint_id}")
-      @config.concat("\n\ncert #{@options['crt_path']}")
-      @config.concat("\nkey #{@options['key_path']}\n")
+      @config.concat("\n\ncert #{@config_dir}/#{@options['client_cn']}.crt")
+      @config.concat("\nkey #{@config_dir}/#{@options['client_cn']}.key\n")
+    end
+    def add_routes
+      if @options['ignore_routes']
+        Log.logger.debug "Ignoring routes pushed by the client vpn"
+        @config.concat("\nroute-nopull\n")
+        vpn = CfnVpn::ClientVpn.new(@name,@options['region'])
+        routes = vpn.get_route_with_mask
+        Log.logger.debug "Found routes #{routes}"
+        routes.each do |r|
+          @config.concat("route #{r[:route]} #{r[:mask]}\n")
+        end
+        dns_servers = vpn.get_dns_servers()
+        if dns_servers.any?
+          Log.logger.debug "Found DNS servers #{dns_servers.join(' ')}"
+          @config.concat("dhcp-option DNS #{dns_servers.first}\n")
+        end
+      end
     end
     def write_config

data/lib/cfnvpn/init.rb CHANGED Viewed

@@ -20,6 +20,7 @@ module CfnVpn
     class_option :server_cn, required: true, desc: 'server certificate common name'
     class_option :client_cn, desc: 'client certificate common name'
+    class_option :bucket, required: true, desc: 's3 bucket'
     class_option :subnet_id, required: true, desc: 'subnet id to associate your vpn with'
     class_option :cidr, default: '10.250.0.0/16', desc: 'cidr from which to assign client IP addresses'
@@ -61,14 +62,16 @@ module CfnVpn
     def generate_server_certificates
       Log.logger.info "Generating certificates using openvpn easy-rsa"
       cert = CfnVpn::Certificates.new(@build_dir,@name)
-      @client_cn = @options['client_cn'] ? @options['client_cn'] : "#{@name}.#{@options['server_cn']}"
-      Log.logger.debug cert.generate(@options['server_cn'],@client_cn)
+      @client_cn = @options['client_cn'] ? @options['client_cn'] : "client-vpn.#{@options['server_cn']}"
+      Log.logger.debug cert.generate_ca(@options['server_cn'],@client_cn)
     end
     def upload_certificates
       cert = CfnVpn::Certificates.new(@build_dir,@name)
       @config['parameters']['ServerCertificateArn'] = cert.upload_certificates(@options['region'],'server','server',@options['server_cn'])
       @config['parameters']['ClientCertificateArn'] = cert.upload_certificates(@options['region'],@client_cn,'client')
+      s3 = CfnVpn::S3.new(@options['region'],@options['bucket'],@name)
+      s3.store_object("#{@build_dir}/certificates/ca.tar.gz")
     end
     def deploy_vpn

data/lib/cfnvpn/revoke.rb ADDED Viewed

@@ -0,0 +1,49 @@
+require 'thor'
+require 'cfnvpn/log'
+require 'cfnvpn/s3'
+module CfnVpn
+  class Revoke < Thor::Group
+    include Thor::Actions
+    include CfnVpn::Log
+    argument :name
+    class_option :profile, aliases: :p, desc: 'AWS Profile'
+    class_option :region, aliases: :r, default: ENV['AWS_REGION'], desc: 'AWS Region'
+    class_option :verbose, desc: 'set log level to debug', type: :boolean
+    class_option :bucket, desc: 's3 bucket', required: true
+    class_option :client_cn, desc: 'client certificate common name', required: true
+    def self.source_root
+      File.dirname(__FILE__)
+    end
+    def set_loglevel
+      Log.logger.level = Logger::DEBUG if @options['verbose']
+    end
+    def set_directory
+      @build_dir = "#{ENV['HOME']}/.cfnvpn/#{@name}"
+      @cert_dir = "#{@build_dir}/certificates"
+    end
+    def revoke_certificate
+      cert = CfnVpn::Certificates.new(@build_dir,@name)
+      s3 = CfnVpn::S3.new(@options['region'],@options['bucket'],@name)
+      s3.get_object("#{@cert_dir}/ca.tar.gz")
+      s3.get_object("#{@cert_dir}/#{@options['client_cn']}.tar.gz")
+      Log.logger.info "Generating new client certificate #{@options['client_cn']} using openvpn easy-rsa"
+      Log.logger.debug cert.revoke_client(@options['client_cn'])
+    end
+    def apply_rekocation_list
+      vpn = CfnVpn::ClientVpn.new(@name,@options['region'])
+      endpoint_id = vpn.get_endpoint_id()
+      vpn.put_revoke_list(endpoint_id,"#{@cert_dir}/crl.pem")
+      Log.logger.info("revoked client #{@options['client_cn']} from #{endpoint_id}")
+    end
+  end
+end

data/lib/cfnvpn/routes.rb ADDED Viewed

@@ -0,0 +1,83 @@
+require 'thor'
+require 'cfnvpn/log'
+require 'cfnvpn/s3'
+module CfnVpn
+  class Routes < Thor::Group
+    include Thor::Actions
+    include CfnVpn::Log
+    argument :name
+    class_option :profile, aliases: :p, desc: 'AWS Profile'
+    class_option :region, aliases: :r, default: ENV['AWS_REGION'], desc: 'AWS Region'
+    class_option :verbose, desc: 'set log level to debug', type: :boolean
+    class_option :add, desc: 'add cidr to route through the client vpn'
+    class_option :del, desc: 'delete cidr route from the client vpn'
+    class_option :desc, desc: 'description of the route'
+    def self.source_root
+      File.dirname(__FILE__)
+    end
+    def set_loglevel
+      Log.logger.level = Logger::DEBUG if @options['verbose']
+    end
+    def set_directory
+      @build_dir = "#{ENV['HOME']}/.cfnvpn/#{@name}"
+    end
+    def add_route
+      if !@options['add'].nil?
+        if @options['desc'].nil?
+          Log.logger.error "--desc option must be provided if adding a new route"
+          exit 1
+        end
+        vpn = CfnVpn::ClientVpn.new(@name,@options['region'])
+        if vpn.route_exists?(@options['add'])
+          Log.logger.error "route #{@options['add']} already exists in the client vpn"
+          exit 1
+        end
+        Log.logger.info "Adding new route for #{@options['add']}"
+        vpn.add_route(@options['add'],@options['desc'])
+      end
+    end
+    def del_route
+      if !@options['del'].nil?
+        vpn = CfnVpn::ClientVpn.new(@name,@options['region'])
+        if !vpn.route_exists?(@options['del'])
+          Log.logger.error "route #{@options['del']} doesn't exist in the client vpn"
+          exit 1
+        end
+        delete = yes? "Delete route #{@options['del']}?", :yellow
+        if delete
+          Log.logger.info "Deleting route for #{@options['del']}"
+          vpn.del_route(@options['del'])
+        end
+      end
+    end
+    def get_routes
+      vpn = CfnVpn::ClientVpn.new(@name,@options['region'])
+      @routes = vpn.get_routes()
+    end
+    def display_routes
+      rows = @routes.collect do |s|
+        [ s.destination_cidr, s.description, s.status.code, s.target_subnet, s.type, s.origin ]
+      end
+      table = Terminal::Table.new(
+        :headings => ['Route', 'Description', 'Status', 'Target', 'Type', 'Origin'],
+        :rows => rows)
+      puts table
+    end
+  end
+end

data/lib/cfnvpn/s3.rb ADDED Viewed

@@ -0,0 +1,57 @@
+require 'aws-sdk-s3'
+require 'fileutils'
+module CfnVpn
+  class S3
+    def initialize(region, bucket, name)
+      @client = Aws::S3::Client.new(region: region)
+      @bucket = bucket
+      @name = name
+      @path = "cfnvpn/certificates/#{@name}"
+    end
+    def store_object(file)
+      body = File.open(file, 'rb').read
+      file_name = file.split('/').last
+      Log.logger.debug("uploading #{file} to s3://#{@bucket}/#{@path}/#{file_name}")
+      @client.put_object({
+        body: body,
+        bucket: @bucket,
+        key: "#{@path}/#{file_name}",
+        server_side_encryption: "AES256",
+        tagging: "cfnvpn:name=#{@name}"
+      })
+    end
+    def get_object(file)
+      file_name = file.split('/').last
+      Log.logger.debug("downloading s3://#{@bucket}/#{@path}/#{file_name} to #{file}")
+      @client.get_object(
+        response_target: file,
+        bucket: @bucket,
+        key: "#{@path}/#{file_name}")
+    end
+    def store_config(config)
+      Log.logger.debug("uploading config to s3://#{@bucket}/#{@path}/#{@name}.config.ovpn")
+      @client.put_object({
+        body: config,
+        bucket: @bucket,
+        key: "#{@path}/#{@name}.config.ovpn",
+        tagging: "cfnvpn:name=#{@name}"
+      })
+    end
+    def get_url(file)
+      presigner = Aws::S3::Presigner.new(client: @client)
+      params = {
+        bucket: @bucket,
+        key: "#{@path}/#{file}",
+        expires_in: 3600
+      }
+      presigner.presigned_url(:get_object, params)
+    end
+  end
+end

data/lib/cfnvpn/sessions.rb ADDED Viewed

@@ -0,0 +1,64 @@
+require 'thor'
+require 'terminal-table'
+require 'cfnvpn/log'
+require 'cfnvpn/clientvpn'
+module CfnVpn
+  class Sessions < Thor::Group
+    include Thor::Actions
+    include CfnVpn::Log
+    argument :name
+    class_option :profile, aliases: :p, desc: 'AWS Profile'
+    class_option :region, aliases: :r, default: ENV['AWS_REGION'], desc: 'AWS Region'
+    class_option :verbose, desc: 'set log level to debug', type: :boolean
+    class_option :kill, desc: 'connection id to kill the connection'
+    def self.source_root
+      File.dirname(__FILE__)
+    end
+    def set_loglevel
+      Log.logger.level = Logger::DEBUG if @options['verbose']
+    end
+    def set_directory
+      @build_dir = "#{ENV['HOME']}/.cfnvpn/#{@name}"
+    end
+    def get_endpoint
+      @vpn = CfnVpn::ClientVpn.new(@name,@options['region'])
+      @endpoint_id = @vpn.get_endpoint_id()
+    end
+    def kill_session
+      if !@options['kill'].nil?
+        sessions = @vpn.get_sessions(@endpoint_id)
+        session = sessions.select { |s| s if s.connection_id  == @options['kill'] }.first
+        if session.any? && session.status.code == "active"
+          terminate = yes? "Terminate connection #{@options['kill']} for #{session.common_name}?", :yellow
+          if terminate
+            Log.logger.info "Terminating connection #{@options['kill']} for #{session.common_name}"
+            @vpn.kill_session(@endpoint_id,@options['kill'])
+          end
+        else
+          Log.logger.error "Connection id #{@options['kill']} doesn't exist or is not active"
+        end
+      end
+    end
+    def display_sessions
+      sessions = @vpn.get_sessions(@endpoint_id)
+      rows = sessions.collect do |s|
+        [ s.common_name, s.connection_established_time, s.status.code, s.client_ip, s.connection_id, s.ingress_bytes, s.egress_bytes ]
+      end
+      table = Terminal::Table.new(
+        :headings => ['Common Name', 'Connected (UTC)', 'Status', 'IP Address', 'Connection ID', 'Ingress Bytes', 'Egress Bytes'],
+        :rows => rows)
+      puts table
+    end
+  end
+end

data/lib/cfnvpn/share.rb ADDED Viewed

@@ -0,0 +1,85 @@
+require 'cfnvpn/log'
+require 'cfnvpn/s3'
+module CfnVpn
+  class Share < Thor::Group
+    include Thor::Actions
+    include CfnVpn::Log
+    argument :name
+    class_option :profile, desc: 'AWS Profile'
+    class_option :region, default: ENV['AWS_REGION'], desc: 'AWS Region'
+    class_option :verbose, desc: 'set log level to debug', type: :boolean
+    class_option :bucket, required: true, desc: 's3 bucket'
+    class_option :client_cn, required: true, desc: "client certificates to download"
+    class_option :ignore_routes, alias: :i, type: :boolean, desc: "Ignore client VPN pushed routes and set routes in config file"
+    def self.source_root
+      File.dirname(__FILE__)
+    end
+    def set_loglevel
+      Log.logger.level = Logger::DEBUG if @options['verbose']
+    end
+    def copy_config_to_s3
+      vpn = CfnVpn::ClientVpn.new(@name,@options['region'])
+      @endpoint_id = vpn.get_endpoint_id()
+      Log.logger.debug "downloading client config for #{@endpoint_id}"
+      @config = vpn.get_config(@endpoint_id)
+      string = (0...8).map { (65 + rand(26)).chr.downcase }.join
+      @config.sub!(@endpoint_id, "#{string}.#{@endpoint_id}")
+    end
+    def add_routes
+      if @options['ignore_routes']
+        Log.logger.debug "Ignoring routes pushed by the client vpn"
+        @config.concat("\nroute-nopull\n")
+        vpn = CfnVpn::ClientVpn.new(@name,@options['region'])
+        routes = vpn.get_route_with_mask
+        Log.logger.debug "Found routes #{routes}"
+        routes.each do |r|
+          @config.concat("route #{r[:route]} #{r[:mask]}\n")
+        end
+        dns_servers = vpn.get_dns_servers()
+        if dns_servers.any?
+          Log.logger.debug "Found DNS servers #{dns_servers.join(' ')}"
+          @config.concat("dhcp-option DNS #{dns_servers.first}\n")
+        end
+      end
+    end
+    def upload_config
+      @s3 = CfnVpn::S3.new(@options['region'],@options['bucket'],@name)
+      @s3.store_config(@config)
+    end
+    def get_certificate_url
+      @certificate_url = @s3.get_url("#{@options['client_cn']}.tar.gz")
+      Log.logger.debug "Certificate presigned url: #{@certificate_url}"
+    end
+    def get_config_url
+      @config_url = @s3.get_url("#{@name}.config.ovpn")
+      Log.logger.debug "Config presigned url: #{@config_url}"
+    end
+    def display_instructions
+      Log.logger.info "Share the bellow instruction with the user..."
+      say "\nDownload the certificates and config from the bellow presigned URLs which will expire in 1 hour."
+      say "\nCertificate:"
+      say "\tcurl #{@certificate_url} > #{@options['client_cn']}.tar.gz", :cyan
+      say "\nConfig:\n"
+      say "\tcurl #{@certificate_url} > #{@name}.config.ovpn", :cyan
+      say "\nExtract the certificates from the tar and place into a safe location."
+      say "\ttar xzfv #{@options['client_cn']}.tar.gz -C <path> --strip 2", :cyan
+      say "\nModify #{@name}.config.ovpn to include the full location of your extracted certificates"
+      say "\techo \"key /<path>/#{@options['client_cn']}.key\" >> #{@name}.config.ovpn", :cyan
+      say "\techo \"cert /<path>/#{@options['client_cn']}.crt\" >> #{@name}.config.ovpn", :cyan
+      say "\nOpen #{@name}.config.ovpn with your favourite openvpn client."
+    end
+  end
+end

data/lib/cfnvpn/version.rb CHANGED Viewed

@@ -1,4 +1,4 @@
 module CfnVpn
-  VERSION = "0.2.0".freeze
+  VERSION = "0.3.0".freeze
   CHANGE_SET_VERSION = VERSION.gsub('.', '-').freeze
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-vpn
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.3.0
 platform: ruby
 authors:
 - Guslington
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2019-06-27 00:00:00.000000000 Z
+date: 2019-06-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor
@@ -24,6 +24,26 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.20'
+- !ruby/object:Gem::Dependency
+  name: terminal-table
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2'
 - !ruby/object:Gem::Dependency
   name: cfhighlander
   requirement: !ruby/object:Gem::Requirement
@@ -105,7 +125,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '2'
 - !ruby/object:Gem::Dependency
-  name: aws-sdk-ssm
+  name: aws-sdk-s3
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
@@ -193,13 +213,18 @@ files:
 - lib/cfnvpn/acm.rb
 - lib/cfnvpn/certificates.rb
 - lib/cfnvpn/cfhighlander.rb
+- lib/cfnvpn/client.rb
 - lib/cfnvpn/clientvpn.rb
 - lib/cfnvpn/cloudformation.rb
 - lib/cfnvpn/config.rb
 - lib/cfnvpn/init.rb
 - lib/cfnvpn/log.rb
 - lib/cfnvpn/modify.rb
-- lib/cfnvpn/ssm.rb
+- lib/cfnvpn/revoke.rb
+- lib/cfnvpn/routes.rb
+- lib/cfnvpn/s3.rb
+- lib/cfnvpn/sessions.rb
+- lib/cfnvpn/share.rb
 - lib/cfnvpn/templates/cfnvpn.cfhighlander.rb.tt
 - lib/cfnvpn/version.rb
 homepage: https://github.com/base2services/aws-client-vpn

data/lib/cfnvpn/ssm.rb DELETED Viewed

@@ -1,50 +0,0 @@
-require 'aws-sdk-ssm'
-require 'fileutils'
-require 'cfnvpn/log'
-module CfnVpn
-  class SSM
-    include CfnVpn::Log
-    def initialize(name,region,cert_dir)
-      @name = name
-      @cert_dir = cert_dir
-      @path_prefix = "/cfnvpn/#{@name}"
-      @client = Aws::SSM::Client.new(region: region)
-    end
-    def get_parameter(cert)
-      begin
-        resp = @client.get_parameter({
-          name: "#{@path_prefix}/#{cert}",
-          with_decryption: true
-        })
-      rescue Aws::SSM::Errors::ParameterNotFound
-        Log.logger.debug("Parameter #{@path_prefix}/#{cert} not found")
-        return false
-      end
-      Log.logger.debug("found parameter #{@path_prefix}/#{cert}")
-      return resp.parameter.value
-    end
-    def put_parameter(cert)
-      certificate = File.read("#{@cert_dir}/#{cert}")
-      Log.logger.debug("Reading certificate #{@cert_dir}/#{cert}")
-      ext = cert.split('.').last
-      @client.put_parameter({
-        name: "#{@path_prefix}/#{@name}.#{ext}",
-        description: "cfn-vpn #{@name} #{cert}",
-        value: certificate,
-        type: "SecureString",
-        overwrite: false,
-        tags: [
-          { key: "cfnvpn:name", value: @name },
-          { key: "cfnvpn:certificate", value: cert }
-        ],
-        tier: "Advanced",
-      })
-      Log.logger.info("Stored #{cert} in ssm parameter #{@path_prefix}/#{@name}.#{ext}")
-    end
-  end
-end