RubyGems - cfn-vpn - Versions diffs - 0.2.0 → 0.3.0 - Mend

cfn-vpn 0.2.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 14100a22fc434fa08bc329c9b37b3fd8c72a8b03825c0ae2ebbb8b008229711b
-  data.tar.gz: 72a211b53647c788bc149bca7c5c30d1f7ad6939f7c26573da4d483068fe2008
+  metadata.gz: eb761d025f597c4de716819ae68760c9852186b37505dc565f26c60fa4679788
+  data.tar.gz: 8347f65e8c83d6a4b579b2f5a3e5209e0c24e7e59971be79afcc75adf4ebc2ae
 SHA512:
-  metadata.gz: 23f99dfeda3e9508f75b3fd8af5aa2a16f9062d96ba4a6a1c12b8cde8517c42c9a76e8b99e20c790972529870c588ef9c966b23d30b7f587697c2315355eabe2
-  data.tar.gz: 86b27e631221e973769d2b61f98637a90e63b4c9fd4a463a540b0ee843c412bd66f3953fdb52cf96d488b4cf2c4ec60478936d978e606e1dd23413c3cc0a8f90
+  metadata.gz: 0e8bf02b14cde539575af2a00306aee0a582e0907db6b103520d001b02aab3daf5f4a331fc5fe4363829ef764771b210eacd4e72f526d16901d6cfe64a3c7607
+  data.tar.gz: 1cf6528468ccd43734549ef00f35238b76ae190691aceddc2e29aed5984cb98ea06e2a5ae66b46e19cad1048a107f1293a9aa877e9f624a15d8ec5cb07d012ad

data/Gemfile.lock CHANGED Viewed

@@ -1,20 +1,21 @@
 PATH
   remote: .
   specs:
-    cfn-vpn (0.1.0)
+    cfn-vpn (0.2.0)
       aws-sdk-acm (~> 1, < 2)
       aws-sdk-cloudformation (~> 1, < 2)
       aws-sdk-ec2 (~> 1.95, < 2)
-      aws-sdk-ssm (~> 1, < 2)
+      aws-sdk-s3 (~> 1, < 2)
       cfhighlander (~> 0.9, < 1)
       cfndsl (~> 0.17, < 1)
+      terminal-table (~> 1, < 2)
       thor (~> 0.20)
 GEM
   remote: https://rubygems.org/
   specs:
     aws-eventstream (1.0.3)
-    aws-partitions (1.176.0)
+    aws-partitions (1.180.0)
     aws-sdk-acm (1.23.0)
       aws-sdk-core (~> 3, >= 3.56.0)
       aws-sigv4 (~> 1.1)
@@ -26,7 +27,7 @@ GEM
       aws-partitions (~> 1.0)
       aws-sigv4 (~> 1.1)
       jmespath (~> 1.0)
-    aws-sdk-ec2 (1.95.0)
+    aws-sdk-ec2 (1.96.0)
       aws-sdk-core (~> 3, >= 3.56.0)
       aws-sigv4 (~> 1.1)
     aws-sdk-kms (1.22.0)
@@ -36,9 +37,6 @@ GEM
       aws-sdk-core (~> 3, >= 3.56.0)
       aws-sdk-kms (~> 1)
       aws-sigv4 (~> 1.1)
-    aws-sdk-ssm (1.50.0)
-      aws-sdk-core (~> 3, >= 3.56.0)
-      aws-sigv4 (~> 1.1)
     aws-sigv4 (1.1.0)
       aws-eventstream (~> 1.0, >= 1.0.2)
     cfhighlander (0.9.0)
@@ -61,7 +59,10 @@ GEM
     netaddr (1.5.1)
     rake (10.5.0)
     rubyzip (1.2.3)
+    terminal-table (1.8.0)
+      unicode-display_width (~> 1.1, >= 1.1.1)
     thor (0.20.3)
+    unicode-display_width (1.6.0)
 PLATFORMS
   ruby

data/README.md CHANGED Viewed

@@ -1,6 +1,6 @@
 # CfnVpn
-Manages the resources required to create a client vpn in AWS.
+Manages the resources required to create a [client vpn](https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/what-is.html) in AWS.
 Uses cloudformation to manage the state of the vpn resources.
 ## Installation
@@ -16,55 +16,152 @@ Install [docker](https://docs.docker.com/install/)
 Docker is required to generate the certificates required for the client vpn.
 The gem uses [openvpn/easy-rsa](https://github.com/OpenVPN/easy-rsa) project in [base2/aws-client-vpn](https://hub.docker.com/r/base2/aws-client-vpn) dokcer image.
+Setup your [AWS credentials](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) by either setting a profile or exporting them as environment variables.
 ## Usage
-### help
+```bash
+Commands:
+  cfn-vpn --version, -v                                                            # print the version
+  cfn-vpn client [name] --bucket=BUCKET --client-cn=CLIENT_CN                      # Create a new client certificate
+  cfn-vpn config [name] --bucket=BUCKET --client-cn=CLIENT_CN                      # Retrieve the config for the AWS Client VPN
+  cfn-vpn help [COMMAND]                                                           # Describe available commands or one specific command
+  cfn-vpn init [name] --bucket=BUCKET --server-cn=SERVER_CN --subnet-id=SUBNET_ID  # Create a AWS Client VPN
+  cfn-vpn modify [name]                                                            # Modify your AWS Client VPN
+  cfn-vpn revoke [name] --bucket=BUCKET --client-cn=CLIENT_CN                      # Revoke a client certificate
+  cfn-vpn routes [name]                                                            # List, add or delete client vpn routes
+  cfn-vpn sessions [name]                                                          # List and kill current vpn connections
+  cfn-vpn share [name] --bucket=BUCKET --client-cn=CLIENT_CN                       # Provide a user with a s3 signed download for certificates and config
+```
-Displays all possible commands
+Global options
 ```bash
-Commands:
-  cfn-vpn --version, -v                                            # print the version
-  cfn-vpn help [COMMAND]                                           # Describe available commands or one specific command
-  cfn-vpn init [name] --server-cn=SERVER_CN --subnet-id=SUBNET_ID  # Ciinabox configuration initialization
+p, [--profile=PROFILE]           # AWS Profile
+r, [--region=REGION]             # AWS Region
+                                 # Default: ENV['AWS_REGION']
+    [--verbose], [--no-verbose]  # set log level to debug
 ```
-### init
-Initialises a new client vpn and creates all required resources to get it running.
+### Create a new AWS Client VPN
-```bash
-Usage:
-  cfn-vpn init [name] --server-cn=SERVER_CN --subnet-id=SUBNET_ID
-Options:
-  p, [--profile=PROFILE]       # AWS Profile
-  r, [--region=REGION]         # AWS Region
-      --server-cn=SERVER_CN    # server certificate common name
-      [--client-cn=CLIENT_CN]  # client certificate common name
-      --subnet-id=SUBNET_ID    # subnet id to associate your vpn with
-      [--cidr=CIDR]            # cidr from which to assign client IP addresses
-                               # Default: 10.250.0.0/16
-Ciinabox configuration initialization
+This will create a new client vpn endpoint, associates it with a subnet and sets up a route to the internet.
+During this process a new CA and certificate and keys are generated using [openvpn/easy-rsa](https://github.com/OpenVPN/easy-rsa) and uploaded to ACM.
+These keys are bundled in a tar and stored encrypted in your provided s3 bucket.
+`cfn-vpn init myvpn --bucket mybucket --server-cn myvpn.domain.tld --subnet-id subnet-123456ab`
+### Create a new client
+This will generate a new client certificate and key against the CA generated in the `init`.
+It will be bundled into a tar and stored encrypted in your provided s3 bucket.
+`cfn-vpn client myvpn --client-cn user1 --bucket mybucket`
+### Revoke a client
+This will revoke the client certificate and apply to the client VPN endpoint.
+Note this wont terminate the session but will stop the client from reconnecting using the certificate.
+`cfn-vpn revoke myvpn --client-cn user1 --bucket mybucket`
+### Download the config file
+This will download the client certificate bundle from s3 and the Client VPN config file from the endpoint.
+The config will be modified to include the local path of the client cert and key.
+`cfn-vpn config myvpn --client-cn user1 --bucket mybucket`
+*Optional:*
+`--ignore-routes` By deafult AWS Client VPN will push all routes from your local through the VPN connection. Select this flag to only push routes specified in the Client VPN route table.
+### Modify the Client VPN config
+This will modify some attributes of the client vpn endpoint.
+`cfn-vpn config myvpn --dns-servers 8.8.8.8,8.8.4.4`
+*Optional:*
+`--dns-servers` Change the DNS servers pushed by the VPN.
+`--subnet-id` Change the associated subnet.
+`--cidr` Change the Client CIDR range.
+### Share client certificates with a user
+This will generate a presigned url for the client's certificate and config file to allow them to download them to their local computer.
+`cfn-vpn share myvpn --client-cn user1 --bucket mybucket`
+You can then share the output with your user
+```
+Download the certificates and config from the bellow presigned URLs which will expire in 1 hour.
+Certificate:
+<presigned url>
+Config:
+<presigned url>
+Extract the certificates from the tar and place into a safe location.
+	tar xzfv user1.tar.gz -C <path>
+Modify base2-ciinabox.config.ovpn to include the full location of your extracted certificates
+	echo "key /<path>/user1.key" >> myvpn.config.ovpn
+	echo "cert /<path>/user1.crt" >> myvpn.config.ovpn
+Open myvpn.config.ovpn with your favourite openvpn client.
 ```
-### config
-Downloads the opvn config file for the client vpn
+### Show and Kill Current Connections
+This is show a table of current connections on the vpn. You can then kill sessions by using the connection id.
 ```bash
-Usage:
-  cfn-vpn config [name]
+$ cfn-vpn sessions myvpn
++-------------+---------------------+--------+-------------+-----------------------------------+---------------+--------------+
+| Common Name | Connected (UTC)     | Status | IP Address  | Connection ID                     | Ingress Bytes | Egress Bytes |
++-------------+---------------------+--------+-------------+-----------------------------------+---------------+--------------+
+| user1       | 2019-06-28 04:58:19 | active | 10.250.0.98 | cvpn-connection-05bcc579cb3fdf9a3 | 3000          | 2679         |
++-------------+---------------------+--------+-------------+-----------------------------------+---------------+--------------+
+```
+Specify the `--kill` flag with the connection id to kill the session.
+`cfn-vpn sessions myvpn --kill cvpn-connection-05bcc579cb3fdf9a3`
+### Show, Add and Remove Routes
-Options:
-  [--profile=PROFILE]  # AWS Profile
-  [--region=REGION]    # AWS Region
-                       # Default: ap-southeast-2
+This will display the route table from the Client VPN.
-Ciinabox configuration initialization
+```bash
++---------------+-----------------------+--------+-----------------+------+-----------+
+| Route         | Description           | Status | Target          | Type | Origin    |
++---------------+-----------------------+--------+-----------------+------+-----------+
+| 10.0.0.0/16   | Default Route         | active | subnet-123456ab | Nat  | associate |
+| 0.0.0.0/0     | Route to the internet | active | subnet-123456ab | Nat  | add-route |
++---------------+-----------------------+--------+-----------------+------+-----------+
 ```
+to add a new route specify the `--add` flag with the cidr and a description with the `--desc` flag.
+`cfn-vpn routes myvpn --add 10.10.0.0/16 --desc "route to peered vpc"`
+to delete a route specify the `--del` flag with the cidr you want to delete.
+`cfn-vpn routes myvpn --del 10.10.0.0/16`
 ## Contributing
 Bug reports and pull requests are welcome on GitHub at https://github.com/base2services/aws-client-vpn.

data/cfn-vpn.gemspec CHANGED Viewed

@@ -36,11 +36,12 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
   spec.add_dependency "thor", "~> 0.20"
+  spec.add_dependency "terminal-table", '~> 1', '<2'
   spec.add_dependency 'cfhighlander', '~> 0.9', '<1'
   spec.add_dependency 'cfndsl', '~> 0.17', '<1'
   spec.add_runtime_dependency 'aws-sdk-ec2', '~> 1.95', '<2'
   spec.add_runtime_dependency 'aws-sdk-acm', '~> 1', '<2'
-  spec.add_runtime_dependency 'aws-sdk-ssm', '~> 1', '<2'
+  spec.add_runtime_dependency 'aws-sdk-s3', '~> 1', '<2'
   spec.add_runtime_dependency 'aws-sdk-cloudformation', '~> 1', '<2'
   spec.add_development_dependency "bundler", "~> 2.0"

data/lib/cfnvpn.rb CHANGED Viewed

@@ -3,6 +3,11 @@ require 'cfnvpn/version'
 require 'cfnvpn/init'
 require 'cfnvpn/modify'
 require 'cfnvpn/config'
+require 'cfnvpn/client'
+require 'cfnvpn/revoke'
+require 'cfnvpn/sessions'
+require 'cfnvpn/routes'
+require 'cfnvpn/share'
 module CfnVpn
   class Cli < Thor
@@ -13,7 +18,6 @@ module CfnVpn
       puts CfnVpn::VERSION
     end
-    # Initializes ciinabox configuration
     register CfnVpn::Init, 'init', 'init [name]', 'Create a AWS Client VPN'
     tasks["init"].options = CfnVpn::Init.class_options
@@ -23,8 +27,20 @@ module CfnVpn
     register CfnVpn::Config, 'config', 'config [name]', 'Retrieve the config for the AWS Client VPN'
     tasks["config"].options = CfnVpn::Config.class_options
-  end
+    register CfnVpn::Client, 'client', 'client [name]', 'Create a new client certificate'
+    tasks["client"].options = CfnVpn::Client.class_options
+    register CfnVpn::Revoke, 'revoke', 'revoke [name]', 'Revoke a client certificate'
+    tasks["revoke"].options = CfnVpn::Revoke.class_options
+    register CfnVpn::Sessions, 'sessions', 'sessions [name]', 'List and kill current vpn connections'
+    tasks["sessions"].options = CfnVpn::Sessions.class_options
-  # Aws.config[:retry_limit] = if ENV.key? 'CFNVPN_AWS_RETRY_LIMIT' then (ENV['CFNVPN_AWS_RETRY_LIMIT'].to_i) else 10 end
+    register CfnVpn::Routes, 'routes', 'routes [name]', 'List, add or delete client vpn routes'
+    tasks["routes"].options = CfnVpn::Routes.class_options
+    register CfnVpn::Share, 'share', 'share [name]', 'Provide a user with a s3 signed download for certificates and config'
+    tasks["share"].options = CfnVpn::Share.class_options
+  end
 end

data/lib/cfnvpn/certificates.rb CHANGED Viewed

@@ -1,6 +1,6 @@
 require 'fileutils'
 require 'cfnvpn/acm'
-require 'cfnvpn/ssm'
+require 'cfnvpn/s3'
 require 'cfnvpn/log'
 module CfnVpn
@@ -11,16 +11,34 @@ module CfnVpn
       @cfnvpn_name = cfnvpn_name
       @config_dir = "#{build_dir}/config"
       @cert_dir = "#{build_dir}/certificates"
+      @docker_cmd = %w(docker run -it --rm)
+      @easyrsa_image = "base2/aws-client-vpn"
       FileUtils.mkdir_p(@cert_dir)
     end
-    def generate(server_cn,client_cn)
-      cmd = ["docker", "run", "-it", "--rm"]
-      cmd << "-e EASYRSA_REQ_CN=#{server_cn}"
-      cmd << "-e EASYRSA_CLIENT_CN=#{client_cn}"
-      cmd << "-v #{@cert_dir}:/easy-rsa/output"
-      cmd << "base2/aws-client-vpn:3.0.5"
-      return `#{cmd.join(' ')}`
+    def generate_ca(server_cn,client_cn)
+      @docker_cmd << "-e EASYRSA_REQ_CN=#{server_cn}"
+      @docker_cmd << "-e EASYRSA_CLIENT_CN=#{client_cn}"
+      @docker_cmd << "-v #{@cert_dir}:/easy-rsa/output"
+      @docker_cmd << @easyrsa_image
+      @docker_cmd << "sh -c 'create-ca'"
+      return `#{@docker_cmd.join(' ')}`
+    end
+    def generate_client(client_cn)
+      @docker_cmd << "-e EASYRSA_CLIENT_CN=#{client_cn}"
+      @docker_cmd << "-v #{@cert_dir}:/easy-rsa/output"
+      @docker_cmd << @easyrsa_image
+      @docker_cmd << "sh -c 'create-client'"
+      return `#{@docker_cmd.join(' ')}`
+    end
+    def revoke_client(client_cn)
+      @docker_cmd << "-e EASYRSA_CLIENT_CN=#{client_cn}"
+      @docker_cmd << "-v #{@cert_dir}:/easy-rsa/output"
+      @docker_cmd << @easyrsa_image
+      @docker_cmd << "sh -c 'revoke-client'"
+      return `#{@docker_cmd.join(' ')}`
     end
     def upload_certificates(region,cert,type,cn=nil)
@@ -32,23 +50,20 @@ module CfnVpn
       return arn
     end
-    def store_certificate(region,cert)
-      ssm = CfnVpn::SSM.new(@cfnvpn_name, region, @cert_dir)
-      ssm.put_parameter(cert)
+    def store_certificate(bucket,bundle)
+      s3 = CfnVpn::S3.new(@region,bucket,@name)
+      s3.store_object("#{@cert_dir}/#{bundle}")
+    end
+    def retrieve_certificate(bucket,bundle)
+      s3 = CfnVpn::S3.new(@region,bucket,@name)
+      s3.get_object("#{@cert_dir}/#{bundle}")
     end
-    def write_certificate(cert_body,name,force)
-      file = "#{@config_dir}/#{name}"
-      if File.file?(file)
-        if force
-          Log.logger.warn "overriding existing #{name}"
-          File.write(file, cert_body)
-        else
-          Log.logger.info "#{name} already exists"
-        end
-      else
-        File.write(file, cert_body)
-      end
+    def extract_certificate(client_cn)
+      tar = "#{@config_dir}/#{client_cn}.tar.gz"
+      `tar xzfv #{tar} -C #{@config_dir} --strip 2`
+      File.delete(tar) if File.exist?(tar)
     end
   end

data/lib/cfnvpn/client.rb ADDED Viewed

@@ -0,0 +1,42 @@
+require 'thor'
+require 'cfnvpn/log'
+require 'cfnvpn/s3'
+module CfnVpn
+  class Client < Thor::Group
+    include Thor::Actions
+    include CfnVpn::Log
+    argument :name
+    class_option :profile, aliases: :p, desc: 'AWS Profile'
+    class_option :region, aliases: :r, default: ENV['AWS_REGION'], desc: 'AWS Region'
+    class_option :verbose, desc: 'set log level to debug', type: :boolean
+    class_option :bucket, desc: 's3 bucket', required: true
+    class_option :client_cn, desc: 'client certificate common name', required: true
+    def self.source_root
+      File.dirname(__FILE__)
+    end
+    def set_loglevel
+      Log.logger.level = Logger::DEBUG if @options['verbose']
+    end
+    def set_directory
+      @build_dir = "#{ENV['HOME']}/.cfnvpn/#{@name}"
+      @cert_dir = "#{@build_dir}/certificates"
+    end
+    def create_certificate
+      s3 = CfnVpn::S3.new(@options['region'],@options['bucket'],@name)
+      s3.get_object("#{@cert_dir}/ca.tar.gz")
+      Log.logger.info "Generating new client certificate #{@options['client_cn']} using openvpn easy-rsa"
+      cert = CfnVpn::Certificates.new(@build_dir,@name)
+      Log.logger.debug cert.generate_client(@options['client_cn'])
+      s3.store_object("#{@cert_dir}/#{@options['client_cn']}.tar.gz")
+    end
+  end
+end

data/lib/cfnvpn/clientvpn.rb CHANGED Viewed

@@ -1,5 +1,6 @@
 require 'aws-sdk-ec2'
 require 'cfnvpn/log'
+require 'netaddr'
 module CfnVpn
   class ClientVpn
@@ -18,13 +19,17 @@ module CfnVpn
         Log.logger.error "unable to find endpoint with tag Key: cfnvpn:name with Value: #{@name}"
         raise "Unable to find client vpn"
       end
-      resp.client_vpn_endpoints.first
+      return resp.client_vpn_endpoints.first
     end
     def get_endpoint_id()
       return get_endpoint().client_vpn_endpoint_id
     end
+    def get_dns_servers()
+      return get_endpoint().dns_servers
+    end
     def get_config(endpoint_id)
       resp = @client.export_client_vpn_client_configuration({
         client_vpn_endpoint_id: endpoint_id
@@ -32,5 +37,118 @@ module CfnVpn
       return resp.client_configuration
     end
+    def get_rekove_list(endpoint_id)
+      resp = @client.export_client_vpn_client_certificate_revocation_list({
+        client_vpn_endpoint_id: endpoint_id
+      })
+      return resp.certificate_revocation_list
+    end
+    def put_revoke_list(endpoint_id,revoke_list)
+      list = File.read(revoke_list)
+      @client.import_client_vpn_client_certificate_revocation_list({
+        client_vpn_endpoint_id: endpoint_id,
+        certificate_revocation_list: list
+      })
+    end
+    def get_sessions(endpoint_id)
+      params = {
+        client_vpn_endpoint_id: endpoint_id,
+        max_results: 20
+      }
+      resp = @client.describe_client_vpn_connections(params)
+      return resp.connections
+    end
+    def kill_session(endpoint_id, connection_id)
+      @client.terminate_client_vpn_connections({
+        client_vpn_endpoint_id: endpoint_id,
+        connection_id: connection_id
+      })
+    end
+    def get_target_networks(endpoint_id)
+      resp = @client.describe_client_vpn_target_networks({
+        client_vpn_endpoint_id: endpoint_id
+      })
+      return resp.client_vpn_target_networks.first
+    end
+    def add_route(cidr,description)
+      endpoint_id = get_endpoint_id()
+      subnet_id = get_target_networks(endpoint_id).target_network_id
+      @client.create_client_vpn_route({
+        client_vpn_endpoint_id: endpoint_id,
+        destination_cidr_block: cidr,
+        target_vpc_subnet_id: subnet_id,
+        description: description
+      })
+      resp = @client.authorize_client_vpn_ingress({
+        client_vpn_endpoint_id: endpoint_id,
+        target_network_cidr: cidr,
+        authorize_all_groups: true,
+        description: description
+      })
+      return resp.status
+    end
+    def del_route(cidr)
+      endpoint_id = get_endpoint_id()
+      subnet_id = get_target_networks(endpoint_id).target_network_id
+      revoke = @client.revoke_client_vpn_ingress({
+        revoke_all_groups: true,
+        client_vpn_endpoint_id: endpoint_id,
+        target_network_cidr: cidr
+      })
+      route = @client.delete_client_vpn_route({
+        client_vpn_endpoint_id: endpoint_id,
+        target_vpc_subnet_id: subnet_id,
+        destination_cidr_block: cidr
+      })
+      return route.status, revoke.status
+    end
+    def get_routes()
+      endpoint_id = get_endpoint_id()
+      resp = @client.describe_client_vpn_routes({
+        client_vpn_endpoint_id: endpoint_id,
+        max_results: 20
+      })
+      return resp.routes
+    end
+    def route_exists?(cidr)
+      routes = get_routes()
+      resp = routes.select { |route| route if route.destination_cidr == cidr }
+      return resp.any?
+    end
+    def get_routes()
+      endpoint_id = get_endpoint_id()
+      resp = @client.describe_client_vpn_routes({
+        client_vpn_endpoint_id: endpoint_id,
+        max_results: 20
+      })
+      return resp.routes
+    end
+    def get_route_with_mask()
+      routes = get_routes()
+      routes
+        .select { |r| r if r.destination_cidr != '0.0.0.0/0' }
+        .collect { |r| { route: r.destination_cidr.split('/').first, mask: NetAddr::CIDR.create(r.destination_cidr).wildcard_mask }}
+    end
+    def valid_cidr?(cidr)
+      return !(cidr =~ /^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))?$/).nil?
+    end
   end
 end

data/lib/cfnvpn/config.rb CHANGED Viewed

@@ -1,5 +1,4 @@
 require 'cfnvpn/clientvpn'
-require 'cfnvpn/ssm'
 require 'cfnvpn/log'
 module CfnVpn
@@ -12,9 +11,10 @@ module CfnVpn
     class_option :profile, desc: 'AWS Profile'
     class_option :region, default: ENV['AWS_REGION'], desc: 'AWS Region'
     class_option :verbose, desc: 'set log level to debug', type: :boolean
+    class_option :bucket, required: true, desc: 's3 bucket'
+    class_option :client_cn, required: true, desc: "client certificates to download"
-    class_option :key_path, required: true, desc: 'full file path to the client vpn key'
-    class_option :crt_path, required: true, desc: 'full file path to the client vpn certificate'
+    class_option :ignore_routes, alias: :i, type: :boolean, desc: "Ignore client VPN pushed routes and set routes in config file"
     def self.source_root
       File.dirname(__FILE__)
@@ -25,8 +25,8 @@ module CfnVpn
     end
     def create_config_directory
-      @home_dir = "#{ENV['HOME']}/.cfnvpn/#{@name}"
-      @config_dir = "#{@home_dir}/config"
+      @build_dir = "#{ENV['HOME']}/.cfnvpn/#{@name}"
+      @config_dir = "#{@build_dir}/config"
       Log.logger.debug("Creating config directory #{@config_dir}")
       FileUtils.mkdir_p(@config_dir)
     end
@@ -38,11 +38,44 @@ module CfnVpn
       @config = vpn.get_config(@endpoint_id)
     end
+    def download_certificates
+      download = true
+      if File.exists?("#{@config_dir}/#{@options['client_cn']}.crt")
+        download = yes? "Certificates for #{@options['client_cn']} already exist in #{@config_dir}. Do you want to download again? ", :green
+      end
+      if download
+        Log.logger.info "Downloading certificates for #{@options['client_cn']} to #{@config_dir}"
+        s3 = CfnVpn::S3.new(@options['region'],@options['bucket'],@name)
+        s3.get_object("#{@config_dir}/#{@options['client_cn']}.tar.gz")
+        cert = CfnVpn::Certificates.new(@build_dir,@name)
+        Log.logger.debug cert.extract_certificate(@options['client_cn'])
+      end
+    end
     def alter_config
       string = (0...8).map { (65 + rand(26)).chr.downcase }.join
       @config.sub!(@endpoint_id, "#{string}.#{@endpoint_id}")
-      @config.concat("\n\ncert #{@options['crt_path']}")
-      @config.concat("\nkey #{@options['key_path']}\n")
+      @config.concat("\n\ncert #{@config_dir}/#{@options['client_cn']}.crt")
+      @config.concat("\nkey #{@config_dir}/#{@options['client_cn']}.key\n")
+    end
+    def add_routes
+      if @options['ignore_routes']
+        Log.logger.debug "Ignoring routes pushed by the client vpn"
+        @config.concat("\nroute-nopull\n")
+        vpn = CfnVpn::ClientVpn.new(@name,@options['region'])
+        routes = vpn.get_route_with_mask
+        Log.logger.debug "Found routes #{routes}"
+        routes.each do |r|
+          @config.concat("route #{r[:route]} #{r[:mask]}\n")
+        end
+        dns_servers = vpn.get_dns_servers()
+        if dns_servers.any?
+          Log.logger.debug "Found DNS servers #{dns_servers.join(' ')}"
+          @config.concat("dhcp-option DNS #{dns_servers.first}\n")
+        end
+      end
     end
     def write_config

data/lib/cfnvpn/init.rb CHANGED Viewed

@@ -20,6 +20,7 @@ module CfnVpn
     class_option :server_cn, required: true, desc: 'server certificate common name'
     class_option :client_cn, desc: 'client certificate common name'
+    class_option :bucket, required: true, desc: 's3 bucket'
     class_option :subnet_id, required: true, desc: 'subnet id to associate your vpn with'
     class_option :cidr, default: '10.250.0.0/16', desc: 'cidr from which to assign client IP addresses'
@@ -61,14 +62,16 @@ module CfnVpn
     def generate_server_certificates
       Log.logger.info "Generating certificates using openvpn easy-rsa"
       cert = CfnVpn::Certificates.new(@build_dir,@name)
-      @client_cn = @options['client_cn'] ? @options['client_cn'] : "#{@name}.#{@options['server_cn']}"
-      Log.logger.debug cert.generate(@options['server_cn'],@client_cn)
+      @client_cn = @options['client_cn'] ? @options['client_cn'] : "client-vpn.#{@options['server_cn']}"
+      Log.logger.debug cert.generate_ca(@options['server_cn'],@client_cn)
     end
     def upload_certificates
       cert = CfnVpn::Certificates.new(@build_dir,@name)
       @config['parameters']['ServerCertificateArn'] = cert.upload_certificates(@options['region'],'server','server',@options['server_cn'])
       @config['parameters']['ClientCertificateArn'] = cert.upload_certificates(@options['region'],@client_cn,'client')
+      s3 = CfnVpn::S3.new(@options['region'],@options['bucket'],@name)
+      s3.store_object("#{@build_dir}/certificates/ca.tar.gz")
     end
     def deploy_vpn

data/lib/cfnvpn/revoke.rb ADDED Viewed

@@ -0,0 +1,49 @@
+require 'thor'
+require 'cfnvpn/log'
+require 'cfnvpn/s3'
+module CfnVpn
+  class Revoke < Thor::Group
+    include Thor::Actions
+    include CfnVpn::Log
+    argument :name
+    class_option :profile, aliases: :p, desc: 'AWS Profile'
+    class_option :region, aliases: :r, default: ENV['AWS_REGION'], desc: 'AWS Region'
+    class_option :verbose, desc: 'set log level to debug', type: :boolean
+    class_option :bucket, desc: 's3 bucket', required: true
+    class_option :client_cn, desc: 'client certificate common name', required: true
+    def self.source_root
+      File.dirname(__FILE__)
+    end
+    def set_loglevel
+      Log.logger.level = Logger::DEBUG if @options['verbose']
+    end
+    def set_directory
+      @build_dir = "#{ENV['HOME']}/.cfnvpn/#{@name}"
+      @cert_dir = "#{@build_dir}/certificates"
+    end
+    def revoke_certificate
+      cert = CfnVpn::Certificates.new(@build_dir,@name)
+      s3 = CfnVpn::S3.new(@options['region'],@options['bucket'],@name)
+      s3.get_object("#{@cert_dir}/ca.tar.gz")
+      s3.get_object("#{@cert_dir}/#{@options['client_cn']}.tar.gz")
+      Log.logger.info "Generating new client certificate #{@options['client_cn']} using openvpn easy-rsa"
+      Log.logger.debug cert.revoke_client(@options['client_cn'])
+    end
+    def apply_rekocation_list
+      vpn = CfnVpn::ClientVpn.new(@name,@options['region'])
+      endpoint_id = vpn.get_endpoint_id()
+      vpn.put_revoke_list(endpoint_id,"#{@cert_dir}/crl.pem")
+      Log.logger.info("revoked client #{@options['client_cn']} from #{endpoint_id}")
+    end
+  end
+end

data/lib/cfnvpn/routes.rb ADDED Viewed

@@ -0,0 +1,83 @@
+require 'thor'
+require 'cfnvpn/log'
+require 'cfnvpn/s3'
+module CfnVpn
+  class Routes < Thor::Group
+    include Thor::Actions
+    include CfnVpn::Log
+    argument :name
+    class_option :profile, aliases: :p, desc: 'AWS Profile'
+    class_option :region, aliases: :r, default: ENV['AWS_REGION'], desc: 'AWS Region'
+    class_option :verbose, desc: 'set log level to debug', type: :boolean
+    class_option :add, desc: 'add cidr to route through the client vpn'
+    class_option :del, desc: 'delete cidr route from the client vpn'
+    class_option :desc, desc: 'description of the route'
+    def self.source_root
+      File.dirname(__FILE__)
+    end
+    def set_loglevel
+      Log.logger.level = Logger::DEBUG if @options['verbose']
+    end
+    def set_directory
+      @build_dir = "#{ENV['HOME']}/.cfnvpn/#{@name}"
+    end
+    def add_route
+      if !@options['add'].nil?
+        if @options['desc'].nil?
+          Log.logger.error "--desc option must be provided if adding a new route"
+          exit 1
+        end
+        vpn = CfnVpn::ClientVpn.new(@name,@options['region'])
+        if vpn.route_exists?(@options['add'])
+          Log.logger.error "route #{@options['add']} already exists in the client vpn"
+          exit 1
+        end
+        Log.logger.info "Adding new route for #{@options['add']}"
+        vpn.add_route(@options['add'],@options['desc'])
+      end
+    end
+    def del_route
+      if !@options['del'].nil?
+        vpn = CfnVpn::ClientVpn.new(@name,@options['region'])
+        if !vpn.route_exists?(@options['del'])
+          Log.logger.error "route #{@options['del']} doesn't exist in the client vpn"
+          exit 1
+        end
+        delete = yes? "Delete route #{@options['del']}?", :yellow
+        if delete
+          Log.logger.info "Deleting route for #{@options['del']}"
+          vpn.del_route(@options['del'])
+        end
+      end
+    end
+    def get_routes
+      vpn = CfnVpn::ClientVpn.new(@name,@options['region'])
+      @routes = vpn.get_routes()
+    end
+    def display_routes
+      rows = @routes.collect do |s|
+        [ s.destination_cidr, s.description, s.status.code, s.target_subnet, s.type, s.origin ]
+      end
+      table = Terminal::Table.new(
+        :headings => ['Route', 'Description', 'Status', 'Target', 'Type', 'Origin'],
+        :rows => rows)
+      puts table
+    end
+  end
+end

data/lib/cfnvpn/s3.rb ADDED Viewed

@@ -0,0 +1,57 @@
+require 'aws-sdk-s3'
+require 'fileutils'
+module CfnVpn
+  class S3
+    def initialize(region, bucket, name)
+      @client = Aws::S3::Client.new(region: region)
+      @bucket = bucket
+      @name = name
+      @path = "cfnvpn/certificates/#{@name}"
+    end
+    def store_object(file)
+      body = File.open(file, 'rb').read
+      file_name = file.split('/').last
+      Log.logger.debug("uploading #{file} to s3://#{@bucket}/#{@path}/#{file_name}")
+      @client.put_object({
+        body: body,
+        bucket: @bucket,
+        key: "#{@path}/#{file_name}",
+        server_side_encryption: "AES256",
+        tagging: "cfnvpn:name=#{@name}"
+      })
+    end
+    def get_object(file)
+      file_name = file.split('/').last
+      Log.logger.debug("downloading s3://#{@bucket}/#{@path}/#{file_name} to #{file}")
+      @client.get_object(
+        response_target: file,
+        bucket: @bucket,
+        key: "#{@path}/#{file_name}")
+    end
+    def store_config(config)
+      Log.logger.debug("uploading config to s3://#{@bucket}/#{@path}/#{@name}.config.ovpn")
+      @client.put_object({
+        body: config,
+        bucket: @bucket,
+        key: "#{@path}/#{@name}.config.ovpn",
+        tagging: "cfnvpn:name=#{@name}"
+      })
+    end
+    def get_url(file)
+      presigner = Aws::S3::Presigner.new(client: @client)
+      params = {
+        bucket: @bucket,
+        key: "#{@path}/#{file}",
+        expires_in: 3600
+      }
+      presigner.presigned_url(:get_object, params)
+    end
+  end
+end

data/lib/cfnvpn/sessions.rb ADDED Viewed

@@ -0,0 +1,64 @@
+require 'thor'
+require 'terminal-table'
+require 'cfnvpn/log'
+require 'cfnvpn/clientvpn'
+module CfnVpn
+  class Sessions < Thor::Group
+    include Thor::Actions
+    include CfnVpn::Log
+    argument :name
+    class_option :profile, aliases: :p, desc: 'AWS Profile'
+    class_option :region, aliases: :r, default: ENV['AWS_REGION'], desc: 'AWS Region'
+    class_option :verbose, desc: 'set log level to debug', type: :boolean
+    class_option :kill, desc: 'connection id to kill the connection'
+    def self.source_root
+      File.dirname(__FILE__)
+    end
+    def set_loglevel
+      Log.logger.level = Logger::DEBUG if @options['verbose']
+    end
+    def set_directory
+      @build_dir = "#{ENV['HOME']}/.cfnvpn/#{@name}"
+    end
+    def get_endpoint
+      @vpn = CfnVpn::ClientVpn.new(@name,@options['region'])
+      @endpoint_id = @vpn.get_endpoint_id()
+    end
+    def kill_session
+      if !@options['kill'].nil?
+        sessions = @vpn.get_sessions(@endpoint_id)
+        session = sessions.select { |s| s if s.connection_id  == @options['kill'] }.first
+        if session.any? && session.status.code == "active"
+          terminate = yes? "Terminate connection #{@options['kill']} for #{session.common_name}?", :yellow
+          if terminate
+            Log.logger.info "Terminating connection #{@options['kill']} for #{session.common_name}"
+            @vpn.kill_session(@endpoint_id,@options['kill'])
+          end
+        else
+          Log.logger.error "Connection id #{@options['kill']} doesn't exist or is not active"
+        end
+      end
+    end
+    def display_sessions
+      sessions = @vpn.get_sessions(@endpoint_id)
+      rows = sessions.collect do |s|
+        [ s.common_name, s.connection_established_time, s.status.code, s.client_ip, s.connection_id, s.ingress_bytes, s.egress_bytes ]
+      end
+      table = Terminal::Table.new(
+        :headings => ['Common Name', 'Connected (UTC)', 'Status', 'IP Address', 'Connection ID', 'Ingress Bytes', 'Egress Bytes'],
+        :rows => rows)
+      puts table
+    end
+  end
+end

data/lib/cfnvpn/share.rb ADDED Viewed

@@ -0,0 +1,85 @@
+require 'cfnvpn/log'
+require 'cfnvpn/s3'
+module CfnVpn
+  class Share < Thor::Group
+    include Thor::Actions
+    include CfnVpn::Log
+    argument :name
+    class_option :profile, desc: 'AWS Profile'
+    class_option :region, default: ENV['AWS_REGION'], desc: 'AWS Region'
+    class_option :verbose, desc: 'set log level to debug', type: :boolean
+    class_option :bucket, required: true, desc: 's3 bucket'
+    class_option :client_cn, required: true, desc: "client certificates to download"
+    class_option :ignore_routes, alias: :i, type: :boolean, desc: "Ignore client VPN pushed routes and set routes in config file"
+    def self.source_root
+      File.dirname(__FILE__)
+    end
+    def set_loglevel
+      Log.logger.level = Logger::DEBUG if @options['verbose']
+    end
+    def copy_config_to_s3
+      vpn = CfnVpn::ClientVpn.new(@name,@options['region'])
+      @endpoint_id = vpn.get_endpoint_id()
+      Log.logger.debug "downloading client config for #{@endpoint_id}"
+      @config = vpn.get_config(@endpoint_id)
+      string = (0...8).map { (65 + rand(26)).chr.downcase }.join
+      @config.sub!(@endpoint_id, "#{string}.#{@endpoint_id}")
+    end
+    def add_routes
+      if @options['ignore_routes']
+        Log.logger.debug "Ignoring routes pushed by the client vpn"
+        @config.concat("\nroute-nopull\n")
+        vpn = CfnVpn::ClientVpn.new(@name,@options['region'])
+        routes = vpn.get_route_with_mask
+        Log.logger.debug "Found routes #{routes}"
+        routes.each do |r|
+          @config.concat("route #{r[:route]} #{r[:mask]}\n")
+        end
+        dns_servers = vpn.get_dns_servers()
+        if dns_servers.any?
+          Log.logger.debug "Found DNS servers #{dns_servers.join(' ')}"
+          @config.concat("dhcp-option DNS #{dns_servers.first}\n")
+        end
+      end
+    end
+    def upload_config
+      @s3 = CfnVpn::S3.new(@options['region'],@options['bucket'],@name)
+      @s3.store_config(@config)
+    end
+    def get_certificate_url
+      @certificate_url = @s3.get_url("#{@options['client_cn']}.tar.gz")
+      Log.logger.debug "Certificate presigned url: #{@certificate_url}"
+    end
+    def get_config_url
+      @config_url = @s3.get_url("#{@name}.config.ovpn")
+      Log.logger.debug "Config presigned url: #{@config_url}"
+    end
+    def display_instructions
+      Log.logger.info "Share the bellow instruction with the user..."
+      say "\nDownload the certificates and config from the bellow presigned URLs which will expire in 1 hour."
+      say "\nCertificate:"
+      say "\tcurl #{@certificate_url} > #{@options['client_cn']}.tar.gz", :cyan
+      say "\nConfig:\n"
+      say "\tcurl #{@certificate_url} > #{@name}.config.ovpn", :cyan
+      say "\nExtract the certificates from the tar and place into a safe location."
+      say "\ttar xzfv #{@options['client_cn']}.tar.gz -C <path> --strip 2", :cyan
+      say "\nModify #{@name}.config.ovpn to include the full location of your extracted certificates"
+      say "\techo \"key /<path>/#{@options['client_cn']}.key\" >> #{@name}.config.ovpn", :cyan
+      say "\techo \"cert /<path>/#{@options['client_cn']}.crt\" >> #{@name}.config.ovpn", :cyan
+      say "\nOpen #{@name}.config.ovpn with your favourite openvpn client."
+    end
+  end
+end

data/lib/cfnvpn/version.rb CHANGED Viewed

@@ -1,4 +1,4 @@
 module CfnVpn
-  VERSION = "0.2.0".freeze
+  VERSION = "0.3.0".freeze
   CHANGE_SET_VERSION = VERSION.gsub('.', '-').freeze
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-vpn
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.3.0
 platform: ruby
 authors:
 - Guslington
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2019-06-27 00:00:00.000000000 Z
+date: 2019-06-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor
@@ -24,6 +24,26 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '0.20'
+- !ruby/object:Gem::Dependency
+  name: terminal-table
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1'
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '2'
 - !ruby/object:Gem::Dependency
   name: cfhighlander
   requirement: !ruby/object:Gem::Requirement
@@ -105,7 +125,7 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '2'
 - !ruby/object:Gem::Dependency
-  name: aws-sdk-ssm
+  name: aws-sdk-s3
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
@@ -193,13 +213,18 @@ files:
 - lib/cfnvpn/acm.rb
 - lib/cfnvpn/certificates.rb
 - lib/cfnvpn/cfhighlander.rb
+- lib/cfnvpn/client.rb
 - lib/cfnvpn/clientvpn.rb
 - lib/cfnvpn/cloudformation.rb
 - lib/cfnvpn/config.rb
 - lib/cfnvpn/init.rb
 - lib/cfnvpn/log.rb
 - lib/cfnvpn/modify.rb
-- lib/cfnvpn/ssm.rb
+- lib/cfnvpn/revoke.rb
+- lib/cfnvpn/routes.rb
+- lib/cfnvpn/s3.rb
+- lib/cfnvpn/sessions.rb
+- lib/cfnvpn/share.rb
 - lib/cfnvpn/templates/cfnvpn.cfhighlander.rb.tt
 - lib/cfnvpn/version.rb
 homepage: https://github.com/base2services/aws-client-vpn

data/lib/cfnvpn/ssm.rb DELETED Viewed

@@ -1,50 +0,0 @@
-require 'aws-sdk-ssm'
-require 'fileutils'
-require 'cfnvpn/log'
-module CfnVpn
-  class SSM
-    include CfnVpn::Log
-    def initialize(name,region,cert_dir)
-      @name = name
-      @cert_dir = cert_dir
-      @path_prefix = "/cfnvpn/#{@name}"
-      @client = Aws::SSM::Client.new(region: region)
-    end
-    def get_parameter(cert)
-      begin
-        resp = @client.get_parameter({
-          name: "#{@path_prefix}/#{cert}",
-          with_decryption: true
-        })
-      rescue Aws::SSM::Errors::ParameterNotFound
-        Log.logger.debug("Parameter #{@path_prefix}/#{cert} not found")
-        return false
-      end
-      Log.logger.debug("found parameter #{@path_prefix}/#{cert}")
-      return resp.parameter.value
-    end
-    def put_parameter(cert)
-      certificate = File.read("#{@cert_dir}/#{cert}")
-      Log.logger.debug("Reading certificate #{@cert_dir}/#{cert}")
-      ext = cert.split('.').last
-      @client.put_parameter({
-        name: "#{@path_prefix}/#{@name}.#{ext}",
-        description: "cfn-vpn #{@name} #{cert}",
-        value: certificate,
-        type: "SecureString",
-        overwrite: false,
-        tags: [
-          { key: "cfnvpn:name", value: @name },
-          { key: "cfnvpn:certificate", value: cert }
-        ],
-        tier: "Advanced",
-      })
-      Log.logger.info("Stored #{cert} in ssm parameter #{@path_prefix}/#{@name}.#{ext}")
-    end
-  end
-end