cfn-vpn 0.3.0 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: eb761d025f597c4de716819ae68760c9852186b37505dc565f26c60fa4679788
-  data.tar.gz: 8347f65e8c83d6a4b579b2f5a3e5209e0c24e7e59971be79afcc75adf4ebc2ae
+  metadata.gz: fc2272c2d2579de34fa1ae63db688ae1ae2a91ea2345004e3dac0a1aa992bfa7
+  data.tar.gz: e570c13a3af81fc161bf01c18bbad24498bff8620527994a1b43846f9b25732d
 SHA512:
-  metadata.gz: 0e8bf02b14cde539575af2a00306aee0a582e0907db6b103520d001b02aab3daf5f4a331fc5fe4363829ef764771b210eacd4e72f526d16901d6cfe64a3c7607
-  data.tar.gz: 1cf6528468ccd43734549ef00f35238b76ae190691aceddc2e29aed5984cb98ea06e2a5ae66b46e19cad1048a107f1293a9aa877e9f624a15d8ec5cb07d012ad
+  metadata.gz: 7a447e1385f39c171e7f5a16c5af5e913855d52fb1f1838220dd00e96c954cfd5258707c9dd389b256aaaf4a776fca5d9bf72cd39870b92cd0d02297ccc9568b
+  data.tar.gz: 52f82b3f55c856542e6c431613f64f6bae9d9b69378a84042c759da3cb620ee270f0cdd067b49e7564a1ebc490249896941db829a6836570af246c5a8278a911

data/Gemfile.lock

@@ -15,50 +15,48 @@ GEM
   remote: https://rubygems.org/
   specs:
     aws-eventstream (1.0.3)
-    aws-partitions (1.180.0)
+    aws-partitions (1.253.0)
     aws-sdk-acm (1.23.0)
       aws-sdk-core (~> 3, >= 3.56.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-cloudformation (1.23.0)
-      aws-sdk-core (~> 3, >= 3.56.0)
+    aws-sdk-cloudformation (1.29.0)
+      aws-sdk-core (~> 3, >= 3.71.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-core (3.56.0)
+    aws-sdk-core (3.85.1)
       aws-eventstream (~> 1.0, >= 1.0.2)
-      aws-partitions (~> 1.0)
+      aws-partitions (~> 1, >= 1.239.0)
       aws-sigv4 (~> 1.1)
       jmespath (~> 1.0)
-    aws-sdk-ec2 (1.96.0)
-      aws-sdk-core (~> 3, >= 3.56.0)
+    aws-sdk-ec2 (1.124.0)
+      aws-sdk-core (~> 3, >= 3.71.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-kms (1.22.0)
-      aws-sdk-core (~> 3, >= 3.56.0)
+    aws-sdk-kms (1.27.0)
+      aws-sdk-core (~> 3, >= 3.71.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.43.0)
-      aws-sdk-core (~> 3, >= 3.56.0)
+    aws-sdk-s3 (1.59.0)
+      aws-sdk-core (~> 3, >= 3.83.0)
       aws-sdk-kms (~> 1)
       aws-sigv4 (~> 1.1)
     aws-sigv4 (1.1.0)
       aws-eventstream (~> 1.0, >= 1.0.2)
-    cfhighlander (0.9.0)
+    cfhighlander (0.10.7)
       aws-sdk-cloudformation (~> 1, < 2)
       aws-sdk-core (~> 3, < 4)
       aws-sdk-ec2 (~> 1, < 2)
       aws-sdk-s3 (~> 1, < 2)
-      cfndsl (~> 0.16, < 1)
+      cfndsl (= 0.17.2)
       duplicate (~> 1.1)
       git (~> 1.4, < 2)
       highline (>= 1.7.10, < 1.8)
-      netaddr (~> 1.5, >= 1.5.1)
-      rubyzip (>= 1.2.1, < 2)
+      rubyzip (>= 2.0.0, < 3)
       thor (~> 0.20, < 1)
-    cfndsl (0.17.0)
+    cfndsl (0.17.2)
     duplicate (1.1.1)
     git (1.5.0)
     highline (1.7.10)
     jmespath (1.4.0)
-    netaddr (1.5.1)
     rake (10.5.0)
-    rubyzip (1.2.3)
+    rubyzip (2.0.0)
     terminal-table (1.8.0)
       unicode-display_width (~> 1.1, >= 1.1.1)
     thor (0.20.3)

data/README.md

@@ -3,6 +3,11 @@
 Manages the resources required to create a [client vpn](https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/what-is.html) in AWS.
 Uses cloudformation to manage the state of the vpn resources.
 
+## Platforms
+
+- osx
+- linux
+
 ## Installation
 
 Install `cfn-vpn` gem
@@ -14,10 +19,49 @@ gem install cfn-vpn
 Install [docker](https://docs.docker.com/install/)
 
 Docker is required to generate the certificates required for the client vpn.
-The gem uses [openvpn/easy-rsa](https://github.com/OpenVPN/easy-rsa) project in [base2/aws-client-vpn](https://hub.docker.com/r/base2/aws-client-vpn) dokcer image.
+The gem uses [openvpn/easy-rsa](https://github.com/OpenVPN/easy-rsa) project in [base2/aws-client-vpn](https://hub.docker.com/r/base2/aws-client-vpn) docker image. [repo](https://github.com/base2Services/ciinabox-containers/tree/master/easy-rsa)
 
 Setup your [AWS credentials](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html) by either setting a profile or exporting them as environment variables.
 
+```bash
+export AWS_ACCESS_KEY_ID="XXXXXXXXXXXXXXXXXXXXX"
+export AWS_SECRET_ACCESS_KEY="XXXXXXXXXXXXXXXXXXXXX"
+export AWS_SESSION_TOKEN="XXXXXXXXXXXXXXXXXXXXX"
+```
+
+Optionally export the AWS region if not providing `--region` flag
+
+```bash
+export AWS_REGION="us-east-1"
+```
+
+## Scenarios 
+
+For further AWS documentation please visit https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/scenario.html
+
+### SplitTunnel
+
+Split tunnel when enabled will only push the routes defined on the client vpn. This is useful if you only want to push routes from your vpc through the vpn.
+
+### Public subnet with Internet Access
+
+This can be setup with default options selected. This will push all routes from through the vpn including all internet traffic. The ENI attached to the vpn client attaches a public IP which is used for natting between the vpn and the internet. This must be placed inside a public subnet with a internet gateway attached to the vpc.
+Please read the AWS [documentation](https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/scenario-internet.html) for troubleshooting any networking issues
+
+### Private subnet with Internet Access
+
+This is the same as above but the vpn attached to a subnet in a private subnet with the public route being routed through a nat gateway. **NOTE** the dns on the vpn must be set to the dns server of the vpc you've attached the vpn to, the reserved IP address at the base of the VPC IPv4 network range plus two. For example if you VPC cidr is 10.0.0.0/16 then the dns server for that vpc is 10.0.0.2.
+
+```bash
+cfn-vpn init myvpn --bucket mybucket --server-cn myvpn.domain.tld --subnet-id subnet-123456ab --dns-servers 10.0.0.2
+```
+
+If you are experiencing issue connecting to the internet check to see if your local dns configurations are overriding the ones set by the vpn. You can test this by using `dig` to query a domain from the vpc dns server. For example:
+
+```bash
+dig @10.0.0.2 google.com
+```
+
 ## Usage
 
 ```bash
@@ -50,8 +94,23 @@ This will create a new client vpn endpoint, associates it with a subnet and sets
 During this process a new CA and certificate and keys are generated using [openvpn/easy-rsa](https://github.com/OpenVPN/easy-rsa) and uploaded to ACM.
 These keys are bundled in a tar and stored encrypted in your provided s3 bucket.
 
-`cfn-vpn init myvpn --bucket mybucket --server-cn myvpn.domain.tld --subnet-id subnet-123456ab`
+```bash
+cfn-vpn init myvpn --bucket mybucket --server-cn myvpn.domain.tld --subnet-id subnet-123456ab
+```
+
+*Optional:*
 
+```bash
+[--cidr=CIDR]                              # cidr from which to assign client IP addresses
+                                           # Default: 10.250.0.0/16
+[--dns-servers=DNS_SERVERS]                # DNS Servers to push to clients.
+[--split-tunnel], [--no-split-tunnel]      # only push routes to the client on the vpn endpoint
+[--internet-route], [--no-internet-route]  # create a default route to the internet
+                                           # Default: true
+[--protocol=PROTOCOL]                      # set the protocol for the vpn connections
+                                           # Default: udp
+                                           # Possible values: udp, tcp
+```
 
 ### Create a new client
 
@@ -76,10 +135,6 @@ The config will be modified to include the local path of the client cert and key
 
 `cfn-vpn config myvpn --client-cn user1 --bucket mybucket`
 
-*Optional:*
-
-`--ignore-routes` By deafult AWS Client VPN will push all routes from your local through the VPN connection. Select this flag to only push routes specified in the Client VPN route table.
-
 
 ### Modify the Client VPN config
 
@@ -87,11 +142,19 @@ This will modify some attributes of the client vpn endpoint.
 
 `cfn-vpn config myvpn --dns-servers 8.8.8.8,8.8.4.4`
 
-*Optional:*
+*Options:*
 
-`--dns-servers` Change the DNS servers pushed by the VPN.
-`--subnet-id` Change the associated subnet.
-`--cidr` Change the Client CIDR range.
+```bash
+[--cidr=CIDR]                              # cidr from which to assign client IP addresses
+                                           # Default: 10.250.0.0/16
+[--dns-servers=DNS_SERVERS]                # DNS Servers to push to clients.
+[--split-tunnel], [--no-split-tunnel]      # only push routes to the client on the vpn endpoint
+[--internet-route], [--no-internet-route]  # create a default route to the internet
+                                           # Default: true
+[--protocol=PROTOCOL]                      # set the protocol for the vpn connections
+                                           # Default: udp
+                                           # Possible values: udp, tcp
+```
 
 
 ### Share client certificates with a user

data/cfn-vpn.gemspec

@@ -39,6 +39,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency "terminal-table", '~> 1', '<2'
   spec.add_dependency 'cfhighlander', '~> 0.9', '<1'
   spec.add_dependency 'cfndsl', '~> 0.17', '<1'
+  spec.add_dependency 'netaddr', '2.0.4'
   spec.add_runtime_dependency 'aws-sdk-ec2', '~> 1.95', '<2'
   spec.add_runtime_dependency 'aws-sdk-acm', '~> 1', '<2'
   spec.add_runtime_dependency 'aws-sdk-s3', '~> 1', '<2'

data/lib/cfnvpn/certificates.rb

@@ -12,6 +12,7 @@ module CfnVpn
       @config_dir = "#{build_dir}/config"
       @cert_dir = "#{build_dir}/certificates"
       @docker_cmd = %w(docker run -it --rm)
+      @docker_cmd << "--user #{Process.uid}:#{Process.gid}" if Process::UID.sid_available?
       @easyrsa_image = "base2/aws-client-vpn"
       FileUtils.mkdir_p(@cert_dir)
     end

data/lib/cfnvpn/clientvpn.rb

@@ -143,7 +143,7 @@ module CfnVpn
       routes = get_routes()
       routes
         .select { |r| r if r.destination_cidr != '0.0.0.0/0' }
-        .collect { |r| { route: r.destination_cidr.split('/').first, mask: NetAddr::CIDR.create(r.destination_cidr).wildcard_mask }}
+        .collect { |r| { route: r.destination_cidr.split('/').first, mask: NetAddr::IPv4Net.parse(r.destination_cidr).netmask.extended }}
     end
 
     def valid_cidr?(cidr)

data/lib/cfnvpn/init.rb

@@ -25,6 +25,11 @@ module CfnVpn
     class_option :subnet_id, required: true, desc: 'subnet id to associate your vpn with'
     class_option :cidr, default: '10.250.0.0/16', desc: 'cidr from which to assign client IP addresses'
     class_option :dns_servers, desc: 'DNS Servers to push to clients.'
+    
+    class_option :split_tunnel, type: :boolean, default: false, desc: 'only push routes to the client on the vpn endpoint'
+    class_option :internet_route, type: :boolean, default: true, desc: 'create a default route to the internet'
+    class_option :protocol, type: :string, default: 'udp', enum: ['udp','tcp'], desc: 'set the protocol for the vpn connections'
+
 
     def self.source_root
       File.dirname(__FILE__)
@@ -47,7 +52,10 @@ module CfnVpn
       @config['parameters']['AssociationSubnetId'] = @options['subnet_id']
       @config['parameters']['ClientCidrBlock'] = @options['cidr']
       @config['parameters']['DnsServers'] = @options['dns_servers']
-      @config['template_version'] = '0.1.1'
+      @config['parameters']['SplitTunnel'] = @options['split_tunnel'].to_s
+      @config['parameters']['InternetRoute'] = @options['internet_route'].to_s
+      @config['parameters']['Protocol'] = @options['protocol']
+      @config['template_version'] = '0.2.0'
     end
 
     def stack_exist

data/lib/cfnvpn/modify.rb

@@ -22,6 +22,10 @@ module CfnVpn
     class_option :cidr, desc: 'cidr from which to assign client IP addresses'
     class_option :dns_servers, desc: 'DNS Servers to push to clients.'
 
+    class_option :split_tunnel, type: :boolean, default: false, desc: 'only push routes to the client on the vpn endpoint'
+    class_option :internet_route, type: :boolean, default: true, desc: 'create a default route to the internet'
+    class_option :protocol, type: :string, default: 'udp', enum: ['udp','tcp'], desc: 'set the protocol for the vpn connections'
+
     def self.source_root
       File.dirname(__FILE__)
     end
@@ -42,7 +46,10 @@ module CfnVpn
       @config['parameters']['AssociationSubnetId'] = @options['subnet_id']
       @config['parameters']['ClientCidrBlock'] = @options['cidr']
       @config['parameters']['DnsServers'] = @options['dns_servers']
-      @config['template_version'] = '0.1.1'
+      @config['parameters']['SplitTunnel'] = @options['split_tunnel'].to_s
+      @config['parameters']['InternetRoute'] = @options['internet_route'].to_s
+      @config['parameters']['Protocol'] = @options['protocol']
+      @config['template_version'] = '0.2.0'
     end
 
     def stack_exist

data/lib/cfnvpn/share.rb

@@ -72,7 +72,7 @@ module CfnVpn
       say "\nCertificate:"
       say "\tcurl #{@certificate_url} > #{@options['client_cn']}.tar.gz", :cyan
       say "\nConfig:\n"
-      say "\tcurl #{@certificate_url} > #{@name}.config.ovpn", :cyan
+      say "\tcurl #{@config_url} > #{@name}.config.ovpn", :cyan
       say "\nExtract the certificates from the tar and place into a safe location."
       say "\ttar xzfv #{@options['client_cn']}.tar.gz -C <path> --strip 2", :cyan
       say "\nModify #{@name}.config.ovpn to include the full location of your extracted certificates"

data/lib/cfnvpn/templates/cfnvpn.cfhighlander.rb.tt

@@ -1,21 +1,27 @@
 CfhighlanderTemplate do
-
+  
   Parameters do
     ComponentParam 'EnvironmentName'
     ComponentParam 'AssociationSubnetId'
     ComponentParam 'ClientCidrBlock'
-    ComponentParam 'ClientCertificateArn'
-    ComponentParam 'ServerCertificateArn'
     ComponentParam 'DnsServers'
+    ComponentParam 'SplitTunnel'
+    ComponentParam 'InternetRoute'
+    ComponentParam 'Protocol'
+    ComponentParam 'ServerCertificateArn'
+    ComponentParam 'ClientCertificateArn'
   end
-
+  
   Component template: 'client-vpn@<%= @config['template_version'] %>', name: 'vpn', render: Inline do
-    parameter name: 'EnvironmentName', value: Ref('EnvironmentName')
-    parameter name: 'AssociationSubnetId', value: Ref('AssociationSubnetId')
-    parameter name: 'ClientCidrBlock', value: Ref('ClientCidrBlock')
-    parameter name: 'ClientCertificateArn', value: Ref('ClientCertificateArn')
-    parameter name: 'ServerCertificateArn', value: Ref('ServerCertificateArn')
-    parameter name: 'DnsServers', value: Ref('DnsServers')
+      parameter name: 'EnvironmentName', value: Ref('EnvironmentName')
+      parameter name: 'AssociationSubnetId', value: Ref('AssociationSubnetId')
+      parameter name: 'ClientCidrBlock', value: Ref('ClientCidrBlock')
+      parameter name: 'DnsServers', value: Ref('DnsServers')
+      parameter name: 'SplitTunnel', value: Ref('SplitTunnel')
+      parameter name: 'InternetRoute', value: Ref('InternetRoute')
+      parameter name: 'Protocol', value: Ref('Protocol')
+      parameter name: 'ServerCertificateArn', value: Ref('ServerCertificateArn')
+      parameter name: 'ClientCertificateArn', value: Ref('ClientCertificateArn')
   end
-
+  
 end

data/lib/cfnvpn/version.rb

@@ -1,4 +1,4 @@
 module CfnVpn
-  VERSION = "0.3.0".freeze
+  VERSION = "0.4.0".freeze
   CHANGE_SET_VERSION = VERSION.gsub('.', '-').freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: cfn-vpn
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.4.0
 platform: ruby
 authors:
 - Guslington
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-06-28 00:00:00.000000000 Z
+date: 2019-12-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thor
@@ -84,6 +84,20 @@ dependencies:
     - - "<"
       - !ruby/object:Gem::Version
         version: '1'
+- !ruby/object:Gem::Dependency
+  name: netaddr
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 2.0.4
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 2.0.4
 - !ruby/object:Gem::Dependency
   name: aws-sdk-ec2
   requirement: !ruby/object:Gem::Requirement