Install cfn-vpn
gem
gem install cfn-vpn --source "https://rubygems.pkg.github.com/base2services"
Option 1 - Docker
Install docker
Docker is required to generate the certificates required for the client vpn. The gem uses openvpn/easy-rsa project in base2/aws-client-vpn docker image. repo
Option 2 - local
If you would rather setup easy-rsa than install docker, you can use the --easyrsa-local
flag when running the commands to use a local copy of easy-rsa, the binary just needs to be available in the $PATH
. Install from openvpn/easy-rsa
Setup your AWS credentials by either setting a profile or exporting them as environment variables.
export AWS_ACCESS_KEY_ID="XXXXXXXXXXXXXXXXXXXXX"
export AWS_SECRET_ACCESS_KEY="XXXXXXXXXXXXXXXXXXXXX"
export AWS_SESSION_TOKEN="XXXXXXXXXXXXXXXXXXXXX"
Optionally export the AWS region if not providing --region
flag
export AWS_REGION="us-east-1"
to launch a new CfnVpn stack run the init
command along with the options.
The following command and required option will launch a new certificate based Client-VPN
cfn-vpn init [name] --bucket [s3-bucket] --server-cn [server certificate name] --subnet-ids [list of subets to associate with the vpn]
Prerequisites: Client-VPN requires a IAM SAML identity provider ARN, see the AWS docs to create one.
The following command and required option will launch a new federated based Client-VPN
cfn-vpn init [name] --server-cn [server certificate name] --subnet-ids [list of subets to associate with the vpn] --saml-arn [identity providor arn]
The default authorization rule for the associated subets allows all. You can optionally change this by using the --default-groups
flag to set groups on the default authorization rule.
cfn-vpn init [name] --server-cn [server certificate name] --subnet-ids [list of subets to associate with the vpn] --saml-arn [identity providor arn] --default-groups [list of group ids]
AWS ClientVPN requires one or more subnets to be associated with the vpn. These subnets setup the default routes and by default cfn-vpn creates a allow all auth for the default routes.
When using a federated ClientVPN you can modify the default auth to only allow specific groups by setting the groups in the --default-groups
flag. This can also be modified later using the modify
command.
Options:
r, [--region=REGION] # AWS Region
# Default: ap-southeast-2
[--verbose], [--no-verbose] # set log level to debug
--server-cn=SERVER_CN # server certificate common name
[--client-cn=CLIENT_CN] # client certificate common name
[--easyrsa-local], [--no-easyrsa-local] # run the easyrsa executable from your local rather than from docker
[--bucket=BUCKET] # s3 bucket
--subnet-ids=one two three # subnet id to associate your vpn with
[--default-groups=one two three] # groups to allow through the subnet associations when using federated auth
[--cidr=CIDR] # cidr from which to assign client IP addresses
# Default: 10.250.0.0/16
[--dns-servers=one two three] # DNS Servers to push to clients.
[--split-tunnel], [--no-split-tunnel] # only push routes to the client on the vpn endpoint
# Default: true
[--internet-route=INTERNET_ROUTE] # [subnet-id] create a default route to the internet through a subnet
[--protocol=PROTOCOL] # set the protocol for the vpn connections
# Default: udp
# Possible values: udp, tcp
[--start=START] # cloudwatch event cron schedule in UTC to associate subnets to the client vpn
[--stop=STOP] # cloudwatch event cron schedule in UTC to disassociate subnets to the client vpn
[--saml-arn=SAML_ARN] # IAM SAML idenditiy providor arn if using SAML federated authentication