#!/bin/bash
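set -e
# Connection parameters. The three paths below may be overridden from the
# environment (VPN_HOST=... OVPN_BIN=... ./aws-connect.sh) so the script does
# not have to be edited per deployment; the defaults match the original values.
#
# VPN endpoint hostname; a random label is prepended to it before DNS
# resolution further down, so give the bare endpoint name here.
VPN_HOST="${VPN_HOST:-cvpn-endpoint-<id>.prod.clientvpn.us-east-1.amazonaws.com}"
# Path to the patched openvpn binary (relative paths are resolved from the
# current working directory, also when run under sudo).
OVPN_BIN="${OVPN_BIN:-./openvpn}"
# Path to the OpenVPN client configuration file.
OVPN_CONF="${OVPN_CONF:-vpn.conf}"
# Transport used for both OpenVPN runs.
PORT=1194
PROTO=udp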
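#######################################
# Poll once per second until a file exists or a timeout elapses.
# Arguments:
#   $1 - path of the file to wait for
#   $2 - timeout in seconds (default 10)
# Returns:
#   0 as soon as the file exists, 1 if the timeout elapses first
#######################################
wait_file() {
  local file="$1"
  local wait_seconds="${2:-10}"
  local tick
  for (( tick = 0; tick < wait_seconds; tick++ )); do
    [[ -f "$file" ]] && return 0
    sleep 1
  done
  # Check once more after the last sleep, so a file that appears during the
  # final second is not reported as a timeout.
  [[ -f "$file" ]]
}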
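# Random hostname prefix for the VPN gateway. The name is resolved exactly
# once below, because the same IP address has to be used for the SAML probe
# run and for the real connection that follows it.
RAND=$(openssl rand -hex 12)
SRV=$(dig a +short "${RAND}.${VPN_HOST}" | head -n1)
if [[ -z "$SRV" ]]; then
  echo "Could not resolve ${RAND}.${VPN_HOST}" >&2
  exit 1
fi

# Credentials file for the privileged OpenVPN run. The SAML response is written
# to this file instead of being interpolated into a `bash -c` command string:
# its content then is never re-parsed by a shell and does not appear in the
# process list. Created 0600 by the invoking user; root can still read it.
CRED_FILE=$(mktemp)
chmod 600 "$CRED_FILE"
cleanup() {
  # Runs on every exit path, i.e. after the foreground OpenVPN session ends.
  rm -f -- "${CRED_FILE:?}"
}
trap cleanup EXIT

# Remove a stale SAML reply from a previous run. The file name is fixed: it is
# written by the component that receives the browser callback (not shown here).
rm -f saml-response.txt

echo "Getting SAML redirect URL from the AUTH_FAILED response (host: ${SRV}:${PORT})"
# This first run is expected to be rejected with an "AUTH_FAILED,CRV1:..." line;
# that line carries both the browser URL and the session id used further down.
# Under `set -e` the script stops here if no such line is printed.
OVPN_OUT=$("$OVPN_BIN" --config "${OVPN_CONF}" --verb 3 \
  --proto "$PROTO" --remote "${SRV}" "${PORT}" \
  --auth-user-pass <( printf "%s\n%s\n" "N/A" "ACS::35001" ) \
  2>&1 | grep AUTH_FAILED,CRV1)

echo "Opening browser and wait for the response file..."
URL=$(grep -Eo 'https://.+' <<<"$OVPN_OUT") || {
  echo "No SAML redirect URL found in the OpenVPN output" >&2
  exit 1
}
open "$URL"
wait_file "saml-response.txt" 30 || {
  echo "SAML Authentication time out" >&2
  exit 1
}

# Session id: the 7th colon-separated field of the AUTH_FAILED line.
VPN_SID=$(awk -F : '{print $7}' <<<"$OVPN_OUT")
if [[ -z "$VPN_SID" ]]; then
  echo "No session id found in the OpenVPN output" >&2
  exit 1
fi

# Build the username/password file: same two lines the original passed via
# process substitution, with the SAML response appended to the CRV1 password.
SAML_RESPONSE=$(<saml-response.txt)
printf '%s\n%s\n' "N/A" "CRV1::${VPN_SID}::${SAML_RESPONSE}" > "$CRED_FILE"

echo "Running OpenVPN with sudo. Enter password if requested"
# Finally run OpenVPN with the SAML response. sudo keeps the working directory,
# so a relative OVPN_BIN and the relative saml-response.txt path still resolve.
# saml-response.txt is deleted by the route-up hook once the tunnel is up;
# the credentials file is deleted by the EXIT trap when this script ends.
sudo "$OVPN_BIN" --config "${OVPN_CONF}" \
  --verb 3 --auth-nocache --inactive 3600 \
  --proto "$PROTO" --remote "$SRV" "$PORT" \
  --script-security 2 \
  --route-up '/bin/rm saml-response.txt' \
  --auth-user-pass "$CRED_FILE"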