Deploying AWS VPN Client with .ovpn file

cmasciarelli-L
New Contributor II

Hi folks, I'm looking to create a policy to do the following.

  • Install AWS VPN Client
  • Add Profile with provided .ovpn file.

Pushing the AWS VPN Client is easy enough by pushing the .pkg file.
Anyone have any experience/ideas for the second part?

Thanks!


bizzaredm
Contributor

Tried to package the ~/.config/AWS folder but that seems to error on other machines when trying to connect

bizzaredm
Contributor

@cmasciarelli-L

I think we cracked this...

We run this via Self Service

```bash
#!/bin/bash

# Find the logged-in user
loggedInUser=$(stat -f %Su /dev/console)

# Set the file path to the ConnectionProfiles file for the logged-in user
connectionProfiles="/Users/$loggedInUser/.config/AWSVPNClient/ConnectionProfiles"

# If the directory is not there, create it
mkdir -p "/Users/$loggedInUser/.config/AWSVPNClient/"

# Make the file (replace **YOUR PROFILE NAME HERE** with the profile/.ovpn file name; no trailing space inside the path)
cat <<EOF > "$connectionProfiles"
{"Version":"1","LastSelectedProfileIndex":0,"ConnectionProfiles":[{"ProfileName":"**YOUR PROFILE NAME HERE**","OvpnConfigFilePath":"/Users/$loggedInUser/.config/AWSVPNClient/OpenVpnConfigs/**YOUR PROFILE NAME HERE**","CvpnEndpointId":"cvpn-endpoint-00000000","CvpnEndpointRegion":"us-west-1","CompatibilityVersion":"1","FederatedAuthType":0}]}
EOF

# Fix permissions
chown "$loggedInUser" "$connectionProfiles"
```

With that we make a DMG with the YOUR PROFILE NAME HERE in the right folder and fill existing users

atheisen
New Contributor

@bizzaredm Thanks for sharing the script. Worked great for me. FYI, I had to change the following values as well to match my AWS instance:

"CvpnEndpointId":"cvpn-endpoint-00000000","CvpnEndpointRegion":"us-west-1","CompatibilityVersion":"1","FederatedAuthType":0

AltHoosier
New Contributor

@bizzaredm 

Can you clarify what you are doing here?

"With that we make a DMG with the YOUR PROFILE NAME HERE in the right folder and fill existing users"

Because the script works in that it will create that file. But AWS vpn still expects that the ovpn file gets added with all of its info.

Hey AltHoosier,

We were making a DMG with composer with the file from 

/Users/MYUSER/.config/AWSVPNClient/OpenVpnConfigs/CompanyVPN 

Since the app still needs the file there, as you said.

  1. Deploy the app with pkg
  2. Use the above script to make the AWS app know about the profile
  3. Deploy DMG that you made from an already configured (manual) setup of the profile in 
    /Users/bizzaredm/.config/AWSVPNClient/OpenVpnConfigs/CompanyVPN
  4. Open the app and it should all work 

We NOW use 2 scripts rather than a DMG

This is our other script

 

```bash
#!/bin/bash

# Set the VPN config file name here (you could hard-code this, but we use a policy and pass it as a parameter)
vpnConfigFileName="$4"

###### To update the profile, the info between the FOE markers needs to be updated ######

# Find the logged-in user
loggedInUser=$(stat -f %Su /dev/console)

# Set the path to the OpenVpnConfigs folder for the logged-in user
vpnConfigFolder="/Users/$loggedInUser/.config/AWSVPNClient/OpenVpnConfigs/"

# If the directory is not there, create it
mkdir -p "$vpnConfigFolder"

fullPathVpn="${vpnConfigFolder}${vpnConfigFileName}"
echo "$fullPathVpn"

# Write the .ovpn file the profile points at
cat << FOE > "$fullPathVpn"
client
dev tun
proto udp
remote cvpn-endpoint-00000000.prod.clientvpn.us-west-1.amazonaws.com 443
remote-random-hostname
resolv-retry infinite
nobind
remote-cert-tls server
cipher AES-256-GCM
verb 3
<ca>
-----BEGIN CERTIFICATE-----
**YOUR CA CERTIFICATE BODY HERE**
-----END CERTIFICATE-----
</ca>
auth-user-pass

reneg-sec 0
static-challenge "Enter 2 Factor Code " 1
FOE

# Fix permissions
chown "$loggedInUser" "$fullPathVpn"
chown "$loggedInUser" "$vpnConfigFolder"
chown "$loggedInUser" "/Users/$loggedInUser/.config/"
```

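The two scripts above can be folded into one step of the procedure. The following is an added example, not code from the thread or from the AWS client, that writes the .ovpn and the ConnectionProfiles JSON in one go and tightens the permission handling (owner-only mode on the tree, and ownership of the `.config` parent fixed as well, since a root-run `mkdir -p` otherwise leaves it root-owned). The function names, the `config_root` parameter, and the Jamf parameter layout ($4 profile name, $5 endpoint ID, $6 region, $7 path of a staged .ovpn file) are assumptions for this example; the JSON shape is the one from the first script.

```bash
#!/bin/bash
# Added example (not from the thread): the two deploy scripts combined, with the
# directory and permission handling tightened. Function names, the config_root
# parameter and the Jamf parameter layout ($4..$7) are assumptions for this example.
set -eu

# Reject an .ovpn that lacks the directives the client needs before touching the user's config.
validate_ovpn() {
  local f="$1"
  [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
  grep -q '^client$' "$f" || { echo "$f: missing 'client' directive" >&2; return 1; }
  grep -q '^remote ' "$f" || { echo "$f: missing 'remote' directive" >&2; return 1; }
}

# Write the ConnectionProfiles JSON the client reads (same shape as the first script above).
# Values are interpolated verbatim, so refuse anything that would break the JSON quoting.
write_connection_profiles() {
  local dest="$1" profile="$2" ovpn_path="$3" endpoint="$4" region="$5"
  case "$profile$ovpn_path$endpoint$region" in
    *'"'*|*'\'*) echo "refusing a value containing a quote or backslash" >&2; return 1 ;;
  esac
  printf '{"Version":"1","LastSelectedProfileIndex":0,"ConnectionProfiles":[{"ProfileName":"%s","OvpnConfigFilePath":"%s","CvpnEndpointId":"%s","CvpnEndpointRegion":"%s","CompatibilityVersion":"1","FederatedAuthType":0}]}\n' \
    "$profile" "$ovpn_path" "$endpoint" "$region" > "$dest"
  chmod 600 "$dest"
}

# Install the .ovpn and the profile list under config_root (normally
# /Users/$user/.config/AWSVPNClient) so the app sees the profile on first launch.
deploy_vpn_profile() {
  local user="$1" config_root="$2" profile="$3" endpoint="$4" region="$5" ovpn_src="$6"
  local ovpn_dir="$config_root/OpenVpnConfigs"
  local ovpn_dst="$ovpn_dir/$profile"

  validate_ovpn "$ovpn_src" || return 1

  # Create the tree owner-only: the .ovpn carries the CA and may carry client keys.
  install -d -m 700 "$config_root" "$ovpn_dir"
  install -m 600 "$ovpn_src" "$ovpn_dst"
  write_connection_profiles "$config_root/ConnectionProfiles" "$profile" "$ovpn_dst" "$endpoint" "$region"

  # Hand the tree, and the .config parent a root-run mkdir may have created, to the user.
  chown -R "$user" "$config_root"
  chown "$user" "$(dirname "$config_root")"
}

# Jamf invocation: parameters 1-3 are reserved by Jamf, so the policy's values start at $4.
if [ -n "${4:-}" ]; then
  logged_in_user=$(stat -f %Su /dev/console)
  deploy_vpn_profile "$logged_in_user" "/Users/$logged_in_user/.config/AWSVPNClient" "$4" "$5" "$6" "$7"
fi
```

Because `config_root` is a parameter rather than hard-coded, the functions can be exercised against a scratch directory on any machine before the policy is pushed; the guarded block at the end is the only macOS-specific part.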
This is great, thank you!

One problem I am having is if I install the app with the .pkg and run the 2 scripts... I get this error:

There was an error loading your connection profiles: /Users/johntest/.config/AWSVPNClient/ConnectionProfiles

The way I can bypass this is if I open the app first, and then the scripts overwrite the folders that are created (.config/); it seems to accept them. But it will give me this error if I install, run the scripts and try to open.

Any thoughts?

lsv
New Contributor III

I'm running into the same issue. Did you ever uncover a solution?

enpipi
New Contributor II

I have published a script to distribute the profile along with the AWS VPN Client.
I would be happy to help you.

https://github.com/enpipi/deploy-ovpn-for-aws-client-vpn

Thank you! I realized I had a few errors in my script that I was able to rectify.

TRVSG
New Contributor

The arguments in your script start with $1, but Jamf's script parameters require that you start with $4...

"Parameters 1–3 are predefined as mount point, computer name, and username"

Should those be modified?  Or is there something I am missing?

enpipi
New Contributor II

Arguments 4 to 9 on Jamf are assigned to arguments 1 to 9 in the source code. The received arguments are adjusted on line 53 of the source code.

I give priority to the readability of the source code.

lsv
New Contributor III

I was initially able to get this to work; however, more often than not now I get the following error when the script is run:

[INFO] Start aws vpn client profile deplyment...
0:29: execution error: AWS VPN Client got an error: Application isn’t running. (-600)

Has anyone come across this error and know how to fix it?

I know this was posted a little while ago, but I discovered what caused this error and thought it might help others using @enpipi's excellent script. The script opens and closes the AWS VPN Client app in order to create certain files/folders. This error occurs when the app hasn't launched fast enough, so you can add a sleep command in between the open and close commands in the script. I used a 10 second gap.
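A fixed sleep works but is a guess about how slow the slowest machine is. The following is an added example, not part of enpipi's script or anything else in this thread, that replaces the sleep with a bounded poll: launch the client, wait until macOS actually reports it running, then send the quit. The function names, the default 30 second timeout, and the use of AppleScript's `is running` property as the readiness check are assumptions for this example.

```bash
#!/bin/bash
# Added example (not enpipi's script): bounded polling between "open" and "quit" so the
# quit is only sent once the app is really running. Function names, the 30 s default and
# the AppleScript readiness check are assumptions for this example.
set -eu

# Run the command given after the timeout once a second until it succeeds;
# give up with status 1 after $1 seconds.
wait_for() {
  local timeout="$1" waited=0
  shift
  until "$@"; do
    if [ "$waited" -ge "$timeout" ]; then
      return 1
    fi
    sleep 1
    waited=$((waited + 1))
  done
}

# True when macOS reports the named application as running.
app_is_running() {
  osascript -e "application \"$1\" is running" 2>/dev/null | grep -q '^true$'
}

# Launch the client so it creates its folders, wait until it is up, then quit it.
# Quitting before it is running is what produces the -600 "Application isn't running" error.
prime_aws_vpn_client() {
  local app="${1:-AWS VPN Client}" timeout="${2:-30}"
  open -a "$app"
  if ! wait_for "$timeout" app_is_running "$app"; then
    echo "$app did not start within ${timeout}s" >&2
    return 1
  fi
  osascript -e "tell application \"$app\" to quit"
}

# Only the macOS-specific part is guarded; the poll helper itself is portable.
if [ "$(uname)" = "Darwin" ] && [ "${1:-}" = "--prime" ]; then
  prime_aws_vpn_client
fi
```

Run it as `./prime.sh --prime` from the policy; a non-zero exit tells Jamf the app never came up, instead of silently continuing with half-created folders.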

vic-ama
New Contributor

Hi @enpipi 

If I am not mistaken, the .ovpn file has to be on the device initially before the script can be run?

I am looking for a workflow that would also pull the file onto the device.

devlinford
New Contributor III

Hey @enpipi!

Thanks for sharing your process - It works great! I was using a simplified version prior, but for some reason it stopped working. I believe one of the latest AWS VPN client versions includes an auto-update feature that was causing a permissions error and making the client bounce in the dock, then quit out.

I pivoted and started to use your script, and it's going to work for our needs!

I would like to echo @vic-ama's comment about simplifying the entire process by using a CURL command to download the OVPN, rather than having to have it already on the end-point.

This would allow us to modify the ovpn file server-side and any new deployments would get the new configuration without any Jamf Pro policy change.  Currently, any time a change needs to occur with that file - We would have to (re)package it up and add it to the policy.

Either way, awesome work & thanks for sharing!

devlinford
New Contributor III

Has anyone found a way to automate AWS VPN client updates?

No need.  The latest client can auto-update!