Deploying AWS VPN Client with .ovpn file

cmasciarelli-L
New Contributor II

Hi folks, I'm looking to create a policy to do the following.

  • Install AWS VPN Client
  • Add Profile with provided .ovpn file.

Pushing the AWS VPN Client is easy enough by pushing the .pkg file.
Anyone have any experience/ideas for the second part?

Thanks!


bizzaredm
New Contributor III

Tried to package the ~/.config/AWS folder but that seems to error on other machines when trying to connect

bizzaredm
New Contributor III

@cmasciarelli-L

I think we cracked this...

We run this via Self Service

```bash
#!/bin/bash

# Find the logged-in (console) user
loggedInUser=$(stat -f %Su /dev/console)

# Paths the AWS VPN Client uses for this user's profiles
configDir="/Users/$loggedInUser/.config/AWSVPNClient"
connectionProfiles="$configDir/ConnectionProfiles"

# If the directories are not there, create them
mkdir -p "$configDir/OpenVpnConfigs"

# Make the file. OvpnConfigFilePath must match the .ovpn file name exactly (no trailing space),
# and CvpnEndpointId / CvpnEndpointRegion must match your own Client VPN endpoint.
cat <<EOF > "$connectionProfiles"
{"Version":"1","LastSelectedProfileIndex":0,"ConnectionProfiles":[{"ProfileName":"**YOUR PROFILE NAME HERE**","OvpnConfigFilePath":"$configDir/OpenVpnConfigs/**YOUR PROFILE NAME HERE**","CvpnEndpointId":"cvpn-endpoint-00000000","CvpnEndpointRegion":"us-west-1","CompatibilityVersion":"1","FederatedAuthType":0}]}
EOF

# Fix permissions: the policy runs as root, so the directories created by mkdir -p are root-owned too
chown "$loggedInUser" "/Users/$loggedInUser/.config"
chown -R "$loggedInUser" "$configDir"
```

With that, we make a DMG with the **YOUR PROFILE NAME HERE** file in the right folder and use Fill Existing Users.

atheisen
New Contributor

@bizzaredm Thanks for sharing the script. Worked great for me. FYI, I had to change the following values as well to match my AWS instance:

"CvpnEndpointId":"cvpn-endpoint-00000000","CvpnEndpointRegion":"us-west-1","CompatibilityVersion":"1","FederatedAuthType":0

AltHoosier
New Contributor

@bizzaredm 

Can you clarify what you are doing here?

"With that we make a DMG with the YOUR PROFILE NAME HERE in the right folder and fill existing users"

Because the script works in that it will create that file. But AWS vpn still expects that the ovpn file gets added with all of its info.

bizzaredm
New Contributor III

Hey AltHoosier,

We were making a DMG with Composer with the file from

/Users/MYUSER/.config/AWSVPNClient/OpenVpnConfigs/CompanyVPN

since the app still needs the file there, as you said.

  1. Deploy the app with the pkg
  2. Use the above script to make the AWS app know about the profile
  3. Deploy the DMG that you made from an already configured (manual) setup of the profile in
    /Users/bizzaredm/.config/AWSVPNClient/OpenVpnConfigs/CompanyVPN
  4. Open the app and it should all work

We NOW use 2 scripts rather than a DMG

This is our other script

```bash
#!/bin/bash

# Set the VPN config file name here (you could hard-code this, but we use a policy and pass it as parameter $4)
vpnConfigFileName="$4"
if [ -z "$vpnConfigFileName" ]; then
    echo "Policy parameter 4 (the profile/config file name) is required" >&2
    exit 1
fi

###### To update the profile, the info between the FOE markers needs to be updated ######

# Find the logged-in (console) user
loggedInUser=$(stat -f %Su /dev/console)

# Folder the AWS VPN Client reads .ovpn files from for the logged-in user
vpnConfigFolder="/Users/$loggedInUser/.config/AWSVPNClient/OpenVpnConfigs"

# If the directory is not there, create it
mkdir -p "$vpnConfigFolder"

fullPathVpn="$vpnConfigFolder/$vpnConfigFileName"
echo "$fullPathVpn"

# Write the .ovpn file for the profile (quoted marker: nothing inside is expanded by the shell)
cat << 'FOE' > "$fullPathVpn"
client
dev tun
proto udp
remote cvpn-endpoint-00000000.prod.clientvpn.us-west-1.amazonaws.com 443
remote-random-hostname
resolv-retry infinite
nobind
remote-cert-tls server
cipher AES-256-GCM
verb 3
<ca>
-----BEGIN CERTIFICATE-----
NEEDOzCCAiOgAwIBAgIJAK0Nw9IHrd85MA0GCSqGSIb3DQEBCwUAMBgxFjAUBgNV
DENMDWNlbGxzaWduYWwuY2EwHhcNMjAwNjAxMjIwMzU3WhcNMzAwNTMwMjIwMzU3
WjAYMRYwFAYDVQQDDA1jZWxsc2lnbmFsLmNhMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEArir6RuKFdHLMuH9mqljjwFR/y2xIQoPBwKwOXuv5dLYPbOLC
+t7EiYbS4EleaMI+6iGmhrkGv2pyjYRmpEXjfJa9Egq6Xgp0/UdOYn4g5589zsKm
MF8UWaDQ1y3YGhJP0GdRgCEYlOR9PSOvD0heTiU3aruMzGjhbjRtpe35Ey3VeV4t
ZWLY+76Lbo7uCs+L+do3dyv9EuZi0SEsJ0OxvW0tO6rhENtJImud1UAiJDWk5QVz
enximDjqCmeqTSxlhmTlCpW0uEMH5qUId99Ir5CrWOT+N9v8bA8J+5HH+ZJB5kC7
XL+Vv81DTeMkchoAVJKaz6kRRgcFDNQgpHR8CQIDAQABo4GHMIGEMB0GA1UdDgQW
BBRt/iVazFbynQodLwVoxVAvCL5jwDBIBgNVHSMEQTA/gBRt/iVazFbynQodLwVo
xVAvCL8jwKEcpBowGDEWMBQGA1UEAwwNY2VsbHNpZ25hbC5jYYIJAK0Nw9IHrd85
MAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBCwUAA4IBAQBo
lVda7Sd8LdQxOH16x/Oo5B6axD5xWkJzAjg/vlqt8UxAaiJ9w/O0ASNxieg9TmQ/
0fMVqRslXLNcaiT+jQnenIZAxyEtwPy//3QzU6PlyRhlAnJDLgLVHGRrfIL5lUmY
BdeR4Itm/HrmUBZWpS4o7aniIXOKBEZh12D/KkacI7kjZwezyfLzFQ9eUmTTZmX7
RR+C4cL270dm5FdAM7WXiW5Fgmega8g+sWo+uNjJsJtyZev2B70CbWKh9wrssSCl
+ij8nZ1BO8SnUZwdXodz8ecgUFaR/mWs1wVAOPslVgPGyKVAQ3zCfTPiR+XaHORm
CANvPEjFKntz/C3Vi7MB
-----END CERTIFICATE-----

</ca>
auth-user-pass

reneg-sec 0
static-challenge "Enter 2 Factor Code " 1
FOE

# Fix permissions: the policy runs as root, so the .config directories created above are root-owned too
chown "$loggedInUser" "/Users/$loggedInUser/.config"
chown -R "$loggedInUser" "/Users/$loggedInUser/.config/AWSVPNClient"
```


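Putting the two-script approach above into one policy script, as an added example (this is not code from anyone in the thread): it stages the .ovpn, generates the ConnectionProfiles entry from it so CvpnEndpointId and CvpnEndpointRegion are read off the .ovpn's `remote` line instead of being edited by hand, refuses an .ovpn that lacks `remote-cert-tls server`, and hands the whole ~/.config/AWSVPNClient tree to the user (the first script above chowns only the JSON file, while `mkdir -p` run by a root policy leaves the directories it creates root-owned). Assumptions, all mine: Jamf parameter $4 is the profile name and $5 is the path to an .ovpn already placed on disk by a package; the endpoint hostname and the CA in `make_sample_ovpn` are constructed placeholders, not a real Client VPN export.

```shell
#!/bin/bash
# Added example for this thread, not code from any of the posters. Stages the
# .ovpn and the ConnectionProfiles JSON for the console user, deriving the
# endpoint ID and region from the .ovpn itself so the two files cannot drift.

# Print "<endpoint-id> <region>" from the first line of the form
# "remote cvpn-endpoint-<hex>.prod.clientvpn.<region>.amazonaws.com <port>".
# Exit status 1 if there is none.
parse_cvpn_remote() {
  awk '$1 == "remote" && split($2, p, ".") == 6 &&
       p[1] ~ /^cvpn-endpoint-[0-9a-f]+$/ && p[2] == "prod" &&
       p[3] == "clientvpn" && p[5] == "amazonaws" {
         print p[1], p[4]; found = 1; exit
       }
       END { if (!found) exit 1 }' "$1"
}

# Refuse an .ovpn missing what the client needs. "remote-cert-tls server" is
# the security-relevant one: without it, any certificate issued by the
# embedded CA, a client certificate included, could impersonate the server.
validate_ovpn() {
  local f="$1"
  grep -qx 'client' "$f" || { echo "$f: missing 'client'" >&2; return 1; }
  grep -qx 'remote-cert-tls server' "$f" || { echo "$f: missing 'remote-cert-tls server'" >&2; return 1; }
  { grep -q '^<ca>' "$f" && grep -q '^</ca>' "$f"; } || { echo "$f: missing <ca> block" >&2; return 1; }
  parse_cvpn_remote "$f" >/dev/null || { echo "$f: no Client VPN 'remote' line" >&2; return 1; }
}

# Write ConnectionProfiles for a single profile.
# $1 = client config dir (e.g. /Users/alice/.config/AWSVPNClient)
# $2 = profile name, $3 = endpoint id, $4 = region
write_connection_profiles() {
  local dir="$1" name="$2" endpoint="$3" region="$4"
  cat > "$dir/ConnectionProfiles" <<EOF
{"Version":"1","LastSelectedProfileIndex":0,"ConnectionProfiles":[{"ProfileName":"$name","OvpnConfigFilePath":"$dir/OpenVpnConfigs/$name","CvpnEndpointId":"$endpoint","CvpnEndpointRegion":"$region","CompatibilityVersion":"1","FederatedAuthType":0}]}
EOF
}

# Stage one profile for one user.
# $1 = user, $2 = home directory, $3 = profile name, $4 = source .ovpn path
deploy_profile() {
  local user="$1" home="$2" name="$3" src="$4"
  local dir="$home/.config/AWSVPNClient" pair endpoint region
  # The name lands unescaped in JSON and in a path: no quotes, backslashes or slashes.
  case "$name" in "" | *[\"\\/]*) echo "bad profile name: $name" >&2; return 1 ;; esac
  validate_ovpn "$src" || return 1
  pair=$(parse_cvpn_remote "$src"); endpoint=${pair%% *}; region=${pair##* }
  mkdir -p "$dir/OpenVpnConfigs"
  cp "$src" "$dir/OpenVpnConfigs/$name"
  write_connection_profiles "$dir" "$name" "$endpoint" "$region"
  # A Jamf policy runs as root, so everything just created is root-owned, the
  # ~/.config directories included; hand the tree to the user or the client
  # cannot read or update its profiles. Skipped when not running as root.
  if [ "$(id -u)" -eq 0 ]; then
    chown "$user" "$home/.config" && chown -R "$user" "$dir"
  fi
  chmod 700 "$dir" "$dir/OpenVpnConfigs"
  chmod 600 "$dir/ConnectionProfiles" "$dir/OpenVpnConfigs/$name"
}

# Constructed sample .ovpn (placeholder endpoint and CA) for trying the script
# without a real Client VPN export.
make_sample_ovpn() {
  cat > "$1" <<'EOF'
client
dev tun
proto udp
remote cvpn-endpoint-0123456789abcdef0.prod.clientvpn.eu-west-1.amazonaws.com 443
remote-random-hostname
remote-cert-tls server
cipher AES-256-GCM
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
</ca>
auth-user-pass
reneg-sec 0
EOF
}

# Jamf policy entry point (assumption for this example): $4 = profile name,
# $5 = path to an .ovpn already placed on disk by a package. $1-$3 are Jamf's
# mount point, computer name and username.
main() {
  local user home
  user=$(stat -f %Su /dev/console)   # console user, macOS stat syntax
  case "$user" in "" | root | loginwindow) echo "no console user logged in" >&2; return 1 ;; esac
  home=$(dscl . -read "/Users/$user" NFSHomeDirectory | awk '{print $2}')
  deploy_profile "$user" "${home:-/Users/$user}" "$4" "$5"
}

# Only run main when invoked with the Jamf parameters, so the functions above
# can be sourced or exercised without touching a real home directory.
if [ "$#" -ge 5 ]; then main "$@"; fi
```

Run it as a Jamf policy script with the profile name in parameter 4 and the staged .ovpn path in parameter 5; the client still needs to be launched once by the user afterwards, as in the steps above.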
jlombardo
New Contributor III

This is great, thank you!

One problem I am having is if I install the app with the .pkg and run the 2 scripts... I get this error:

There was an error loading your connection profiles: /Users/johntest/.config/AWSVPNClient/ConnectionProfiles

The way I can bypass this is if I open the app first, and then the scripts overwrite the folders that are created (.config/); it seems to accept them... But it will give me this error if I install, run the scripts and try to open.

Any thoughts?

lsv
New Contributor II

I'm running into the same issue. Did you ever uncover a solution?

enpipi
New Contributor II

I have published a script to distribute the profile along with the AWS VPN Client.
I would be happy to help you.

https://github.com/enpipi/deploy-ovpn-for-aws-client-vpn

jlombardo
New Contributor III

Thank you! I realized I had a few errors in my script that I was able to rectify.

TRVSG
New Contributor

The arguments in your script start with $1, but Jamf's script parameters require that you start with $4...

"Parameters 1–3 are predefined as mount point, computer name, and username"

Should those be modified?  Or is there something I am missing?

devlinford
New Contributor III

Has anyone found a way to automate AWS VPN Client updates?