import {
Construct,
Stack,
Tag,
ConcreteDependable,
StackProps,
} from "@aws-cdk/core";
import {
CfnClientVpnTargetNetworkAssociation,
CfnClientVpnEndpoint,
CfnClientVpnAuthorizationRule,
CfnClientVpnRoute,
Vpc,
} from "@aws-cdk/aws-ec2";
import { ISecret } from "@aws-cdk/aws-secretsmanager";
import * as certManager from "@aws-cdk/aws-certificatemanager";
import * as logs from "@aws-cdk/aws-logs";
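/**
 * Provisions an AWS Client VPN endpoint that authenticates clients with mutual
 * TLS and attaches it to every private subnet of the supplied VPC.
 *
 * Resources created (logical IDs are unchanged from the previous version, so an
 * existing deployment is updated in place rather than replaced):
 *  - a CloudWatch log group + stream receiving connection logs (30-day retention);
 *  - one `CfnClientVpnEndpoint` using certificate (mutual) authentication;
 *  - one target-network association per private subnet;
 *  - a single authorization rule granting every authenticated client `0.0.0.0/0`;
 *  - one `0.0.0.0/0` route per private subnet, so that with split tunnel
 *    disabled all client traffic leaves through the VPC.
 *
 * Security notes for reviewers:
 *  - Any client presenting a certificate chained to the uploaded client root CA
 *    receives the full `0.0.0.0/0` authorization. Certificate-only
 *    authentication has no user groups, so `authorizeAllGroups: true` is the
 *    only option here; per-user access control has to happen at the CA (issuing
 *    and revoking client certificates). Nothing in this stack configures a CRL —
 *    confirm how revocation is handled before relying on this endpoint.
 *  - DNS is pinned to public resolvers (8.8.8.8 / 8.8.4.4); VPC-private names
 *    will presumably not resolve over the tunnel — confirm that is intended.
 *  - No `securityGroupIds` / `vpcId` are set on the endpoint; presumably the
 *    VPC's default security group is applied to the target networks — verify
 *    that group is not wider than intended.
 *  - Internet egress from a private subnet presumably requires a NAT route in
 *    that subnet's route table; this stack does not create one.
 *  - The certificate ARNs default to values hard-coded below (they embed an AWS
 *    account ID); pass `serverCertificateArn` / `clientRootCertificateChainArn`
 *    via props to avoid depending on those constants.
 */
export class VpnStack extends Stack {
  /**
   * Never assigned by this stack (always `undefined` at runtime). Declared
   * optional so the class compiles under `strict` / `strictPropertyInitialization`.
   */
  readonly secret?: ISecret;

  // Creating server and client certificates is best done by following the AWS page on:
  // https://docs.aws.amazon.com/de_de/vpn/latest/clientvpn-admin/authentication-authorization.html#mutual

  /** ARN of the ACM certificate presented by the VPN server. */
  certArn: string;
  /**
   * ARN of the ACM certificate holding the client *root CA chain*; clients
   * must present a certificate issued by this CA. Despite the construct name
   * "ClientCertificate", this is the CA chain, not an individual client cert.
   */
  clientArn: string;

  /** Fallback ARNs used when the corresponding prop is not supplied. */
  private static readonly DEFAULT_SERVER_CERT_ARN =
    "arn:aws:acm:us-west-2:196230260133:certificate/d9e2ecee-a307-411f-bec4-a21a81aad805";
  private static readonly DEFAULT_CLIENT_ROOT_CHAIN_ARN =
    "arn:aws:acm:us-west-2:196230260133:certificate/25a5f45c-25c1-4318-a4e6-1d67702bc57a";

  /**
   * @param scope Parent construct.
   * @param id    Logical ID of the stack.
   * @param props Standard stack props plus:
   *   - `vpc`: the VPC whose private subnets become the VPN target networks
   *     (must have at least one private subnet).
   *   - `serverCertificateArn` (optional): overrides the hard-coded server cert ARN.
   *   - `clientRootCertificateChainArn` (optional): overrides the hard-coded
   *     client root CA chain ARN.
   * @throws Error at synth time if the VPC has no private subnets, since an
   *   endpoint with no target network (and therefore no routes) is unusable.
   */
  constructor(
    scope: Construct,
    id: string,
    props: StackProps & {
      vpc: Vpc;
      serverCertificateArn?: string;
      clientRootCertificateChainArn?: string;
    }
  ) {
    super(scope, id, props);

    this.certArn = props.serverCertificateArn ?? VpnStack.DEFAULT_SERVER_CERT_ARN;
    this.clientArn =
      props.clientRootCertificateChainArn ?? VpnStack.DEFAULT_CLIENT_ROOT_CHAIN_ARN;

    const privateSubnets = props.vpc.privateSubnets;
    if (privateSubnets.length === 0) {
      throw new Error(
        "VpnStack: the supplied VPC has no private subnets; at least one is required as a Client VPN target network"
      );
    }

    const clientRootChain = certManager.Certificate.fromCertificateArn(
      this,
      "ClientCertificate",
      this.clientArn
    );
    const serverCert = certManager.Certificate.fromCertificateArn(
      this,
      "ServerCertificate",
      this.certArn
    );

    // Connection logs: who connected, when, and whether authentication succeeded.
    const logGroup = new logs.LogGroup(this, "ClientVpnLogGroup", {
      retention: logs.RetentionDays.ONE_MONTH,
    });
    const logStream = logGroup.addStream("ClientVpnLogStream");

    const endpoint = new CfnClientVpnEndpoint(this, "ClientVpnEndpoint2", {
      description: "VPN",
      authenticationOptions: [
        {
          type: "certificate-authentication",
          mutualAuthentication: {
            clientRootCertificateChainArn: clientRootChain.certificateArn,
          },
        },
      ],
      tagSpecifications: [
        {
          resourceType: "client-vpn-endpoint",
          tags: [
            {
              key: "Name",
              value: "Swyp VPN CDK created",
            },
          ],
        },
      ],
      // Address pool handed to connecting clients; must not overlap the VPC CIDR
      // (not checked here — confirm against the VPC in use).
      clientCidrBlock: "10.1.132.0/22",
      connectionLogOptions: {
        enabled: true,
        cloudwatchLogGroup: logGroup.logGroupName,
        cloudwatchLogStream: logStream.logStreamName,
      },
      serverCertificateArn: serverCert.certificateArn,
      // `false` = full tunnel: ALL client traffic (not just VPC destinations) goes
      // through the VPN. Set to `true` to send only VPC-bound traffic through it.
      splitTunnel: false,
      // Public resolvers; see the class doc for the VPC-private-name caveat.
      dnsServers: ["8.8.8.8", "8.8.4.4"],
    });

    // Associate the endpoint with every private subnet. Routes below must not be
    // created until these associations exist, hence the dependable.
    const associations = new ConcreteDependable();
    privateSubnets.forEach((subnet, index) => {
      associations.add(
        new CfnClientVpnTargetNetworkAssociation(
          this,
          "ClientVpnNetworkAssociation-" + index,
          {
            clientVpnEndpointId: endpoint.ref,
            subnetId: subnet.subnetId,
          }
        )
      );
    });

    // Single, deliberately broad rule: every authenticated client may reach any
    // destination. See the class doc before widening the client CA.
    new CfnClientVpnAuthorizationRule(this, "ClientVpnAuthRule", {
      clientVpnEndpointId: endpoint.ref,
      targetNetworkCidr: "0.0.0.0/0",
      authorizeAllGroups: true,
      description: "Allow all",
    });

    // One default route per private subnet so clients can reach the internet
    // through the VPC while the full tunnel (splitTunnel: false) is active.
    privateSubnets.forEach((subnet, index) => {
      new CfnClientVpnRoute(this, `CfnClientVpnRoute${index}`, {
        clientVpnEndpointId: endpoint.ref,
        destinationCidrBlock: "0.0.0.0/0",
        description: "Route to all",
        targetVpcSubnetId: subnet.subnetId,
      }).node.addDependency(associations);
    });
  }
}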