Open two terminal windows (or tabs). Run ./samlserver in one, then run ./aws-connect.sh in another. Proceed with Google account selection and confirm non-secure form submission. The VPN should be up with various 10.x/16 routes setup to VPN gateway.
Depending on your machine Security & Privacy settings and macOS version (10.15+), you may get an error cannot be opened because the developer cannot be verified. Please read on for a simple workaround.
Alternativelly, to set global preference to Allow apps downloaded from: Anywhere, execute:
$ sudo spctl --master-disable
This is PoC to connect to the AWS Client VPN with OSS OpenVPN using SAML authentication. Tested on macOS and Linux, should also work on other POSIX OS with a minor changes.
See my blog post for the implementation details.
- openvpn-v2.4.9-aws.patch - patch required to build AWS compatible OpenVPN v2.4.9, based on the AWS source code (thanks to @heprotecbuthealsoattac) for the link.
- server.go - Go server to listed on http://127.0.0.1:35001 and save SAML Post data to the file
- aws-connect.sh - bash wrapper to run OpenVPN. It runs OpenVPN first time to get SAML Redirect and open browser and second time with actual SAML response
- Build patched openvpn version and put it to the folder with a script
- Start HTTP server with
go run server.go - Set VPN_HOST in the aws-connect.sh
- Replace CA section in the sample vpn.conf with one from your AWS configuration
- Finally run
aws-connect.shto connect to the AWS.
Inspect your ovpn config and remove the following lines if present
auth-user-pass(we dont want to show user prompt)auth-federate(do not retry on failures)auth-retry interact(propietary AWS keyword)remoteandremote-random-hostname(already handled in CLI and can cause conflicts with it)
Better integrate SAML HTTP server with a script or rewrite everything on golang