AWS SSO support


Stephane Odul

Apr 20, 2023, 2:06:36 PM
to tunnelblick-discuss
We use the AWS VPN with AWS SSO and this makes it incompatible with Tunnelblick. Is there any plan to add support for this authentication mechanism?

Someone has done some work to be able to use an OpenVPN client but if it could be integrated into Tunnelblick that would be very useful.


Thank you!

Tim Gahagan

Apr 20, 2023, 3:20:18 PM
to tunnelbli...@googlegroups.com
AWS Client VPN is a managed client-based VPN service that enables users to use an OpenVPN-based client to securely access their resources in Amazon Web Services (AWS) and in their on-premises network from any location. In this blog post, we show you how you can integrate Client VPN with your existing AWS IAM Identity Center via a custom SAML 2.0 application to authenticate and authorize your Client VPN connections and traffic.

https://docs.aws.amazon.com/vpn/latest/clientvpn-user/client-vpn-connect-macos.html

Why does AWS Client VPN for macOS not work for you?

I get that we like Tunnelblick, but there is a supported solution that is available. What's the challenge with using it?





Stephane Odul

Apr 20, 2023, 3:37:00 PM
to tunnelblick-discuss
Hi Tim,

Some of the issues with the AWS VPN Client on macOS are:
- When AWS VPN Client connects it steals focus. When a user happens to be typing when the focus is stolen, this causes the keyboard input to be stolen, and if the user happens to press Enter, it disconnects the session and we have to re-connect again. This is extremely frustrating and a loss of productivity for the user. Apple development guidelines strongly frown upon stealing focus, exactly because it is poor for usability.
- The AWS VPN Client is compiled for Intel only on macOS; this forces users with Apple CPUs to install Rosetta and run the VPN code under emulation. Besides running some Docker containers, this is the only macOS application we run daily that still needs Rosetta for us.
- The menu bar icon of Tunnelblick reflects if the VPN is connected or not. The AWS VPN client is static so we can't know if the VPN is running without clicking or making the main window of the client visible.
- More of a nitpick: the official client comes with Windows binaries bundled in it: exe and dll files. It does not feel like the build and release process for the client was polished properly.

While the official client is simple and functional, it has many shortcomings that Tunnelblick solves.

Tim Gahagan

Apr 20, 2023, 4:05:18 PM
to tunnelbli...@googlegroups.com
Maybe try OpenVPN Connect as it supports SAML.

As for the other issues:

Can't argue the focus issue.

Rosetta, nothing to install, it does it on the fly with ZERO user input. You just don't like Rosetta, but other solutions don't fit. Pick the one that has the least problems. Rosetta is a zero issue problem here.

More complaints about the AWS client, and how it functions, but instead of asking a billion dollar company to make a better app, ask a free app that has limited resources by devs on their personal time to make changes... you're close to losing many of the community's "please care about my problem"

Comes with Windows binaries, again, ask the billion dollar company to fix their crap app.

I'm not trying to argue but the issue is superficial on your side that causes close to 5 seconds of your user time to pause before connect/focus issue and the SSO.
So you ask a community to add functionality that is not even on the roadmap that I see.

Maybe I am being combative, since this project is supported by devs' free time and you want to use in a commercial instance and want to use free software. Maybe donate harder:


Tim 


Stephane Odul

Apr 20, 2023, 5:38:31 PM
to tunnelblick-discuss
We have contacted AWS to fix these issues in their client, they might be fixed eventually.

We do appreciate all the work done on Tunnelblick, it is a really good OpenVPN client. If AWS SSO support is not going to be planned we are ok with that.
The goal of this report was to mention the compatibility issue and if it can be done trivially with little effort, great, if not that's fine.

Tunnelblick developer

Apr 20, 2023, 6:45:58 PM
to tunnelblick-discuss
I have no plans to add support for additional authentication methods. I would consider a pull request if one is presented.