Skip to content
/ WaykDen-ps Public

Devolutions Wayk Den PowerShell Module

License

MIT license
0 stars 5 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

stephgagnon/WaykDen-ps

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

59 Commits

WaykDen

WaykDen

 
 

ci

ci

 
 

docs

docs

 
 

.gitignore

.gitignore

 
 

LICENSE-MIT

LICENSE-MIT

 
 

README.adoc

README.adoc

 
 

build.ps1

build.ps1

 
 

logo.png

logo.png

 
 

Repository files navigation

Wayk Den PowerShell Cmdlet

Table of Contents

WaykDen-ps is a PowerShell cmdlet for Wayk Den, the centralized server for Devolutions Wayk Now. For assistance or feature requests, please use the Wayk Now forums or open a ticket on this github project.

Make sure you have all software prerequisites (see Installation section) then read our quick getting started guide. Once you have been familiarized with Wayk Den, come back to this page for more details on specific aspects of the software.

Installation

PowerShell Core

On Windows, the regular PowerShell already installed can be used. On macOS and Linux, you need PowerShell Core 6.0:

To launch a PowerShell Core terminal, use the pwsh command.

Wayk Den PowerShell module

A powershell module is available to configure and manage the Wayk Den server. It is available on PSGallery or it could be built directly from source code. We recommand to install the latest version available on PSGallery, but if needed, a section describe how to build it if you need it.

Installation from PSGallery

The Wayk Den PowerShell module is available on PSGallery.

Install-Module -Name WaykDen
Import-Module WaykDen

If you encounter issues with the Install-Module command, you may have to install or update PowerShellGet.

You can then list all commands exported from the WaykDen module:

Get-Command -Module WaykDen

Installation from Source

If you have installed the module from PSGallery, this section is not useful for you. You can jump to the next section.

To build the Cmdlet, you will need the .NET Core 2.2 SDK and the .NET Framework 4.7.2 SDK. The latter is only needed if you want to support PowerShell for Windows.

From PowerShell, run the build.ps1 script, and then load the resulting PowerShell module:

.\build.ps1
Import-Module "./WaykDen" -Force

Docker Installation

Wayk Den is composed of multiple microservices running inside Docker containers. The PowerShell cmdlet simplifies the usage of Docker for users not familiar with it. For more advanced users, the cmdlet can export a usable docker-compose configuration file.

The current version of Wayk Den requires support for Linux containers and bind mounts. Windows containers will be supported in the future.

On Windows, the recommended option is to use Docker Desktop for Windows. This version of Docker requires Hyper-V for Linux container support.

For bind mount support with Linux containers on Windows, you need to go in the Docker settings and select the required drives from the "Shared Drives" section.

On macOS and Linux, follow the instructions here to install Docker CE correctly. It is recommended to use the official Docker packages instead as documented in the Docker install page.

On Linux, do not forget to add your user to the docker group after installation.

To confirm that Docker is up and running, use the docker run hello-world command. If you don’t see the "Hello from Docker!" message, something is wrong with your Docker installation.

Configuration

The first step is to create a Wayk Den configuration file with mandatory parameters using the New-WaykDenConfig command.

You need to choose a realm for your Wayk Den, such as "contoso.net". This realm does not need to be a valid DNS domain name, but it will become your Wayk Den realm used in various places, including the peer-to-peer certificates generated by the Wayk Den built-in certificate authority.

The second mandatory parameter is the external URL at which the Wayk Den will be exposed. We recommend using the "den" subdomain under the domain of your choice, such as "den.contoso.net". The protocol prefix (http:// or https://) also needs to be included.

Create a new Wayk Den configuration file, using "contoso.net" as realm and "https://den.contoso.net" as the external url:

PS > New-WaykDenConfig -Realm contoso.net -ExternalUrl https://den.contoso.net

Certificate configuration

Using certificates with Wayk Den

To expose Wayk Den to the external world, you will need a TLS certificate from a trusted certificate authority such as Let’s Encrypt. Wayk Now will validate certificates in the same way as a browser does for a website.

If you wish to make your own certificate authority, the Root CA certificate will need to be installed in each machine’s certificate trust store. If the system browser can validate it, Wayk Now should be able to validate it as well, it’s just a lot more work.

Before going any further, check the following points:

  1. The certificate name matches your configured external URL. This means that if your external URL is "https://den.contoso.com" then your certificate name should be "den.contoso.com" or "*.contoso.com" if you have a wildcard certificate.

  2. The certificate is either in pem + key or pfx (PKCS#12) format. The private key password is only supported for the pfx format.

  3. The certificate file contains the certificate chain excluding the Root CA. This means that in most cases, you should have a leaf certificate, followed by one or more intermediate certificates. If validation works in a browser but not in Wayk Now, the intermediate certificate is likely missing.

The PEM format is the simplest to work with, since it is the Base64 representation of the DER-encoded certificate in between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" tags. To add the intermediate certificate to the certificate file, just append it after your leaf certificate in a text editor.

PS > Set-WaykDenWebCertificate -CertificatePath /path/to/certificate.pem -PrivateKeyPath /path/to/private_key.key
PS > Set-WaykDenWebCertificate -CertificatePath /path/to/certificate.pfx -KeyPassword <password>

If you want to roll your own certificate authority, you can check smallstep ca.

Relay Configuration

To get started, it is recommended to try using our existing relay servers, even if you intend to deploy your own servers later on. It is the quickest path to getting something functional up and running.

Set your Jet Relay Url to https://api.jet-relay.net:

PS > Set-WaykConfig -JetRelayUrl https://api.jet-relay.net

Continue your initial configuration, and once you know it is working, come back to the Devolutions Jet page for more information on how to deploy your own relays.

Running

Start Wayk Den, and wait for all microservices to start:

PS > Start-WaykDen

Once started, Wayk Den listens on http://localhost:4000 by default. We recommend using a reverse tunnel such as ngrok or argo tunnels from Cloudflare. In this case, a tunnel is used to expose localhost:4000 on the den.contoso.net external url.

You can check that all containers are up and running with the docker ps -f network=den-network command.

To confirm everything is correctly configured, you should be able to get a response from the Wayk Den well known configuration endpoint:

curl http://localhost:4000/.well-known/configuration
{"den_router_uri":"https://den.contoso.net/cow","lucid_uri":"https://den.contoso.net/lucid","realm":"contoso.net","wayk_client_id":"zqdvSbCRWdDrj1fQXwzPQbCg"}

If you have correctly configured external access, you should be able to get the same response using the external configuration URL (https://den.contoso.net/.well-known/configuration).

Stop Wayk Den, and wait for all microservices to stop:

PS > Stop-WaykDen

User Management

User using Wayk Now client can log in to be authenticated with Wayk Den Server. The server, by default, will provide a Wayk Den ID to any user who wants to connect to it. The server can be configured in a way forcing the user to be authenticated to accept a connection with the server. The command Set-WaykDenConfig -LoginRequired True can be used to force users to log in.

To authenticate user, Wayk Den can be configured to use a specific user group through LDAP integration. Two options are supported: Active Directory and JumpCloud.

In order to fetch user and group information, a user with read-only LDAP access must first be created.

Active Directory

To integrate Active Directory, here are the information needed:

  • LDAP server url: ldap://server_ip

  • LDAP user credentials: username and password

  • LDAP user group (optional)

It is important to specify the server IP since there is not DNS resolution in the docker container. The user used should be a user with only read-only access. A section below explains how to create a such user. Finally, the user group is not mandatory. If it is not specified, all users will be accepted. If it is specified, only users from that group will be able to be authenticated.

The following command will set LDAP property value for active directory.

Set-WaykDenConfig -LDAPServerType ActiveDirectory -LDAPUsername ldap-user@contoso.local -LDAPPassword ldap-password -LDAPServerUrl ldap://ldap-server -LDAPUserGroup 'Domain Users'
User creation with read-only access

By default, a new user created in active directory has read-only access on the LDAP server. But that user is also member of the group Domain Users by default. Being member of that group is enough to be able to use that user and log on any domain’s computer. To avoid that, we suggest to use a user who is not a member of Domain Users group and has only read-only access on the LDAP server. To do that, a few steps is needed.

First, a new group has to be created, let’s say "Read-only Users". Then a new user can be created and added only to that group. After that, the new group can be set as primary group for the user. And finally, the user can be removed from the Domain Users group. This user should be used to configured WaykDen Server.

JumpCloud

JumpCloud is a cloud service who help you to centralize user management. You can create users and groups then use the service call "LDAP-as-a-Service" to access those users and groups from WaykDen. You can read more on how to use JumpCloud’s LDAP-as-a-Service.

To integrate Jump Cloud with Wayk Den, here are the information needed :

  • LDAP server url : ldaps://ldap.jumpcloud.com:636

  • LDAP user credential: username and password

  • LDAP Base DN: Distinguised Name where to retrieve users and groups

  • LDAP user group (optional)

The LDAP server url should be set to ldaps://ldap.jumpcloud.com:636. JumpCloud provide a non secure access as well, but we don’t recommand it. A user who can read the ldap directory should be created following steps here. The username has to be provided with the Distinguished Name (DN), something like uid=LDAP_BINDING_USER,ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com. The base DN is similar and should be set to ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com. Finally, a user group name can be specified to limit user to that group.

The following command will set LDAP property value for JumpCloud.

Set-WaykDenConfig -LDAPServerType JumpCloud -LDAPUsername "uid=ldap-user,ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com" -LDAPPassword ldap-password -LDAPServerUrl ldaps://ldap.jumpcloud.com:636 -LDAPBaseDn "ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com -LDAPUserGroup wayk-users"

About

Devolutions Wayk Den PowerShell Module

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

0 watching

Forks

5 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 6

Languages