---
myst:
  html_meta:
    "description lang=en": "Create Egress Configurations in Kasm Workspaces."
    "keywords": "Kasm, Users, Groups, Configuration, Workspaces"
    "property=og:locale": "en_US"
---

```{title} Egress
```

# Egress

Kasm Workspaces allows the Kasm Administrator to define an **Egress Provider**, which contains a collection of **Egress Gateways** that can be selected upon Workspace launch to tunnel all of a Workspace's network traffic. Administrators may use the Egress feature to grant access to secure environments via a VPN or to route Kasm traffic through a location geographically separated from the Kasm Deployment.

**Egress Providers** can be mapped to a {doc}`Workspace `, {doc}`User ` or {doc}`Group ` in order to allow a user to select an **Egress Gateway** when launching their Kasm Workspace.

An **Egress Credential** can also be created on a Workspace, Group or User, which allows the Credential to be used when making a connection to the Egress Gateway. These may be a **Username** and **Password** for an OpenVPN Provider, a **Private Key** for Wireguard or a **Key** for Tailscale.

The following is an example of the new Egress Selection menu presented when a User launches a Workspace:

```{figure} /images/dynamic_egress/egress_selection.webp
:align: center
:width: 60%

**Egress Launch Selection**
```

## Gateway Selection Behavior

Egress Providers and Egress Credentials can be applied to Users, Groups and Workspaces. When users attempt to launch a Kasm they will be presented with a list of available Gateways. Gateways are only shown if they are enabled and there is a credential for the same Provider mapped to the selected Workspace, the User or any of the User's groups. A Credential can be paired with a Gateway even if they are mapped to different resources. For instance, the User "user@kasm.local" can use a Gateway attached to the "All Users" group with a credential attached to "user@kasm.local".

The first matching, enabled credential in a list of credentials sorted by their `egress_credential_id` will be automatically selected when a user specifies an Egress Gateway when launching a Workspace. Manually specifying an Egress Credential on Workspace launch is not currently supported. If a Credential has **Limit Active Connections** enabled and the number of concurrent connections using that credential has reached the limit, it will not be available for a new Egress connection until a Kasm Session using the credential has ended.

## Configuration

In this example we will be configuring an OpenVPN provider, but Wireguard and Tailscale are also supported.

### Creating Provider and Gateways

- Log into the Kasm Web UI as an administrator
- Click **Infrastructure -> Egress**
- Click **Add**

```{figure} /images/dynamic_egress/egress_provider_form.webp
:align: center
:width: 80%

**Egress Provider Form**
```

```{eval-rst}
.. table::
    :widths: 70

    +--------------------------+-------------------------------------------+
    | Name                     | Description                               |
    +--------------------------+-------------------------------------------+
    | **Enabled**              | Enable or disable this configuration      |
    +--------------------------+-------------------------------------------+
    | **Name**                 | The Unique Name for the Egress Provider   |
    +--------------------------+-------------------------------------------+
    | **Egress Provider Type** | The type of Egress Provider Configuration |
    +--------------------------+-------------------------------------------+
```

- Fill out the form and click **Save**
- A list of all Egress Providers is shown.

```{figure} /images/dynamic_egress/egress_provider_list.webp
:align: center
:width: 80%

**Egress Provider List**
```

- Click the arrow menu on the OpenVPN Provider and select **Edit**
- Select the **Egress Gateway** tab and click **Add**

```{figure} /images/dynamic_egress/egress_gateway_form.webp
:align: center
:width: 80%

**Egress Gateway Form**
```

```{eval-rst}
.. table::
    :widths: 70

    +--------------------------+----------------------------------------------------------+
    | Name                     | Description                                              |
    +--------------------------+----------------------------------------------------------+
    | **Enabled**              | Enable or Disable this configuration.                    |
    +--------------------------+----------------------------------------------------------+
    | **Name**                 | The Unique Name for the Egress Gateway                   |
    +--------------------------+----------------------------------------------------------+
    | **Country**              | The Country for the Egress Gateway                       |
    +--------------------------+----------------------------------------------------------+
    | **City**                 | The City for the Egress Gateway                          |
    +--------------------------+----------------------------------------------------------+
    | **Config**               | The Egress Gateway Config (OpenVPN, Wireguard or Custom) |
    +--------------------------+----------------------------------------------------------+
```

```{note}
For Wireguard Configurations the `PrivateKey` value in Config is set by the Egress Credential.
```

### Assigning Provider and Credentials

Provider Assignments and Credential creation can be done on Users, Groups and Workspaces. In this example we will be performing an Assignment on the User *user@kasm.local*.

- Log in to the Kasm Web UI as Administrator
- Click **Access Management** -> **Users**
- Click the arrow menu on *user@kasm.local* and select **Edit**.
- Click on the **Egress** tab and select **Add**

```{figure} /images/dynamic_egress/egress_provider_mapping_form.webp
:align: center
:width: 60%

**Egress Provider Mapping Form**
```

```{eval-rst}
.. table::
    :widths: 70

    +--------------------------+------------------------------------------------------------+
    | Name                     | Description                                                |
    +--------------------------+------------------------------------------------------------+
    | **Enabled**              | Enable or Disable this configuration.                      |
    +--------------------------+------------------------------------------------------------+
    | **Egress Provider**      | The name of the Egress Provider to Map.                    |
    +--------------------------+------------------------------------------------------------+
    | **Allow All Gateways**   | When Enabled, all Egress Gateways in the selected Provider |
    |                          | will be mapped. Disabling requires that the Admin specify  |
    |                          | which gateways to map in the **Selected Gateways**         |
    |                          | field.                                                     |
    +--------------------------+------------------------------------------------------------+
    | **Selected Gateways**    | When **Allow All Gateways** is enabled this setting        |
    |                          | sets the gateways that apply to this mapping.              |
    +--------------------------+------------------------------------------------------------+
```

- Fill out the form and click **Save**
- Click on the **Egress Credential** tab.

```{figure} /images/dynamic_egress/egress_credential_form.webp
:align: center
:width: 60%

**Egress Credentials Form**
```

```{eval-rst}
.. table::
    :widths: 70

    +------------------------------+------------------------------------------------------------+
    | Name                         | Description                                                |
    +------------------------------+------------------------------------------------------------+
    | **Enabled**                  | Enable or Disable this configuration.                      |
    +------------------------------+------------------------------------------------------------+
    | **Egress Provider**          | The name of the Egress Provider for this Credential.       |
    +------------------------------+------------------------------------------------------------+
    | **Name**                     | The name of this Egress Credential.                        |
    +------------------------------+------------------------------------------------------------+
    | **Username**                 | The Username for the Egress Credential (OpenVPN Provider)  |
    +------------------------------+------------------------------------------------------------+
    | **Password**                 | The Password for the Egress Credential (OpenVPN Provider)  |
    +------------------------------+------------------------------------------------------------+
    | **Private Key**              | The Wireguard Private Key for the Egress Credential        |
    |                              | (Wireguard Provider)                                       |
    +------------------------------+------------------------------------------------------------+
    | **Key**                      | The Tailscale Key for the Egress Credential                |
    |                              | (Tailscale Provider)                                       |
    +------------------------------+------------------------------------------------------------+
    | **Custom Credential**        | The Custom Credential for the Egress Credential            |
    |                              | (Custom Provider)                                          |
    +------------------------------+------------------------------------------------------------+
    | **Allow All Gateways**       | When Enabled, the Credential will apply to all Egress      |
    |                              | Gateways in the selected Provider.                         |
    |                              | Disabling requires that the Admin specify                  |
    |                              | which gateways to map in the **Selected Gateways**         |
    |                              | setting.                                                   |
    +------------------------------+------------------------------------------------------------+
    | **Selected Gateways**        | When **Allow All Gateways** is enabled, this               |
    |                              | sets the gateways that this Credential can be used with.   |
    +------------------------------+------------------------------------------------------------+
    | **Limit Active Connections** | When Enabled, the number of concurrent connections that    |
    |                              | this Egress Credential can be used in is limited           |
    |                              | to the setting in **Active Connection Limit**.             |
    +------------------------------+------------------------------------------------------------+
    | **Active Connection Limit**  | When **Limit Active Connections** is enabled, this value   |
    |                              | sets the maximum number of concurrent connections the      |
    |                              | credential can be used in.                                 |
    +------------------------------+------------------------------------------------------------+
```

Now that the Egress Provider and Credential are assigned to this user, they may select the Egress Gateway when launching a Container Workspace.
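
The rules under Gateway Selection Behavior can be modelled in a few lines to audit which credential a launch will actually use. The following Python sketch is an added example and not Kasm code. The class and function names, the sample resources "Example Workspace" and "Other Group", and the gateway names are constructed for illustration, and the gateway list is assumed to already be the set mapped to the user through an Egress Provider mapping.

```python
from dataclasses import dataclass

@dataclass
class Gateway:
    name: str
    provider: str
    enabled: bool = True

@dataclass
class Credential:
    egress_credential_id: int
    provider: str
    mapped_to: str                  # User, Group or Workspace it is attached to
    enabled: bool = True
    allow_all_gateways: bool = True
    selected_gateways: tuple = ()
    limit_active_connections: bool = False
    active_connection_limit: int = 0
    active_connections: int = 0     # sessions currently using this credential

def visible_gateways(gateways, credentials, scope):
    """Enabled gateways with a same-provider credential mapped within scope."""
    return [g.name for g in gateways if g.enabled and any(
        c.provider == g.provider and c.mapped_to in scope for c in credentials)]

def pick_credential(gateway, credentials, scope):
    """First usable credential in egress_credential_id order, or None."""
    for c in sorted(credentials, key=lambda c: c.egress_credential_id):
        if not c.enabled or c.provider != gateway.provider or c.mapped_to not in scope:
            continue
        if not c.allow_all_gateways and gateway.name not in c.selected_gateways:
            continue
        if c.limit_active_connections and c.active_connections >= c.active_connection_limit:
            continue    # limit reached: unavailable until a session ends
        return c
    return None

# Constructed sample data: one user, their group and the workspace being launched.
SCOPE = {"user@kasm.local", "All Users", "Example Workspace"}
GATEWAYS = [Gateway("gw-a", "OpenVPN Provider"),
            Gateway("gw-b", "OpenVPN Provider", enabled=False),
            Gateway("gw-c", "Wireguard Provider")]
CREDENTIALS = [
    Credential(7, "OpenVPN Provider", "user@kasm.local"),
    Credential(3, "OpenVPN Provider", "All Users",
               limit_active_connections=True, active_connection_limit=1),
    Credential(5, "Wireguard Provider", "Other Group"),
]

if __name__ == "__main__":
    print(visible_gateways(GATEWAYS, CREDENTIALS, SCOPE))
    print(pick_credential(GATEWAYS[0], CREDENTIALS, SCOPE))
```

With this sample data the group credential with the lower `egress_credential_id` is chosen ahead of the user's own credential, which only takes over once the group credential reaches its connection limit.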