Egress

Kasm Workspaces allows for the Kasm Administrator to define an Egress Provider, which contains a collection of Egress Gateways that can be selected upon Workspace launch to tunnel all of a Workspace’s network traffic.

Administrators may use the Egress feature to grant access to secure environments via a VPN or have Kasm traffic be routed through a location geographically separated from the Kasm Deployment.

Egress Providers can be mapped to a Workspace, User or Group in order to allow for a user to select an Egress Gateway when launching their Kasm Workspace.

An Egress Credential can also be created on a Workspace, Group or User which allows for the Credential to be used when making a connection to the Egress Gateway. These may be a Username and Password for an OpenVPN Provider, a Private Key for Wireguard or a Key for Tailscale.

The following is an example of the new Egress Selection menu presented when a User launches a Workspace:

[Figure: Egress Launch Selection]

Gateway Selection Behavior

Egress Providers and Egress Credentials can be applied to Users, Groups and Workspaces.

When users attempt to launch a Kasm they will be presented with a list of available Gateways. Gateways are only shown if they are enabled and there is a credential for the same Provider mapped to the selected Workspace, the User or any of the User’s groups.

A Credential can be paired with a Gateway even if they are mapped to different resources. For instance, the User “user@kasm.local” can use a Gateway attached to the “All Users” group with a credential attached to “user@kasm.local”.

When a user specifies an Egress Gateway when launching a Workspace, the first matching, enabled credential in a list of credentials sorted by their egress_credential_id is automatically selected. Manually specifying an Egress Credential on Workspace launch is not currently supported.

If a Credential has Limit Active Connections enabled and the number of concurrent connections using that credential has reached the limit, it will not be available for a new Egress connection until a Kasm Session using the credential has ended.
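The selection rules above can be modelled as follows. This is an added illustration, not Kasm's code: apart from egress_credential_id, every class, field and sample value is an assumption constructed for the example, and gateway visibility follows the rule as literally stated (any mapped credential for the Provider counts).

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Credential:
    egress_credential_id: int    # sort key named in the documentation
    provider: str
    owner: str                   # User, Group or Workspace it is mapped to
    enabled: bool = True
    limit: Optional[int] = None  # Active Connection Limit; None = no limit
    active: int = 0              # sessions currently using this credential

@dataclass
class Gateway:
    name: str
    provider: str
    owner: str                   # resource the Provider mapping is attached to
    enabled: bool = True

def pick_credential(creds, provider, scope):
    """First enabled, in-scope credential with spare capacity, by id order."""
    for c in sorted(creds, key=lambda c: c.egress_credential_id):
        if not c.enabled or c.provider != provider or c.owner not in scope:
            continue
        if c.limit is not None and c.active >= c.limit:
            continue             # Limit Active Connections reached
        return c
    return None

def visible_gateways(gateways, creds, scope):
    """Enabled, in-scope gateways whose Provider has a mapped credential."""
    mapped = {c.provider for c in creds if c.owner in scope}
    return [g.name for g in gateways
            if g.enabled and g.owner in scope and g.provider in mapped]

# Constructed sample data: the user, one group and the selected Workspace.
SCOPE = {"user@kasm.local", "All Users", "Example Workspace"}
GATEWAYS = [
    Gateway("vpn-eu", "OpenVPN", "All Users"),
    Gateway("vpn-us", "OpenVPN", "All Users", enabled=False),
    Gateway("wg-lab", "Wireguard", "All Users"),   # no Wireguard credential
]
CREDS = [
    Credential(1, "OpenVPN", "All Users", limit=1, active=1),  # at its limit
    Credential(2, "OpenVPN", "user@kasm.local"),
    Credential(3, "OpenVPN", "Other Group"),                   # out of scope
]

if __name__ == "__main__":
    print(visible_gateways(GATEWAYS, CREDS, SCOPE))            # ['vpn-eu']
    chosen = pick_credential(CREDS, "OpenVPN", SCOPE)
    print(chosen.egress_credential_id)                         # 2
```

Because selection follows egress_credential_id rather than how specific the mapping is, a group credential with a lower id is used ahead of a user's own credential whenever it has capacity; check the ordering when auditing which credential a session will actually use.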

Configuration

In this example we will be configuring an OpenVPN provider, but Wireguard and Tailscale are also supported.

Creating Provider and Gateways

  • Log in to the Kasm Web UI as an administrator

  • Click Infrastructure -> Egress

  • Click Add

[Figure: Egress Provider Form]

| Name | Description |
| --- | --- |
| Enabled | Enable or disable this configuration |
| Name | The Unique Name for the Egress Provider |
| Egress Provider Type | The type of Egress Provider Configuration |

  • Fill out the form and click Save

  • A list of all Egress Providers is shown.

[Figure: Egress Provider List]

  • Click the arrow menu on the OpenVPN Provider and Select Edit

  • Select the Egress Gateway tab and click Add

[Figure: Egress Gateway Form]

| Name | Description |
| --- | --- |
| Enabled | Enable or Disable this configuration. |
| Name | The Unique Name for the Egress Gateway |
| Country | The Country for the Egress Gateway |
| City | The City for the Egress Gateway |
| Config | The Egress Gateway Config (OpenVPN, Wireguard or Custom) |

Note

For Wireguard Configurations the PrivateKey value in Config is set by the Egress Credential.

Assigning Provider and Credentials

Provider Assignments and Credential creation can be done on Users, Groups and Workspaces. In this example we will be performing an Assignment on the User user@kasm.local.

  • Log in to the Kasm Web UI as Administrator

  • Click Access Management -> Users

  • Click the arrow menu on user@kasm.local and select Edit.

  • Click on the Egress tab and select Add

[Figure: Egress Provider Mapping Form]

| Name | Description |
| --- | --- |
| Enabled | Enable or Disable this configuration. |
| Egress Provider | The name of the Egress Provider to Map. |
| Allow All Gateways | When Enabled, all Egress Gateways in the selected Provider will be mapped. Disabling requires that the Admin specify which gateways to map in the Selected Gateways field. |
| Selected Gateways | When Allow All Gateways is disabled, this setting sets the gateways that apply to this mapping. |

  • Fill out the form and click Save

  • Click on the Egress Credential tab.

[Figure: Egress Credentials Form]

| Name | Description |
| --- | --- |
| Enabled | Enable or Disable this configuration. |
| Egress Provider | The name of the Egress Provider for this Credential. |
| Name | The name of this Egress Credential. |
| Username | The Username for the Egress Credential (OpenVPN Provider) |
| Password | The Password for the Egress Credential (OpenVPN Provider) |
| Private Key | The Wireguard Private Key for the Egress Credential (Wireguard Provider) |
| Key | The Tailscale Key for the Egress Credential (Tailscale Provider) |
| Custom Credential | The Custom Credential for the Egress Credential (Custom Provider) |
| Allow All Gateways | When Enabled, the Credential will apply to all Egress Gateways in the selected Provider. Disabling requires that the Admin specify which gateways to map in the Selected Gateways setting. |
| Selected Gateways | When Allow All Gateways is disabled, this sets the gateways that this Credential can be used with. |
| Limit Active Connections | When Enabled, the number of concurrent connections that this Egress Credential can be used in is limited to the setting in Active Connection Limit. |
| Active Connection Limit | When Limit Active Connections is enabled, this value sets the maximum number of concurrent connections the credential can be used in. |

Now that the Egress Provider and Credential are assigned to this user, they may select the Egress Gateway when launching a Container Workspace.