Egress
Kasm Workspaces allows for the Kasm Administrator to define an Egress Provider, which contains a collection of Egress Gateways that can be selected upon Workspace launch to tunnel all of a Workspace’s network traffic.
Administrators may use the Egress feature to grant access to secure environments via a VPN or have Kasm traffic be routed through a location geographically separated from the Kasm Deployment.
Egress Providers can be mapped to a Workspace, User or Group in order to allow for a user to select an Egress Gateway when launching their Kasm Workspace.
An Egress Credential can also be created on a Workspace, Group or User which allows for the Credential to be used when making a connection to the Egress Gateway. These may be a Username and Password for an OpenVPN Provider, a Private Key for Wireguard or a Key for Tailscale.
The following is an example of the new Egress Selection menu presented when a User launches a Workspace:
Gateway Selection Behavior
Egress Providers and Egress Credentials can be applied to Users, Groups and Workspaces.
When users attempt to launch a Kasm they will be presented with a list of available Gateways. Gateways are only shown if they are enabled and there is a credential for the same Provider mapped to the selected Workspace, the User or any of the User’s groups.
A Credential can be paired with a Gateway even if they are mapped to different resources. For instance the User “user@kasm.local” can use a Gateway attached to “All Users” group with a credential attached to “user@kasm.local”.
When a user specifies an Egress Gateway at Workspace launch, the first matching, enabled credential in a list of credentials sorted by their egress_credential_id is selected automatically. Manually specifying an Egress Credential on Workspace launch is not currently supported.
If a Credential has Limit Active Connections enabled and the number of concurrent connections using that credential has reached the limit, it will not be available for a new Egress connection until a Kasm Session using the credential has ended.
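The selection rules above can be modeled as follows. This is an added sketch, not Kasm's own code: only egress_credential_id comes from this page, while the other field names, the "scope" set (Workspace, User and the User's groups) and the sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Gateway:                      # field names are illustrative, not Kasm's schema
    name: str
    provider: str
    mapped_to: str                  # user, group or workspace the provider mapping is attached to
    enabled: bool = True

@dataclass
class Credential:
    egress_credential_id: int       # the only identifier taken from the page
    provider: str
    mapped_to: str
    enabled: bool = True
    allow_all_gateways: bool = True
    selected_gateways: tuple = ()
    limit_active_connections: bool = False
    active_connection_limit: int = 0
    active_connections: int = 0     # sessions currently using this credential

def visible_gateways(gateways, creds, scope):
    """Gateways offered at launch; scope = {workspace, user, *user's groups}."""
    return [g for g in gateways
            if g.enabled and g.mapped_to in scope
            and any(c.provider == g.provider and c.mapped_to in scope for c in creds)]

def pick_credential(gw, creds, scope):
    """First matching, enabled credential in egress_credential_id order."""
    for c in sorted(creds, key=lambda c: c.egress_credential_id):
        if not c.enabled or c.provider != gw.provider or c.mapped_to not in scope:
            continue
        if not c.allow_all_gateways and gw.name not in c.selected_gateways:
            continue
        if c.limit_active_connections and c.active_connections >= c.active_connection_limit:
            continue                # at its limit until a session using it ends
        return c
    return None

# Constructed sample data (not from a real deployment)
SCOPE = {"Chrome", "user@kasm.local", "All Users"}
GATEWAYS = [Gateway("nyc", "OpenVPN", "All Users"),
            Gateway("ams", "OpenVPN", "All Users", enabled=False),
            Gateway("lon", "Wireguard", "All Users")]     # no Wireguard credential in scope
CREDS = [Credential(9, "OpenVPN", "All Users"),
         Credential(3, "OpenVPN", "user@kasm.local", enabled=False),
         Credential(7, "OpenVPN", "user@kasm.local", limit_active_connections=True,
                    active_connection_limit=1, active_connections=1)]
```

With this data only the "nyc" Gateway is offered, and credential 9 is used because credential 3 is disabled and credential 7 is at its connection limit; once the session holding credential 7 ends, 7 is chosen instead. Because selection is automatic, an administrator auditing which secret a session will present has to reason about this ordering across every User, Group and Workspace mapping.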
Configuration
In this example we will be configuring an OpenVPN provider, but Wireguard and Tailscale are also supported.
Creating Provider and Gateways
Log into the Kasm Web UI as an administrator
Click Infrastructure -> Egress
Click Add
Name | Description
Enabled | Enable or disable this configuration
Name | The Unique Name for the Egress Provider
Egress Provider Type | The type of Egress Provider Configuration
Fill out the form and click Save
A list of all Egress Providers is shown.
Click the arrow menu on the OpenVPN Provider and Select Edit
Select the Egress Gateway tab and click Add
Name | Description
Enabled | Enable or Disable this configuration.
Name | The Unique Name for the Egress Gateway
Country | The Country for the Egress Gateway
City | The City for the Egress Gateway
Config | The Egress Gateway Config (OpenVPN, Wireguard or Custom)
Note
For Wireguard Configurations the PrivateKey value in Config is set by the Egress Credential.
Assigning Provider and Credentials
Provider Assignments and Credential creation can be done on Users, Groups and Workspaces. In this example we will be performing an Assignment on the User user@kasm.local.
Log in to the Kasm Web UI as Administrator
Click Access Management -> Users
Click the arrow menu on user@kasm.local and select Edit.
Click on the Egress tab and select Add
Name | Description
Enabled | Enable or Disable this configuration.
Egress Provider | The name of the Egress Provider to Map.
Allow All Gateways | When Enabled, all Egress Gateways in the selected Provider will be mapped. Disabling requires that the Admin specify which gateways to map in the Selected Gateways field.
Selected Gateways | When Allow All Gateways is disabled, this setting sets the gateways that apply to this mapping.
Fill out the form and click Save
Click on the Egress Credential tab.
Name | Description
Enabled | Enable or Disable this configuration.
Egress Provider | The name of the Egress Provider for this Credential.
Name | The name of this Egress Credential.
Username | The Username for the Egress Credential (OpenVPN Provider)
Password | The Password for the Egress Credential (OpenVPN Provider)
Private Key | The Wireguard Private Key for the Egress Credential (Wireguard Provider)
Key | The Tailscale Key for the Egress Credential (Tailscale Provider)
Custom Credential | The Custom Credential for the Egress Credential (Custom Provider)
Allow All Gateways | When Enabled, the Credential will apply to all Egress Gateways in the selected Provider. Disabling requires that the Admin specify which gateways to map in the Selected Gateways setting.
Selected Gateways | When Allow All Gateways is disabled, this sets the gateways that this Credential can be used with.
Limit Active Connections | When Enabled, the number of concurrent connections that this Egress Credential can be used in is limited to the setting in Active Connection Limit.
Active Connection Limit | When Limit Active Connections is enabled, this value sets the maximum number of concurrent connections the credential can be used in.
Now that the Egress Provider and Credential are assigned to this user, they may select the Egress Gateway when launching a Container Workspace.