diff --git a/docs.json b/docs.json index 0c49896..d19cc55 100644 --- a/docs.json +++ b/docs.json @@ -124,7 +124,8 @@ "integrations/infisical", "integrations/snyk", "integrations/stripe", - "integrations/teams" + "integrations/teams", + "integrations/openconnect" ] }, { diff --git a/integrations/openconnect.mdx b/integrations/openconnect.mdx new file mode 100644 index 0000000..65868dc --- /dev/null +++ b/integrations/openconnect.mdx @@ -0,0 +1,69 @@ +--- +title: "OpenConnect" +description: "Connect sandboxes to private networks via OpenConnect VPN." +--- + +## Features + +- Connect agent sandboxes to private networks so they can reach internal databases and services +- VPN connection is established automatically at the start of every session +- Works alongside the Postgres integration to access databases that aren't publicly reachable + +## Supported VPNs + +The VPN integration uses [OpenConnect](https://www.infradead.org/openconnect/), an open-source VPN client that is compatible with several enterprise VPN servers: + +| Protocol | Compatible with | +|----------|----------------| +| Fortinet SSL VPN | FortiClient, FortiGate | +| Cisco AnyConnect | Cisco Secure Client, ASA, IOS | +| Palo Alto GlobalProtect | GlobalProtect client, PAN-OS | +| Juniper Network Connect | Juniper/Pulse Secure, Ivanti Connect Secure | + +If your organization uses any of these VPN products, Tembo can connect to it directly — no changes to your VPN infrastructure required. + +## Installation + + + + Open [Integrations](https://app.tembo.io/integrations) and click **Install** next to VPN under the **Network** category. + + + Fill in the connection form: + - **Connection Name** — a label for this VPN (e.g. "Production VPN") + - **Protocol** — select your VPN type + - **VPN Gateway** — the hostname or IP of your VPN concentrator (e.g. `vpn.example.com`) + - **Username** and **Password** — credentials that the sandbox will use to authenticate + + + Once the VPN is configured, add a [Postgres integration](/integrations/postgres) using the **private** connection string of your database. Tembo will connect to the VPN first, then reach the database through the tunnel. + + + +## Usage + +When a session starts, Tembo automatically connects to your VPN before the agent begins work. The tunnel stays active for the duration of the session. + +This is useful when your database or internal services are behind a firewall and not reachable from the public internet. Instead of exposing your database publicly or setting up a bastion host, you provide the same VPN credentials your team already uses. + +### Example workflow + +1. Configure the VPN integration with your gateway credentials +2. Add a Postgres integration with your private connection string (e.g. `postgresql://user:pass@10.0.1.50:5432/mydb`) +3. Create a session — Tembo connects to the VPN, then the agent can query your database as if it were on your network + +## Advanced + + + + At each session start, the sandbox VM runs OpenConnect in the background to establish a VPN tunnel. This creates a virtual network interface (`tun0`) that routes traffic to your private network through the encrypted tunnel. The connection is re-established on every session start since VPN state does not persist across sessions. + + + + OpenConnect supports some forms of MFA (e.g. TOTP tokens appended to the password field), but interactive MFA prompts are not supported. If your VPN requires interactive two-factor authentication, consider creating a dedicated service account with a static password or certificate-based authentication for Tembo access. + + + + VPN credentials are injected into the sandbox at session start for the system to establish the tunnel before the agent begins work. Consider using a dedicated VPN account with limited network access scoped to only the resources Tembo needs. + +