From ea99cea816b7ca370aba0aff5c83afb87a25f376 Mon Sep 17 00:00:00 2001 From: milldr Date: Mon, 6 Jul 2026 16:40:55 -0400 Subject: [PATCH 1/4] docs(integrations): add VPN integration page --- docs.json | 3 +- integrations/vpn.mdx | 65 ++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 67 insertions(+), 1 deletion(-) create mode 100644 integrations/vpn.mdx diff --git a/docs.json b/docs.json index 0c49896..67eca4f 100644 --- a/docs.json +++ b/docs.json @@ -124,7 +124,8 @@ "integrations/infisical", "integrations/snyk", "integrations/stripe", - "integrations/teams" + "integrations/teams", + "integrations/vpn" ] }, { diff --git a/integrations/vpn.mdx b/integrations/vpn.mdx new file mode 100644 index 0000000..f33f282 --- /dev/null +++ b/integrations/vpn.mdx @@ -0,0 +1,65 @@ +--- +title: "VPN" +description: "Connect sandboxes to private networks via OpenConnect VPN." +--- + +## Features + +- Connect agent sandboxes to private networks so they can reach internal databases and services +- Supports Fortinet SSL VPN, Cisco AnyConnect, Palo Alto GlobalProtect, and Juniper Network Connect +- VPN connection is established automatically at the start of every session +- Works alongside the Postgres integration to access databases that aren't publicly reachable + +## Installation + + + + Open [Integrations](https://app.tembo.io/integrations) and click **Install** next to VPN under the **Network** category. + + + Fill in the connection form: + - **Connection Name** — a label for this VPN (e.g. "Production VPN") + - **Protocol** — select your VPN type (Fortinet, Cisco AnyConnect, Palo Alto GlobalProtect, or Juniper) + - **VPN Gateway** — the hostname or IP of your VPN concentrator (e.g. `vpn.example.com`) + - **Username** and **Password** — credentials that the sandbox will use to authenticate + + + Once the VPN is configured, add a [Postgres integration](/integrations/postgres) using the **private** connection string of your database. Tembo will connect to the VPN first, then reach the database through the tunnel. + + + +## Usage + +When a session starts, Tembo automatically connects to your VPN before the agent begins work. The tunnel stays active for the duration of the session. + +This is useful when your database or internal services are behind a firewall and not reachable from the public internet. Instead of exposing your database publicly or setting up a bastion host, you provide the same VPN credentials your team already uses. + +### Example workflow + +1. Configure the VPN integration with your Fortinet gateway credentials +2. Add a Postgres integration with your private connection string (e.g. `postgresql://user:pass@10.0.1.50:5432/mydb`) +3. Create a session — Tembo connects to the VPN, then the agent can query your database as if it were on your network + +## Advanced + + + + The VPN integration uses [OpenConnect](https://www.infradead.org/openconnect/), which supports: + - **Fortinet SSL VPN** (`fortinet`) — compatible with FortiClient + - **Cisco AnyConnect** (`anyconnect`) — compatible with Cisco Secure Client + - **Palo Alto GlobalProtect** (`gp`) — compatible with GlobalProtect client + - **Juniper Network Connect** (`nc`) — compatible with Juniper/Pulse Secure + + + + At each session start, the sandbox VM runs OpenConnect in the background to establish a VPN tunnel. This creates a virtual network interface (`tun0`) that routes traffic to your private network through the encrypted tunnel. The connection is re-established on every session start since VPN state does not persist across sessions. + + + + OpenConnect supports some forms of MFA (e.g. TOTP tokens appended to the password field), but interactive MFA prompts are not supported. If your VPN requires interactive two-factor authentication, consider creating a dedicated service account with a static password or certificate-based authentication for Tembo access. + + + + VPN credentials are stored encrypted and are only injected into the sandbox at session start. The credentials are never exposed to the agent — they are used by the system to establish the tunnel before the agent begins work. Consider using a dedicated VPN account with limited network access scoped to only the resources Tembo needs. + + From 371191c04d49d7ad9b035109295d0d3c1aa16be9 Mon Sep 17 00:00:00 2001 From: milldr Date: Mon, 6 Jul 2026 16:56:13 -0400 Subject: [PATCH 2/4] docs(integrations): reframe VPN page around OpenConnect and supported protocols --- integrations/vpn.mdx | 26 +++++++++++++++----------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/integrations/vpn.mdx b/integrations/vpn.mdx index f33f282..0392187 100644 --- a/integrations/vpn.mdx +++ b/integrations/vpn.mdx @@ -6,10 +6,22 @@ description: "Connect sandboxes to private networks via OpenConnect VPN." ## Features - Connect agent sandboxes to private networks so they can reach internal databases and services -- Supports Fortinet SSL VPN, Cisco AnyConnect, Palo Alto GlobalProtect, and Juniper Network Connect - VPN connection is established automatically at the start of every session - Works alongside the Postgres integration to access databases that aren't publicly reachable +## Supported VPNs + +The VPN integration uses [OpenConnect](https://www.infradead.org/openconnect/), an open-source VPN client that is compatible with several enterprise VPN servers: + +| Protocol | Compatible with | +|----------|----------------| +| Fortinet SSL VPN | FortiClient, FortiGate | +| Cisco AnyConnect | Cisco Secure Client, ASA, IOS | +| Palo Alto GlobalProtect | GlobalProtect client, PAN-OS | +| Juniper Network Connect | Juniper/Pulse Secure, Ivanti Connect Secure | + +If your organization uses any of these VPN products, Tembo can connect to it directly — no changes to your VPN infrastructure required. + ## Installation @@ -19,7 +31,7 @@ description: "Connect sandboxes to private networks via OpenConnect VPN." Fill in the connection form: - **Connection Name** — a label for this VPN (e.g. "Production VPN") - - **Protocol** — select your VPN type (Fortinet, Cisco AnyConnect, Palo Alto GlobalProtect, or Juniper) + - **Protocol** — select your VPN type - **VPN Gateway** — the hostname or IP of your VPN concentrator (e.g. `vpn.example.com`) - **Username** and **Password** — credentials that the sandbox will use to authenticate @@ -36,21 +48,13 @@ This is useful when your database or internal services are behind a firewall and ### Example workflow -1. Configure the VPN integration with your Fortinet gateway credentials +1. Configure the VPN integration with your gateway credentials 2. Add a Postgres integration with your private connection string (e.g. `postgresql://user:pass@10.0.1.50:5432/mydb`) 3. Create a session — Tembo connects to the VPN, then the agent can query your database as if it were on your network ## Advanced - - The VPN integration uses [OpenConnect](https://www.infradead.org/openconnect/), which supports: - - **Fortinet SSL VPN** (`fortinet`) — compatible with FortiClient - - **Cisco AnyConnect** (`anyconnect`) — compatible with Cisco Secure Client - - **Palo Alto GlobalProtect** (`gp`) — compatible with GlobalProtect client - - **Juniper Network Connect** (`nc`) — compatible with Juniper/Pulse Secure - - At each session start, the sandbox VM runs OpenConnect in the background to establish a VPN tunnel. This creates a virtual network interface (`tun0`) that routes traffic to your private network through the encrypted tunnel. The connection is re-established on every session start since VPN state does not persist across sessions. From fa2e4da14f98d61d4c39aa2be0dc66123f08b9a3 Mon Sep 17 00:00:00 2001 From: Dan Miller Date: Mon, 6 Jul 2026 17:16:26 -0400 Subject: [PATCH 3/4] Apply suggestion from @tembo[bot] Co-authored-by: tembo[bot] <208362400+tembo[bot]@users.noreply.github.com> --- integrations/vpn.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/integrations/vpn.mdx b/integrations/vpn.mdx index 0392187..74af855 100644 --- a/integrations/vpn.mdx +++ b/integrations/vpn.mdx @@ -64,6 +64,6 @@ This is useful when your database or internal services are behind a firewall and - VPN credentials are stored encrypted and are only injected into the sandbox at session start. The credentials are never exposed to the agent — they are used by the system to establish the tunnel before the agent begins work. Consider using a dedicated VPN account with limited network access scoped to only the resources Tembo needs. + VPN credentials are injected into the sandbox at session start for the system to establish the tunnel before the agent begins work. Consider using a dedicated VPN account with limited network access scoped to only the resources Tembo needs. From 7d320ec9e22aba032b7fcfe6fc91aed266b059f1 Mon Sep 17 00:00:00 2001 From: milldr Date: Mon, 6 Jul 2026 17:20:58 -0400 Subject: [PATCH 4/4] refactor: rename integration from vpn to openconnect --- docs.json | 2 +- integrations/{vpn.mdx => openconnect.mdx} | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) rename integrations/{vpn.mdx => openconnect.mdx} (99%) diff --git a/docs.json b/docs.json index 67eca4f..d19cc55 100644 --- a/docs.json +++ b/docs.json @@ -125,7 +125,7 @@ "integrations/snyk", "integrations/stripe", "integrations/teams", - "integrations/vpn" + "integrations/openconnect" ] }, { diff --git a/integrations/vpn.mdx b/integrations/openconnect.mdx similarity index 99% rename from integrations/vpn.mdx rename to integrations/openconnect.mdx index 74af855..65868dc 100644 --- a/integrations/vpn.mdx +++ b/integrations/openconnect.mdx @@ -1,5 +1,5 @@ --- -title: "VPN" +title: "OpenConnect" description: "Connect sandboxes to private networks via OpenConnect VPN." ---