Remove connect script, update README

This commit is contained in:
Wolfgang Klinger 2019-10-15 08:11:23 +02:00
parent 9c66adcf4b
commit 1bb2a1217b
6 changed files with 83 additions and 89 deletions

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
.env

View File

@ -1,55 +1,72 @@
# openconnect + tinyproxy + microsocks
This Docker image contains an [openconnect client](http://www.infradead.org/openconnect/) (version 8.04 with pulse/juniper support) and the [tinyproxy proxy server](https://tinyproxy.github.io/) for http/s connections (default on port 8888) and the [microsocks proxy](https://github.com/rofl0r/microsocks) for socks5 connections (default on port 8889) in a very small [alpine linux](https://www.alpinelinux.org/) image.
This Docker image contains an [openconnect client](http://www.infradead.org/openconnect/) (version 8.04 with pulse/juniper support) and the [tinyproxy proxy server](https://tinyproxy.github.io/) for http/s connections (default on port 8888) and the [microsocks proxy](https://github.com/rofl0r/microsocks) for socks5 connections (default on port 8889) in a very small [alpine linux](https://www.alpinelinux.org/) image (around 60 MB).
You can find the image on docker hub:
https://hub.docker.com/r/wazum/openconnect-proxy
# Run
# Requirements
First set the variables in `connect` according to your credentials.
If you don't want to set the environment variables on the command line
set the environment variables in a `.env` file:
OPENCONNECT_URL=<VPN URL>
OPENCONNECT_USER=<VPN User>
OPENCONNECT_OPTIONS="--authgroup <VPN Group> --servercert <VPN Server Certificate> --protocol=<Protocol>"
OPENCONNECT_URL=<Gateway URL>
OPENCONNECT_USER=<Username>
OPENCONNECT_PASSWORD=<Password>
OPENCONNECT_OPTIONS=--authgroup <VPN Group> \
--servercert <VPN Server Certificate> --protocol=<Protocol> \
--reconnect-timeout 86400
You can also change the ports used
_(don't use quotes around the values!)_
Either set the password in the `.env` file or leave the variable `OPENCONNECT_PASSWORD` unset, so you get prompted when starting up the container.
Optionally set a multi factor authentication code:
OPENCONNECT_MFA_CODE=<Multi factor authentication code>
You can also change the ports the proxies are listening on (these are the default values):
HTTPS_PROXY_PORT=8888
SOCKS5_PROXY_PORT=8889
If you have the password for your connection in a file, provide the path
# Run container in foreground
PASSWORD_FILE=/path/to/file
To start the container in foreground run:
Next start the container with
docker run -it --rm --privileged --env-file=.env --net host wazum/openconnect-proxy
chmod 755 ./connect
./connect
Either use `--net host` or `-p 8888:8888 -p 8889:8889` to make the proxy ports available on the host.
The container will be started in the foreground.
If you want to start it in the background in daemon mode you can call
Without using a `.env` file set the environment variables on the command line with the docker run option `-e`:
./connect -d
docker run … -e OPENCONNECT_URL=vpn.gateway.com/example \
-e OPENCONNECT_OPTIONS='<Openconnect Options>' \
-e OPENCONNECT_USER=<Username>
In daemon mode you can view the stderr log with
# Run container in background
To start the container in daemon mode (background) set the `-d` option:
docker run -d -it --rm …
In daemon mode you can view the stderr log with `docker logs`:
docker logs <container ID>
docker logs `docker ps|grep "wazum/openconnect-proxy"|awk -F' ' '{print $1}'`
# Configure proxy
The container is connected via openconnect and you can configure your browser
to use the proxy on port 8888 (see configuration above),
e.g. with FoxyProxy or any suitable extension.
The container is connected via _openconnect_ and now you can configure your browser
and other software to use one of the proxies (8888 for http/s or 8889 for socks).
Or set environment variables with
For example FoxyProxy (available for Firefox, Chrome) is a suitable browser extension.
You may also set environment variables:
export http_proxy="http://127.0.0.1:8888/"
export https_proxy="http://127.0.0.1:8888/"
composer, git and others use these if you don't use the git+ssh protocol.
For that see the next section.
composer, git (if you don't use the git+ssh protocol, see below) and others use these.
# ssh through the proxy
@ -86,3 +103,8 @@ You can build the container yourself with
docker build -f build/Dockerfile -t wazum/openconnect-proxy:custom ./build
# Support
You like using my work? Get something for me (surprise! surprise!) from my wishlist on [Amazon](https://smile.amazon.de/hz/wishlist/ls/307SIOOD654GF/) or [help me pay](https://www.paypal.me/wazum) the next pizza or Pho soup (mjam). Thanks a lot!

View File

@ -1,25 +1,23 @@
FROM alpine:edge
MAINTAINER Wolfgang Klinger <wolfgang@wazum.com>
# openconnect is not yet available on main
RUN apk add --no-cache libcrypto1.1 libssl1.1 libstdc++ --repository http://dl-cdn.alpinelinux.org/alpine/edge/main
RUN apk add --no-cache oath-toolkit-libpskc --repository http://dl-cdn.alpinelinux.org/alpine/edge/community
RUN apk add --no-cache nettle --repository http://dl-cdn.alpinelinux.org/alpine/edge/main
# openconnect is not yet available on main
RUN apk add --no-cache openconnect tinyproxy --repository http://dl-cdn.alpinelinux.org/alpine/edge/testing
RUN apk --no-cache add ca-certificates wget && \
wget -q -O /etc/apk/keys/sgerrand.rsa.pub https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub && \
wget https://github.com/sgerrand/alpine-pkg-glibc/releases/download/2.30-r0/glibc-2.30-r0.apk && \
apk add glibc-2.30-r0.apk
RUN apk add --no-cache gcc make musl-dev && \
cd /tmp && \
wget https://github.com/rofl0r/microsocks/archive/v1.0.1.tar.gz && \
tar -xzvf v1.0.1.tar.gz && \
cd microsocks-1.0.1 && \
make && \
make install && \
apk del gcc make musl-dev
RUN apk add --no-cache ca-certificates wget \
&& wget -q -O /etc/apk/keys/sgerrand.rsa.pub https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub \
&& wget https://github.com/sgerrand/alpine-pkg-glibc/releases/download/2.30-r0/glibc-2.30-r0.apk \
&& apk add --no-cache --virtual .build-deps glibc-2.30-r0.apk gcc make musl-dev \
&& cd /tmp \
&& wget https://github.com/rofl0r/microsocks/archive/v1.0.1.tar.gz \
&& tar -xzvf v1.0.1.tar.gz \
&& cd microsocks-1.0.1 \
&& make \
&& make install \
&& apk del .build-deps wget
# Use an up-to-date version of vpnc-script
# https://www.infradead.org/openconnect/vpnc-script.html
@ -31,4 +29,10 @@ COPY tinyproxy.conf /etc/tinyproxy.conf
COPY entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh
ENV HTTPS_PROXY_PORT=${HTTPS_PROXY_PORT:-8888}
ENV SOCKS5_PROXY_PORT=${SOCKS5_PROXY_PORT:-8889}
EXPOSE ${HTTPS_PROXY_PORT}
EXPOSE ${SOCKS5_PROXY_PORT}
ENTRYPOINT ["/entrypoint.sh"]

View File

@ -4,10 +4,20 @@
sed "s/^Port .*$/Port $HTTPS_PROXY_PORT/" -i /etc/tinyproxy.conf
# Start proxy
tinyproxy -c /etc/tinyproxy.conf
/usr/bin/tinyproxy -c /etc/tinyproxy.conf && echo "HTTP/S proxy listening on $HTTPS_PROXY_PORT"
# Start socks5 proxy
/usr/local/bin/microsocks -i 0.0.0.0 -p $SOCKS5_PROXY_PORT &
echo "socks5 proxy listening on $SOCKS5_PROXY_PORT"
# Start openconnect with a reconnect timeout of 24 hours
echo "$OPENCONNECT_PASSWORD" | openconnect -v -u $OPENCONNECT_USER --no-dtls --passwd-on-stdin $OPENCONNECT_OPTIONS --reconnect-timeout 86400 $OPENCONNECT_URL
# Start openconnect
if [[ -z "${OPENCONNECT_PASSWORD}" ]]; then
# Ask for password
openconnect -v -u $OPENCONNECT_USER $OPENCONNECT_OPTIONS $OPENCONNECT_URL
elif [[ ! -z "${OPENCONNECT_PASSWORD}" ]] && [[ ! -z "${OPENCONNECT_MFA_CODE}" ]]; then
# Multi factor authentication (MFA)
(echo $OPENCONNECT_PASSWORD; echo $OPENCONNECT_MFA_CODE) | openconnect -v -u $OPENCONNECT_USER $OPENCONNECT_OPTIONS --passwd-on-stdin $OPENCONNECT_URL
elif [[ ! -z "${OPENCONNECT_PASSWORD}" ]]; then
# Standard authentication
echo $OPENCONNECT_PASSWORD | openconnect -v -u $OPENCONNECT_USER $OPENCONNECT_OPTIONS --passwd-on-stdin $OPENCONNECT_URL
fi

View File

@ -46,7 +46,7 @@ Port 8888
# Timeout: The maximum number of seconds of inactivity a connection is
# allowed to have before it is closed by tinyproxy.
#
Timeout 600
Timeout 3600
#
# ErrorFile: Defines the HTML file to send when a given HTTP error
@ -99,7 +99,7 @@ StatFile "/usr/local/share/tinyproxy/stats.html"
# option must not be enabled if the Logfile directive is being used.
# These two directives are mutually exclusive.
#
#Syslog On
Syslog On
#
# Log to stdout if no Syslog and no LogFile given
@ -118,7 +118,7 @@ StatFile "/usr/local/share/tinyproxy/stats.html"
# LogLevel was set to Warning, then all log messages from Warning to
# Critical would be output, but Notice and below would be suppressed.
#
LogLevel Info
LogLevel Connect
#
# PidFile: Write the PID of the main tinyproxy thread to this file so it
@ -191,7 +191,7 @@ MaxSpareServers 10
#
# StartServers: The number of servers to start initially.
#
StartServers 5
StartServers 2
#
# MaxRequestsPerChild: The number of connections a thread will handle
@ -210,6 +210,7 @@ MaxRequestsPerChild 0
# tested against the controls based on order.
#
Allow 127.0.0.1
Allow 0.0.0.0/0
#
# AddHeader: Adds the specified headers to outgoing HTTP requests that
@ -327,5 +328,3 @@ ViaProxyName "tinyproxy"
# If not set then no rewriting occurs.
#
#ReverseBaseURL "http://localhost:8888/"
Allow 0.0.0.0/0

42
connect
View File

@ -1,42 +0,0 @@
#!/bin/bash
# Edit this
PASSWORD_FILE=
OPENCONNECT_USER=
OPENCONNECT_URL=
OPENCONNECT_OPTIONS="--authgroup <VPN Group> --servercert <VPN Server Certificate> --protocol=pulse"
HTTPS_PROXY_PORT=8888
SOCKS5_PROXY_PORT=8889
# Don't touch this
container() {
if [ "$PASSWORD_FILE" ]; then
OPENCONNECT_PASSWORD="`cat $PASSWORD_FILE`"
else
# Ask for password on the commandline
stty -echo
printf "VPN password: "
read OPENCONNECT_PASSWORD
stty echo
printf "\n\n"
fi
# Start container with proxy on specified port
until docker run -it --rm "$@" --privileged --name openconnect-proxy \
-e OPENCONNECT_URL="$OPENCONNECT_URL" \
-e OPENCONNECT_OPTIONS="$OPENCONNECT_OPTIONS" \
-e OPENCONNECT_USER="$OPENCONNECT_USER" \
-e OPENCONNECT_PASSWORD="$OPENCONNECT_PASSWORD" \
-e HTTPS_PROXY_PORT="$HTTPS_PROXY_PORT" \
-e SOCKS5_PROXY_PORT="$SOCKS5_PROXY_PORT" \
-p $HTTPS_PROXY_PORT:$HTTPS_PROXY_PORT \
-p $SOCKS5_PROXY_PORT:$SOCKS5_PROXY_PORT \
"wazum/openconnect-proxy:latest"; do
echo "openconnect exited with code $?. Restarting process…" >&2
sleep 1
done
}
container "$@"