diff --git a/build/Dockerfile b/build/Dockerfile
index 70932b9..972491f 100644
--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -1,18 +1,24 @@
-FROM alpine:3.8
+FROM alpine:edge
 MAINTAINER Wolfgang Klinger
 # openconnect is not yet available on main
-RUN apk add --no-cache tinyproxy openconnect --repository http://dl-cdn.alpinelinux.org/alpine/edge/testing
+RUN apk add --no-cache libcrypto1.1 libssl1.1 libstdc++ --repository http://dl-cdn.alpinelinux.org/alpine/edge/main
+RUN apk add --no-cache oath-toolkit-libpskc --repository http://dl-cdn.alpinelinux.org/alpine/edge/community
+RUN apk add --no-cache nettle --repository http://dl-cdn.alpinelinux.org/alpine/edge/main
+RUN apk add --no-cache openconnect tinyproxy --repository http://dl-cdn.alpinelinux.org/alpine/edge/testing
-COPY tinyproxy.conf /etc/tinyproxy.conf
-
-# https://github.com/gliderlabs/docker-alpine/issues/367
-RUN [ ! -e /etc/nsswitch.conf ] && echo 'hosts: files dns' > /etc/nsswitch.conf
+RUN apk --no-cache add ca-certificates wget && \
+ wget -q -O /etc/apk/keys/sgerrand.rsa.pub https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub && \
+ wget https://github.com/sgerrand/alpine-pkg-glibc/releases/download/2.30-r0/glibc-2.30-r0.apk && \
+ apk add glibc-2.30-r0.apk
 # Use an up-to-date version of vpnc-script
+# https://www.infradead.org/openconnect/vpnc-script.html
 COPY vpnc-script /etc/vpnc/vpnc-script
 RUN chmod 755 /etc/vpnc/vpnc-script
+COPY tinyproxy.conf /etc/tinyproxy.conf
+
 COPY entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
diff --git a/build/vpnc-script b/build/vpnc-script
index 6a55546..93c70cc 100644
--- a/build/vpnc-script
+++ b/build/vpnc-script
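Review bot: The new glibc step installs a third-party apk signing key and package with no integrity check: `sgerrand.rsa.pub` is written straight into `/etc/apk/keys/` (so every later `apk add` will accept anything signed with it) and `glibc-2.30-r0.apk` is installed exactly as served, so the image's trust root now rests solely on TLS to two external hosts at build time. Pin both files to a known SHA-256 before use, download the package to a scratch path and delete it in the same layer — as written, the second `wget` has no `-O`, so the `.apk` lands in the working directory (presumably `/`, no `WORKDIR` is visible) and stays in the final image. The same hunk moves the base to `FROM alpine:edge` and takes openconnect from `edge/testing`, which makes rebuilds non-reproducible; a release tag or digest would be preferable. `MAINTAINER` is deprecated in favour of `LABEL`.
```dockerfile
# … unchanged: apk add lines for edge/main, edge/community, edge/testing …
RUN apk --no-cache add ca-certificates wget && \
    wget -q -O /etc/apk/keys/sgerrand.rsa.pub https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub && \
    echo "<sha256-of-key>  /etc/apk/keys/sgerrand.rsa.pub" | sha256sum -c - && \
    wget -q -O /tmp/glibc-2.30-r0.apk https://github.com/sgerrand/alpine-pkg-glibc/releases/download/2.30-r0/glibc-2.30-r0.apk && \
    echo "<sha256-of-apk>  /tmp/glibc-2.30-r0.apk" | sha256sum -c - && \
    apk add /tmp/glibc-2.30-r0.apk && \
    rm -f /tmp/glibc-2.30-r0.apk
```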
@@ -21,7 +21,7 @@
 ################
 #
 # List of parameters passed through environment
-#* reason -- why this script was called, one of: pre-init connect disconnect reconnect
+#* reason -- why this script was called, one of: pre-init connect disconnect reconnect attempt-reconnect
 #* VPNGATEWAY -- vpn gateway address (always present)
 #* TUNDEV -- tunnel device (always present)
 #* INTERNAL_IP4_ADDRESS -- address (always present)
@@ -88,9 +88,6 @@ if [ ! -d "/var/run/vpnc" ]; then
 [ -x /sbin/restorecon ] && /sbin/restorecon /var/run/vpnc
 fi
-# stupid SunOS: no blubber in /usr/local/bin ... (on stdout)
-IPROUTE="`which ip 2> /dev/null | grep '^/'`"
-
 if ifconfig --help 2>&1 | grep BusyBox > /dev/null; then
 ifconfig_syntax_inet=""
 else
@@ -98,11 +95,15 @@ else
 fi
 if [ "$OS" = "Linux" ]; then
+ IPROUTE="`which ip 2> /dev/null | grep '^/'`"
 ifconfig_syntax_ptp="pointopoint"
 route_syntax_gw="gw"
 route_syntax_del="del"
 route_syntax_netmask="netmask"
 else
+ # iproute2 is Linux only; if `which ip` returns something on another OS, it's likely an unrelated tool
+ # (see https://github.com/dlenski/openconnect/issues/132#issuecomment-470475009)
+ IPROUTE=""
 ifconfig_syntax_ptp=""
 route_syntax_gw=""
 route_syntax_del="delete"
@@ -116,7 +117,7 @@ else
 ifconfig_syntax_ptpv6=""
 fi
-grep ^hosts /etc/nsswitch.conf|grep resolve >/dev/null 2>&1
+grep ^hosts /etc/nsswitch.conf 2>/dev/null|grep resolve >/dev/null 2>&1
 if [ $? = 0 ];then
 RESOLVEDENABLED=1
 else
@@ -230,18 +231,18 @@ if [ -n "$IPROUTE" ]; then
 set_vpngateway_route() {
 $IPROUTE route add `$IPROUTE route get "$VPNGATEWAY" | fix_ip_get_output`
- $IPROUTE route flush cache
+ $IPROUTE route flush cache 2>/dev/null
 }
 del_vpngateway_route() {
 $IPROUTE route $route_syntax_del "$VPNGATEWAY"
- $IPROUTE route flush cache
+ $IPROUTE route flush cache 2>/dev/null
 }
 set_default_route() {
 $IPROUTE route | grep '^default' | fix_ip_get_output > "$DEFAULT_ROUTE_FILE"
 $IPROUTE route replace default dev "$TUNDEV"
- $IPROUTE route flush cache
+ $IPROUTE route flush cache 2>/dev/null
 }
 set_network_route() {
@@ -255,7 +256,7 @@ if [ -n "$IPROUTE" ]; then
 else
 $IPROUTE route replace "$NETWORK/$NETMASKLEN" dev "$NETDEV"
 fi
- $IPROUTE route flush cache
+ $IPROUTE route flush cache 2>/dev/null
 }
 set_exclude_route() {
@@ -265,7 +266,7 @@ if [ -n "$IPROUTE" ]; then
 NETWORK="$1"
 NETMASK="$2"
 NETMASKLEN="$3"
 $IPROUTE route add `$IPROUTE route get "$NETWORK/$NETMASKLEN" | fix_ip_get_output`
- $IPROUTE route flush cache
+ $IPROUTE route flush cache 2>/dev/null
 }
 del_exclude_route() {
@@ -275,13 +276,13 @@ if [ -n "$IPROUTE" ]; then
 NETMASK="$2"
 NETMASKLEN="$3"
 $IPROUTE route $route_syntax_del "$NETWORK/$NETMASKLEN"
- $IPROUTE route flush cache
+ $IPROUTE route flush cache 2>/dev/null
 }
 reset_default_route() {
 if [ -s "$DEFAULT_ROUTE_FILE" ]; then
 $IPROUTE route replace `cat "$DEFAULT_ROUTE_FILE"`
- $IPROUTE route flush cache
+ $IPROUTE route flush cache 2>/dev/null
 rm -f -- "$DEFAULT_ROUTE_FILE"
 fi
 }
@@ -292,13 +293,13 @@ if [ -n "$IPROUTE" ]; then
 NETMASKLEN="$3"
 NETDEV="$4"
 $IPROUTE route $route_syntax_del "$NETWORK/$NETMASKLEN" dev "$NETDEV"
- $IPROUTE route flush cache
+ $IPROUTE route flush cache 2>/dev/null
 }
 set_ipv6_default_route() {
 # We don't save/restore IPv6 default route; just add a higher-priority one.
 $IPROUTE -6 route add default dev "$TUNDEV" metric 1
- $IPROUTE -6 route flush cache
+ $IPROUTE -6 route flush cache 2>/dev/null
 }
 set_ipv6_network_route() {
@@ -311,7 +312,7 @@ if [ -n "$IPROUTE" ]; then
 else
 $IPROUTE -6 route replace "$NETWORK/$NETMASKLEN" dev "$NETDEV"
 fi
- $IPROUTE route flush cache
+ $IPROUTE route flush cache 2>/dev/null
 }
 set_ipv6_exclude_route() {
@@ -320,12 +321,12 @@ if [ -n "$IPROUTE" ]; then
 NETWORK="$1"
 NETMASKLEN="$2"
 $IPROUTE -6 route add `$IPROUTE route get "$NETWORK/$NETMASKLEN" | fix_ip_get_output`
- $IPROUTE route flush cache
+ $IPROUTE route flush cache 2>/dev/null
 }
 reset_ipv6_default_route() {
 $IPROUTE -6 route del default dev "$TUNDEV"
- $IPROUTE route flush cache
+ $IPROUTE route flush cache 2>/dev/null
 }
 del_ipv6_network_route() {
@@ -333,7 +334,7 @@ if [ -n "$IPROUTE" ]; then
 NETMASKLEN="$2"
 NETDEV="$3"
 $IPROUTE -6 route del "$NETWORK/$NETMASKLEN" dev "$NETDEV"
- $IPROUTE -6 route flush cache
+ $IPROUTE -6 route flush cache 2>/dev/null
 }
 del_ipv6_exclude_route() {
@@ -342,7 +343,7 @@ if [ -n "$IPROUTE" ]; then
 NETWORK="$1"
 NETMASKLEN="$2"
 $IPROUTE -6 route del "$NETWORK/$NETMASKLEN"
- $IPROUTE -6 route flush cache
+ $IPROUTE -6 route flush cache 2>/dev/null
 }
 else # use route command
 get_default_gw() {
@@ -682,7 +683,7 @@ nameserver $i"
 done
 if [ -n "$CISCO_DEF_DOMAIN" ]; then
 NEW_RESOLVCONF="$NEW_RESOLVCONF
-domain $CISCO_DEF_DOMAIN"
+search $CISCO_DEF_DOMAIN"
 fi
 echo "$NEW_RESOLVCONF" | /sbin/resolvconf -a $TUNDEV
 }
@@ -881,10 +882,10 @@ do_connect() {
 while [ $i -lt $CISCO_IPV6_SPLIT_INC ] ; do
 eval NETWORK="\${CISCO_IPV6_SPLIT_INC_${i}_ADDR}"
 eval NETMASKLEN="\${CISCO_IPV6_SPLIT_INC_${i}_MASKLEN}"
- if [ $NETMASKLEN -lt 128 ]; then
- set_ipv6_network_route "$NETWORK" "$NETMASKLEN" "$TUNDEV"
- else
+ if [ $NETMASKLEN -eq 0 ]; then
 set_ipv6_default_route
+ else
+ set_ipv6_network_route "$NETWORK" "$NETMASKLEN" "$TUNDEV"
 fi
 i=`expr $i + 1`
 done
@@ -1018,7 +1019,15 @@ case "$reason" in
 do_disconnect
 run_hooks post-disconnect
 ;;
+ attempt-reconnect)
+ # Invoked before each attempt to re-establish the session.
+ # If the underlying physical connection changed, we might
+ # be left with a route to the VPN server through the VPN
+ # itself, which would need to be fixed.
+ run_hooks attempt-reconnect
+ ;;
 reconnect)
+ # After successfully re-establishing the session.
 run_hooks reconnect
 ;;
 *)
diff --git a/connect b/connect
index dbce51a..9e910e8 100755
--- a/connect
+++ b/connect
@@ -4,7 +4,7 @@
 OPENCONNECT_USER=
 OPENCONNECT_URL=
-OPENCONNECT_OPTIONS="--authgroup --servercert "
+OPENCONNECT_OPTIONS="--authgroup --servercert --protocol=pulse"
 PROXY_PORT=8888
 # Don't touch this
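Review bot: `--servercert` in the new default `OPENCONNECT_OPTIONS` still carries no fingerprint, and `--protocol=pulse` now sits directly after it; if the template is used unfilled and the string is word-split onto the openconnect command line, `--authgroup` would presumably swallow `--servercert` as its value and `--protocol=pulse` would be read as the certificate pin, so the server-certificate check silently does nothing. Make the placeholders explicit so a missing value is obvious, e.g. `# fill in: --authgroup <group> --servercert <pin:sha256 fingerprint printed by openconnect>` above the line, and put `--protocol=pulse` first so the option order cannot shift. Hard-coding the protocol in the shared defaults also ties the image to Pulse; a separate `OPENCONNECT_PROTOCOL=pulse` variable would keep the option list generic. How `OPENCONNECT_OPTIONS` is expanded is outside this hunk.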