Update to latest openconnect version 8.04 with pulse support

This commit is contained in:
Wolfgang Klinger 2019-09-18 15:32:57 +02:00
parent 0fdc0d1eff
commit 9dad4b64b8
3 changed files with 45 additions and 30 deletions


@ -1,18 +1,24 @@
FROM alpine:3.8 FROM alpine:edge
MAINTAINER Wolfgang Klinger <wolfgang@wazum.com> MAINTAINER Wolfgang Klinger <wolfgang@wazum.com>
# openconnect is not yet available on main # openconnect is not yet available on main
RUN apk add --no-cache tinyproxy openconnect --repository http://dl-cdn.alpinelinux.org/alpine/edge/testing RUN apk add --no-cache libcrypto1.1 libssl1.1 libstdc++ --repository http://dl-cdn.alpinelinux.org/alpine/edge/main
RUN apk add --no-cache oath-toolkit-libpskc --repository http://dl-cdn.alpinelinux.org/alpine/edge/community
RUN apk add --no-cache nettle --repository http://dl-cdn.alpinelinux.org/alpine/edge/main
RUN apk add --no-cache openconnect tinyproxy --repository http://dl-cdn.alpinelinux.org/alpine/edge/testing
COPY tinyproxy.conf /etc/tinyproxy.conf RUN apk --no-cache add ca-certificates wget && \
wget -q -O /etc/apk/keys/sgerrand.rsa.pub https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub && \
# https://github.com/gliderlabs/docker-alpine/issues/367 wget https://github.com/sgerrand/alpine-pkg-glibc/releases/download/2.30-r0/glibc-2.30-r0.apk && \
RUN [ ! -e /etc/nsswitch.conf ] && echo 'hosts: files dns' > /etc/nsswitch.conf apk add glibc-2.30-r0.apk
# Use an up-to-date version of vpnc-script # Use an up-to-date version of vpnc-script
# https://www.infradead.org/openconnect/vpnc-script.html
COPY vpnc-script /etc/vpnc/vpnc-script COPY vpnc-script /etc/vpnc/vpnc-script
RUN chmod 755 /etc/vpnc/vpnc-script RUN chmod 755 /etc/vpnc/vpnc-script
COPY tinyproxy.conf /etc/tinyproxy.conf
COPY entrypoint.sh /entrypoint.sh COPY entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh RUN chmod +x /entrypoint.sh
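Review bot: The glibc package fetched in the new `RUN apk --no-cache add ca-certificates wget` step is checked only by apk's signature verification against a key downloaded one line earlier from alpine-pkgs.sgerrand.com, so the build's trust anchor is whatever that site serves at build time, and the downloaded `glibc-2.30-r0.apk` is left behind in the layer. Pin both downloads to known digests and remove the archive in the same step, e.g. after the key download `echo "<sha256 of sgerrand.rsa.pub>  /etc/apk/keys/sgerrand.rsa.pub" | sha256sum -c -` and after the package download `echo "<sha256 of glibc-2.30-r0.apk>  glibc-2.30-r0.apk" | sha256sum -c - && apk add glibc-2.30-r0.apk && rm glibc-2.30-r0.apk`. The same reproducibility concern applies to `FROM alpine:edge` and the three `--repository http://dl-cdn.alpinelinux.org/alpine/edge/...` lines: edge is a rolling target, so the image contents change on every rebuild, whereas the removed `alpine:3.8` at least fixed the base, and the plain-http repository URLs rely entirely on apk's signature check. The dropped `/etc/nsswitch.conf` workaround is presumably covered by the glibc package creating that file, which the vpnc-script hunk's added `2>/dev/null` on its `grep ^hosts /etc/nsswitch.conf` suggests is not guaranteed; a one-line comment stating why the workaround was removed would help the next maintainer, and is worth confirming.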


@ -21,7 +21,7 @@
################ ################
# #
# List of parameters passed through environment # List of parameters passed through environment
#* reason -- why this script was called, one of: pre-init connect disconnect reconnect #* reason -- why this script was called, one of: pre-init connect disconnect reconnect attempt-reconnect
#* VPNGATEWAY -- vpn gateway address (always present) #* VPNGATEWAY -- vpn gateway address (always present)
#* TUNDEV -- tunnel device (always present) #* TUNDEV -- tunnel device (always present)
#* INTERNAL_IP4_ADDRESS -- address (always present) #* INTERNAL_IP4_ADDRESS -- address (always present)
@ -88,9 +88,6 @@ if [ ! -d "/var/run/vpnc" ]; then
[ -x /sbin/restorecon ] && /sbin/restorecon /var/run/vpnc [ -x /sbin/restorecon ] && /sbin/restorecon /var/run/vpnc
fi fi
# stupid SunOS: no blubber in /usr/local/bin ... (on stdout)
IPROUTE="`which ip 2> /dev/null | grep '^/'`"
if ifconfig --help 2>&1 | grep BusyBox > /dev/null; then if ifconfig --help 2>&1 | grep BusyBox > /dev/null; then
ifconfig_syntax_inet="" ifconfig_syntax_inet=""
else else
@ -98,11 +95,15 @@ else
fi fi
if [ "$OS" = "Linux" ]; then if [ "$OS" = "Linux" ]; then
IPROUTE="`which ip 2> /dev/null | grep '^/'`"
ifconfig_syntax_ptp="pointopoint" ifconfig_syntax_ptp="pointopoint"
route_syntax_gw="gw" route_syntax_gw="gw"
route_syntax_del="del" route_syntax_del="del"
route_syntax_netmask="netmask" route_syntax_netmask="netmask"
else else
# iproute2 is Linux only; if `which ip` returns something on another OS, it's likely an unrelated tool
# (see https://github.com/dlenski/openconnect/issues/132#issuecomment-470475009)
IPROUTE=""
ifconfig_syntax_ptp="" ifconfig_syntax_ptp=""
route_syntax_gw="" route_syntax_gw=""
route_syntax_del="delete" route_syntax_del="delete"
@ -116,7 +117,7 @@ else
ifconfig_syntax_ptpv6="" ifconfig_syntax_ptpv6=""
fi fi
grep ^hosts /etc/nsswitch.conf|grep resolve >/dev/null 2>&1 grep ^hosts /etc/nsswitch.conf 2>/dev/null|grep resolve >/dev/null 2>&1
if [ $? = 0 ];then if [ $? = 0 ];then
RESOLVEDENABLED=1 RESOLVEDENABLED=1
else else
@ -230,18 +231,18 @@ if [ -n "$IPROUTE" ]; then
set_vpngateway_route() { set_vpngateway_route() {
$IPROUTE route add `$IPROUTE route get "$VPNGATEWAY" | fix_ip_get_output` $IPROUTE route add `$IPROUTE route get "$VPNGATEWAY" | fix_ip_get_output`
$IPROUTE route flush cache $IPROUTE route flush cache 2>/dev/null
} }
del_vpngateway_route() { del_vpngateway_route() {
$IPROUTE route $route_syntax_del "$VPNGATEWAY" $IPROUTE route $route_syntax_del "$VPNGATEWAY"
$IPROUTE route flush cache $IPROUTE route flush cache 2>/dev/null
} }
set_default_route() { set_default_route() {
$IPROUTE route | grep '^default' | fix_ip_get_output > "$DEFAULT_ROUTE_FILE" $IPROUTE route | grep '^default' | fix_ip_get_output > "$DEFAULT_ROUTE_FILE"
$IPROUTE route replace default dev "$TUNDEV" $IPROUTE route replace default dev "$TUNDEV"
$IPROUTE route flush cache $IPROUTE route flush cache 2>/dev/null
} }
set_network_route() { set_network_route() {
@ -255,7 +256,7 @@ if [ -n "$IPROUTE" ]; then
else else
$IPROUTE route replace "$NETWORK/$NETMASKLEN" dev "$NETDEV" $IPROUTE route replace "$NETWORK/$NETMASKLEN" dev "$NETDEV"
fi fi
$IPROUTE route flush cache $IPROUTE route flush cache 2>/dev/null
} }
set_exclude_route() { set_exclude_route() {
@ -265,7 +266,7 @@ if [ -n "$IPROUTE" ]; then
NETMASK="$2" NETMASK="$2"
NETMASKLEN="$3" NETMASKLEN="$3"
$IPROUTE route add `$IPROUTE route get "$NETWORK/$NETMASKLEN" | fix_ip_get_output` $IPROUTE route add `$IPROUTE route get "$NETWORK/$NETMASKLEN" | fix_ip_get_output`
$IPROUTE route flush cache $IPROUTE route flush cache 2>/dev/null
} }
del_exclude_route() { del_exclude_route() {
@ -275,13 +276,13 @@ if [ -n "$IPROUTE" ]; then
NETMASK="$2" NETMASK="$2"
NETMASKLEN="$3" NETMASKLEN="$3"
$IPROUTE route $route_syntax_del "$NETWORK/$NETMASKLEN" $IPROUTE route $route_syntax_del "$NETWORK/$NETMASKLEN"
$IPROUTE route flush cache $IPROUTE route flush cache 2>/dev/null
} }
reset_default_route() { reset_default_route() {
if [ -s "$DEFAULT_ROUTE_FILE" ]; then if [ -s "$DEFAULT_ROUTE_FILE" ]; then
$IPROUTE route replace `cat "$DEFAULT_ROUTE_FILE"` $IPROUTE route replace `cat "$DEFAULT_ROUTE_FILE"`
$IPROUTE route flush cache $IPROUTE route flush cache 2>/dev/null
rm -f -- "$DEFAULT_ROUTE_FILE" rm -f -- "$DEFAULT_ROUTE_FILE"
fi fi
} }
@ -292,13 +293,13 @@ if [ -n "$IPROUTE" ]; then
NETMASKLEN="$3" NETMASKLEN="$3"
NETDEV="$4" NETDEV="$4"
$IPROUTE route $route_syntax_del "$NETWORK/$NETMASKLEN" dev "$NETDEV" $IPROUTE route $route_syntax_del "$NETWORK/$NETMASKLEN" dev "$NETDEV"
$IPROUTE route flush cache $IPROUTE route flush cache 2>/dev/null
} }
set_ipv6_default_route() { set_ipv6_default_route() {
# We don't save/restore IPv6 default route; just add a higher-priority one. # We don't save/restore IPv6 default route; just add a higher-priority one.
$IPROUTE -6 route add default dev "$TUNDEV" metric 1 $IPROUTE -6 route add default dev "$TUNDEV" metric 1
$IPROUTE -6 route flush cache $IPROUTE -6 route flush cache 2>/dev/null
} }
set_ipv6_network_route() { set_ipv6_network_route() {
@ -311,7 +312,7 @@ if [ -n "$IPROUTE" ]; then
else else
$IPROUTE -6 route replace "$NETWORK/$NETMASKLEN" dev "$NETDEV" $IPROUTE -6 route replace "$NETWORK/$NETMASKLEN" dev "$NETDEV"
fi fi
$IPROUTE route flush cache $IPROUTE route flush cache 2>/dev/null
} }
set_ipv6_exclude_route() { set_ipv6_exclude_route() {
@ -320,12 +321,12 @@ if [ -n "$IPROUTE" ]; then
NETWORK="$1" NETWORK="$1"
NETMASKLEN="$2" NETMASKLEN="$2"
$IPROUTE -6 route add `$IPROUTE route get "$NETWORK/$NETMASKLEN" | fix_ip_get_output` $IPROUTE -6 route add `$IPROUTE route get "$NETWORK/$NETMASKLEN" | fix_ip_get_output`
$IPROUTE route flush cache $IPROUTE route flush cache 2>/dev/null
} }
reset_ipv6_default_route() { reset_ipv6_default_route() {
$IPROUTE -6 route del default dev "$TUNDEV" $IPROUTE -6 route del default dev "$TUNDEV"
$IPROUTE route flush cache $IPROUTE route flush cache 2>/dev/null
} }
del_ipv6_network_route() { del_ipv6_network_route() {
@ -333,7 +334,7 @@ if [ -n "$IPROUTE" ]; then
NETMASKLEN="$2" NETMASKLEN="$2"
NETDEV="$3" NETDEV="$3"
$IPROUTE -6 route del "$NETWORK/$NETMASKLEN" dev "$NETDEV" $IPROUTE -6 route del "$NETWORK/$NETMASKLEN" dev "$NETDEV"
$IPROUTE -6 route flush cache $IPROUTE -6 route flush cache 2>/dev/null
} }
del_ipv6_exclude_route() { del_ipv6_exclude_route() {
@ -342,7 +343,7 @@ if [ -n "$IPROUTE" ]; then
NETWORK="$1" NETWORK="$1"
NETMASKLEN="$2" NETMASKLEN="$2"
$IPROUTE -6 route del "$NETWORK/$NETMASKLEN" $IPROUTE -6 route del "$NETWORK/$NETMASKLEN"
$IPROUTE -6 route flush cache $IPROUTE -6 route flush cache 2>/dev/null
} }
else # use route command else # use route command
get_default_gw() { get_default_gw() {
@ -682,7 +683,7 @@ nameserver $i"
done done
if [ -n "$CISCO_DEF_DOMAIN" ]; then if [ -n "$CISCO_DEF_DOMAIN" ]; then
NEW_RESOLVCONF="$NEW_RESOLVCONF NEW_RESOLVCONF="$NEW_RESOLVCONF
domain $CISCO_DEF_DOMAIN" search $CISCO_DEF_DOMAIN"
fi fi
echo "$NEW_RESOLVCONF" | /sbin/resolvconf -a $TUNDEV echo "$NEW_RESOLVCONF" | /sbin/resolvconf -a $TUNDEV
} }
@ -881,10 +882,10 @@ do_connect() {
while [ $i -lt $CISCO_IPV6_SPLIT_INC ] ; do while [ $i -lt $CISCO_IPV6_SPLIT_INC ] ; do
eval NETWORK="\${CISCO_IPV6_SPLIT_INC_${i}_ADDR}" eval NETWORK="\${CISCO_IPV6_SPLIT_INC_${i}_ADDR}"
eval NETMASKLEN="\${CISCO_IPV6_SPLIT_INC_${i}_MASKLEN}" eval NETMASKLEN="\${CISCO_IPV6_SPLIT_INC_${i}_MASKLEN}"
if [ $NETMASKLEN -lt 128 ]; then if [ $NETMASKLEN -eq 0 ]; then
set_ipv6_network_route "$NETWORK" "$NETMASKLEN" "$TUNDEV"
else
set_ipv6_default_route set_ipv6_default_route
else
set_ipv6_network_route "$NETWORK" "$NETMASKLEN" "$TUNDEV"
fi fi
i=`expr $i + 1` i=`expr $i + 1`
done done
@ -1018,7 +1019,15 @@ case "$reason" in
do_disconnect do_disconnect
run_hooks post-disconnect run_hooks post-disconnect
;; ;;
attempt-reconnect)
# Invoked before each attempt to re-establish the session.
# If the underlying physical connection changed, we might
# be left with a route to the VPN server through the VPN
# itself, which would need to be fixed.
run_hooks attempt-reconnect
;;
reconnect) reconnect)
# After successfully re-establishing the session.
run_hooks reconnect run_hooks reconnect
;; ;;
*) *)


@ -4,7 +4,7 @@
OPENCONNECT_USER= OPENCONNECT_USER=
OPENCONNECT_URL= OPENCONNECT_URL=
OPENCONNECT_OPTIONS="--authgroup <VPN Group> --servercert <VPN Server Certificate>" OPENCONNECT_OPTIONS="--authgroup <VPN Group> --servercert <VPN Server Certificate> --protocol=pulse"
PROXY_PORT=8888 PROXY_PORT=8888
# Don't touch this # Don't touch this
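Review bot: The example `OPENCONNECT_OPTIONS` line now hard-codes `--protocol=pulse`, which only applies to Pulse Connect Secure gateways, so a user copying this file against a Cisco/AnyConnect gateway gets a failed connection with no hint why in this file. Add a comment above the line, e.g. `# --protocol=pulse is for Pulse Connect Secure gateways; omit it (or use --protocol=anyconnect) for Cisco/AnyConnect servers`. It is also worth noting in the same comment that `--servercert <VPN Server Certificate>` is the value that pins the gateway's certificate and should be filled in rather than removed when users adapt the template.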