From e6f2dae038d5fd529e99e28e8b14a8b2f5291ef9 Mon Sep 17 00:00:00 2001 From: Wolfgang Klinger <wk@plan2.net> Date: Fri, 20 Sep 2019 16:49:38 +0200 Subject: [PATCH] Add microsocks proxy (socks5), update connect script --- README.md | 43 +++++++++++++++++++++++++------------- build/Dockerfile | 9 ++++++++ build/entrypoint.sh | 9 +++++--- connect | 51 ++++++++++++++++++++------------------------- 4 files changed, 67 insertions(+), 45 deletions(-) diff --git a/README.md b/README.md index 3dc5226..8921332 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,9 @@ -# openconnect + tinyproxy +# openconnect + tinyproxy + microsocks -This Docker image contains an [openconnect client](http://www.infradead.org/openconnect/) and the [tinyproxy proxy server](https://tinyproxy.github.io/) -on a very small [alpine linux](https://www.alpinelinux.org/) image (requires around 60 MB of download). +This Docker image contains an [openconnect client](http://www.infradead.org/openconnect/) (version 8.04 with pulse/juniper support) and the [tinyproxy proxy server](https://tinyproxy.github.io/) for http/s connections (default on port 8888) and the [microsocks proxy](https://github.com/rofl0r/microsocks) for socks5 connections (default on port 8889) in a very small [alpine linux](https://www.alpinelinux.org/) image. + +You can find the image on docker hub: +https://hub.docker.com/r/wazum/openconnect-proxy # Run @@ -9,8 +11,16 @@ First set the variables in `connect` according to your credentials. OPENCONNECT_URL=<VPN URL> OPENCONNECT_USER=<VPN User> - OPENCONNECT_OPTIONS="--authgroup <VPN Group> --servercert <VPN Server Certificate>" - PROXY_PORT=8888 + OPENCONNECT_OPTIONS="--authgroup <VPN Group> --servercert <VPN Server Certificate> --protocol=<Protocol>" + +You can also change the ports used + + HTTPS_PROXY_PORT=8888 + SOCKS5_PROXY_PORT=8889 + +If you have the password for your connection in a file, provide the path + + PASSWORD_FILE=/path/to/file Next start the container with 
@@ -42,23 +52,28 @@ Or set environment variables with # ssh through the proxy -Install _corkscrew_ (e.g. with `brew install corkscrew` on macOS) -and if the container is running (see above) connect with +## nc (netcat) - ./connect ssh <user>@<host> - -or if you always use the same port simply add the following in your -`~/.ssh/config` +Set a `ProxyCommand` in your `~/.ssh/config` file like Host <hostname> - User <user> - ProxyCommand corkscrew 127.0.0.1 8888 %h %p + User git + ProxyCommand nc -x 127.0.0.1:8889 %h %p and your connection will be passed through the proxy. +The above example is for using git with ssh keys. + +## corkscrew + +An alternative is to use software like _corkscrew_ (e.g. install with `brew install corkscrew` on mac OS) + + Host <hostname> + User <user> + ProxyCommand corkscrew 127.0.0.1 8888 %h %p # Build You can build the container yourself with - docker build -f build/Dockerfile -t wazum/openconnect-proxy:latest ./build + docker build -f build/Dockerfile -t wazum/openconnect-proxy:custom ./build diff --git a/build/Dockerfile b/build/Dockerfile index 972491f..5176492 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -12,6 +12,15 @@ RUN apk --no-cache add ca-certificates wget && \ wget https://github.com/sgerrand/alpine-pkg-glibc/releases/download/2.30-r0/glibc-2.30-r0.apk && \ apk add glibc-2.30-r0.apk +RUN apk add --no-cache gcc make musl-dev && \ + cd /tmp && \ + wget https://github.com/rofl0r/microsocks/archive/v1.0.1.tar.gz && \ + tar -xzvf v1.0.1.tar.gz && \ + cd microsocks-1.0.1 && \ + make && \ + make install && \ + apk del gcc make musl-dev + # Use an up-to-date version of vpnc-script # https://www.infradead.org/openconnect/vpnc-script.html COPY vpnc-script /etc/vpnc/vpnc-script diff --git a/build/entrypoint.sh b/build/entrypoint.sh index cda65ad..fd3b7e9 100644 --- a/build/entrypoint.sh +++ b/build/entrypoint.sh 
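Review bot: The microsocks source is fetched with `wget https://github.com/rofl0r/microsocks/archive/v1.0.1.tar.gz` and compiled with no integrity check, so what ends up in the image depends on whatever that URL serves at build time; record the tarball's sha256 and verify it before `tar -xzvf`, e.g. `echo "<recorded sha256>  v1.0.1.tar.gz" | sha256sum -c -` right after the wget step (a tag can be moved, so a commit hash in the archive URL is the stronger pin). The same RUN removes the compilers but leaves the tarball and the unpacked tree in /tmp, so they stay in the layer; ending with `rm -rf /tmp/v1.0.1.tar.gz /tmp/microsocks-1.0.1` keeps them out. Pairing `apk add --no-cache --virtual .build-deps gcc make musl-dev` with `apk del .build-deps` would also stop the removal list from drifting from the install list.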
@@ -1,10 +1,13 @@ #!/bin/sh # Set proxy port -sed "s/^Port .*$/Port $PROXY_PORT/" -i /etc/tinyproxy.conf +sed "s/^Port .*$/Port $HTTPS_PROXY_PORT/" -i /etc/tinyproxy.conf # Start proxy tinyproxy -c /etc/tinyproxy.conf -# Start openconnect -echo "$OPENCONNECT_PASSWORD" | openconnect -v -u $OPENCONNECT_USER --no-dtls --passwd-on-stdin $OPENCONNECT_OPTIONS $OPENCONNECT_URL +# Start socks5 proxy +/usr/local/bin/microsocks -i 0.0.0.0 -p $SOCKS5_PROXY_PORT & + +# Start openconnect with a reconnect timeout of 24 hours +echo "$OPENCONNECT_PASSWORD" | openconnect -v -u $OPENCONNECT_USER --no-dtls --passwd-on-stdin $OPENCONNECT_OPTIONS --reconnect-timeout 86400 $OPENCONNECT_URL diff --git a/connect b/connect index 9e910e8..c17c1a2 100755 --- a/connect +++ b/connect 
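Review bot: `/usr/local/bin/microsocks -i 0.0.0.0 -p $SOCKS5_PROXY_PORT &` is backgrounded with no check that the port variable is set and no way to notice a failed bind, and the invocation shown configures no authentication, so every client that can reach the published port gets an unauthenticated SOCKS5 path into the VPN once openconnect is up (listening on 0.0.0.0 inside the container is needed for the published port, so the actual exposure is decided by how `connect` publishes it). The script has no `set -e`/`-u`, and the same unchecked expansion feeds the `sed` on the tinyproxy config, where a value containing `/` would corrupt the config rather than fail. A guard near the top, `: "${HTTPS_PROXY_PORT:?must be set}" "${SOCKS5_PROXY_PORT:?must be set}"`, turns a missing port into a hard error, and quoting the expansions (`-p "$SOCKS5_PROXY_PORT"`) avoids word splitting. If the socks proxy should not be open to anyone who can reach the port, microsocks' credential flags (if I remember its usage correctly) are the place to add that, sourced from environment variables like the other settings.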
@@ -2,46 +2,41 @@ # Edit this +PASSWORD_FILE= OPENCONNECT_USER= OPENCONNECT_URL= OPENCONNECT_OPTIONS="--authgroup <VPN Group> --servercert <VPN Server Certificate> --protocol=pulse" -PROXY_PORT=8888 +HTTPS_PROXY_PORT=8888 +SOCKS5_PROXY_PORT=8889 # Don't touch this container() { - # Ask for password on the commandline - stty -echo - printf "VPN password: " - read OPENCONNECT_PASSWORD - stty echo - printf "\n\n" + if [ "$PASSWORD_FILE" ]; then + OPENCONNECT_PASSWORD="`cat $PASSWORD_FILE`" + else +# Ask for password on the commandline + stty -echo + printf "VPN password: " + read OPENCONNECT_PASSWORD + stty echo + printf "\n\n" + fi # Start container with proxy on specified port - docker run -it --rm "$@" --privileged \ + until docker run -it --rm "$@" --privileged --name openconnect-proxy \ -e OPENCONNECT_URL="$OPENCONNECT_URL" \ -e OPENCONNECT_OPTIONS="$OPENCONNECT_OPTIONS" \ -e OPENCONNECT_USER="$OPENCONNECT_USER" \ -e OPENCONNECT_PASSWORD="$OPENCONNECT_PASSWORD" \ - -e PROXY_PORT="$PROXY_PORT" \ - -p $PROXY_PORT:$PROXY_PORT \ - "wazum/openconnect-proxy:latest" + -e HTTPS_PROXY_PORT="$HTTPS_PROXY_PORT" \ + -e SOCKS5_PROXY_PORT="$SOCKS5_PROXY_PORT" \ + -p $HTTPS_PROXY_PORT:$HTTPS_PROXY_PORT \ + -p $SOCKS5_PROXY_PORT:$SOCKS5_PROXY_PORT \ + "wazum/openconnect-proxy:latest"; do + echo "openconnect exited with code $?. Restarting process…" >&2 + sleep 1 + done } -ssh_proxy() { - if hash corkscrew 2>/dev/null; then - ssh -o ProxyCommand="corkscrew 127.0.0.1 $PROXY_PORT %h %p" "$@" - else - printf "The ssh command requires 'corkscrew' to be installed and executable.\n" - fi -} - -case $1 in - ssh) - shift - ssh_proxy "$@" - ;; - *) - container "$@" - ;; -esac +container "$@"
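Review bot: The added `-p $HTTPS_PROXY_PORT:$HTTPS_PROXY_PORT` and `-p $SOCKS5_PROXY_PORT:$SOCKS5_PROXY_PORT` mappings publish both proxies on every host interface, and nothing in this script or the entrypoint authenticates proxy clients, so any machine that can reach the host gains a route into the VPN; bind them to loopback with `-p 127.0.0.1:$HTTPS_PROXY_PORT:$HTTPS_PROXY_PORT` and `-p 127.0.0.1:$SOCKS5_PROXY_PORT:$SOCKS5_PROXY_PORT`, which is also the address the README examples use. The new `cat $PASSWORD_FILE` substitution leaves the path unquoted and carries on with an empty password when the file cannot be read; `OPENCONNECT_PASSWORD=$(cat -- "$PASSWORD_FILE") || exit 1` fails fast instead. The password still reaches the container as a `-e` argument, where it is visible in the host's process list and via `docker inspect` for the container's lifetime; that predates this change, but the file-based path makes unattended use more likely, so it deserves a comment. The `until … done` loop restarts on any non-zero exit, which presumably includes a Ctrl-C forwarded through `-it` to the container, so a deliberate stop would be retried a second later — exiting on that status is worth confirming.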