Compare commits


5 commits

| Author | SHA1 | Message | Date |
|---|---|---|---|
| Przemysław Grondek | c1aef6f1aa | Fix Dockerfile and create run script | 2021-03-10 11:49:28 +01:00 |
| Wolfgang Klinger | 93e6ce3f1c | Add vpn-slice support | 2019-10-19 13:04:46 +02:00 |
| Wolfgang Klinger | 46e2544936 | Run openconnect calls in an endless loop with 60s sleep on failure | 2019-10-17 17:45:23 +02:00 |
| Wolfgang Klinger | d7bba950af | Set docker dns server in vpnc script | 2019-10-16 21:14:31 +02:00 |
| Wolfgang Klinger | 4c6641ab76 | Cleanup and updated README | 2019-10-16 08:20:43 +02:00 |
5 changed files with 77 additions and 81 deletions

View file

@ -1,6 +1,6 @@
# openconnect + tinyproxy + microsocks
This Docker image contains an [openconnect client](http://www.infradead.org/openconnect/) (version 8.04 with pulse/juniper support) and the [tinyproxy proxy server](https://tinyproxy.github.io/) for http/s connections (on port 8888) and the [microsocks proxy](https://github.com/rofl0r/microsocks) for socks5 connections (on port 8889) and a sshd server (on port 22) in a very small [alpine linux](https://www.alpinelinux.org/) image (around 20 MB).
This Docker image contains an [openconnect client](http://www.infradead.org/openconnect/) (version 8.04 with pulse/juniper support) and the [tinyproxy proxy server](https://tinyproxy.github.io/) for http/https connections (default on port 8888) and the [microsocks proxy](https://github.com/rofl0r/microsocks) for socks5 connections (default on port 8889) in a very small [alpine linux](https://www.alpinelinux.org/) image (around 20 MB).
You can find the image on docker hub:
https://hub.docker.com/r/wazum/openconnect-proxy
@ -17,7 +17,9 @@ set the environment variables in a `.env` file:
--servercert <VPN Server Certificate> --protocol=<Protocol> \
--reconnect-timeout 86400
_(don't use quotes around the values!)_
_Don't use quotes around the values!_
See the [openconnect documentation](https://www.infradead.org/openconnect/manual.html) for available options.
Either set the password in the `.env` file or leave the variable `OPENCONNECT_PASSWORD` unset, so you get prompted when starting up the container.
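Review bot: The sentence "Either set the password in the `.env` file or leave the variable `OPENCONNECT_PASSWORD` unset" should warn that a password passed through `--env-file` lands in the container environment, where it is readable with `docker inspect` by anyone with access to the Docker socket and via `/proc/<pid>/environ` inside the container. Recommend the prompt path (leave `OPENCONNECT_PASSWORD` unset) for interactive use, and say explicitly that `.env` must be kept out of version control.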
@ -25,44 +27,20 @@ Optionally set a multi factor authentication code:
OPENCONNECT_MFA_CODE=<Multi factor authentication code>
# SSH server
To use the ssh server, mount your public key as volume with the `-v` option:
docker run … -v ~/.ssh/id_rsa.pub:/tmp/public_key …
or use the root password `docker`. The ssh server is listening on port 22.
Set
Host 127.0.0.1
StrictHostKeyChecking no
UserKnownHostsFile=/dev/null
in your `~/.ssh/config` on the host.
# Run container in foreground
To start the container in foreground run:
docker run -it --rm --privileged --env-file=.env --net host wazum/openconnect-proxy:latest
The proxies are listening on ports 8888 (http/https) and 8889 (socks).
Either use `--net host` or `-p <local port>:8888 -p <local port>:8889` to make the proxy ports available on the host.
Another example:
docker run -it --rm --privileged --env-file=.env \
-v ~/.ssh/id_rsa.pub:/tmp/public_key \
-p 8888:8888 -p 8889:8889 -p 2222:22 wazum/openconnect-proxy:latest
-p 8888:8888 -p 8889:8889 wazum/openconnect-proxy:latest
The proxies are listening on ports 8888 (http/https) and 8889 (socks). Either use `--net host` or `-p <local port>:8888 -p <local port>:8889` to make the proxy ports available on the host.
Without using a `.env` file set the environment variables on the command line with the docker run option `-e`:
docker run … -e OPENCONNECT_URL=vpn.gateway.com/example \
-e OPENCONNECT_OPTIONS='<Openconnect Options>' \
-e OPENCONNECT_USER=<Username>
-e OPENCONNECT_OPTIONS='<Openconnect Options>' \
-e OPENCONNECT_USER=<Username>
# Run container in background
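Review bot: The first `docker run` example still combines `--privileged` with `--net host`, and the entrypoint binds the socks proxy to all interfaces (`/usr/local/bin/microsocks -i 0.0.0.0 -p 8889`), so with host networking both unauthenticated proxies are reachable from every host interface, not just from the machine itself. Add a warning here and, in the published-port example, bind to loopback: `-p 127.0.0.1:8888:8888 -p 127.0.0.1:8889:8889`. Dropping the `StrictHostKeyChecking no` / `UserKnownHostsFile=/dev/null` guidance along with the sshd is the right call.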
@ -76,30 +54,40 @@ In daemon mode you can view the stderr log with `docker logs`:
# Use container with docker-compose
```
vpn:
container_name: openconnect_vpn
image: wazum/openconnect-proxy:latest
privileged: true
env_file:
- .env
ports:
- 8888:8888
- 8889:8889
- 22:2222
networks:
- mynetwork
```
vpn:
container_name: openconnect_vpn
image: wazum/openconnect-proxy:latest
privileged: true
env_file:
- .env
ports:
- 8888:8888
- 8889:8889
cap_add:
- NET_ADMIN
networks:
- mynetwork
Set the environment variables for _openconnect_ in the `.env` file again (or specify another file) and
map the configured ports in the container to your local ports if you want to access the VPN
on the host too when running your containers. Otherwise only the docker containers in the same
network have access to the proxy ports.
# Route traffic through VPN container
Let's say you have a `vpn` container defined as above, then add `network_mode` option to your other containers:
depends_on:
- vpn
network_mode: "service:vpn"
Keep in mind that `networks`, `extra_hosts`, etc. and `network_mode` are mutually exclusive!
# Configure proxy
The container is connected via _openconnect_ and now you can configure your browser
and other software to use one of the proxies (8888 for http/s or 8889 for socks).
and other software to use one of the proxies (8888 for http/https or 8889 for socks).
For example FoxyProxy (available for Firefox, Chrome) is a suitable browser extension.
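Review bot: `cap_add: - NET_ADMIN` adds nothing while `privileged: true` stays in the compose example, since a privileged container already holds every capability. If the intent is least privilege, drop `privileged: true` and grant only what openconnect needs to bring up the tunnel: `cap_add: - NET_ADMIN` plus `devices: - /dev/net/tun`. The same example should publish on loopback (`- 127.0.0.1:8888:8888`) unless other hosts are meant to reach the proxies, since nothing authenticates clients on 8888 or 8889.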

View file

@ -17,15 +17,13 @@ RUN apk add --no-cache ca-certificates wget \
&& cd microsocks-1.0.1 \
&& make \
&& make install \
# add vpn-slice with dependencies (dig) https://github.com/dlenski/vpn-slice
&& apk add --no-cache python3 py3-pip bind-tools && pip3 install --upgrade pip \
&& pip3 install https://github.com/dlenski/vpn-slice/archive/master.zip \
# always add the docker DNS server
&& grep -qxF 'nameserver 127.0.0.11' /etc/resolv.conf || echo 'nameserver 127.0.0.11' >> /etc/resolv.conf \
&& apk del .build-deps wget
RUN apk add --no-cache openssh \
&& echo "root:docker" | chpasswd \
&& mkdir -p /root/.ssh \
&& touch /root/.ssh/authorized_keys \
&& chmod 700 /root/.ssh \
&& chmod 600 /root/.ssh/authorized_keys
# Use an up-to-date version of vpnc-script
# https://www.infradead.org/openconnect/vpnc-script.html
COPY vpnc-script /etc/vpnc/vpnc-script
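Review bot: Two problems in the new `RUN` chain. First, `grep -qxF 'nameserver 127.0.0.11' /etc/resolv.conf || echo 'nameserver 127.0.0.11' >> /etc/resolv.conf` is spliced into the `&&` chain without grouping; `&&` and `||` bind with equal precedence left to right, so if any earlier step fails (for example the `pip3 install` of vpn-slice) the `||` branch runs, succeeds, and `apk del .build-deps wget` proceeds, so the build passes with vpn-slice missing. Wrap it as `&& { grep -qxF ... || echo ... >> /etc/resolv.conf; }`, or drop it: Docker mounts its own `/etc/resolv.conf` into the container at start, so an entry written at build time never reaches the running container. Second, `pip3 install https://github.com/dlenski/vpn-slice/archive/master.zip` pulls an unpinned branch, so the image is not reproducible and anything pushed to that branch ends up in it; pin to a tagged archive or a pinned, hashed requirement. Removing the `root:docker` password and the sshd install is a clear improvement.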
@ -38,6 +36,5 @@ RUN chmod +x /entrypoint.sh
EXPOSE 8888
EXPOSE 8889
EXPOSE 22
ENTRYPOINT ["/entrypoint.sh"]

View file

@ -1,37 +1,26 @@
#!/bin/sh
# Copy possibly mounted public key for ssh
if test -f "/tmp/public_key"; then
cat /tmp/public_key > /root/.ssh/authorized_keys
fi
# Set proxy port
sed "s/^Port .*$/Port 8888/" -i /etc/tinyproxy.conf
# Start proxy
/usr/bin/tinyproxy -c /etc/tinyproxy.conf
# Start socks5 proxy
/usr/local/bin/microsocks -i 0.0.0.0 -p 8889 &
# Start ssh server
sed -i s/#PermitRootLogin.*/PermitRootLogin\ yes/ /etc/ssh/sshd_config
sed -i s/#AllowTCPForwarding.*/AllowTCPForwarding\ yes/ /etc/ssh/sshd_config
sed -i s/#PermitTunnel.*/PermitTunnel\ yes/ /etc/ssh/sshd_config
sed -i s/#AllowAgentForwarding.*/AllowAgentForwarding\ yes/ /etc/ssh/sshd_config
sed -i s/#GatewayPorts.*/GatewayPorts\ yes/ /etc/ssh/sshd_config
ssh-keygen -A
/usr/sbin/sshd -4 -e
run () {
# Start openconnect
if [[ -z "${OPENCONNECT_PASSWORD}" ]]; then
# Ask for password
openconnect -u $OPENCONNECT_USER $OPENCONNECT_OPTIONS $OPENCONNECT_URL
elif [[ ! -z "${OPENCONNECT_PASSWORD}" ]] && [[ ! -z "${OPENCONNECT_MFA_CODE}" ]]; then
# Multi factor authentication (MFA)
(echo $OPENCONNECT_PASSWORD; echo $OPENCONNECT_MFA_CODE) | openconnect -u $OPENCONNECT_USER $OPENCONNECT_OPTIONS --passwd-on-stdin $OPENCONNECT_URL
elif [[ ! -z "${OPENCONNECT_PASSWORD}" ]]; then
# Standard authentication
echo $OPENCONNECT_PASSWORD | openconnect -u $OPENCONNECT_USER $OPENCONNECT_OPTIONS --passwd-on-stdin $OPENCONNECT_URL
fi
}
# Start openconnect
if [[ -z "${OPENCONNECT_PASSWORD}" ]]; then
# Ask for password
openconnect -u $OPENCONNECT_USER $OPENCONNECT_OPTIONS $OPENCONNECT_URL
elif [[ ! -z "${OPENCONNECT_PASSWORD}" ]] && [[ ! -z "${OPENCONNECT_MFA_CODE}" ]]; then
# Multi factor authentication (MFA)
(echo $OPENCONNECT_PASSWORD; echo $OPENCONNECT_MFA_CODE) | openconnect -u $OPENCONNECT_USER $OPENCONNECT_OPTIONS --passwd-on-stdin $OPENCONNECT_URL
elif [[ ! -z "${OPENCONNECT_PASSWORD}" ]]; then
# Standard authentication
echo $OPENCONNECT_PASSWORD | openconnect -u $OPENCONNECT_USER $OPENCONNECT_OPTIONS --passwd-on-stdin $OPENCONNECT_URL
fi
until (run); do
echo "openconnect exited. Restarting process in 60 seconds…" >&2
sleep 60
done
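Review bot: Inside `run`, `$OPENCONNECT_PASSWORD`, `$OPENCONNECT_MFA_CODE` and `$OPENCONNECT_USER` are expanded unquoted, so a password containing spaces, `*` or `?` is word-split and glob-expanded before it reaches `--passwd-on-stdin`, and a password starting with `-` can be eaten by `echo` as an option. Use `printf '%s\n' "$OPENCONNECT_PASSWORD"` and `-u "$OPENCONNECT_USER"`; only `$OPENCONNECT_OPTIONS` should stay unquoted, since it must split into separate arguments. Separately, the new `until (run); do ... sleep 60; done` loop replays the same `OPENCONNECT_MFA_CODE` on every retry; a one-time code is rejected on the second attempt, so after the first failure the loop spins forever every 60 s. Either stop retrying when openconnect fails before a tunnel was established, or only loop when no MFA code is configured.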

View file

@ -501,6 +501,10 @@ $LINE" ;;
done
exec 6<&-
# Add default Docker nameserver
NEW_RESOLVCONF="$NEW_RESOLVCONF
nameserver 127.0.0.11"
for i in $INTERNAL_IP4_DNS ; do
NEW_RESOLVCONF="$NEW_RESOLVCONF
nameserver $i"
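Review bot: Adding `nameserver 127.0.0.11` unconditionally ties this vpnc-script to Docker user-defined networks: with `--net host`, which the README's first example uses, nothing listens on 127.0.0.11 and queries sent there fail or time out. It is also placed ahead of `$INTERNAL_IP4_DNS`, and the Alpine base image uses musl, whose resolver queries all listed nameservers concurrently and takes the first answer, so a negative reply from the Docker resolver can shadow the VPN server's answer for internal names. Suggest adding 127.0.0.11 only if it was already present in the original resolv.conf, placing it after the VPN servers, and, since vpn-slice is installed in this change, considering its split-DNS handling instead of editing the global resolver list.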
@ -676,6 +680,9 @@ restore_resolvconf_openwrt() {
# === resolv.conf handling via /sbin/resolvconf (Debian, Ubuntu, Gentoo)) =========
modify_resolvconf_manager() {
# Add default Docker nameserver
NEW_RESOLVCONF="$NEW_RESOLVCONF
nameserver 127.0.0.11"
NEW_RESOLVCONF=""
for i in $INTERNAL_IP4_DNS; do
NEW_RESOLVCONF="$NEW_RESOLVCONF
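Review bot: In `modify_resolvconf_manager` the Docker nameserver is appended to `NEW_RESOLVCONF` on the two added lines immediately before `NEW_RESOLVCONF=""`, which discards it, so this branch never emits 127.0.0.11 at all. Move the addition below the reset (and preferably after the `for i in $INTERNAL_IP4_DNS` loop, so the VPN servers come first), and keep the order consistent with the other branch.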

run.sh (new executable file, 15 lines)
View file

@ -0,0 +1,15 @@
#!/usr/bin/env sh
CONTAINER_TAG=openconnect_vpn
docker build -t "$CONTAINER_TAG" build/
docker run \
-it \
--privileged \
--cap-add NET_ADMIN \
-e OPENCONNECT_URL= \
-e OPENCONNECT_USER= \
-p 9000:8888 \
-p 9001:8889 \
"$CONTAINER_TAG"
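Review bot: `-e OPENCONNECT_URL=` and `-e OPENCONNECT_USER=` set both variables to empty strings, so as committed the script starts openconnect with an empty user and no gateway and the entrypoint's 60 s retry loop spins; pass `--env-file .env` as the README documents instead of hard-coding empty values. `--cap-add NET_ADMIN` is redundant next to `--privileged`; keep only the capability together with `--device /dev/net/tun`. `-p 9000:8888 -p 9001:8889` publishes the unauthenticated proxies on all host interfaces; prefer `-p 127.0.0.1:9000:8888 -p 127.0.0.1:9001:8889`. A `--rm` would also keep stopped containers from piling up during local testing.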