docker openconnect proxy
Go to file
Wolfgang Klinger 44b05a7074 Add ssh server
2019-10-16 08:03:25 +02:00
build Add ssh server 2019-10-16 08:03:25 +02:00
.gitignore Remove connect script, update README 2019-10-15 09:28:24 +02:00
LICENSE Initial commit 2018-11-29 12:58:38 +01:00
README.md Add ssh server 2019-10-16 08:03:25 +02:00

openconnect + tinyproxy + microsocks

This Docker image contains an openconnect client (version 8.04 with pulse/juniper support) and the tinyproxy proxy server for http/s connections (on port 8888) and the microsocks proxy for socks5 connections (on port 8889) and a sshd server (on port 22) in a very small alpine linux image (around 20 MB).

You can find the image on docker hub: https://hub.docker.com/r/wazum/openconnect-proxy

Requirements

If you don't want to set the environment variables on the command line set the environment variables in a .env file:

OPENCONNECT_URL=<Gateway URL>
OPENCONNECT_USER=<Username>
OPENCONNECT_PASSWORD=<Password>
OPENCONNECT_OPTIONS=--authgroup <VPN Group> \
	--servercert <VPN Server Certificate> --protocol=<Protocol> \
	--reconnect-timeout 86400

(don't use quotes around the values!)

Either set the password in the .env file or leave the variable OPENCONNECT_PASSWORD unset, so you get prompted when starting up the container.

Optionally set a multi factor authentication code:

OPENCONNECT_MFA_CODE=<Multi factor authentication code>

SSH server

To use the ssh server, mount your public key as volume with the -v option:

docker run … -v ~/.ssh/id_rsa.pub:/tmp/public_key …

or use the root password docker. The ssh server is listening on port 22.

Set

Host 127.0.0.1
   StrictHostKeyChecking no
   UserKnownHostsFile=/dev/null

in your ~/.ssh/config on the host.

Run container in foreground

To start the container in foreground run:

docker run -it --rm --privileged --env-file=.env --net host wazum/openconnect-proxy:latest

The proxies are listening on ports 8888 (http/https) and 8889 (socks). Either use --net host or -p <local port>:8888 -p <local port>:8889 to make the proxy ports available on the host.

Another example:

docker run -it --rm --privileged --env-file=.env \
  -v ~/.ssh/id_rsa.pub:/tmp/public_key \
      -p 8888:8888 -p 8889:8889 -p 2222:22 wazum/openconnect-proxy:latest

Without using a .env file set the environment variables on the command line with the docker run option -e:

docker run … -e OPENCONNECT_URL=vpn.gateway.com/example \
  -e OPENCONNECT_OPTIONS='<Openconnect Options>' \
  -e OPENCONNECT_USER=<Username> …

Run container in background

To start the container in daemon mode (background) set the -d option:

docker run -d -it --rm …

In daemon mode you can view the stderr log with docker logs:

docker logs `docker ps|grep "wazum/openconnect-proxy"|awk -F' ' '{print $1}'`

Use container with docker-compose

  vpn:
    container_name: openconnect_vpn
    image: wazum/openconnect-proxy:latest
    privileged: true
    env_file:
      - .env
    ports:
      - 8888:8888
      - 8889:8889
      - 22:2222
    networks:
      - mynetwork

Set the environment variables for openconnect in the .env file again (or specify another file) and map the configured ports in the container to your local ports if you want to access the VPN on the host too when running your containers. Otherwise only the docker containers in the same network have access to the proxy ports.

Configure proxy

The container is connected via openconnect and now you can configure your browser and other software to use one of the proxies (8888 for http/s or 8889 for socks).

For example FoxyProxy (available for Firefox, Chrome) is a suitable browser extension.

You may also set environment variables:

export http_proxy="http://127.0.0.1:8888/"
export https_proxy="http://127.0.0.1:8888/"

composer, git (if you don't use the git+ssh protocol, see below) and others use these.

ssh through the proxy

You need nc (netcat), corkscrew or something similar to make this work.

Unfortunately some git clients (e.g. Gitkraken) don't use the settings from ssh config and you can't pull/push from a repository that's reachable (DNS resolution) only through VPN.

nc (netcat, ncat)

Set a ProxyCommand in your ~/.ssh/config file like

Host <hostname>
	ProxyCommand            nc -x 127.0.0.1:8889 %h %p

or (depending on your ncat version)

Host <hostname>
	ProxyCommand            ncat --proxy 127.0.0.1:8889 --proxy-type socks5 %h %p

and your connection will be passed through the proxy. The above example is for using git with ssh keys.

corkscrew

An alternative is corkscrew (e.g. install with brew install corkscrew on mac OS)

Host <hostname>
	ProxyCommand            corkscrew 127.0.0.1 8888 %h %p

Build

You can build the container yourself with

docker build -f build/Dockerfile -t wazum/openconnect-proxy:custom ./build

Support

You like using my work? Get something for me (surprise! surprise!) from my wishlist on Amazon or help me pay the next pizza or Pho soup (mjam). Thanks a lot!