diff --git a/apps/cistech-tunnel/metadata/description.md b/apps/cistech-tunnel/metadata/description.md index db2f89a..cdad9d1 100755 --- a/apps/cistech-tunnel/metadata/description.md +++ b/apps/cistech-tunnel/metadata/description.md @@ -1,22 +1,23 @@ -# Rego Tunnel - Cisco Secure Client VPN +# Cistech Tunnel - OpenConnect-SSO VPN -Native Docker container running Cisco Secure Client (AnyConnect) with full GUI support via noVNC. Provides transparent VPN access to protected resources from your LAN. +Docker container running OpenConnect-SSO for Cisco AnyConnect VPN with SSO/SAML authentication support via noVNC. Provides transparent VPN access to protected resources from your LAN. ## Features -- **Cisco Secure Client 5.1.14.145** - Full GUI with VPN, DART, and Posture modules -- **Web-based access** via noVNC (port 6080) -- **Auto-login with TOTP** - Fully automated VPN connection +- **OpenConnect-SSO** - Handles SAML/SSO authentication automatically +- **Playwright browser** - Headless Chromium for SSO login +- **Web-based access** via noVNC (port 6092) +- **Auto-login with TOTP** - Credentials stored in keyring - **LAN routing** - Other machines on your network can reach VPN targets -- **Native Docker** - No QEMU/VM overhead +- **Lightweight** - No systemd, no Cisco bloat ## Architecture ``` -LAN Devices ──► Linux Host ──► Container (172.31.0.10) ──► VPN Tunnel ──► Target (10.35.33.230) +LAN Devices ──► Linux Host ──► Container (172.30.0.10) ──► VPN Tunnel ──► Target │ │ - │ └── Cisco Secure Client - │ └── noVNC web UI (port 6080) + │ └── openconnect-sso + openconnect + │ └── noVNC web UI (port 6092) │ └── Host routing service (routes VPN traffic through container) 
@@ -30,22 +31,22 @@ Configure your VPN credentials in app settings: - VPN Email - VPN Password - TOTP Secret (base32) -- VPN Host (default: vpn-ord1.dovercorp.com) -- Target IP (default: 10.35.33.230) +- VPN Host (e.g., `https://vpn.cistech.net/Employees`) +- Target IP (for connectivity testing) ### 2. Install host routing service (required for LAN access) **Run this ONCE on the host after app install:** ```bash -/etc/runtipi/repos/runtipi/apps/rego-tunnel/shared/install-host-services.sh +/etc/runtipi/repos/runtipi/apps/cistech-tunnel/shared/install-host-services.sh ``` This creates systemd services that route VPN traffic through the container. ### 3. Access the VPN GUI -Open `http://:6080/vnc.html` +Open `http://:6092/vnc.html` The VPN will auto-connect using your configured credentials. @@ -53,18 +54,17 @@ The VPN will auto-connect using your configured credentials. ### Access noVNC -Navigate to port 6080 on your server. The cisco-vpn script runs automatically and provides a menu: +Navigate to port 6092 on your server. The openconnect-vpn script runs automatically and provides a menu: ``` -1 - Start Cisco AnyConnect -2 - Copy credentials to clipboard -3 - Show live TOTP -4 - Setup IP forwarding rules -5 - Test connection to target +1 - Connect VPN +2 - Disconnect VPN +3 - Show VPN status +4 - Setup IP forwarding +5 - Test connection 6 - Show network status -7 - Kill all Cisco processes -8 - Show routing table -9 - Show /etc/hosts +7 - Show routing table +8 - Setup keyring q - Quit ``` 
@@ -72,21 +72,20 @@ q - Quit ```bash # Inside container -cisco-vpn -m # Menu only (skip auto-connect) -cisco-vpn -c # Connect and exit -cisco-vpn -d # Disconnect and exit -cisco-vpn -s # Show status -cisco-vpn --help # Show all options +openconnect-vpn -c # Connect and exit +openconnect-vpn -d # Disconnect and exit +openconnect-vpn -s # Show status +openconnect-vpn --help # Show all options ``` ### View logs ```bash # Inside container -cat /var/log/cisco-vpn/$(date +%Y-%m-%d).log +cat /var/log/openconnect-vpn/$(date +%Y-%m-%d).log # On host -cat /var/log/rego-routing.log +cat /var/log/cistech-routing.log ``` ## LAN Access @@ -98,7 +97,7 @@ After the host routing service is installed, any device on your LAN can reach th Example (Windows client): ```cmd -route add 10.35.33.230 mask 255.255.255.255 192.168.0.150 -p +route add 10.3.1.0 mask 255.255.255.0 192.168.0.150 -p ``` Where `192.168.0.150` is your Linux host IP. 
@@ -108,37 +107,41 @@ Where `192.168.0.150` is your Linux host IP. Before removing the app from Runtipi: ```bash -/etc/runtipi/repos/runtipi/apps/rego-tunnel/shared/uninstall-host-services.sh +/etc/runtipi/repos/runtipi/apps/cistech-tunnel/shared/uninstall-host-services.sh ``` ## Troubleshooting -### noVNC not accessible +### VPN not connecting ```bash -docker exec rego-tunnel_runtipi-rego-tunnel-1 systemctl status vnc.service +# Check logs +docker exec cistech-tunnel cat /var/log/openconnect-vpn/$(date +%Y-%m-%d).log + +# Try manual connect +docker exec -it cistech-tunnel /shared/openconnect-vpn -c ``` ### VPN connects but can't reach target ```bash # Check routes inside container -docker exec rego-tunnel_runtipi-rego-tunnel-1 ip route +docker exec cistech-tunnel ip route # Check host routing -ip route | grep 10.35.33.230 +ip route | grep ``` ### Host routing not working ```bash # Check watcher service -systemctl status rego-routing-watcher.path +systemctl status cistech-routing-watcher.path # Manually trigger routing -touch /etc/runtipi/app-data/runtipi/rego-tunnel/restart-routing +touch /etc/runtipi/app-data/runtipi/cistech-tunnel/restart-routing ``` ## Technical Details -- **Container IP:** 172.31.0.10 (on br-rego-vpn bridge) -- **Ports:** 6080 (noVNC), 5901 (VNC) -- **Privileges:** `--privileged`, `NET_ADMIN`, `/dev/net/tun` +- **Container IP:** 172.30.0.10 (on br-cistech-vpn bridge) +- **Ports:** 6092 (noVNC), 5901 (VNC) +- **Capabilities:** `NET_ADMIN`, `/dev/net/tun` - **Log retention:** 7 days (auto-cleanup)
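Review bot: in the first hunk (`@@ -1,22 +1,23 @@`), the new feature line `+- **Auto-login with TOTP** - Credentials stored in keyring` is not reconciled with the Configuration section, which still has VPN Email, VPN Password and TOTP Secret entered in app settings; nothing in the description says how those values reach the keyring or that the `8 - Setup keyring` menu entry must be run first. Add one sentence here (or under Configuration) stating the order: configure settings, run Setup keyring, then connect.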
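Review bot: in the `@@ -30,22 +31,22 @@` hunk, `+Open \`http://:6092/vnc.html\`` has no host between `//` and the port, so the instruction cannot be followed as written; the old line had the same gap, but since the line is touched anyway, write the placeholder explicitly, e.g. `http://<host-ip>:6092/vnc.html`, inside backticks so an angle-bracket placeholder is not swallowed when the markdown is rendered.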
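Review bot: in the `@@ -53,18 +54,17 @@` hunk, the intro text says the openconnect-vpn script "runs automatically and provides a menu", and the menu gains `8 - Setup keyring`, but no section explains what that entry does or when it is needed; a short "first run" note pointing at this entry would close the gap left by the removed "Copy credentials to clipboard" and "Show live TOTP" items.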
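Review bot: in the `@@ -72,21 +72,20 @@` hunk, the CLI list drops `-m # Menu only (skip auto-connect)` without a replacement, while the previous section still says the script auto-connects; if the menu is now the default no-flag behaviour, say so in a comment line (e.g. `openconnect-vpn # Interactive menu`), otherwise document how to skip auto-connect.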
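Review bot: in the `@@ -98,7 +97,7 @@` hunk, `+route add 10.3.1.0 mask 255.255.255.0 192.168.0.150 -p` introduces a /24 network route for a subnet that appears nowhere else in the description, while the rest of the patch deliberately removes the hardcoded target address (`Target IP (for connectivity testing)`, `──► Target`); either use a labelled placeholder such as `<target-network>` consistent with the other edits, or add a sentence saying where the routed prefix comes from and that it must match what the host routing service installs.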
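Review bot: in the `@@ -108,37 +107,41 @@` hunk, the troubleshooting commands switch from the compose-generated name `rego-tunnel_runtipi-rego-tunnel-1` to a bare `cistech-tunnel`; this only works if the compose file sets `container_name: cistech-tunnel`, so please confirm or keep the generated form. Also: `+ip route | grep ` has no pattern (the placeholder was lost; quote it, e.g. `grep '<target-ip>'`); `+docker exec -it cistech-tunnel /shared/openconnect-vpn -c` uses an absolute path while the CLI section invokes `openconnect-vpn` bare, so use one form; and under Technical Details `/dev/net/tun` is a device, not a capability, so retitle the bullet "Capabilities/devices". Dropping `--privileged` from the docs is the right direction, but verify the compose actually removed `privileged: true`, and state whether 6092/5901 are bound to the LAN interface and whether the VNC session is password-protected, since that session holds the logged-in SSO state.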