@@ -1,22 +1,23 @@
|
|||||||
# Rego Tunnel - Cisco Secure Client VPN
|
# Cistech Tunnel - OpenConnect-SSO VPN
|
||||||
|
|
||||||
Native Docker container running Cisco Secure Client (AnyConnect) with full GUI support via noVNC. Provides transparent VPN access to protected resources from your LAN.
|
Docker container running OpenConnect-SSO for Cisco AnyConnect VPN with SSO/SAML authentication support via noVNC. Provides transparent VPN access to protected resources from your LAN.
|
||||||
|
|
||||||
## Features
|
## Features
|
||||||
|
|
||||||
- **Cisco Secure Client 5.1.14.145** - Full GUI with VPN, DART, and Posture modules
|
- **OpenConnect-SSO** - Handles SAML/SSO authentication automatically
|
||||||
- **Web-based access** via noVNC (port 6080)
|
- **Playwright browser** - Headless Chromium for SSO login
|
||||||
- **Auto-login with TOTP** - Fully automated VPN connection
|
- **Web-based access** via noVNC (port 6092)
|
||||||
|
- **Auto-login with TOTP** - Credentials stored in keyring
|
||||||
- **LAN routing** - Other machines on your network can reach VPN targets
|
- **LAN routing** - Other machines on your network can reach VPN targets
|
||||||
- **Native Docker** - No QEMU/VM overhead
|
- **Lightweight** - No systemd, no Cisco bloat
|
||||||
|
|
||||||
## Architecture
|
## Architecture
|
||||||
|
|
||||||
```
|
```
|
||||||
LAN Devices ──► Linux Host ──► Container (172.31.0.10) ──► VPN Tunnel ──► Target (10.35.33.230)
|
LAN Devices ──► Linux Host ──► Container (172.30.0.10) ──► VPN Tunnel ──► Target
|
||||||
│ │
|
│ │
|
||||||
│ └── Cisco Secure Client
|
│ └── openconnect-sso + openconnect
|
||||||
│ └── noVNC web UI (port 6080)
|
│ └── noVNC web UI (port 6092)
|
||||||
│
|
│
|
||||||
└── Host routing service
|
└── Host routing service
|
||||||
(routes VPN traffic through container)
|
(routes VPN traffic through container)
|
||||||
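Review bot: The new description line reads as if SSO/SAML authentication happens "via noVNC", which is not what the architecture block says (noVNC only exposes the GUI; the SAML login is driven by the Playwright Chromium). Suggest "Docker container running OpenConnect-SSO for Cisco AnyConnect VPNs with SAML/SSO authentication, exposed through a noVNC web UI." The new feature bullet "Auto-login with TOTP - Credentials stored in keyring" also needs a sentence on which keyring backend is used inside the container and how it is unlocked without a desktop session, since a headless container has no user login to unlock it; readers need that to judge where the VPN password and TOTP secret actually end up on disk. Finally, the old target IP was dropped from the architecture diagram but the new bridge IP `172.30.0.10` was changed at the same time; confirm the host routing service and the `br-cistech-vpn` bridge definition were updated to match.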
@@ -30,22 +31,22 @@ Configure your VPN credentials in app settings:
|
|||||||
- VPN Email
|
- VPN Email
|
||||||
- VPN Password
|
- VPN Password
|
||||||
- TOTP Secret (base32)
|
- TOTP Secret (base32)
|
||||||
- VPN Host (default: vpn-ord1.dovercorp.com)
|
- VPN Host (e.g., `https://vpn.cistech.net/Employees`)
|
||||||
- Target IP (default: 10.35.33.230)
|
- Target IP (for connectivity testing)
|
||||||
|
|
||||||
### 2. Install host routing service (required for LAN access)
|
### 2. Install host routing service (required for LAN access)
|
||||||
|
|
||||||
**Run this ONCE on the host after app install:**
|
**Run this ONCE on the host after app install:**
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
/etc/runtipi/repos/runtipi/apps/rego-tunnel/shared/install-host-services.sh
|
/etc/runtipi/repos/runtipi/apps/cistech-tunnel/shared/install-host-services.sh
|
||||||
```
|
```
|
||||||
|
|
||||||
This creates systemd services that route VPN traffic through the container.
|
This creates systemd services that route VPN traffic through the container.
|
||||||
|
|
||||||
### 3. Access the VPN GUI
|
### 3. Access the VPN GUI
|
||||||
|
|
||||||
Open `http://<your-server>:6080/vnc.html`
|
Open `http://<your-server>:6092/vnc.html`
|
||||||
|
|
||||||
The VPN will auto-connect using your configured credentials.
|
The VPN will auto-connect using your configured credentials.
|
||||||
|
|
||||||
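Review bot: The install step runs a script that creates systemd units on the host ("This creates systemd services that route VPN traffic through the container"), so the command needs root; the fenced example should show `sudo` (or state that it must be run as root) for both the install line here and the uninstall script later. Removing the customer-specific defaults (`vpn-ord1.dovercorp.com`, `10.35.33.230`) is the right call, but the replacement VPN Host example still points at a concrete environment (`https://vpn.cistech.net/Employees`); a placeholder such as `https://vpn.example.com/<group>` avoids publishing a real gateway in a public README. The "Target IP (for connectivity testing)" setting now has no default, yet step 3 still promises the VPN "will auto-connect"; say explicitly whether the target IP is optional and what the connection test does when it is empty.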
@@ -53,18 +54,17 @@ The VPN will auto-connect using your configured credentials.
|
|||||||
|
|
||||||
### Access noVNC
|
### Access noVNC
|
||||||
|
|
||||||
Navigate to port 6080 on your server. The cisco-vpn script runs automatically and provides a menu:
|
Navigate to port 6092 on your server. The openconnect-vpn script runs automatically and provides a menu:
|
||||||
|
|
||||||
```
|
```
|
||||||
1 - Start Cisco AnyConnect
|
1 - Connect VPN
|
||||||
2 - Copy credentials to clipboard
|
2 - Disconnect VPN
|
||||||
3 - Show live TOTP
|
3 - Show VPN status
|
||||||
4 - Setup IP forwarding rules
|
4 - Setup IP forwarding
|
||||||
5 - Test connection to target
|
5 - Test connection
|
||||||
6 - Show network status
|
6 - Show network status
|
||||||
7 - Kill all Cisco processes
|
7 - Show routing table
|
||||||
8 - Show routing table
|
8 - Setup keyring
|
||||||
9 - Show /etc/hosts
|
|
||||||
q - Quit
|
q - Quit
|
||||||
```
|
```
|
||||||
|
|
||||||
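Review bot: The new menu entry "8 - Setup keyring" is not tied back to the auto-connect flow. Step 3 above says the VPN auto-connects from the credentials in app settings, but this hunk implies a separate keyring setup step; document whether the keyring is populated automatically from the app settings on first start or whether option 8 must be run once before the automatic connect works, otherwise first-time users will see a failed auto-connect with no pointer to the fix. The removed "9 - Show /etc/hosts" entry had a diagnostic use for name resolution over the tunnel; if the script still supports it, keep it in the list, and if it was removed, mention `resolvectl`/`/etc/resolv.conf` under troubleshooting instead so DNS problems remain diagnosable.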
@@ -72,21 +72,20 @@ q - Quit
|
|||||||
|
|
||||||
```bash
|
```bash
|
||||||
# Inside container
|
# Inside container
|
||||||
cisco-vpn -m # Menu only (skip auto-connect)
|
openconnect-vpn -c # Connect and exit
|
||||||
cisco-vpn -c # Connect and exit
|
openconnect-vpn -d # Disconnect and exit
|
||||||
cisco-vpn -d # Disconnect and exit
|
openconnect-vpn -s # Show status
|
||||||
cisco-vpn -s # Show status
|
openconnect-vpn --help # Show all options
|
||||||
cisco-vpn --help # Show all options
|
|
||||||
```
|
```
|
||||||
|
|
||||||
### View logs
|
### View logs
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
# Inside container
|
# Inside container
|
||||||
cat /var/log/cisco-vpn/$(date +%Y-%m-%d).log
|
cat /var/log/openconnect-vpn/$(date +%Y-%m-%d).log
|
||||||
|
|
||||||
# On host
|
# On host
|
||||||
cat /var/log/rego-routing.log
|
cat /var/log/cistech-routing.log
|
||||||
```
|
```
|
||||||
|
|
||||||
## LAN Access
|
## LAN Access
|
||||||
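Review bot: The `-m` (menu only, skip auto-connect) option disappeared from the usage block, while the section above still says the script "runs automatically and provides a menu"; if `openconnect-vpn -m` still exists it should stay listed, because it is the only documented way to open the menu without triggering a login attempt, and if it was dropped the prose above should say how to reach the menu without auto-connecting. The daily log under `/var/log/openconnect-vpn/` is written by a script that handles the VPN password and TOTP secret and drives a browser through a SAML login; the docs should state what the log captures and that credentials and SAML tokens are redacted, since the same file is later suggested for copy-pasting into troubleshooting reports.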
@@ -98,7 +97,7 @@ After the host routing service is installed, any device on your LAN can reach th
|
|||||||
|
|
||||||
Example (Windows client):
|
Example (Windows client):
|
||||||
```cmd
|
```cmd
|
||||||
route add 10.35.33.230 mask 255.255.255.255 192.168.0.150 -p
|
route add 10.3.1.0 mask 255.255.255.0 192.168.0.150 -p
|
||||||
```
|
```
|
||||||
|
|
||||||
Where `192.168.0.150` is your Linux host IP.
|
Where `192.168.0.150` is your Linux host IP.
|
||||||
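Review bot: The Windows example changed from a /32 host route (`mask 255.255.255.255`) to a /24 network route (`10.3.1.0 mask 255.255.255.0`), but the rest of the README still speaks of a single "Target IP" (the app setting and the `ip route | grep <target-ip>` check). A /24 on the client only works if the Linux host routing service also forwards that whole range into the container, so either state that the host service installs network routes and which prefix it uses, or keep the example as a /32 for the configured target. The `route add ... -p` line also needs an elevated command prompt on Windows; add that note so readers do not mistake the "access denied" error for a tunnel problem.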
@@ -108,37 +107,41 @@ Where `192.168.0.150` is your Linux host IP.
|
|||||||
Before removing the app from Runtipi:
|
Before removing the app from Runtipi:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
/etc/runtipi/repos/runtipi/apps/rego-tunnel/shared/uninstall-host-services.sh
|
/etc/runtipi/repos/runtipi/apps/cistech-tunnel/shared/uninstall-host-services.sh
|
||||||
```
|
```
|
||||||
|
|
||||||
## Troubleshooting
|
## Troubleshooting
|
||||||
|
|
||||||
### noVNC not accessible
|
### VPN not connecting
|
||||||
```bash
|
```bash
|
||||||
docker exec rego-tunnel_runtipi-rego-tunnel-1 systemctl status vnc.service
|
# Check logs
|
||||||
|
docker exec cistech-tunnel cat /var/log/openconnect-vpn/$(date +%Y-%m-%d).log
|
||||||
|
|
||||||
|
# Try manual connect
|
||||||
|
docker exec -it cistech-tunnel /shared/openconnect-vpn -c
|
||||||
```
|
```
|
||||||
|
|
||||||
### VPN connects but can't reach target
|
### VPN connects but can't reach target
|
||||||
```bash
|
```bash
|
||||||
# Check routes inside container
|
# Check routes inside container
|
||||||
docker exec rego-tunnel_runtipi-rego-tunnel-1 ip route
|
docker exec cistech-tunnel ip route
|
||||||
|
|
||||||
# Check host routing
|
# Check host routing
|
||||||
ip route | grep 10.35.33.230
|
ip route | grep <target-ip>
|
||||||
```
|
```
|
||||||
|
|
||||||
### Host routing not working
|
### Host routing not working
|
||||||
```bash
|
```bash
|
||||||
# Check watcher service
|
# Check watcher service
|
||||||
systemctl status rego-routing-watcher.path
|
systemctl status cistech-routing-watcher.path
|
||||||
|
|
||||||
# Manually trigger routing
|
# Manually trigger routing
|
||||||
touch /etc/runtipi/app-data/runtipi/rego-tunnel/restart-routing
|
touch /etc/runtipi/app-data/runtipi/cistech-tunnel/restart-routing
|
||||||
```
|
```
|
||||||
|
|
||||||
## Technical Details
|
## Technical Details
|
||||||
|
|
||||||
- **Container IP:** 172.31.0.10 (on br-rego-vpn bridge)
|
- **Container IP:** 172.30.0.10 (on br-cistech-vpn bridge)
|
||||||
- **Ports:** 6080 (noVNC), 5901 (VNC)
|
- **Ports:** 6092 (noVNC), 5901 (VNC)
|
||||||
- **Privileges:** `--privileged`, `NET_ADMIN`, `/dev/net/tun`
|
- **Capabilities:** `NET_ADMIN`, `/dev/net/tun`
|
||||||
- **Log retention:** 7 days (auto-cleanup)
|
- **Log retention:** 7 days (auto-cleanup)
|
||||||
|
|||||||
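Review bot: Dropping `--privileged` in favour of `NET_ADMIN` plus `/dev/net/tun` is the best change in this patch and deserves a sentence in the Technical Details explaining it, since it is what limits the blast radius of a container that terminates a corporate VPN and runs a browser with stored credentials. Two follow-ups: the "noVNC not accessible" troubleshooting section was deleted rather than replaced, and with systemd gone (`systemctl status vnc.service` no longer applies) readers still need a way to check the VNC/noVNC processes, for example `docker logs cistech-tunnel` or `docker exec cistech-tunnel pgrep -a websockify`. Also, every command now hardcodes the container name `cistech-tunnel`, whereas the old name `rego-tunnel_runtipi-rego-tunnel-1` shows that Runtipi generates compose-style names; this only works if the compose file sets `container_name: cistech-tunnel`, so confirm that or keep the generated name in the examples.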