cisco-vpn: Remove sudo (running as root) and add file logging

- Removed all sudo commands since container runs as root
- Added LOG_FILE at /var/log/cisco-vpn.log
- Modified log() to write to both console and file
- Added startup logging with env var status
2026-01-17 02:33:07 +00:00
parent c933d6e6da
commit 38530ea0df


@@ -26,6 +26,10 @@ TOTP_SECRET="${VPN_TOTP_SECRET:-}"
VPN_HOST="${VPN_HOST:-vpn-ord1.dovercorp.com}" VPN_HOST="${VPN_HOST:-vpn-ord1.dovercorp.com}"
TARGET_IP="${TARGET_IP:-10.35.33.230}" TARGET_IP="${TARGET_IP:-10.35.33.230}"
# Log file
LOG_FILE="/var/log/cisco-vpn.log"
mkdir -p "$(dirname "$LOG_FILE")" 2>/dev/null
# Colors # Colors
RED='\033[0;31m' RED='\033[0;31m'
GREEN='\033[0;32m' GREEN='\033[0;32m'
@@ -47,18 +51,24 @@ SKIP_AUTO_LOGIN=false
DO_CONNECT=false DO_CONNECT=false
DO_DISCONNECT=false DO_DISCONNECT=false
# Logging function with timestamp # Logging function with timestamp - writes to both console and file
log() { log() {
local level="$1" local level="$1"
local msg="$2" local msg="$2"
local timestamp=$(date '+%H:%M:%S') local timestamp=$(date '+%Y-%m-%d %H:%M:%S')
local timestamp_short=$(date '+%H:%M:%S')
# Write to log file (plain text, no colors)
echo "[$timestamp] [$level] $msg" >> "$LOG_FILE"
# Write to console (with colors)
case $level in case $level in
INFO) echo -e "${GRAY}[$timestamp]${NC} ${GREEN}[INFO]${NC} $msg" ;; INFO) echo -e "${GRAY}[$timestamp_short]${NC} ${GREEN}[INFO]${NC} $msg" ;;
WARN) echo -e "${GRAY}[$timestamp]${NC} ${YELLOW}[WARN]${NC} $msg" ;; WARN) echo -e "${GRAY}[$timestamp_short]${NC} ${YELLOW}[WARN]${NC} $msg" ;;
ERROR) echo -e "${GRAY}[$timestamp]${NC} ${RED}[ERROR]${NC} $msg" ;; ERROR) echo -e "${GRAY}[$timestamp_short]${NC} ${RED}[ERROR]${NC} $msg" ;;
DEBUG) echo -e "${GRAY}[$timestamp]${NC} ${CYAN}[DEBUG]${NC} $msg" ;; DEBUG) echo -e "${GRAY}[$timestamp_short]${NC} ${CYAN}[DEBUG]${NC} $msg" ;;
CMD) echo -e "${GRAY}[$timestamp]${NC} ${GRAY}[CMD]${NC} $msg" ;; CMD) echo -e "${GRAY}[$timestamp_short]${NC} ${GRAY}[CMD]${NC} $msg" ;;
*) echo -e "${GRAY}[$timestamp]${NC} $msg" ;; *) echo -e "${GRAY}[$timestamp_short]${NC} $msg" ;;
esac esac
} }
@@ -148,10 +158,10 @@ show_hosts() {
edit_hosts() { edit_hosts() {
local editor="${EDITOR:-nano}" local editor="${EDITOR:-nano}"
if command -v "$editor" &>/dev/null; then if command -v "$editor" &>/dev/null; then
sudo "$editor" /etc/hosts "$editor" /etc/hosts
else else
log ERROR "No editor found. Set EDITOR environment variable." log ERROR "No editor found. Set EDITOR environment variable."
log INFO "Try: sudo nano /etc/hosts" log INFO "Try: nano /etc/hosts"
fi fi
} }
@@ -233,7 +243,7 @@ kill_cisco_processes() {
for pid in $(pgrep -x "vpnui" 2>/dev/null); do for pid in $(pgrep -x "vpnui" 2>/dev/null); do
if [ "$pid" != "$my_pid" ] && [ "$pid" != "$my_ppid" ]; then if [ "$pid" != "$my_pid" ] && [ "$pid" != "$my_ppid" ]; then
log DEBUG "Killing vpnui (PID $pid)" log DEBUG "Killing vpnui (PID $pid)"
sudo kill -9 "$pid" 2>/dev/null && ((killed++)) kill -9 "$pid" 2>/dev/null && ((killed++))
fi fi
done done
@@ -242,7 +252,7 @@ kill_cisco_processes() {
for pid in $(pgrep -x "vpnagentd" 2>/dev/null); do for pid in $(pgrep -x "vpnagentd" 2>/dev/null); do
if [ "$pid" != "$my_pid" ] && [ "$pid" != "$my_ppid" ]; then if [ "$pid" != "$my_pid" ] && [ "$pid" != "$my_ppid" ]; then
log DEBUG "Killing vpnagentd (PID $pid)" log DEBUG "Killing vpnagentd (PID $pid)"
sudo kill -9 "$pid" 2>/dev/null && ((killed++)) kill -9 "$pid" 2>/dev/null && ((killed++))
fi fi
done done
fi fi
@@ -251,14 +261,14 @@ kill_cisco_processes() {
for proc in cstub cscan acwebsecagent vpndownloader; do for proc in cstub cscan acwebsecagent vpndownloader; do
for pid in $(pgrep -x "$proc" 2>/dev/null); do for pid in $(pgrep -x "$proc" 2>/dev/null); do
log DEBUG "Killing $proc (PID $pid)" log DEBUG "Killing $proc (PID $pid)"
sudo kill -9 "$pid" 2>/dev/null && ((killed++)) kill -9 "$pid" 2>/dev/null && ((killed++))
done done
done done
# Kill openconnect (exact match) # Kill openconnect (exact match)
for pid in $(pgrep -x "openconnect" 2>/dev/null); do for pid in $(pgrep -x "openconnect" 2>/dev/null); do
log DEBUG "Killing openconnect (PID $pid)" log DEBUG "Killing openconnect (PID $pid)"
sudo kill -9 "$pid" 2>/dev/null && ((killed++)) kill -9 "$pid" 2>/dev/null && ((killed++))
done done
if [ $killed -eq 0 ]; then if [ $killed -eq 0 ]; then
@@ -275,7 +285,7 @@ disconnect_vpn() {
# If vpncli exists, attempt a clean disconnect first (ignore failures) # If vpncli exists, attempt a clean disconnect first (ignore failures)
if [ -x /opt/cisco/secureclient/bin/vpncli ]; then if [ -x /opt/cisco/secureclient/bin/vpncli ]; then
run_cmd "Attempting clean disconnect via vpncli" sudo /opt/cisco/secureclient/bin/vpncli -s <<'EOF' || true run_cmd "Attempting clean disconnect via vpncli" /opt/cisco/secureclient/bin/vpncli -s <<'EOF' || true
disconnect disconnect
exit exit
EOF EOF
@@ -314,59 +324,59 @@ setup_forwarding() {
log DEBUG "Container gateway: $container_gw" log DEBUG "Container gateway: $container_gw"
# Enable IP forwarding # Enable IP forwarding
run_cmd "Enabling IP forwarding" sudo sysctl -w net.ipv4.ip_forward=1 run_cmd "Enabling IP forwarding" sysctl -w net.ipv4.ip_forward=1
# NAT masquerade for traffic from container network (172.31.0.0/24) going through VPN # NAT masquerade for traffic from container network (172.31.0.0/24) going through VPN
# This is the ONLY masquerade rule needed - source-based, not destination-based # This is the ONLY masquerade rule needed - source-based, not destination-based
if ! sudo iptables -t nat -C POSTROUTING -s 172.31.0.0/24 -o "$vpn_iface" -j MASQUERADE 2>/dev/null; then if ! iptables -t nat -C POSTROUTING -s 172.31.0.0/24 -o "$vpn_iface" -j MASQUERADE 2>/dev/null; then
run_cmd "Adding NAT masquerade for container network -> VPN" sudo iptables -t nat -A POSTROUTING -s 172.31.0.0/24 -o "$vpn_iface" -j MASQUERADE run_cmd "Adding NAT masquerade for container network -> VPN" iptables -t nat -A POSTROUTING -s 172.31.0.0/24 -o "$vpn_iface" -j MASQUERADE
else else
log DEBUG "NAT masquerade for container network already exists" log DEBUG "NAT masquerade for container network already exists"
fi fi
# Forward rules # Forward rules
if ! sudo iptables -C FORWARD -d "$TARGET_IP" -j ACCEPT 2>/dev/null; then if ! iptables -C FORWARD -d "$TARGET_IP" -j ACCEPT 2>/dev/null; then
run_cmd "Adding forward rule (to target)" sudo iptables -A FORWARD -d "$TARGET_IP" -j ACCEPT run_cmd "Adding forward rule (to target)" iptables -A FORWARD -d "$TARGET_IP" -j ACCEPT
else else
log DEBUG "Forward rule (to target) already exists" log DEBUG "Forward rule (to target) already exists"
fi fi
if ! sudo iptables -C FORWARD -s "$TARGET_IP" -j ACCEPT 2>/dev/null; then if ! iptables -C FORWARD -s "$TARGET_IP" -j ACCEPT 2>/dev/null; then
run_cmd "Adding forward rule (from target)" sudo iptables -A FORWARD -s "$TARGET_IP" -j ACCEPT run_cmd "Adding forward rule (from target)" iptables -A FORWARD -s "$TARGET_IP" -j ACCEPT
else else
log DEBUG "Forward rule (from target) already exists" log DEBUG "Forward rule (from target) already exists"
fi fi
# Accept forwarding from container network # Accept forwarding from container network
if ! sudo iptables -C FORWARD -s 172.31.0.0/24 -j ACCEPT 2>/dev/null; then if ! iptables -C FORWARD -s 172.31.0.0/24 -j ACCEPT 2>/dev/null; then
run_cmd "Adding forward rule (from container network)" sudo iptables -A FORWARD -s 172.31.0.0/24 -j ACCEPT run_cmd "Adding forward rule (from container network)" iptables -A FORWARD -s 172.31.0.0/24 -j ACCEPT
else else
log DEBUG "Forward rule (from container network) already exists" log DEBUG "Forward rule (from container network) already exists"
fi fi
if ! sudo iptables -C FORWARD -d 172.31.0.0/24 -j ACCEPT 2>/dev/null; then if ! iptables -C FORWARD -d 172.31.0.0/24 -j ACCEPT 2>/dev/null; then
run_cmd "Adding forward rule (to container network)" sudo iptables -A FORWARD -d 172.31.0.0/24 -j ACCEPT run_cmd "Adding forward rule (to container network)" iptables -A FORWARD -d 172.31.0.0/24 -j ACCEPT
else else
log DEBUG "Forward rule (to container network) already exists" log DEBUG "Forward rule (to container network) already exists"
fi fi
# Cisco VPN chain bypass (insert at top if chain exists) # Cisco VPN chain bypass (insert at top if chain exists)
if sudo iptables -L ciscovpn -n &>/dev/null; then if iptables -L ciscovpn -n &>/dev/null; then
if ! sudo iptables -C ciscovpn -o "$vpn_iface" -d "$TARGET_IP" -j ACCEPT 2>/dev/null; then if ! iptables -C ciscovpn -o "$vpn_iface" -d "$TARGET_IP" -j ACCEPT 2>/dev/null; then
run_cmd "Adding ciscovpn bypass (outbound)" sudo iptables -I ciscovpn 1 -o "$vpn_iface" -d "$TARGET_IP" -j ACCEPT run_cmd "Adding ciscovpn bypass (outbound)" iptables -I ciscovpn 1 -o "$vpn_iface" -d "$TARGET_IP" -j ACCEPT
else else
log DEBUG "Ciscovpn bypass (outbound) already exists" log DEBUG "Ciscovpn bypass (outbound) already exists"
fi fi
if ! sudo iptables -C ciscovpn -i "$vpn_iface" -s "$TARGET_IP" -j ACCEPT 2>/dev/null; then if ! iptables -C ciscovpn -i "$vpn_iface" -s "$TARGET_IP" -j ACCEPT 2>/dev/null; then
run_cmd "Adding ciscovpn bypass (inbound)" sudo iptables -I ciscovpn 2 -i "$vpn_iface" -s "$TARGET_IP" -j ACCEPT run_cmd "Adding ciscovpn bypass (inbound)" iptables -I ciscovpn 2 -i "$vpn_iface" -s "$TARGET_IP" -j ACCEPT
else else
log DEBUG "Ciscovpn bypass (inbound) already exists" log DEBUG "Ciscovpn bypass (inbound) already exists"
fi fi
# Also allow container network through ciscovpn chain # Also allow container network through ciscovpn chain
if ! sudo iptables -C ciscovpn -s 172.31.0.0/24 -j ACCEPT 2>/dev/null; then if ! iptables -C ciscovpn -s 172.31.0.0/24 -j ACCEPT 2>/dev/null; then
run_cmd "Adding ciscovpn bypass (container network)" sudo iptables -I ciscovpn 3 -s 172.31.0.0/24 -j ACCEPT run_cmd "Adding ciscovpn bypass (container network)" iptables -I ciscovpn 3 -s 172.31.0.0/24 -j ACCEPT
fi fi
else else
log DEBUG "ciscovpn chain does not exist (yet)" log DEBUG "ciscovpn chain does not exist (yet)"
@@ -568,7 +578,7 @@ start_anyconnect() {
# Start vpnagentd if not running # Start vpnagentd if not running
if ! pgrep -x vpnagentd >/dev/null; then if ! pgrep -x vpnagentd >/dev/null; then
log INFO "Starting vpnagentd..." log INFO "Starting vpnagentd..."
sudo /opt/cisco/secureclient/bin/vpnagentd & /opt/cisco/secureclient/bin/vpnagentd &
log DEBUG "Waiting for vpnagentd to initialize..." log DEBUG "Waiting for vpnagentd to initialize..."
sleep 5 sleep 5
fi fi
@@ -706,6 +716,15 @@ parse_args() {
# Main # Main
parse_args "$@" parse_args "$@"
# Log script start
echo "" >> "$LOG_FILE"
echo "========================================" >> "$LOG_FILE"
log INFO "cisco-vpn script started"
log DEBUG "VPN_EMAIL=$EMAIL"
log DEBUG "VPN_HOST=$VPN_HOST"
log DEBUG "TARGET_IP=$TARGET_IP"
log DEBUG "TOTP_SECRET is $([ -n "$TOTP_SECRET" ] && echo 'set' || echo 'NOT SET')"
print_banner print_banner
if [ "$DO_DISCONNECT" = "true" ]; then if [ "$DO_DISCONNECT" = "true" ]; then