cisco-vpn: Remove sudo (running as root) and add file logging
- Removed all sudo commands since container runs as root - Added LOG_FILE at /var/log/cisco-vpn.log - Modified log() to write to both console and file - Added startup logging with env var status
@@ -26,6 +26,10 @@ TOTP_SECRET="${VPN_TOTP_SECRET:-}"
|
||||
VPN_HOST="${VPN_HOST:-vpn-ord1.dovercorp.com}"
|
||||
TARGET_IP="${TARGET_IP:-10.35.33.230}"
|
||||
|
||||
# Log file
|
||||
LOG_FILE="/var/log/cisco-vpn.log"
|
||||
mkdir -p "$(dirname "$LOG_FILE")" 2>/dev/null
|
||||
|
||||
# Colors
|
||||
RED='\033[0;31m'
|
||||
GREEN='\033[0;32m'
|
||||
@@ -47,18 +51,24 @@ SKIP_AUTO_LOGIN=false
|
||||
DO_CONNECT=false
|
||||
DO_DISCONNECT=false
|
||||
|
||||
# Logging function with timestamp
|
||||
# Logging function with timestamp - writes to both console and file
|
||||
log() {
|
||||
local level="$1"
|
||||
local msg="$2"
|
||||
local timestamp=$(date '+%H:%M:%S')
|
||||
local timestamp=$(date '+%Y-%m-%d %H:%M:%S')
|
||||
local timestamp_short=$(date '+%H:%M:%S')
|
||||
|
||||
# Write to log file (plain text, no colors)
|
||||
echo "[$timestamp] [$level] $msg" >> "$LOG_FILE"
|
||||
|
||||
# Write to console (with colors)
|
||||
case $level in
|
||||
INFO) echo -e "${GRAY}[$timestamp]${NC} ${GREEN}[INFO]${NC} $msg" ;;
|
||||
WARN) echo -e "${GRAY}[$timestamp]${NC} ${YELLOW}[WARN]${NC} $msg" ;;
|
||||
ERROR) echo -e "${GRAY}[$timestamp]${NC} ${RED}[ERROR]${NC} $msg" ;;
|
||||
DEBUG) echo -e "${GRAY}[$timestamp]${NC} ${CYAN}[DEBUG]${NC} $msg" ;;
|
||||
CMD) echo -e "${GRAY}[$timestamp]${NC} ${GRAY}[CMD]${NC} $msg" ;;
|
||||
*) echo -e "${GRAY}[$timestamp]${NC} $msg" ;;
|
||||
INFO) echo -e "${GRAY}[$timestamp_short]${NC} ${GREEN}[INFO]${NC} $msg" ;;
|
||||
WARN) echo -e "${GRAY}[$timestamp_short]${NC} ${YELLOW}[WARN]${NC} $msg" ;;
|
||||
ERROR) echo -e "${GRAY}[$timestamp_short]${NC} ${RED}[ERROR]${NC} $msg" ;;
|
||||
DEBUG) echo -e "${GRAY}[$timestamp_short]${NC} ${CYAN}[DEBUG]${NC} $msg" ;;
|
||||
CMD) echo -e "${GRAY}[$timestamp_short]${NC} ${GRAY}[CMD]${NC} $msg" ;;
|
||||
*) echo -e "${GRAY}[$timestamp_short]${NC} $msg" ;;
|
||||
esac
|
||||
}
|
||||
|
||||
@@ -148,10 +158,10 @@ show_hosts() {
|
||||
edit_hosts() {
|
||||
local editor="${EDITOR:-nano}"
|
||||
if command -v "$editor" &>/dev/null; then
|
||||
sudo "$editor" /etc/hosts
|
||||
"$editor" /etc/hosts
|
||||
else
|
||||
log ERROR "No editor found. Set EDITOR environment variable."
|
||||
log INFO "Try: sudo nano /etc/hosts"
|
||||
log INFO "Try: nano /etc/hosts"
|
||||
fi
|
||||
}
|
||||
|
||||
@@ -233,7 +243,7 @@ kill_cisco_processes() {
|
||||
for pid in $(pgrep -x "vpnui" 2>/dev/null); do
|
||||
if [ "$pid" != "$my_pid" ] && [ "$pid" != "$my_ppid" ]; then
|
||||
log DEBUG "Killing vpnui (PID $pid)"
|
||||
sudo kill -9 "$pid" 2>/dev/null && ((killed++))
|
||||
kill -9 "$pid" 2>/dev/null && ((killed++))
|
||||
fi
|
||||
done
|
||||
|
||||
@@ -242,7 +252,7 @@ kill_cisco_processes() {
|
||||
for pid in $(pgrep -x "vpnagentd" 2>/dev/null); do
|
||||
if [ "$pid" != "$my_pid" ] && [ "$pid" != "$my_ppid" ]; then
|
||||
log DEBUG "Killing vpnagentd (PID $pid)"
|
||||
sudo kill -9 "$pid" 2>/dev/null && ((killed++))
|
||||
kill -9 "$pid" 2>/dev/null && ((killed++))
|
||||
fi
|
||||
done
|
||||
fi
|
||||
@@ -251,14 +261,14 @@ kill_cisco_processes() {
|
||||
for proc in cstub cscan acwebsecagent vpndownloader; do
|
||||
for pid in $(pgrep -x "$proc" 2>/dev/null); do
|
||||
log DEBUG "Killing $proc (PID $pid)"
|
||||
sudo kill -9 "$pid" 2>/dev/null && ((killed++))
|
||||
kill -9 "$pid" 2>/dev/null && ((killed++))
|
||||
done
|
||||
done
|
||||
|
||||
# Kill openconnect (exact match)
|
||||
for pid in $(pgrep -x "openconnect" 2>/dev/null); do
|
||||
log DEBUG "Killing openconnect (PID $pid)"
|
||||
sudo kill -9 "$pid" 2>/dev/null && ((killed++))
|
||||
kill -9 "$pid" 2>/dev/null && ((killed++))
|
||||
done
|
||||
|
||||
if [ $killed -eq 0 ]; then
|
||||
@@ -275,7 +285,7 @@ disconnect_vpn() {
|
||||
|
||||
# If vpncli exists, attempt a clean disconnect first (ignore failures)
|
||||
if [ -x /opt/cisco/secureclient/bin/vpncli ]; then
|
||||
run_cmd "Attempting clean disconnect via vpncli" sudo /opt/cisco/secureclient/bin/vpncli -s <<'EOF' || true
|
||||
run_cmd "Attempting clean disconnect via vpncli" /opt/cisco/secureclient/bin/vpncli -s <<'EOF' || true
|
||||
disconnect
|
||||
exit
|
||||
EOF
|
||||
@@ -314,59 +324,59 @@ setup_forwarding() {
|
||||
log DEBUG "Container gateway: $container_gw"
|
||||
|
||||
# Enable IP forwarding
|
||||
run_cmd "Enabling IP forwarding" sudo sysctl -w net.ipv4.ip_forward=1
|
||||
run_cmd "Enabling IP forwarding" sysctl -w net.ipv4.ip_forward=1
|
||||
|
||||
# NAT masquerade for traffic from container network (172.31.0.0/24) going through VPN
|
||||
# This is the ONLY masquerade rule needed - source-based, not destination-based
|
||||
if ! sudo iptables -t nat -C POSTROUTING -s 172.31.0.0/24 -o "$vpn_iface" -j MASQUERADE 2>/dev/null; then
|
||||
run_cmd "Adding NAT masquerade for container network -> VPN" sudo iptables -t nat -A POSTROUTING -s 172.31.0.0/24 -o "$vpn_iface" -j MASQUERADE
|
||||
if ! iptables -t nat -C POSTROUTING -s 172.31.0.0/24 -o "$vpn_iface" -j MASQUERADE 2>/dev/null; then
|
||||
run_cmd "Adding NAT masquerade for container network -> VPN" iptables -t nat -A POSTROUTING -s 172.31.0.0/24 -o "$vpn_iface" -j MASQUERADE
|
||||
else
|
||||
log DEBUG "NAT masquerade for container network already exists"
|
||||
fi
|
||||
|
||||
# Forward rules
|
||||
if ! sudo iptables -C FORWARD -d "$TARGET_IP" -j ACCEPT 2>/dev/null; then
|
||||
run_cmd "Adding forward rule (to target)" sudo iptables -A FORWARD -d "$TARGET_IP" -j ACCEPT
|
||||
if ! iptables -C FORWARD -d "$TARGET_IP" -j ACCEPT 2>/dev/null; then
|
||||
run_cmd "Adding forward rule (to target)" iptables -A FORWARD -d "$TARGET_IP" -j ACCEPT
|
||||
else
|
||||
log DEBUG "Forward rule (to target) already exists"
|
||||
fi
|
||||
|
||||
if ! sudo iptables -C FORWARD -s "$TARGET_IP" -j ACCEPT 2>/dev/null; then
|
||||
run_cmd "Adding forward rule (from target)" sudo iptables -A FORWARD -s "$TARGET_IP" -j ACCEPT
|
||||
if ! iptables -C FORWARD -s "$TARGET_IP" -j ACCEPT 2>/dev/null; then
|
||||
run_cmd "Adding forward rule (from target)" iptables -A FORWARD -s "$TARGET_IP" -j ACCEPT
|
||||
else
|
||||
log DEBUG "Forward rule (from target) already exists"
|
||||
fi
|
||||
|
||||
# Accept forwarding from container network
|
||||
if ! sudo iptables -C FORWARD -s 172.31.0.0/24 -j ACCEPT 2>/dev/null; then
|
||||
run_cmd "Adding forward rule (from container network)" sudo iptables -A FORWARD -s 172.31.0.0/24 -j ACCEPT
|
||||
if ! iptables -C FORWARD -s 172.31.0.0/24 -j ACCEPT 2>/dev/null; then
|
||||
run_cmd "Adding forward rule (from container network)" iptables -A FORWARD -s 172.31.0.0/24 -j ACCEPT
|
||||
else
|
||||
log DEBUG "Forward rule (from container network) already exists"
|
||||
fi
|
||||
|
||||
if ! sudo iptables -C FORWARD -d 172.31.0.0/24 -j ACCEPT 2>/dev/null; then
|
||||
run_cmd "Adding forward rule (to container network)" sudo iptables -A FORWARD -d 172.31.0.0/24 -j ACCEPT
|
||||
if ! iptables -C FORWARD -d 172.31.0.0/24 -j ACCEPT 2>/dev/null; then
|
||||
run_cmd "Adding forward rule (to container network)" iptables -A FORWARD -d 172.31.0.0/24 -j ACCEPT
|
||||
else
|
||||
log DEBUG "Forward rule (to container network) already exists"
|
||||
fi
|
||||
|
||||
# Cisco VPN chain bypass (insert at top if chain exists)
|
||||
if sudo iptables -L ciscovpn -n &>/dev/null; then
|
||||
if ! sudo iptables -C ciscovpn -o "$vpn_iface" -d "$TARGET_IP" -j ACCEPT 2>/dev/null; then
|
||||
run_cmd "Adding ciscovpn bypass (outbound)" sudo iptables -I ciscovpn 1 -o "$vpn_iface" -d "$TARGET_IP" -j ACCEPT
|
||||
if iptables -L ciscovpn -n &>/dev/null; then
|
||||
if ! iptables -C ciscovpn -o "$vpn_iface" -d "$TARGET_IP" -j ACCEPT 2>/dev/null; then
|
||||
run_cmd "Adding ciscovpn bypass (outbound)" iptables -I ciscovpn 1 -o "$vpn_iface" -d "$TARGET_IP" -j ACCEPT
|
||||
else
|
||||
log DEBUG "Ciscovpn bypass (outbound) already exists"
|
||||
fi
|
||||
|
||||
if ! sudo iptables -C ciscovpn -i "$vpn_iface" -s "$TARGET_IP" -j ACCEPT 2>/dev/null; then
|
||||
run_cmd "Adding ciscovpn bypass (inbound)" sudo iptables -I ciscovpn 2 -i "$vpn_iface" -s "$TARGET_IP" -j ACCEPT
|
||||
if ! iptables -C ciscovpn -i "$vpn_iface" -s "$TARGET_IP" -j ACCEPT 2>/dev/null; then
|
||||
run_cmd "Adding ciscovpn bypass (inbound)" iptables -I ciscovpn 2 -i "$vpn_iface" -s "$TARGET_IP" -j ACCEPT
|
||||
else
|
||||
log DEBUG "Ciscovpn bypass (inbound) already exists"
|
||||
fi
|
||||
|
||||
# Also allow container network through ciscovpn chain
|
||||
if ! sudo iptables -C ciscovpn -s 172.31.0.0/24 -j ACCEPT 2>/dev/null; then
|
||||
run_cmd "Adding ciscovpn bypass (container network)" sudo iptables -I ciscovpn 3 -s 172.31.0.0/24 -j ACCEPT
|
||||
if ! iptables -C ciscovpn -s 172.31.0.0/24 -j ACCEPT 2>/dev/null; then
|
||||
run_cmd "Adding ciscovpn bypass (container network)" iptables -I ciscovpn 3 -s 172.31.0.0/24 -j ACCEPT
|
||||
fi
|
||||
else
|
||||
log DEBUG "ciscovpn chain does not exist (yet)"
|
||||
@@ -568,7 +578,7 @@ start_anyconnect() {
|
||||
# Start vpnagentd if not running
|
||||
if ! pgrep -x vpnagentd >/dev/null; then
|
||||
log INFO "Starting vpnagentd..."
|
||||
sudo /opt/cisco/secureclient/bin/vpnagentd &
|
||||
/opt/cisco/secureclient/bin/vpnagentd &
|
||||
log DEBUG "Waiting for vpnagentd to initialize..."
|
||||
sleep 5
|
||||
fi
|
||||
@@ -706,6 +716,15 @@ parse_args() {
|
||||
# Main
|
||||
parse_args "$@"
|
||||
|
||||
# Log script start
|
||||
echo "" >> "$LOG_FILE"
|
||||
echo "========================================" >> "$LOG_FILE"
|
||||
log INFO "cisco-vpn script started"
|
||||
log DEBUG "VPN_EMAIL=$EMAIL"
|
||||
log DEBUG "VPN_HOST=$VPN_HOST"
|
||||
log DEBUG "TARGET_IP=$TARGET_IP"
|
||||
log DEBUG "TOTP_SECRET is $([ -n "$TOTP_SECRET" ] && echo 'set' || echo 'NOT SET')"
|
||||
|
||||
print_banner
|
||||
|
||||
if [ "$DO_DISCONNECT" = "true" ]; then
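Review bot: In the new `log()` (the `@@ -47,18 +51,24 @@` hunk) the file append `echo "[$timestamp] [$level] $msg" >> "$LOG_FILE"` creates `/var/log/cisco-vpn.log` with whatever mode the process umask allows and ignores write failures, while the startup block in the last hunk now records VPN_EMAIL and VPN_HOST into that file on every run. Create the file once with a restrictive mode where LOG_FILE is defined, e.g. `( umask 077; : >> "$LOG_FILE" ) 2>/dev/null || LOG_FILE=/dev/null`, so a missing or unwritable /var/log degrades to console-only logging instead of a "Permission denied" on every log call, and change the append to `printf '[%s] [%s] %s\n' "$timestamp" "$level" "$msg" >> "$LOG_FILE"` so a message beginning with `-e` or `-n` is not consumed as an echo option. `run_cmd` is outside this diff; if it logs the full command line at CMD level, anything passed as a command argument would now persist on disk as well (the vpncli disconnect in the `@@ -275,7 +285,7 @@` hunk is fed via a here-doc, so that one is fine) — worth confirming. The `TOTP_SECRET is set/NOT SET` line in the startup block correctly avoids writing the secret itself.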
|
||||
|
||||