alexz/runtipi
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

revert(cistech-tunnel): restore to original working state at a7691b1
Some checks failed
Test / test (push) Has been cancelled
Details

Browse Source 
- Removed shared/ folder (host routing scripts)
- Restored original config.json, docker-compose.json
- Restored original Dockerfile and entrypoint.sh

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Alex Zaw
2026-01-17 11:30:34 +00:00
parent f410510a7f
commit 4fd8688685
7 changed files with 34 additions and 296 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
apps/cistech-tunnel/config.json
View File

@@ -24,30 +24,26 @@
"required": true, "required": true,
"default": "https://vpn.cistech.net/Employees" "default": "https://vpn.cistech.net/Employees"
}, },
{
"label": "Username (email)",
"type": "text",
"env_variable": "OC_USER",
"required": true
},
{
"label": "VPN Password",
"type": "password",
"env_variable": "OC_PASSWORD",
"required": true
},
{
"label": "TOTP Secret",
"type": "password",
"env_variable": "OC_TOTP_SECRET",
"required": false,
"hint": "Base32 TOTP secret for auto-login"
},
{ {
"label": "VNC Password", "label": "VNC Password",
"type": "password", "type": "password",
"env_variable": "VNC_PASSWORD", "env_variable": "VNC_PASSWORD",
"required": true "required": true,
"default": "Az@83278327$$@@"
},
{
"label": "Server Certificate",
"type": "text",
"env_variable": "OC_SERVERCERT",
"required": true,
"default": "pin-sha256:HyHob3LiVmIp8ch9AzHJ9jMYqI43tO5N13oWeBLiZ/0="
},
{
"label": "Username",
"type": "text",
"env_variable": "OC_USER",
"required": true,
"default": "alex.zaw@cistech.net"
} }
], ],
"supported_architectures": [ "supported_architectures": [

24
apps/cistech-tunnel/docker-compose.json
View File

@@ -1,26 +1,22 @@
{ {
"schemaVersion": 2,
"services": [ "services": [
{ {
"name": "cistech-tunnel", "name": "cistech-tunnel",
"image": "git.alexzaw.dev/alexz/cistech-vpn:latest", "image": "cistech-vpn:latest",
"isMain": true, "isMain": true,
"internalPort": 6902, "internalPort": 6902,
"privileged": true, "privileged": true,
"capAdd": ["NET_ADMIN"], "capAdd": ["NET_ADMIN"],
"devices": ["/dev/net/tun"], "devices": ["/dev/net/tun:/dev/net/tun"],
"environment": [ "environment": {
{ "key": "OC_URL", "value": "${OC_URL}" }, "OC_URL": "${OC_URL}",
{ "key": "OC_USER", "value": "${OC_USER}" }, "OC_SERVERCERT": "${OC_SERVERCERT}",
{ "key": "OC_PASSWORD", "value": "${OC_PASSWORD}" }, "OC_USER": "${OC_USER}",
{ "key": "OC_TOTP_SECRET", "value": "${OC_TOTP_SECRET}" }, "VNC_PASSWORD": "${VNC_PASSWORD}",
{ "key": "VNC_PASSWORD", "value": "${VNC_PASSWORD}" }, "NOVNC_PORT": "6902"
{ "key": "NOVNC_PORT", "value": "6902" } },
],
"volumes": [ "volumes": [
{ "hostPath": "${APP_DATA_DIR}/data", "containerPath": "/root" }, { "hostPath": "${APP_DATA_DIR}/data", "containerPath": "/root" }
{ "hostPath": "${APP_DATA_DIR}", "containerPath": "/runtime" },
{ "hostPath": "/etc/runtipi/repos/runtipi/apps/cistech-tunnel/shared", "containerPath": "/shared" }
] ]
} }
] ]

123
apps/cistech-tunnel/shared/host-routing.sh
View File

@@ -1,123 +0,0 @@
#!/usr/bin/env bash
#
# Host routing script for cistech-tunnel
# Routes target subnets through the VPN container
#
set -euo pipefail
ACTION="${1:-start}"
# Fixed configuration
CONTAINER_IP="172.30.0.10"
BRIDGE_NAME="br-vpn-static"
TARGET_SUBNETS="10.3.1.0/24 10.255.255.0/24"
LAN_SUBNET="192.168.0.0/23"
LAN_INTERFACES="eth0 eth1 wlan0"
LOG_FILE="/var/log/cistech-routing.log"
log() {
local msg="[$(date '+%Y-%m-%d %H:%M:%S')] [cistech-routing] $*"
echo "$msg" | tee -a "$LOG_FILE" >&2
}
get_lan_interface() {
ip route show default | awk '/default/ {for(i=1;i<=NF;i++) if($i=="dev") print $(i+1)}' | head -1
}
remove_routes() {
log "Removing stale routes..."
for subnet in $TARGET_SUBNETS; do
ip route del "$subnet" 2>/dev/null || true
done
log "Stale routes removed"
}
apply_routes() {
local lan_if
lan_if="$(get_lan_interface)"
log "Applying host routing rules..."
log " Container IP: $CONTAINER_IP"
log " Bridge: $BRIDGE_NAME"
log " Target subnets: $TARGET_SUBNETS"
log " LAN interface: ${lan_if:-unknown}"
# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
log "IP forwarding enabled"
# Add routes to target subnets via container
for subnet in $TARGET_SUBNETS; do
ip route replace "$subnet" via "$CONTAINER_IP" dev "$BRIDGE_NAME"
log "Route added: $subnet via $CONTAINER_IP dev $BRIDGE_NAME"
done
# Allow forwarding in DOCKER-USER chain for all LAN interfaces
for lan_if in $LAN_INTERFACES; do
if ip link show "$lan_if" &>/dev/null; then
# Allow traffic from LAN to container bridge
iptables -C DOCKER-USER -i "$lan_if" -o "$BRIDGE_NAME" -j ACCEPT 2>/dev/null || \
iptables -I DOCKER-USER 1 -i "$lan_if" -o "$BRIDGE_NAME" -j ACCEPT
# Allow return traffic
iptables -C DOCKER-USER -i "$BRIDGE_NAME" -o "$lan_if" -m state --state RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || \
iptables -I DOCKER-USER 1 -i "$BRIDGE_NAME" -o "$lan_if" -m state --state RELATED,ESTABLISHED -j ACCEPT
log "DOCKER-USER iptables rules added for $lan_if <-> $BRIDGE_NAME"
fi
done
# Masquerade traffic from LAN subnet to VPN bridge (using nft)
if ! nft list chain ip nat POSTROUTING 2>/dev/null | grep -q "saddr $LAN_SUBNET.*oifname.*$BRIDGE_NAME.*masquerade"; then
nft add rule ip nat POSTROUTING ip saddr "$LAN_SUBNET" oifname "$BRIDGE_NAME" counter masquerade
log "NAT masquerade rule added for $LAN_SUBNET -> $BRIDGE_NAME"
else
log "NAT masquerade rule already exists for $LAN_SUBNET -> $BRIDGE_NAME"
fi
log "OK: Host routing applied"
}
remove_all() {
log "Removing all routing rules..."
# Remove routes
for subnet in $TARGET_SUBNETS; do
ip route del "$subnet" via "$CONTAINER_IP" dev "$BRIDGE_NAME" 2>/dev/null || true
done
# Remove iptables rules for all LAN interfaces
for lan_if in $LAN_INTERFACES; do
iptables -D DOCKER-USER -i "$lan_if" -o "$BRIDGE_NAME" -j ACCEPT 2>/dev/null || true
iptables -D DOCKER-USER -i "$BRIDGE_NAME" -o "$lan_if" -m state --state RELATED,ESTABLISHED -j ACCEPT 2>/dev/null || true
done
# Remove masquerade rule (using nft)
local handle
handle=$(nft -a list chain ip nat POSTROUTING 2>/dev/null | grep "saddr $LAN_SUBNET.*oifname.*$BRIDGE_NAME.*masquerade" | grep -oP 'handle \K\d+' | head -1)
if [ -n "$handle" ]; then
nft delete rule ip nat POSTROUTING handle "$handle" 2>/dev/null || true
fi
log "All routing rules removed"
}
case "$ACTION" in
start)
remove_routes
apply_routes
;;
stop)
remove_all
;;
restart)
remove_all
sleep 1
remove_routes
apply_routes
;;
*)
echo "Usage: $0 {start|stop|restart}" >&2
exit 2
;;
esac

68
apps/cistech-tunnel/shared/install-host-services.sh
View File

@@ -1,68 +0,0 @@
#!/usr/bin/env bash
#
# Install host-side systemd services for cistech-tunnel
# Run this ONCE on the host after app install
#
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
APP_DATA_DIR="/etc/runtipi/app-data/runtipi/cistech-tunnel"
echo "Installing cistech-tunnel host services..."
# Create app-data directory for trigger file
sudo mkdir -p "$APP_DATA_DIR"
# Create the path unit (watches for trigger file)
sudo tee /etc/systemd/system/cistech-routing-watcher.path > /dev/null << EOF
[Unit]
Description=Watch for cistech-tunnel routing trigger
[Path]
PathExists=$APP_DATA_DIR/restart-routing
Unit=cistech-routing-watcher.service
[Install]
WantedBy=multi-user.target
EOF
# Create the service unit (applies routes when triggered)
sudo tee /etc/systemd/system/cistech-routing-watcher.service > /dev/null << EOF
[Unit]
Description=Apply cistech-tunnel routing rules
After=docker.service
[Service]
Type=oneshot
ExecStart=$SCRIPT_DIR/host-routing.sh restart
ExecStartPost=/bin/rm -f $APP_DATA_DIR/restart-routing
ExecStartPost=/bin/bash -c 'echo "trigger cleared at \$(date)" >> $APP_DATA_DIR/watcher.log'
EOF
# Make host-routing.sh executable
chmod +x "$SCRIPT_DIR/host-routing.sh"
# Reload systemd and enable the watcher
sudo systemctl daemon-reload
sudo systemctl enable cistech-routing-watcher.path
sudo systemctl start cistech-routing-watcher.path
# Disable the old boot-only service if it exists
if systemctl is-enabled cistech-routing.service &>/dev/null; then
echo "Disabling old cistech-routing.service (replaced by watcher)..."
sudo systemctl stop cistech-routing.service 2>/dev/null || true
sudo systemctl disable cistech-routing.service 2>/dev/null || true
fi
# Apply routes now
echo "Applying initial routes..."
sudo "$SCRIPT_DIR/host-routing.sh" start
echo ""
echo "Done! Watcher installed and routes applied."
echo ""
echo "To trigger route refresh from container:"
echo " touch /runtime/restart-routing"
echo ""
echo "To check watcher status:"
echo " systemctl status cistech-routing-watcher.path"

24
apps/cistech-tunnel/shared/uninstall-host-services.sh
View File

@@ -1,24 +0,0 @@
#!/usr/bin/env bash
#
# Uninstall host-side systemd services for cistech-tunnel
#
set -euo pipefail
echo "Removing cistech-tunnel host services..."
# Stop and disable the watcher
sudo systemctl stop cistech-routing-watcher.path 2>/dev/null || true
sudo systemctl disable cistech-routing-watcher.path 2>/dev/null || true
# Remove routing rules
/etc/runtipi/repos/runtipi/apps/cistech-tunnel/shared/host-routing.sh stop 2>/dev/null || true
# Remove systemd units
sudo rm -f /etc/systemd/system/cistech-routing-watcher.path
sudo rm -f /etc/systemd/system/cistech-routing-watcher.service
# Reload systemd
sudo systemctl daemon-reload
echo ""
echo "Done! Host services removed."

9
apps/cistech-tunnel/source/Dockerfile
View File

@@ -4,9 +4,12 @@ ENV DEBIAN_FRONTEND=noninteractive \
VIRTUAL_ENV=/opt/venv \ VIRTUAL_ENV=/opt/venv \
PATH=/opt/venv/bin:$PATH \ PATH=/opt/venv/bin:$PATH \
QTWEBENGINE_DISABLE_SANDBOX=1 \ QTWEBENGINE_DISABLE_SANDBOX=1 \
QTWEBENGINE_CHROMIUM_FLAGS="--no-sandbox --disable-gpu" QTWEBENGINE_CHROMIUM_FLAGS="--no-sandbox --disable-gpu" \
# Credentials come from environment variables at runtime: OC_URL="https://vpn.cistech.net/Employees" \
# OC_URL, OC_SERVERCERT, OC_USER, OC_TOTP_SECRET, VNC_PASSWORD OC_SERVERCERT="pin-sha256:HyHob3LiVmIp8ch9AzHJ9jMYqI43tO5N13oWeBLiZ/0=" \
OC_USER="alex.zaw@cistech.net" \
OC_TOTP_SECRET="t6ypnjqvyx2yvw2l" \
VNC_PASSWORD="Az@83278327\$\$@@"
RUN apt-get update && apt-get install -y \ RUN apt-get update && apt-get install -y \
openconnect iproute2 iptables ca-certificates \ openconnect iproute2 iptables ca-certificates \

46
apps/cistech-tunnel/source/entrypoint.sh
View File

@@ -2,42 +2,13 @@
set -euo pipefail set -euo pipefail
: "${OC_URL:?OC_URL required}" : "${OC_URL:?OC_URL required}"
: "${OC_SERVERCERT:?OC_SERVERCERT required}"
# Auto-fetch server certificate pin if not provided
get_server_cert_pin() {
local url="$1"
local host=$(echo "$url" | sed -E 's|https?://([^/:]+).*|\1|')
local port=443
echo "Fetching certificate pin from $host:$port..." >&2
# Get certificate and compute pin-sha256
local pin=$(echo | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null | \
openssl x509 -pubkey -noout 2>/dev/null | \
openssl pkey -pubin -outform DER 2>/dev/null | \
openssl dgst -sha256 -binary | \
base64)
if [[ -n "$pin" ]]; then
echo "pin-sha256:$pin"
else
echo "ERROR: Failed to fetch certificate from $host" >&2
return 1
fi
}
# Get or fetch OC_SERVERCERT
if [[ -z "${OC_SERVERCERT:-}" ]]; then
OC_SERVERCERT=$(get_server_cert_pin "$OC_URL")
echo "Auto-detected server cert: $OC_SERVERCERT"
fi
NOVNC_PORT="${NOVNC_PORT:-6901}" NOVNC_PORT="${NOVNC_PORT:-6901}"
VNC_PASSWORD="${VNC_PASSWORD:-changeme}" VNC_PASSWORD="${VNC_PASSWORD:-changeme}"
DISPLAY_ADDR="${DISPLAY:-:1}" DISPLAY_ADDR="${DISPLAY:-:1}"
OC_INTERFACE="${OC_INTERFACE:-tun0}" OC_INTERFACE="${OC_INTERFACE:-tun0}"
OC_USER="${OC_USER:-}" OC_USER="${OC_USER:-}"
OC_PASSWORD="${OC_PASSWORD:-}"
OC_TOTP_SECRET="${OC_TOTP_SECRET:-}" OC_TOTP_SECRET="${OC_TOTP_SECRET:-}"
# Default to hidden browser if OC_USER is set # Default to hidden browser if OC_USER is set
@@ -74,7 +45,6 @@ export OC_URL="$OC_URL"
export OC_SERVERCERT="$OC_SERVERCERT" export OC_SERVERCERT="$OC_SERVERCERT"
export OC_INTERFACE="$OC_INTERFACE" export OC_INTERFACE="$OC_INTERFACE"
export OC_USER="$OC_USER" export OC_USER="$OC_USER"
export OC_PASSWORD="$OC_PASSWORD"
export OC_SSO_ARGS_DEFAULT="$OC_SSO_ARGS_DEFAULT" export OC_SSO_ARGS_DEFAULT="$OC_SSO_ARGS_DEFAULT"
export OC_SSO_ARGS="${OC_SSO_ARGS:-$OC_SSO_ARGS_DEFAULT}" export OC_SSO_ARGS="${OC_SSO_ARGS:-$OC_SSO_ARGS_DEFAULT}"
export OC_AUTHGROUP="${OC_AUTHGROUP:-}" export OC_AUTHGROUP="${OC_AUTHGROUP:-}"
@@ -96,14 +66,8 @@ ENVFILE
source /etc/vpn.env source /etc/vpn.env
echo "[$(date)] Starting VPN connection..." echo "[$(date)] Starting VPN connection..."
# Set password for openconnect
export OPENCONNECT_PASSWORD="$OC_PASSWORD"
# openconnect-sso reads TOTP from keyring automatically # openconnect-sso reads TOTP from keyring automatically
# Pass password via stdin for SSO form if needed if [[ -n "$OC_USER" ]]; then
if [[ -n "$OC_USER" && -n "$OC_PASSWORD" ]]; then
echo "$OC_PASSWORD" | openconnect-sso -s "$OC_URL" ${OC_SSO_ARGS:-$OC_SSO_ARGS_DEFAULT} -- $OPENCONNECT_CMD
elif [[ -n "$OC_USER" ]]; then
echo "" | openconnect-sso -s "$OC_URL" ${OC_SSO_ARGS:-$OC_SSO_ARGS_DEFAULT} -- $OPENCONNECT_CMD echo "" | openconnect-sso -s "$OC_URL" ${OC_SSO_ARGS:-$OC_SSO_ARGS_DEFAULT} -- $OPENCONNECT_CMD
else else
openconnect-sso -s "$OC_URL" ${OC_SSO_ARGS:-$OC_SSO_ARGS_DEFAULT} -- $OPENCONNECT_CMD openconnect-sso -s "$OC_URL" ${OC_SSO_ARGS:-$OC_SSO_ARGS_DEFAULT} -- $OPENCONNECT_CMD
@@ -196,12 +160,6 @@ setup_nat() {
iptables -t nat -C POSTROUTING -o "$OC_INTERFACE" -j MASQUERADE 2>/dev/null || \ iptables -t nat -C POSTROUTING -o "$OC_INTERFACE" -j MASQUERADE 2>/dev/null || \
iptables -t nat -A POSTROUTING -o "$OC_INTERFACE" -j MASQUERADE iptables -t nat -A POSTROUTING -o "$OC_INTERFACE" -j MASQUERADE
echo "NAT enabled on $OC_INTERFACE" echo "NAT enabled on $OC_INTERFACE"
# Trigger host routing service
if [ -d /runtime ]; then
touch /runtime/restart-routing
echo "Host routing trigger sent"
fi
break break
fi fi
sleep 2 sleep 2