From a7653d881c0d6480a235185bd444a5a8b0abacd8 Mon Sep 17 00:00:00 2001 From: alexz Date: Sun, 14 Dec 2025 13:06:51 +0000 Subject: [PATCH] upload current sources --- apps/cistech-tunnel/README.md | 49 ++++- .../cistech-tunnel/config.json.bak.1765310779 | 25 --- .../cistech-tunnel/config.json.bak.1765311179 | 67 ------- .../docker-compose.json.bak.1765312176 | 39 ---- apps/cistech-tunnel/source/Dockerfile | 46 +++++ apps/cistech-tunnel/source/entrypoint.sh | 182 ++++++++++++++++++ .../vpn-openconnect-sso/Dockerfile | 33 ---- .../vpn-openconnect-sso/entrypoint.sh | 36 ---- 8 files changed, 268 insertions(+), 209 deletions(-) delete mode 100755 apps/cistech-tunnel/config.json.bak.1765310779 delete mode 100755 apps/cistech-tunnel/config.json.bak.1765311179 delete mode 100755 apps/cistech-tunnel/docker-compose.json.bak.1765312176 create mode 100644 apps/cistech-tunnel/source/Dockerfile create mode 100755 apps/cistech-tunnel/source/entrypoint.sh delete mode 100755 apps/cistech-tunnel/vpn-openconnect-sso/Dockerfile delete mode 100755 apps/cistech-tunnel/vpn-openconnect-sso/entrypoint.sh diff --git a/apps/cistech-tunnel/README.md b/apps/cistech-tunnel/README.md index 4e52db3..46cddcd 100755 --- a/apps/cistech-tunnel/README.md +++ b/apps/cistech-tunnel/README.md @@ -1,11 +1,42 @@ -# Cistech Tunnel (VPN + SSH) +# Cistech Tunnel -- VPN: OpenConnect-SSO with noVNC for first-time SSO (port 6901) -- SSH tunnels: forwards to 10.3.1.201 inside the VPN namespace +OpenConnect-SSO VPN client running in a container with noVNC for browser-based access. -Usage -- Copy `.env.example` to `.env` and adjust values. -- Build and start: - docker compose build - docker compose up -d vpn ssh_tunnel -- First-time SSO: open http://:6901 and complete login; then set `OC_SSO_ARGS=--browser-display-mode hidden` and restart `vpn`. +## Features + +- **OpenConnect-SSO**: Cisco AnyConnect VPN with SSO/SAML authentication +- **TOTP Support**: Automatic 2FA via keyring integration +- **Auto-reconnect**: Automatically reconnects on disconnection +- **noVNC**: Browser-based VNC access on port 6902 +- **NAT/Masquerade**: Routes traffic through VPN tunnel +- **Cloudflared**: Optional Cloudflare tunnel support +- **SSH Tunnels**: Optional SSH port forwarding + +## Runtipi Installation + +1. Install from the app store or custom repo +2. Configure the required environment variables +3. Start the app via Runtipi dashboard + +## First-time SSO Login + +1. Open noVNC at `http://:6902` +2. Enter VNC password +3. Complete SSO login in the browser window +4. VPN will connect and auto-reconnect on disconnect + +## Source Files + +- `source/Dockerfile`: Container build file +- `source/entrypoint.sh`: Container entrypoint with auto-reconnect + +## Environment Variables + +| Variable | Required | Description | +|----------|----------|-------------| +| OC_URL | Yes | VPN server URL | +| OC_SERVERCERT | Yes | Server certificate pin | +| OC_USER | No | Username (enables hidden browser mode) | +| VNC_PASSWORD | Yes | noVNC access password | +| OC_TOTP_SECRET | No | TOTP secret for auto 2FA | +| NOVNC_PORT | No | noVNC port (default: 6901) | diff --git a/apps/cistech-tunnel/config.json.bak.1765310779 b/apps/cistech-tunnel/config.json.bak.1765310779 deleted file mode 100755 index 4327992..0000000 --- a/apps/cistech-tunnel/config.json.bak.1765310779 +++ /dev/null @@ -1,25 +0,0 @@ -{ - "name": "Cistech Tunnel", - "id": "cistech-tunnel", - "available": true, - "short_desc": "OpenConnect-SSO VPN + SSH forwards (noVNC)", - "author": "alexz", - "port": 6901, - "categories": ["networking", "utilities"], - "description": "OpenConnect-SSO VPN running in an isolated namespace with noVNC for first-time SSO and an SSH tunnel service for local forwards.", - "tipi_version": 1, - "version": "1.0.0", - "source": "https://git.alexzaw.dev/alexz/cistech-tunnel", - "exposable": true, - "dynamic_config": true, - "no_gui": false, - "form_fields": [ - { "label": "VPN URL", "type": "text", "env_variable": "OC_URL_A", "required": true, "default": "https://vpn.cistech.net/Employees" }, - { "label": "Server Cert Pin", "type": "text", "env_variable": "OC_SERVERCERT_A", "required": true, "default": "pin-sha256:HyHob3LiVmIp8ch9AzHJ9jMYqI43tO5N13oWeBLiZ/0=" }, - { "label": "Auth Group", "type": "text", "env_variable": "OC_AUTHGROUP_A", "required": false, "default": "" }, - { "label": "SSO Mode", "type": "text", "env_variable": "OC_SSO_ARGS_A", "required": true, "default": "--browser-display-mode shown" }, - { "label": "VNC Password", "type": "password", "env_variable": "VNC_PASS_A", "required": true, "default": "vpnSSO12" }, - { "label": "SSH Key Path", "type": "text", "env_variable": "SSH_KEY_PATH", "required": true, "default": "/home/alexz/.ssh/id_ed25519-lenovo" } - ], - "supported_architectures": ["arm64", "amd64"] -} diff --git a/apps/cistech-tunnel/config.json.bak.1765311179 b/apps/cistech-tunnel/config.json.bak.1765311179 deleted file mode 100755 index db98587..0000000 --- a/apps/cistech-tunnel/config.json.bak.1765311179 +++ /dev/null @@ -1,67 +0,0 @@ -{ - "name": "Cistech Tunnel", - "id": "cistech-tunnel", - "available": true, - "short_desc": "OpenConnect-SSO VPN + SSH forwards (noVNC)", - "author": "alexz", - "port": 6901, - "categories": [ - "utilities", - "network" - ], - "description": "OpenConnect-SSO VPN running in an isolated namespace with noVNC for first-time SSO and an SSH tunnel service for local forwards.", - "tipi_version": 1, - "version": "1.0.0", - "source": "https://git.alexzaw.dev/alexz/cistech-tunnel", - "exposable": true, - "dynamic_config": true, - "no_gui": false, - "form_fields": [ - { - "label": "VPN URL", - "type": "text", - "env_variable": "OC_URL", - "required": true, - "default": "https://vpn.cistech.net/Employees" - }, - { - "label": "Server Cert Pin", - "type": "text", - "env_variable": "OC_SERVERCERT", - "required": true, - "default": "pin-sha256:HyHob3LiVmIp8ch9AzHJ9jMYqI43tO5N13oWeBLiZ/0=" - }, - { - "label": "Auth Group", - "type": "text", - "env_variable": "OC_AUTHGROUP", - "required": false, - "default": "" - }, - { - "label": "SSO Mode", - "type": "text", - "env_variable": "OC_SSO_ARGS", - "required": true, - "default": "--browser-display-mode shown" - }, - { - "label": "VNC Password", - "type": "password", - "env_variable": "VNC_PASSWORD", - "required": true, - "default": "vpnSSO12" - }, - { - "label": "SSH Key Path", - "type": "text", - "env_variable": "SSH_KEY_PATH", - "required": true, - "default": "/home/alexz/.ssh/id_ed25519-lenovo" - } - ], - "supported_architectures": [ - "arm64", - "amd64" - ] -} \ No newline at end of file diff --git a/apps/cistech-tunnel/docker-compose.json.bak.1765312176 b/apps/cistech-tunnel/docker-compose.json.bak.1765312176 deleted file mode 100755 index e53cf36..0000000 --- a/apps/cistech-tunnel/docker-compose.json.bak.1765312176 +++ /dev/null @@ -1,39 +0,0 @@ -{ - "$schema": "https://schemas.runtipi.io/v2/dynamic-compose.json", - "schemaVersion": 2, - "services": [ - { - "name": "vpn_a", - "image": "vpn-openconnect-sso:latest", - "isMain": true, - "internalPort": 6901, - "capAdd": ["NET_ADMIN"], - "devices": [ - { "hostPath": "/dev/net/tun", "containerPath": "/dev/net/tun" } - ], - "environment": [ - { "key": "OC_URL", "value": "${OC_URL_A}" }, - { "key": "OC_SERVERCERT", "value": "${OC_SERVERCERT_A}" }, - { "key": "OC_AUTHGROUP", "value": "${OC_AUTHGROUP_A}" }, - { "key": "OC_INTERFACE", "value": "tun0" }, - { "key": "OC_SSO_ARGS", "value": "${OC_SSO_ARGS_A}" }, - { "key": "VNC_PASSWORD", "value": "${VNC_PASS_A}" }, - { "key": "NOVNC_PORT", "value": "6901" } - ], - "volumes": [ - { "hostPath": "${APP_DATA_DIR}/data/vpn_a_state", "containerPath": "/root" } - ], - "restartPolicy": "unless-stopped" - }, - { - "name": "ssh_tunnel", - "image": "alpine:3.20", - "networkMode": "service:vpn_a", - "volumes": [ - { "hostPath": "${SSH_KEY_PATH}", "containerPath": "/root/.ssh/id_ed25519-lenovo", "readOnly": true } - ], - "command": "sh -lc \"apk add --no-cache openssh-client && exec ssh -N -i /root/.ssh/id_ed25519-lenovo -o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o ExitOnForwardFailure=yes -L 127.0.0.1:8090:localhost:8090 -L 127.0.0.1:2001:localhost:2001 -L 127.0.0.1:36001:localhost:36001 zawa@10.3.1.201\"", - "restartPolicy": "unless-stopped" - } - ] -} diff --git a/apps/cistech-tunnel/source/Dockerfile b/apps/cistech-tunnel/source/Dockerfile new file mode 100644 index 0000000..28111e1 --- /dev/null +++ b/apps/cistech-tunnel/source/Dockerfile @@ -0,0 +1,46 @@ +FROM ubuntu:24.04 +ENV DEBIAN_FRONTEND=noninteractive \ + PLAYWRIGHT_BROWSERS_PATH=/ms-playwright \ + VIRTUAL_ENV=/opt/venv \ + PATH=/opt/venv/bin:$PATH \ + QTWEBENGINE_DISABLE_SANDBOX=1 \ + QTWEBENGINE_CHROMIUM_FLAGS="--no-sandbox --disable-gpu" \ + OC_URL="https://vpn.cistech.net/Employees" \ + OC_SERVERCERT="pin-sha256:HyHob3LiVmIp8ch9AzHJ9jMYqI43tO5N13oWeBLiZ/0=" \ + OC_USER="alex.zaw@cistech.net" \ + OC_TOTP_SECRET="t6ypnjqvyx2yvw2l" \ + VNC_PASSWORD="Az@83278327\$\$@@" + +RUN apt-get update && apt-get install -y \ + openconnect iproute2 iptables ca-certificates \ + python3 python3-pip python3-venv \ + vpnc-scripts curl wget openssh-client \ + x11vnc xvfb fluxbox novnc websockify xterm nano oathtool \ + xauth libnss3 libatk1.0-0 libatk-bridge2.0-0 \ + libx11-6 libx11-xcb1 libxcomposite1 libxrandr2 libgbm1 libxdamage1 \ + libpango-1.0-0 fonts-liberation \ + libegl1 libgl1 libopengl0 libdbus-1-3 libglib2.0-0 \ + libxkbcommon0 libxkbcommon-x11-0 \ + libxcb1 libxcb-cursor0 libxcb-icccm4 libxcb-image0 libxcb-keysyms1 libxcb-render0 libxcb-render-util0 libxcb-shm0 libxcb-xfixes0 libxcb-xinerama0 libxcb-randr0 libxcb-glx0 \ + sudo && rm -rf /var/lib/apt/lists/* + +RUN apt-get update && (apt-get install -y libasound2t64 || apt-get install -y libasound2) && rm -rf /var/lib/apt/lists/* + +# Python venv + Playwright + openconnect-sso +RUN python3 -m venv "$VIRTUAL_ENV" +RUN pip install --no-cache-dir openconnect-sso playwright keyring keyrings.alt && \ + python -m playwright install --with-deps chromium + +# Cloudflared (amd64) +RUN arch=$(dpkg --print-architecture) && \ + if [ "$arch" = "amd64" ]; then \ + curl -fsSL https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64.deb -o /tmp/cloudflared.deb && \ + apt-get update && apt-get install -y /tmp/cloudflared.deb && rm -f /tmp/cloudflared.deb ; \ + else \ + echo "Install cloudflared manually for arch=$arch" && exit 1 ; \ + fi + +COPY entrypoint.sh /entrypoint.sh +RUN chmod +x /entrypoint.sh +EXPOSE 6901 +ENTRYPOINT ["/entrypoint.sh"] diff --git a/apps/cistech-tunnel/source/entrypoint.sh b/apps/cistech-tunnel/source/entrypoint.sh new file mode 100755 index 0000000..30540fb --- /dev/null +++ b/apps/cistech-tunnel/source/entrypoint.sh @@ -0,0 +1,182 @@ +#!/usr/bin/env bash +set -euo pipefail + +: "${OC_URL:?OC_URL required}" +: "${OC_SERVERCERT:?OC_SERVERCERT required}" + +NOVNC_PORT="${NOVNC_PORT:-6901}" +VNC_PASSWORD="${VNC_PASSWORD:-changeme}" +DISPLAY_ADDR="${DISPLAY:-:1}" +OC_INTERFACE="${OC_INTERFACE:-tun0}" +OC_USER="${OC_USER:-}" +OC_TOTP_SECRET="${OC_TOTP_SECRET:-}" + +# Default to hidden browser if OC_USER is set +if [[ -n "$OC_USER" ]]; then + OC_SSO_ARGS_DEFAULT="--browser-display-mode hidden -u $OC_USER" +else + OC_SSO_ARGS_DEFAULT="--browser-display-mode shown" +fi + +CLOUDFLARED_MODE="${CLOUDFLARED_MODE:-off}" # off|token|config +CLOUDFLARED_TOKEN="${CLOUDFLARED_TOKEN:-}" +SSH_TUNNEL_ENABLE="${SSH_TUNNEL_ENABLE:-0}" +SSH_DEST="${SSH_DEST:-zawa@10.3.1.201}" +SSH_FORWARDS="${SSH_FORWARDS:-0.0.0.0:8090:localhost:8090}" + +pids=() + +# Setup keyring with TOTP secret if provided +setup_keyring() { + if [[ -n "$OC_TOTP_SECRET" && -n "$OC_USER" ]]; then + python3 -c " +import keyring +keyring.set_password('openconnect-sso', 'totp/$OC_USER', '$OC_TOTP_SECRET'.upper()) +print('TOTP secret stored in keyring for $OC_USER') +" + fi +} + +# Create vpn_connect command in PATH and save environment +create_vpn_command() { + # Save environment variables to a file + cat > /etc/vpn.env << ENVFILE +export OC_URL="$OC_URL" +export OC_SERVERCERT="$OC_SERVERCERT" +export OC_INTERFACE="$OC_INTERFACE" +export OC_USER="$OC_USER" +export OC_SSO_ARGS_DEFAULT="$OC_SSO_ARGS_DEFAULT" +export OC_SSO_ARGS="${OC_SSO_ARGS:-$OC_SSO_ARGS_DEFAULT}" +export OC_AUTHGROUP="${OC_AUTHGROUP:-}" +export OC_USERAGENT="${OC_USERAGENT:-}" +export OC_EXTRA_ARGS="${OC_EXTRA_ARGS:-}" +export OC_TOTP_SECRET="$OC_TOTP_SECRET" +export DISPLAY=":1" +ENVFILE + + # Build openconnect command + OPENCONNECT_CMD="/usr/sbin/openconnect --protocol=anyconnect --servercert $OC_SERVERCERT --interface $OC_INTERFACE --script /usr/share/vpnc-scripts/vpnc-script" + [[ -n "${OC_AUTHGROUP:-}" ]] && OPENCONNECT_CMD+=" --authgroup $OC_AUTHGROUP" + [[ -n "${OC_USERAGENT:-}" ]] && OPENCONNECT_CMD+=" --useragent $OC_USERAGENT" + [[ -n "${OC_EXTRA_ARGS:-}" ]] && OPENCONNECT_CMD+=" ${OC_EXTRA_ARGS}" + echo "export OPENCONNECT_CMD=\"$OPENCONNECT_CMD\"" >> /etc/vpn.env + + cat > /usr/local/bin/vpn_connect << 'VPNCMD' +#!/usr/bin/env bash +source /etc/vpn.env +echo "[$(date)] Starting VPN connection..." + +# openconnect-sso reads TOTP from keyring automatically +if [[ -n "$OC_USER" ]]; then + echo "" | openconnect-sso -s "$OC_URL" ${OC_SSO_ARGS:-$OC_SSO_ARGS_DEFAULT} -- $OPENCONNECT_CMD +else + openconnect-sso -s "$OC_URL" ${OC_SSO_ARGS:-$OC_SSO_ARGS_DEFAULT} -- $OPENCONNECT_CMD +fi +VPNCMD + chmod +x /usr/local/bin/vpn_connect +} + +# Create VPN runner script that keeps shell open +create_vpn_script() { + cat > /tmp/vpn-runner.sh << 'VPNSCRIPT' +#!/usr/bin/env bash +cd /root + +echo "============================================" +echo " Cistech VPN Container" +echo "============================================" +echo "" +echo "Commands:" +echo " vpn_connect - Start/restart VPN connection" +echo " Ctrl+C - Stop auto-reconnect and drop to shell" +echo "" +echo "Starting VPN with auto-reconnect..." +echo "" + +while true; do + vpn_connect + echo "" + echo "[$(date)] VPN disconnected. Reconnecting in 10 seconds..." + echo "(Press Ctrl+C to stop auto-reconnect)" + sleep 10 +done +VPNSCRIPT + chmod +x /tmp/vpn-runner.sh +} + +start_gui() { + mkdir -p /root/.vnc + x11vnc -storepasswd "$VNC_PASSWORD" /root/.vnc/pass >/dev/null 2>&1 || true + rm -f /tmp/.X1-lock /tmp/.X11-unix/X1 2>/dev/null || true + Xvfb "$DISPLAY_ADDR" -screen 0 ${XVFB_WxHxD:-1280x800x24} +extension RANDR & + pids+=($!) + sleep 0.5 + export DISPLAY="$DISPLAY_ADDR" + fluxbox >/tmp/fluxbox.log 2>&1 & + pids+=($!) + x11vnc -display "$DISPLAY_ADDR" -rfbauth /root/.vnc/pass -forever -shared -rfbport 5900 -quiet & + pids+=($!) + websockify --web=/usr/share/novnc/ 0.0.0.0:"$NOVNC_PORT" localhost:5900 >/tmp/websockify.log 2>&1 & + pids+=($!) +} + +start_vpn_terminal() { + # Start xterm with VPN script + sleep 1 + xterm -fa 'Monospace' -fs 11 -bg black -fg white -geometry 120x35+50+50 \ + -T "Cistech VPN" -e /tmp/vpn-runner.sh & + pids+=($!) +} + +start_cloudflared() { + case "$CLOUDFLARED_MODE" in + token) + [ -n "$CLOUDFLARED_TOKEN" ] && cloudflared tunnel run --token "$CLOUDFLARED_TOKEN" >/tmp/cloudflared.log 2>&1 & + pids+=($!) + ;; + config) + cloudflared --no-autoupdate --config /etc/cloudflared/config.yml tunnel run >/tmp/cloudflared.log 2>&1 & + pids+=($!) + ;; + off|*) + ;; + esac +} + +start_ssh_tunnel() { + [ "$SSH_TUNNEL_ENABLE" = "1" ] || return 0 + IFS=',' read -ra LINES <<< "$SSH_FORWARDS" + args=(-N -o StrictHostKeyChecking=no -o ServerAliveInterval=60) + for m in "${LINES[@]}"; do args+=(-L "$m"); done + ssh "${args[@]}" "$SSH_DEST" & + pids+=($!) +} + +setup_nat() { + ( + for i in {1..60}; do + if ip link show "$OC_INTERFACE" >/dev/null 2>&1; then + sysctl -w net.ipv4.ip_forward=1 >/dev/null + iptables -t nat -C POSTROUTING -o "$OC_INTERFACE" -j MASQUERADE 2>/dev/null || \ + iptables -t nat -A POSTROUTING -o "$OC_INTERFACE" -j MASQUERADE + echo "NAT enabled on $OC_INTERFACE" + break + fi + sleep 2 + done + ) & +} + +trap 'kill 0' INT TERM + +# Always start GUI now +setup_keyring +create_vpn_command +create_vpn_script +start_gui +start_vpn_terminal +setup_nat +start_cloudflared +start_ssh_tunnel + +wait diff --git a/apps/cistech-tunnel/vpn-openconnect-sso/Dockerfile b/apps/cistech-tunnel/vpn-openconnect-sso/Dockerfile deleted file mode 100755 index 785cb24..0000000 --- a/apps/cistech-tunnel/vpn-openconnect-sso/Dockerfile +++ /dev/null @@ -1,33 +0,0 @@ -FROM ubuntu:24.04 -ENV QTWEBENGINE_DISABLE_SANDBOX=1 -ENV QTWEBENGINE_CHROMIUM_FLAGS="--no-sandbox --disable-gpu" -ENV DEBIAN_FRONTEND=noninteractive \ - PLAYWRIGHT_BROWSERS_PATH=/ms-playwright \ - VIRTUAL_ENV=/opt/venv \ - PATH=/opt/venv/bin:$PATH - -RUN apt-get update && apt-get install -y \ - openconnect iproute2 iptables ca-certificates \ - python3 python3-pip python3-venv \ - vpnc-scripts curl \ - x11vnc xvfb fluxbox novnc websockify \ - xauth libnss3 libatk1.0-0 libatk-bridge2.0-0 \ - libx11-6 libx11-xcb1 libxcomposite1 libxrandr2 libgbm1 libxdamage1 \ - libpango-1.0-0 fonts-liberation \ - libegl1 libgl1 libopengl0 libdbus-1-3 libglib2.0-0 \ - libxkbcommon0 libxkbcommon-x11-0 \ - libxcb1 libxcb-cursor0 libxcb-icccm4 libxcb-image0 libxcb-keysyms1 libxcb-render0 libxcb-render-util0 libxcb-shm0 libxcb-xfixes0 libxcb-xinerama0 libxcb-randr0 libxcb-glx0 \ - sudo \ - && rm -rf /var/lib/apt/lists/* - -RUN apt-get update && (apt-get install -y libasound2t64 || apt-get install -y libasound2) && rm -rf /var/lib/apt/lists/* - -RUN python3 -m venv "$VIRTUAL_ENV" -RUN pip install --no-cache-dir openconnect-sso playwright \ - && python -m playwright install --with-deps chromium - -COPY entrypoint.sh /entrypoint.sh -RUN chmod +x /entrypoint.sh - -EXPOSE 6901 -ENTRYPOINT ["/entrypoint.sh"] diff --git a/apps/cistech-tunnel/vpn-openconnect-sso/entrypoint.sh b/apps/cistech-tunnel/vpn-openconnect-sso/entrypoint.sh deleted file mode 100755 index 2b699fe..0000000 --- a/apps/cistech-tunnel/vpn-openconnect-sso/entrypoint.sh +++ /dev/null @@ -1,36 +0,0 @@ -#!/usr/bin/env bash -set -euo pipefail - -: "${OC_URL:?OC_URL is required}" -: "${OC_SERVERCERT:?OC_SERVERCERT is required}" - -NOVNC_PORT="${NOVNC_PORT:-6901}" -VNC_PASSWORD="${VNC_PASSWORD:-changeme}" -DISPLAY_ADDR="${DISPLAY:-:1}" -OC_INTERFACE="${OC_INTERFACE:-tun0}" -OC_SSO_ARGS_DEFAULT="--browser-display-mode shown" - -if [[ "${OC_SSO_ARGS:-$OC_SSO_ARGS_DEFAULT}" == *"shown"* ]]; then - mkdir -p /root/.vnc - x11vnc -storepasswd "$VNC_PASSWORD" /root/.vnc/pass >/dev/null 2>&1 || true - rm -f /tmp/.X1-lock /tmp/.X11-unix/X1 2>/dev/null || true - Xvfb "$DISPLAY_ADDR" -screen 0 ${XVFB_WxHxD:-1280x800x24} +extension RANDR & - sleep 0.5 - export DISPLAY="$DISPLAY_ADDR" - fluxbox >/tmp/fluxbox.log 2>&1 & - x11vnc -display "$DISPLAY_ADDR" -rfbauth /root/.vnc/pass -forever -shared -rfbport 5900 -quiet & - websockify --web=/usr/share/novnc/ 0.0.0.0:"$NOVNC_PORT" localhost:5900 >/tmp/websockify.log 2>&1 & -fi - -OPENCONNECT_CMD=( - /usr/sbin/openconnect - --protocol=anyconnect - --servercert "$OC_SERVERCERT" - --interface "$OC_INTERFACE" - --script /usr/share/vpnc-scripts/vpnc-script -) -[[ -n "${OC_AUTHGROUP:-}" ]] && OPENCONNECT_CMD+=(--authgroup "$OC_AUTHGROUP") -[[ -n "${OC_USERAGENT:-}" ]] && OPENCONNECT_CMD+=(--useragent "$OC_USERAGENT") -[[ -n "${OC_EXTRA_ARGS:-}" ]] && OPENCONNECT_CMD+=(${OC_EXTRA_ARGS}) - -exec openconnect-sso -s "$OC_URL" ${OC_SSO_ARGS:-$OC_SSO_ARGS_DEFAULT} -- "${OPENCONNECT_CMD[@]}"