@@ -1,20 +1,144 @@
|
||||
# Dockerized OpenConnect-SSO with noVNC and Cloudflared
|
||||
# Rego Tunnel - Cisco Secure Client VPN
|
||||
|
||||
## Setup
|
||||
1) Copy `.env.example` to `.env` and fill values (URLs, servercert pins, VNC passwords, cloudflared tokens).
|
||||
Native Docker container running Cisco Secure Client (AnyConnect) with full GUI support via noVNC. Provides transparent VPN access to protected resources from your LAN.
|
||||
|
||||
2) First-time SSO: leave `OC_SSO_ARGS_*=--browser-display-mode visible`.
|
||||
## Features
|
||||
|
||||
3) Build and start:
|
||||
docker compose build
|
||||
docker compose up -d vpn_a
|
||||
# Open http://localhost:6901, complete SSO.
|
||||
# After success, attach app containers or start cloudflared_a.
|
||||
- **Cisco Secure Client 5.1.14.145** - Full GUI with VPN, DART, and Posture modules
|
||||
- **Web-based access** via noVNC (port 6080)
|
||||
- **Auto-login with TOTP** - Fully automated VPN connection
|
||||
- **LAN routing** - Other machines on your network can reach VPN targets
|
||||
- **Native Docker** - No QEMU/VM overhead
|
||||
|
||||
4) Optional: switch to headless after first login:
|
||||
Set `OC_SSO_ARGS_*=--browser-display-mode hidden` (or `headless`) and restart the vpn service.
|
||||
## Architecture
|
||||
|
||||
## Notes
|
||||
- Each VPN runs in its own net namespace; routes from one cannot affect the other or the host.
|
||||
- DNS from the VPN applies within its container namespace and attached services only.
|
||||
- Persisted state lives in the named volumes mounted at `/root` (Playwright cache, configs).
|
||||
```
|
||||
LAN Devices ──► Linux Host ──► Container (172.31.0.10) ──► VPN Tunnel ──► Target (10.35.33.230)
|
||||
│ │
|
||||
│ └── Cisco Secure Client
|
||||
│ └── noVNC web UI (port 6080)
|
||||
│
|
||||
└── Host routing service
|
||||
(routes VPN traffic through container)
|
||||
```
|
||||
|
||||
## Installation
|
||||
|
||||
### 1. Install the app through Runtipi
|
||||
|
||||
Configure your VPN credentials in app settings:
|
||||
- VPN Email
|
||||
- VPN Password
|
||||
- TOTP Secret (base32)
|
||||
- VPN Host (default: vpn-ord1.dovercorp.com)
|
||||
- Target IP (default: 10.35.33.230)
|
||||
|
||||
### 2. Install host routing service (required for LAN access)
|
||||
|
||||
**Run this ONCE on the host after app install:**
|
||||
|
||||
```bash
|
||||
/etc/runtipi/repos/runtipi/apps/rego-tunnel/shared/install-host-services.sh
|
||||
```
|
||||
|
||||
This creates systemd services that route VPN traffic through the container.
|
||||
|
||||
### 3. Access the VPN GUI
|
||||
|
||||
Open `http://<your-server>:6080/vnc.html`
|
||||
|
||||
The VPN will auto-connect using your configured credentials.
|
||||
|
||||
## Usage
|
||||
|
||||
### Access noVNC
|
||||
|
||||
Navigate to port 6080 on your server. The cisco-vpn script runs automatically and provides a menu:
|
||||
|
||||
```
|
||||
1 - Start Cisco AnyConnect
|
||||
2 - Copy credentials to clipboard
|
||||
3 - Show live TOTP
|
||||
4 - Setup IP forwarding rules
|
||||
5 - Test connection to target
|
||||
6 - Show network status
|
||||
7 - Kill all Cisco processes
|
||||
8 - Show routing table
|
||||
9 - Show /etc/hosts
|
||||
q - Quit
|
||||
```
|
||||
|
||||
### Command line options
|
||||
|
||||
```bash
|
||||
# Inside container
|
||||
cisco-vpn -m # Menu only (skip auto-connect)
|
||||
cisco-vpn -c # Connect and exit
|
||||
cisco-vpn -d # Disconnect and exit
|
||||
cisco-vpn -s # Show status
|
||||
cisco-vpn --help # Show all options
|
||||
```
|
||||
|
||||
### View logs
|
||||
|
||||
```bash
|
||||
# Inside container
|
||||
cat /var/log/cisco-vpn/$(date +%Y-%m-%d).log
|
||||
|
||||
# On host
|
||||
cat /var/log/rego-routing.log
|
||||
```
|
||||
|
||||
## LAN Access
|
||||
|
||||
After the host routing service is installed, any device on your LAN can reach the VPN target:
|
||||
|
||||
1. **From the host:** Works automatically
|
||||
2. **From other LAN devices:** Add a static route pointing to your host
|
||||
|
||||
Example (Windows client):
|
||||
```cmd
|
||||
route add 10.35.33.230 mask 255.255.255.255 192.168.0.150 -p
|
||||
```
|
||||
|
||||
Where `192.168.0.150` is your Linux host IP.
|
||||
|
||||
## Uninstall
|
||||
|
||||
Before removing the app from Runtipi:
|
||||
|
||||
```bash
|
||||
/etc/runtipi/repos/runtipi/apps/rego-tunnel/shared/uninstall-host-services.sh
|
||||
```
|
||||
|
||||
## Troubleshooting
|
||||
|
||||
### noVNC not accessible
|
||||
```bash
|
||||
docker exec rego-tunnel_runtipi-rego-tunnel-1 systemctl status vnc.service
|
||||
```
|
||||
|
||||
### VPN connects but can't reach target
|
||||
```bash
|
||||
# Check routes inside container
|
||||
docker exec rego-tunnel_runtipi-rego-tunnel-1 ip route
|
||||
|
||||
# Check host routing
|
||||
ip route | grep 10.35.33.230
|
||||
```
|
||||
|
||||
### Host routing not working
|
||||
```bash
|
||||
# Check watcher service
|
||||
systemctl status rego-routing-watcher.path
|
||||
|
||||
# Manually trigger routing
|
||||
touch /etc/runtipi/app-data/runtipi/rego-tunnel/restart-routing
|
||||
```
|
||||
|
||||
## Technical Details
|
||||
|
||||
- **Container IP:** 172.31.0.10 (on br-rego-vpn bridge)
|
||||
- **Ports:** 6080 (noVNC), 5901 (VNC)
|
||||
- **Privileges:** `--privileged`, `NET_ADMIN`, `/dev/net/tun`
|
||||
- **Log retention:** 7 days (auto-cleanup)
|
||||
|
||||
Reference in New Issue
Block a user