The elif branch was missing 'echo "" |' which caused openconnect-sso
to hang waiting for stdin input when OC_PASSWORD is not set.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- entrypoint.sh: Auto-fetch pin-sha256 from VPN URL if not provided
- config.json: Remove OC_SERVERCERT (auto-fetched), add OC_PASSWORD
- docker-compose.json: Add OC_PASSWORD env var
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- docker-compose.json: Use git.alexzaw.dev/alexz/cistech-vpn:latest
- config.json: Add OC_TOTP_SECRET field, keep server cert as default
- Dockerfile: Remove hardcoded credentials (come from env at runtime)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add shared/host-routing.sh with nft for NAT masquerade
- Add shared/install-host-services.sh to set up systemd watcher
- Add shared/uninstall-host-services.sh for cleanup
- Add /runtime volume mount for trigger file
- Update entrypoint.sh to trigger host routing when VPN connects
Run install-host-services.sh on host after app install.
Requires image rebuild for entrypoint changes.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add disown after vpnui & to suppress "killed" messages
- Ignore empty/whitespace input in menu loop
- Remove "Invalid choice" error (just ignore silently)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
After VPN reconnects, Cisco agent creates its chains asynchronously,
pushing our ACCEPT rules down where they're ineffective. Fix:
1. Wait up to 30s for ciscovpn chain to exist
2. Delete any existing rules (they may be in wrong position)
3. Insert fresh rules at position 1
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
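The three steps above as a POSIX sh example added here; it is not the project's entrypoint.sh. The chain name ciscovpn comes from the message, the 172.31.0.0/24 container subnet is taken from the later container-network note, and the exact ACCEPT rule specs are assumptions.

```shell
#!/bin/sh
# Added example, not the project's entrypoint.sh. Chain name "ciscovpn" comes
# from the commit message; the 172.31.0.0/24 container subnet and the exact
# rule specs are assumptions.
CHAIN_NAME="${CHAIN_NAME:-ciscovpn}"
WAIT_SECS="${WAIT_SECS:-30}"
CONTAINER_NET="${CONTAINER_NET:-172.31.0.0/24}"

# Step 1: poll until the Cisco agent has created its chain (it appears
# asynchronously after a reconnect). Returns 1 on timeout.
wait_for_chain() {
    i=0
    while [ "$i" -lt "$WAIT_SECS" ]; do
        iptables -w -n -L "$CHAIN_NAME" >/dev/null 2>&1 && return 0
        i=$((i + 1))
        sleep 1
    done
    return 1
}

# Steps 2 and 3: delete every existing copy of the rule (it may sit below the
# Cisco chains, where their catch-all DROP hides it), then insert one copy at
# position 1 so it is evaluated first. "$@" is the rule spec.
ensure_rule_first() {
    while iptables -w -C FORWARD "$@" 2>/dev/null; do
        iptables -w -D FORWARD "$@"
    done
    iptables -w -I FORWARD 1 "$@"
}

# Re-apply the forwarding rules for the container network after a reconnect.
refresh_forward_rules() {
    wait_for_chain || { echo "timeout waiting for chain $CHAIN_NAME" >&2; return 1; }
    ensure_rule_first -s "$CONTAINER_NET" -j ACCEPT
    ensure_rule_first -d "$CONTAINER_NET" -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
}

if [ "${1:-}" = "--apply" ]; then
    refresh_forward_rules
fi
```

Run it as root with `--apply` from the reconnect hook; without the flag it only defines the functions.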
- host-routing.sh: Use nft instead of iptables for NAT masquerade
(iptables-nft backend doesn't support iptables -t nat commands)
- cisco-vpn: Use -I FORWARD 1 instead of -A FORWARD to insert rules
BEFORE Cisco VPN chains (which have catch-all DROP rules)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Added start_watchdog() function that:
  - Checks VPN every 60 seconds
  - Sends keepalive ping every 5 minutes to prevent idle timeout
  - Auto-reconnects up to 3 times if VPN drops
- Disabled screen blanking in xstartup and after VPN connects
- Removed useless monitor loop that only logged
- Rewrote description.md with current architecture
- Removed README.md (outdated Windows VM docs)
- Added install/uninstall instructions for host services
  - install-host-services.sh: Creates watcher path/service units
  - uninstall-host-services.sh: Removes units and cleans up
  - Run once on host after app install
- Removed get_vm_bridge_ip() and get_container_gateway()
- Added get_container_ip() for eth0 (172.31.0.x network)
- Updated setup_forwarding() and show_network_status()
- No more ens3/VM references
- Hardcoded container IP (172.31.0.10) and bridge (br-rego-vpn)
- Simple start/stop/restart actions
- Removes stale routes before applying new ones
- Logs to /var/log/rego-routing.log
- Removed: redsocks, nft, VM subnet, container_apply
- Removed all sudo commands since container runs as root
- Added LOG_FILE at /var/log/cisco-vpn.log
- Modified log() to write to both console and file
- Added startup logging with env var status
- Delete init-vpn.sh, vpn-connect.sh, xstartup from build/scripts
- Change cisco-vpn monitor to background process so menu shows after connect
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
These two files cannot be overridden at runtime, so they're now
baked directly into the Dockerfile using heredocs.
Remaining scripts (can be overridden at runtime):
- init-vpn.sh
- xstartup
- vpn-connect.sh
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add init-rego.sh and xstartup to repo's shared folder
- Update docker-compose.json with all volume mounts
- Update docker-compose.yml with cgroup: host
- Mount scripts directly from repo (not user-config)
Now works on fresh install without any user-config overrides.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Includes the pre-extracted Cisco Secure Client 5.1.14.145 installation
for building the Docker image.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>