# Rego Tunnel - Cisco Secure Client VPN

Native Docker container running Cisco Secure Client (AnyConnect) with full GUI support via noVNC. Provides transparent VPN access to protected resources from your LAN.

## Features

- **Cisco Secure Client 5.1.14.145** - Full GUI with VPN, DART, and Posture modules
- **Web-based access** via noVNC (port 6080)
- **Auto-login with TOTP** - Fully automated VPN connection
- **LAN routing** - Other machines on your network can reach VPN targets
- **Native Docker** - No QEMU/VM overhead

## Architecture

```
LAN Devices ──► Linux Host ──► Container (172.31.0.10) ──► VPN Tunnel ──► Target (10.35.33.230)
                    │               │
                    │               └── Cisco Secure Client
                    │                   └── noVNC web UI (port 6080)
                    │
                    └── Host routing service (routes VPN traffic through container)
```

## Installation

### 1. Install the app through Runtipi

Configure your VPN credentials in app settings:

- VPN Email
- VPN Password
- TOTP Secret (base32)
- VPN Host (default: vpn-ord1.dovercorp.com)
- Target IP (default: 10.35.33.230)

### 2. Install host routing service (required for LAN access)

**Run this ONCE on the host after app install:**

```bash
/etc/runtipi/repos/runtipi/apps/rego-tunnel/shared/install-host-services.sh
```

This creates systemd services that route VPN traffic through the container.

### 3. Access the VPN GUI

Open `http://<host-ip>:6080/vnc.html`, where `<host-ip>` is the address of your Linux host.

The VPN will auto-connect using your configured credentials.

## Usage

### Access noVNC

Navigate to port 6080 on your server.
The cisco-vpn script runs automatically and provides a menu:

```
1 - Start Cisco AnyConnect
2 - Copy credentials to clipboard
3 - Show live TOTP
4 - Setup IP forwarding rules
5 - Test connection to target
6 - Show network status
7 - Kill all Cisco processes
8 - Show routing table
9 - Show /etc/hosts
q - Quit
```

### Command line options

```bash
# Inside container
cisco-vpn -m       # Menu only (skip auto-connect)
cisco-vpn -c       # Connect and exit
cisco-vpn -d       # Disconnect and exit
cisco-vpn -s       # Show status
cisco-vpn --help   # Show all options
```

### View logs

```bash
# Inside container
cat /var/log/cisco-vpn/$(date +%Y-%m-%d).log

# On host
cat /var/log/rego-routing.log
```

## LAN Access

After the host routing service is installed, any device on your LAN can reach the VPN target:

1. **From the host:** Works automatically
2. **From other LAN devices:** Add a static route pointing to your host

Example (Windows client):

```cmd
route add 10.35.33.230 mask 255.255.255.255 192.168.0.150 -p
```

Where `192.168.0.150` is your Linux host IP.

## Uninstall

Before removing the app from Runtipi:

```bash
/etc/runtipi/repos/runtipi/apps/rego-tunnel/shared/uninstall-host-services.sh
```

## Troubleshooting

### noVNC not accessible

```bash
docker exec rego-tunnel_runtipi-rego-tunnel-1 systemctl status vnc.service
```

### VPN connects but can't reach target

```bash
# Check routes inside container
docker exec rego-tunnel_runtipi-rego-tunnel-1 ip route

# Check host routing
ip route | grep 10.35.33.230
```

### Host routing not working

```bash
# Check watcher service
systemctl status rego-routing-watcher.path

# Manually trigger routing
touch /etc/runtipi/app-data/runtipi/rego-tunnel/restart-routing
```

## Technical Details

- **Container IP:** 172.31.0.10 (on br-rego-vpn bridge)
- **Ports:** 6080 (noVNC), 5901 (VNC)
- **Privileges:** `--privileged`, `NET_ADMIN`, `/dev/net/tun`
- **Log retention:** 7 days (auto-cleanup)
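The "VPN connects but can't reach target" and "Host routing not working" checks above only grep for the target address. The script below is an added example (not part of the rego-tunnel project) that goes one step further: it parses the host's `ip route` output together with the `ip_forward` sysctl and tells you whether the route is missing, points at a stale next hop, or is fine but forwarding is off. The addresses default to the README's values; the `REGO_TARGET_IP` and `REGO_CONTAINER_IP` variables and the `--live` flag are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the rego-tunnel project: checks the host half of the
# LAN -> host -> container -> VPN chain from the text of `ip route` and the
# ip_forward sysctl, so a stale route is reported as such, not just as "missing".
TARGET_IP="${REGO_TARGET_IP:-10.35.33.230}"
CONTAINER_IP="${REGO_CONTAINER_IP:-172.31.0.10}"

# check_host_route ROUTES: ROUTES is the output of `ip route` on the Linux host.
# Exit 0 if the host route for TARGET_IP points at CONTAINER_IP,
# 2 if a route exists but has another next hop, 1 if there is no route at all.
check_host_route() {
    printf '%s\n' "$1" | awk -v t="$TARGET_IP" -v c="$CONTAINER_IP" '
        $1 == t || $1 == (t "/32") {
            found = 1
            for (i = 2; i < NF; i++) if ($i == "via" && $(i + 1) == c) ok = 1
        }
        END { if (ok) exit 0; if (found) exit 2; exit 1 }'
}

# diagnose ROUTES IP_FORWARD: prints one status word and returns 0 only for "ok".
# Forwarding is checked first: without it a correct route still drops LAN traffic.
diagnose() {
    if [ "$2" != "1" ]; then
        echo "forwarding-off"; return 1
    fi
    rc=0
    check_host_route "$1" || rc=$?
    case $rc in
        0) echo "ok"; return 0 ;;
        2) echo "wrong-next-hop"; return 1 ;;
        *) echo "no-route"; return 1 ;;
    esac
}

# Constructed sample of what a correctly configured host should show.
SAMPLE_ROUTES_OK="default via 192.168.0.1 dev eth0
10.35.33.230 via 172.31.0.10 dev br-rego-vpn
172.31.0.0/24 dev br-rego-vpn proto kernel scope link src 172.31.0.1
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.150"

# Pass --live to check the real host instead of the constructed sample.
if [ "${1:-}" = "--live" ]; then
    diagnose "$(ip route)" "$(cat /proc/sys/net/ipv4/ip_forward)"
else
    diagnose "$SAMPLE_ROUTES_OK" 1
fi
```

Run it as root on the host with `--live`; a "wrong-next-hop" result after a container restart is the case the watcher service is meant to fix with the `restart-routing` trigger.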