runtipi/apps/rego-tunnel/vpn_scripts/start.sh

#!/usr/bin/env bash
set -Eeuo pipefail

# Startup hook - runs after container starts
# Dynamically detects Windows VM IP and sets up networking

# Install required packages (not persistent across restarts)
echo "[rego-tunnel] Installing required packages..."
apt-get update -qq && apt-get install -y -qq socat openssh-client netcat-openbsd >/dev/null 2>&1 || true

# Setup SSH key for accessing Windows VM
echo "[rego-tunnel] Setting up SSH key..."
mkdir -p /root/.ssh
cp /vpn_scripts/id_ed25519-lenovo /root/.ssh/ 2>/dev/null || true
chmod 600 /root/.ssh/id_ed25519-lenovo 2>/dev/null || true

get_windows_ip() {
  # Method 1: DHCP leases (hostname is "Windows")
  local ip=$(awk '/Windows/ {print $3}' /var/lib/misc/dnsmasq.leases 2>/dev/null | head -1)
  if [[ -n "$ip" ]]; then echo "$ip"; return; fi

  # Method 2: ip neigh (ARP table) - look for 172.30.x.x on docker interface
  ip=$(ip neigh show dev docker 2>/dev/null | grep -oE '172\.30\.[0-9]+\.[0-9]+' | head -1)
  if [[ -n "$ip" ]]; then echo "$ip"; return; fi

  # Method 3: qemu.ip file (if available)
  cat /run/shm/qemu.ip 2>/dev/null || true
}

get_container_ip() {
  # Get container's external IP on 172.31.x.x subnet (vpn_static-rego)
  ip -4 addr 2>/dev/null | grep -oE '172\.31\.[0-9]+\.[0-9]+' | head -1
}

(
  # Wait for Windows VM to boot and get IP
  echo "[rego-tunnel] Waiting for Windows VM..."
  WINDOWS_IP=""
  for i in {1..120}; do
    WINDOWS_IP=$(get_windows_ip)
    if [[ -n "$WINDOWS_IP" ]]; then
      echo "[rego-tunnel] Windows VM IP: $WINDOWS_IP"
      break
    fi
    sleep 2
  done

  if [[ -z "$WINDOWS_IP" ]]; then
    echo "[rego-tunnel] ERROR: Could not detect Windows VM IP"
    exit 1
  fi

  # Wait for SSH to be available on Windows
  echo "[rego-tunnel] Waiting for SSH on Windows..."
  for i in {1..60}; do
    if nc -z "$WINDOWS_IP" 22 2>/dev/null; then
      echo "[rego-tunnel] SSH is available"
      break
    fi
    sleep 2
  done

  CONTAINER_IP=$(get_container_ip)
  echo "[rego-tunnel] Container IP: $CONTAINER_IP"

  # Add MASQUERADE for docker bridge
  iptables -t nat -C POSTROUTING -o docker -j MASQUERADE 2>/dev/null || \
  iptables -t nat -A POSTROUTING -o docker -j MASQUERADE

  # Allow forwarding to Windows VM
  iptables -C FORWARD -d "$WINDOWS_IP" -j ACCEPT 2>/dev/null || \
  iptables -A FORWARD -d "$WINDOWS_IP" -j ACCEPT

  # Start socat to forward SSH from Windows VM
  pkill -f "socat.*:22" 2>/dev/null || true
  socat TCP-LISTEN:22,fork,reuseaddr TCP:"$WINDOWS_IP":22 &
  echo "[rego-tunnel] socat SSH forwarder started on port 22"

  # Start socat to forward SOCKS5 proxy from Windows VM
  pkill -f "socat.*1080" 2>/dev/null || true
  socat TCP-LISTEN:1080,fork,reuseaddr TCP:"$WINDOWS_IP":1080 &
  echo "[rego-tunnel] socat SOCKS5 forwarder started on port 1080"

  # Add DNAT rules for port forwarding
  add_dnat() {
    local port=$1
    iptables -t nat -C PREROUTING -d "$CONTAINER_IP" -p tcp --dport "$port" -j DNAT --to-destination "$WINDOWS_IP:$port" 2>/dev/null || \
    iptables -t nat -A PREROUTING -d "$CONTAINER_IP" -p tcp --dport "$port" -j DNAT --to-destination "$WINDOWS_IP:$port"
  }

  # SSH access
  add_dnat 22

  # IBM i standard ports
  add_dnat 23
  add_dnat 446
  add_dnat 448
  add_dnat 449

  # IBM i data ports
  for port in $(seq 8470 8476); do add_dnat $port; done

  # Additional port ranges
  for port in $(seq 2000 2020); do add_dnat $port; done
  for port in $(seq 3000 3020); do add_dnat $port; done
  for port in $(seq 10000 10020); do add_dnat $port; done
  for port in $(seq 36000 36010); do add_dnat $port; done

  echo "[rego-tunnel] iptables DNAT rules configured"
  echo "[rego-tunnel] SOCKS5 proxy available at $CONTAINER_IP:1080"
) &

return 0