runtipi/apps/rego-tunnel-linux/metadata/README.md

# Rego-Tunnel Linux VPN Bridge

This app runs a Linux VM (Ubuntu) inside a Docker container with Cisco Secure Client VPN, providing transparent access to VPN-protected resources (IBM i at 10.35.33.230) from the local network.

## Architecture

```
┌─────────────────────────────────────────────────────────────────────────┐
│ Linux Host (192.168.0.150)                                              │
│                                                                         │
│   Bridge: br-vpn-linux (172.31.1.1/24)                                 │
└─────────────────────────────────────────────────────────────────────────┘
                                    │
                                    ▼
┌─────────────────────────────────────────────────────────────────────────┐
│ Container: rego-tunnel-linux (172.31.1.10)                             │
│                                                                         │
│   qemux/qemu running Ubuntu VM                                         │
│   Port 8007 → Web console (noVNC)                                      │
│   Port 2222 → SSH to VM                                                │
│                                                                         │
│   Internal bridge: 172.32.1.1/24                                       │
└─────────────────────────────────────────────────────────────────────────┘
                                    │
                                    ▼
┌─────────────────────────────────────────────────────────────────────────┐
│ Ubuntu VM (172.32.1.20)                                                │
│                                                                         │
│   Cisco Secure Client VPN: connected to corporate network             │
│   VPN IP: 10.215.x.x                                                   │
│                                                                         │
│   cisco-vpn.sh:                                                        │
│     - Auto-login to Cisco via xdotool                                  │
│     - TOTP authentication (oathtool)                                   │
│     - iptables forwarding for target IP                                │
└─────────────────────────────────────────────────────────────────────────┘
                                    │
                                    ▼
┌─────────────────────────────────────────────────────────────────────────┐
│ IBM i (10.35.33.230)                                                   │
│   Via Cisco VPN tunnel                                                  │
└─────────────────────────────────────────────────────────────────────────┘
```

## Installation

### Step 1: Install the app via Runtipi

1. Go to Runtipi App Store
2. Install "Rego Tunnel Linux"
3. Configure RAM, CPU, and disk size

### Step 2: Set up the VM

1. Open the web console at port 8007
2. Complete Ubuntu installation (use Ubuntu Server for faster boot)
3. After installation, open a terminal

### Step 3: Install Cisco Secure Client

```bash
# Mount the shared folder (contains Cisco installation)
sudo mkdir -p /mnt/shared
sudo mount -t 9p shared /mnt/shared -o trans=virtio

# Run the install script
sudo bash /mnt/shared/install-cisco.sh
```

### Step 4: Connect VPN

```bash
# Run the VPN automation script
~/cisco-vpn.sh
```

The script will:
1. Start the Cisco VPN agent
2. Launch the VPN UI
3. Auto-type credentials and TOTP
4. Set up IP forwarding for the target

## Files

### vpn_scripts/secureclient/
Complete Cisco Secure Client installation.

### vpn_scripts/cisco-vpn.sh
Automated VPN login script:
- Starts vpnagentd if not running
- Launches vpnui
- Uses xdotool to type credentials
- Generates TOTP codes with oathtool
- Sets up iptables forwarding

### vpn_scripts/install-cisco.sh
One-time setup script to install Cisco Secure Client in the VM.

## Configuration

### VPN Credentials
Edit `~/cisco-vpn.sh` and update:
```bash
EMAIL="your-email@company.com"
PASSWORD="your-password"
TOTP_SECRET="your-totp-secret"
VPN_HOST="vpn.company.com"
TARGET_IP="10.x.x.x"
```

### Network Configuration

Add route on your laptop:
```cmd
route add 172.31.1.0 mask 255.255.255.0 192.168.0.150 -p
```

## User Config

Create `/etc/runtipi/user-config/runtipi/rego-tunnel-linux/docker-compose.yml`:

```yaml
networks:
  vpn_static-linux:
    driver: bridge
    driver_opts:
      com.docker.network.bridge.name: "br-vpn-linux"
    ipam:
      config:
        - subnet: 172.31.1.0/24

services:
  rego-tunnel-linux:
    sysctls:
      - net.ipv4.conf.all.rp_filter=0
      - net.ipv4.conf.default.rp_filter=0
    cap_add:
      - NET_ADMIN
    environment:
      - VM_NET_IP=172.32.1.20
    networks:
      vpn_static-linux:
        ipv4_address: 172.31.1.10
```

## Troubleshooting

### VPN UI doesn't start
- Ensure vpnagentd is running: `systemctl status cisco-vpnagentd`
- Check for missing libraries: `ldd /opt/cisco/secureclient/bin/vpnui`

### TOTP codes failing
- Sync time: `sudo timedatectl set-ntp true`
- Verify TOTP secret is correct

### Can't reach target IP
- Check if VPN is connected: `ip addr show cscotun0`
- Verify iptables rules: `sudo iptables -L -n`

## Comparison: Windows vs Linux

| Feature | Windows VM | Linux VM |
|---------|-----------|----------|
| Image | dockurr/windows | qemux/qemu |
| Boot time | ~3-5 min | ~1-2 min |
| RAM usage | ~2GB min | ~512MB min |
| Disk usage | ~15GB | ~5GB |
| Automation | DevTools/WebSocket | xdotool |