runtipi/apps/rego-tunnel/build/rego/README.md

# Rego VPN Automation - Technical Setup Guide

## Overview

Cisco Secure Client VPN running in Windows VM (dockurr/windows) inside Docker container, with SOCKS5 proxy for transparent routing to IBM i systems.

## Architecture

```
Clients → Host (iptables/redsocks) → Container (socat) → Windows VM (SOCKS5) → VPN → 10.35.33.x
```

## Components

### 1. Windows VM (inside container)
- **Container**: `rego-tunnel_runtipi-rego-tunnel-1`
- **Windows VM IP**: `172.30.0.16` or `172.30.0.17` (internal to container)
- **VPN**: Cisco Secure Client with SAML auth (email + password + TOTP)
- **Files on Windows** (`C:\Users\alexz\vpn_scripts`):
  - `vpn.bat` - Startup batch file
  - `vpn-login.js` - Node.js script that automates SAML login via Chrome DevTools Protocol
  - `socks5.js` - Simple SOCKS5 proxy server
  - `node_modules/` - ws, otplib packages

### 2. Container
- **External IPs**: `10.128.16.2` or similar
- **Internal bridge**: `172.30.0.1/24` (Windows VM at .16 or .17)
- **socat**: Forwards port 1080 from container to Windows VM SOCKS5
- **start.sh**: Mounted at `/run/start.sh` - sets up iptables DNAT rules

### 3. Host
- **redsocks**: Transparent SOCKS5 redirector (optional)
- **iptables**: Redirects traffic to VPN network through container

## VPN Credentials

Located in `vpn-login.js`:
```javascript
const CONFIG = {
  email: "c-azaw@regoproducts.com",
  password: "Fuckyou4suhail",
  totpSecret: "RZQTQSKDWKHZ6ZYR",
  devtoolsPort: 9222,
  vpnTestIp: "10.35.33.230"
};
```

## Windows Setup Steps

### 1. Install Node.js
Run PowerShell as Administrator:
```powershell
# Option A: Run the install script
.\install-nodejs.ps1

# Option B: Manual download from https://nodejs.org/
```

### 2. Install Cisco Secure Client
- Download from company VPN portal or Cisco
- Install with default options
- Path: `C:\Program Files (x86)\Cisco\Cisco Secure Client\`

### 3. Setup VPN Scripts
```cmd
mkdir C:\Users\alexz\vpn_scripts
copy \\TSCLIENT\shared\vpn-scripts\*.js C:\Users\alexz\vpn_scripts\
copy \\TSCLIENT\shared\vpn-scripts\vpn.bat C:\Users\alexz\vpn_scripts\

cd C:\Users\alexz\vpn_scripts
npm install ws otplib
```

### 4. Add to Windows Startup
```cmd
# Create shortcut to vpn.bat in:
shell:startup
# Or: C:\Users\alexz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
```

### 5. Enable Remote Debugging for Cisco UI
The vpn-login.js script sets this environment variable before launching Cisco:
```
WEBVIEW2_ADDITIONAL_BROWSER_ARGUMENTS=--remote-debugging-port=9222 --remote-debugging-address=0.0.0.0 --remote-allow-origins=*
```

## Container Configuration

### docker-compose.yml (user-config)
```yaml
services:
  rego-tunnel:
    environment:
      USER: alexz
      PASS: Az@83278327$$@@
      VERSION: win10
    entrypoint: ["/bin/bash", "-c", "source /run/start.sh; exec /usr/bin/tini -s /run/entry.sh"]
```

### start.sh (Container Startup Script)
Located at: `/etc/runtipi/user-config/runtipi/rego-tunnel/scripts/start.sh`

Sets up:
- iptables MASQUERADE for docker bridge
- Route to IBM i network via Windows VM
- DNAT rules for port forwarding (SSH, IBM i ports)

## Key Ports

| Port | Service |
|------|---------|
| 22 | SSH |
| 23 | Telnet (IBM i) |
| 446, 448, 449 | IBM i services |
| 1080 | SOCKS5 proxy |
| 8006 | noVNC web console |
| 8470-8476 | IBM i data ports |
| 9222 | Chrome DevTools (for automation) |

## Manual Commands

### Start VPN from host:
```bash
docker exec rego-tunnel_runtipi-rego-tunnel-1 ssh docker@172.30.0.16 'C:\Users\alexz\vpn_scripts\vpn.bat'
```

### Start socat in container:
```bash
docker exec -d rego-tunnel_runtipi-rego-tunnel-1 socat TCP-LISTEN:1080,fork,reuseaddr TCP:172.30.0.16:1080
```

### Test SOCKS5 connectivity:
```bash
nc -zv 10.128.16.2 1080
```

### Check VPN status in Windows:
```cmd
ipconfig | findstr 10\.
```

## Troubleshooting

### VPN not connecting
1. Check time sync: `w32tm /resync /force`
2. Verify Cisco agent: `net start "Cisco Secure Client Agent"`
3. Check DevTools: `http://172.30.0.16:9222/json`

### SOCKS5 not working
1. Verify VPN connected first (ping 10.35.33.230)
2. Check socks5.js running: `tasklist | findstr node`
3. Test locally: `nc -zv 127.0.0.1 1080`

### Container issues
1. Check logs: `docker logs rego-tunnel_runtipi-rego-tunnel-1`
2. Verify start.sh: `docker exec rego-tunnel_runtipi-rego-tunnel-1 cat /run/start.sh`
3. Check Windows VM IP: `docker exec rego-tunnel_runtipi-rego-tunnel-1 cat /run/qemu.pid`

## File Locations

### Host
- `/etc/runtipi/user-config/runtipi/rego-tunnel/docker-compose.yml` - User overrides
- `/etc/runtipi/user-config/runtipi/rego-tunnel/scripts/start.sh` - Container startup
- `/etc/runtipi/repos/runtipi/apps/rego-tunnel/docker-compose.yml` - Base config
- `/etc/runtipi/app-data/runtipi/rego-tunnel/data/storage/` - Windows disk image
- `/etc/runtipi/app-data/runtipi/rego-tunnel/data/shared/` - Shared folder with Windows

### Windows VM
- `C:\Users\alexz\vpn_scripts\vpn-login.js` - Main automation script
- `C:\Users\alexz\vpn_scripts\socks5.js` - SOCKS5 proxy
- `C:\Users\alexz\vpn_scripts\vpn.bat` - Startup batch file
- `C:\Program Files (x86)\Cisco\Cisco Secure Client\` - Cisco installation

## Watchdog Mode

The vpn-login.js script includes a watchdog that:
- Monitors VPN connectivity every 2 minutes
- Auto-reconnects after 2 consecutive failures
- Restarts SOCKS5 proxy after reconnection
- Logs memory usage every hour

## Notes

- Windows VM takes ~2-3 minutes to boot
- VPN login takes ~30 seconds
- TOTP requires accurate system time (script syncs automatically)
- The container uses VERSION=win10 for dockurr/windows compatibility
- noVNC password: `Az@83278327$@@`