runtipi/apps/cistech-tunnel/metadata/description.md
alexz 24594915a9
2026-01-17 14:29:47 +00:00


Cistech Tunnel - OpenConnect-SSO VPN

A Docker container running OpenConnect-SSO for Cisco AnyConnect VPNs, with the SSO/SAML login handled in a browser that is exposed through noVNC. It provides transparent VPN access to protected resources from your LAN.

Features

  • OpenConnect-SSO - Handles SAML/SSO authentication automatically
  • Playwright browser - Headless Chromium for SSO login
  • Web-based access via noVNC (port 6092)
  • Auto-login with TOTP - Credentials stored in keyring
  • LAN routing - Other machines on your network can reach VPN targets
  • Lightweight - No systemd inside the container, no Cisco AnyConnect client

Architecture

LAN Devices ──► Linux Host ──► Container (172.30.0.10) ──► VPN Tunnel ──► Target
                   │                    │
                   │                    ├── openconnect-sso + openconnect
                   │                    └── noVNC web UI (port 6092)
                   │
                   └── Host routing service
                       (routes VPN traffic through container)

Installation

1. Install the app through Runtipi

Configure your VPN credentials in app settings:

  • VPN Email
  • VPN Password
  • TOTP Secret (base32)
  • VPN Host (e.g., https://vpn.cistech.net/Employees)
  • Target IP (for connectivity testing)
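The auto-login step has to turn the base32 TOTP secret from these settings into a six-digit code every 30 seconds. The POSIX shell script below is an added example, not the app's own code: it performs that computation (RFC 6238, HMAC-SHA1) with only coreutils and openssl, and is checked against the RFC 6238 test secret. The function names and the RFC_SECRET variable are my own; the keyring secret takes the place of RFC_SECRET in real use. Because the code is derived from nothing but the secret and the clock, the base32 string is as sensitive as the VPN password, which is why the app keeps it in the keyring.

```shell
#!/bin/sh
# Added example, not part of the cistech-tunnel app: compute a TOTP code
# (RFC 6238, HMAC-SHA1, 30 s step) from a base32 secret using coreutils
# and openssl, which is the computation an auto-login step performs with
# the secret it reads back from the keyring.

# Base32 secret -> lowercase hex of the raw key bytes. Whitespace is dropped
# and '=' padding restored, since GNU `base32 -d` rejects unpadded input.
b32_to_hex() {
    s=$(printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    while [ $(( ${#s} % 8 )) -ne 0 ]; do s="${s}="; done
    printf '%s' "$s" | base32 -d | od -An -tx1 -v | tr -d ' \n'
}

# Emit the HOTP counter as 8 raw big-endian bytes on stdout.
counter_bytes() {
    hex=$(printf '%016x' "$1")
    i=1
    while [ "$i" -le 16 ]; do
        pair=$(printf '%s' "$hex" | cut -c "$i-$((i + 1))")
        byte=$(( 0x$pair ))
        # printf understands \ooo octal escapes, so this emits one raw byte
        printf "\\$(printf '%03o' "$byte")"
        i=$(( i + 2 ))
    done
}

# HMAC-SHA1 over stdin with a hex-encoded key; prints 40 hex characters.
hmac_sha1_hex() {
    openssl dgst -sha1 -mac HMAC -macopt "hexkey:$1" | sed 's/^.*= *//'
}

# totp_code SECRET_B32 UNIX_TIME [DIGITS=6] [STEP=30]
totp_code() {
    digits=${3:-6}
    step=${4:-30}
    counter=$(( $2 / step ))
    key_hex=$(b32_to_hex "$1")
    mac=$(counter_bytes "$counter" | hmac_sha1_hex "$key_hex")
    # Dynamic truncation (RFC 4226 section 5.3): the low nibble of the last
    # byte selects a 4-byte window; its top bit is cleared before reducing
    # modulo 10^digits.
    nib=$(printf '%s' "$mac" | cut -c 40)
    offset=$(( 0x$nib ))
    start=$(( offset * 2 + 1 ))
    window=$(printf '%s' "$mac" | cut -c "$start-$((start + 7))")
    mod=1
    n=0
    while [ "$n" -lt "$digits" ]; do mod=$(( mod * 10 )); n=$(( n + 1 )); done
    printf "%0${digits}d\n" $(( (0x$window & 0x7fffffff) % mod ))
}

# Seconds left before the current code rolls over; an auto-login step that
# submits a code with only a second or two left should wait for the next one.
totp_remaining() {
    step=${2:-30}
    printf '%d\n' $(( step - $1 % step ))
}

# RFC 6238 appendix B test secret (ASCII "12345678901234567890"), used here
# as a constructed stand-in for the keyring secret.
RFC_SECRET=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ

# Usage: sh totp.sh <base32-secret>   -> prints the current code
if [ -n "${1:-}" ]; then
    totp_code "$1" "$(date +%s)"
fi
```

With the RFC test secret, `totp_code "$RFC_SECRET" 59` prints 287082 and the 8-digit form prints 94287082, matching the RFC 6238 table.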

2. Install host routing service (required for LAN access)

Run this ONCE on the host after app install:

/etc/runtipi/repos/runtipi/apps/cistech-tunnel/shared/install-host-services.sh

This creates systemd services that route VPN traffic through the container.

3. Access the VPN GUI

Open http://<your-server>:6092/vnc.html

The VPN will auto-connect using your configured credentials.

Usage

Access noVNC

Navigate to port 6092 on your server. The openconnect-vpn script runs automatically and provides a menu:

1 - Connect VPN
2 - Disconnect VPN
3 - Show VPN status
4 - Setup IP forwarding
5 - Test connection
6 - Show network status
7 - Show routing table
8 - Setup keyring
q - Quit

Command line options

# Inside container
openconnect-vpn -c          # Connect and exit
openconnect-vpn -d          # Disconnect and exit
openconnect-vpn -s          # Show status
openconnect-vpn --help      # Show all options

View logs

# Inside container
cat /var/log/openconnect-vpn/$(date +%Y-%m-%d).log

# On host
cat /var/log/cistech-routing.log

LAN Access

After the host routing service is installed, any device on your LAN can reach the VPN target:

  1. From the host: Works automatically
  2. From other LAN devices: Add a static route pointing to your host

Example (Windows client):

route add 10.3.1.0 mask 255.255.255.0 192.168.0.150 -p

Where 192.168.0.150 is your Linux host IP.

Uninstall

Before removing the app from Runtipi:

/etc/runtipi/repos/runtipi/apps/cistech-tunnel/shared/uninstall-host-services.sh

Troubleshooting

VPN not connecting

# Check logs
docker exec cistech-tunnel cat /var/log/openconnect-vpn/$(date +%Y-%m-%d).log

# Try manual connect
docker exec -it cistech-tunnel /shared/openconnect-vpn -c

VPN connects but can't reach target

# Check routes inside container
docker exec cistech-tunnel ip route

# Check host routing
ip route | grep <target-ip>
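The host routing service from the installation step and the `ip route | grep` check above both come down to two facts on the host: IPv4 forwarding is on, and a route for the VPN target network points at the container. The POSIX shell script below is an added example, not the app's install-host-services.sh or its watcher: it builds the route command, checks `ip route` output by exact field match (a substring grep for `10.3.1` would also match `10.3.10.0/24`), and reports a one-word status. The target network 10.3.1.0/24 is taken from the LAN Access section, the container address 172.30.0.10 from Technical Details; the bridge address 172.30.0.1 in the sample output and all function names are my own assumptions. `route_cmd` also covers a Linux LAN client, where the next hop is the host instead of the container (the counterpart of the Windows `route add` line above).

```shell
#!/bin/sh
# Added example, not the app's install-host-services.sh: what a host routing
# service must establish so LAN traffic for the VPN target enters the
# container, plus a check that replaces `ip route | grep <target-ip>`.
# Assumed values: target network 10.3.1.0/24, container 172.30.0.10.

# Constructed sample of `ip route` output on a host where the route is in
# place (172.30.0.1 as the bridge address is an assumption).
SAMPLE_ROUTES='default via 192.168.0.1 dev eth0 proto dhcp
10.3.1.0/24 via 172.30.0.10 dev br-cistech-vpn
172.30.0.0/24 dev br-cistech-vpn proto kernel scope link src 172.30.0.1
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.150'

# route_cmd CIDR NEXTHOP: the command that sends CIDR via NEXTHOP. On the
# host NEXTHOP is the container; on a Linux LAN client it is the host.
route_cmd() {
    printf 'ip route replace %s via %s\n' "$1" "$2"
}

# route_present ROUTES CIDR NEXTHOP: exit 0 when ROUTES (text from
# `ip route`) has a line "CIDR via NEXTHOP ...". Exact field comparison
# avoids the false matches a substring grep gives for overlapping prefixes.
route_present() {
    printf '%s\n' "$1" | awk -v t="$2" -v g="$3" \
        '$1 == t && $2 == "via" && $3 == g { found = 1 } END { exit !found }'
}

# forwarding_enabled [FILE]: exit 0 when the kernel forwards IPv4 packets.
# Without forwarding, LAN packets for the VPN target are dropped on the host
# before the route is even consulted.
forwarding_enabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# routing_status ROUTES CIDR NEXTHOP [FWD_FILE]: one word a log can record.
routing_status() {
    if ! forwarding_enabled "${4:-}"; then
        printf 'forwarding-off\n'
    elif ! route_present "$1" "$2" "$3"; then
        printf 'route-missing\n'
    else
        printf 'ok\n'
    fi
}

# apply_host_routing CIDR NEXTHOP [LOG]: enable forwarding and install the
# route, appending a line to the host log file named in this README. The
# privileged commands run only as root; otherwise they are printed (dry run).
apply_host_routing() {
    log=${3:-/var/log/cistech-routing.log}
    cmd=$(route_cmd "$1" "$2")
    if [ "$(id -u)" -eq 0 ]; then
        sysctl -w net.ipv4.ip_forward=1 >/dev/null
        $cmd
        printf '%s applied: %s\n' "$(date -u +%FT%TZ)" "$cmd" >>"$log"
    else
        printf 'dry run (not root): sysctl -w net.ipv4.ip_forward=1; %s\n' "$cmd"
    fi
}

# Stand-alone run: status of the constructed sample against the live kernel
# forwarding setting, then the command the host needs.
printf 'sample status: %s\n' "$(routing_status "$SAMPLE_ROUTES" 10.3.1.0/24 172.30.0.10)"
route_cmd 10.3.1.0/24 172.30.0.10
```

On a host where the service is installed, `routing_status "$(ip route)" 10.3.1.0/24 172.30.0.10` should print `ok`; `forwarding-off` or `route-missing` tells you which half the watcher failed to restore before you touch the restart-routing trigger file.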

Host routing not working

# Check watcher service
systemctl status cistech-routing-watcher.path

# Manually trigger routing
touch /etc/runtipi/app-data/runtipi/cistech-tunnel/restart-routing

Technical Details

  • Container IP: 172.30.0.10 (on br-cistech-vpn bridge)
  • Ports: 6092 (noVNC), 5901 (VNC)
  • Capabilities: NET_ADMIN, /dev/net/tun
  • Log retention: 7 days (auto-cleanup)