Skip to content

markfalk/openconnect-squid

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

17 Commits
.github/workflows
.github/workflows
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
entrypoint.sh
entrypoint.sh
 
 
squid.conf
squid.conf
 
 

Repository files navigation

openconnect-squid

A container to allow an OpenConnect VPN connection to be used via a squid proxy as well as a socks5 proxy.

Supported variables:

  • ANYCONNECT_SERVER = Server to connect to

  • ADDITIONAL_OC_ARGS = Allow additional arguments to be passed to the OpenConnect command

    • Useful for passing options such as alternate user-agents

      Example: -e ADDITIONAL_OC_ARGS="--useragent=AnyConnect"

  • ADDITIONAL_ROUTE_CIDR = Allow additional routes to be added to the VPN connection. This became necessary when the VPN server was not providing the correct routes to the container which occurred when docker desktop moved off of VPNKit.

    Example: -e ADDITIONAL_ROUTE_CIDR=192.168.65.0/24

  • KEEP_ALIVE_URL = URL for keep alive (defaults to $ANYCONNECT_SERVER)

  • KEEP_ALIVE_TIMEOUT = Seconds to sleep between Keep Alive URL requests (defaults to 300 seconds)

  • LOG_STDOUT = set to true to enable logs to the terminal

  • LOG_STDOUT = set to true to enable logs to the terminal

  • LOG_STDOUT = set to true to enable logs to the terminal

A typical invocation:

>docker run --privileged -p 4128:3128/tcp -p 1081:1080/tcp -e LOG_STDOUT=true -e ANYCONNECT_SERVER=https://<VPN_URL> \
   -e ADDITIONAL_OC_ARGS="--useragent=AnyConnect" -e ADDITIONAL_ROUTE_CIDR=192.168.65.0/24 \
   -i -t mfalk/openconnect-squid:latest
[2020-10-14 22:43:09] POST https://<VPN_URL>/
[2020-10-14 22:43:09] Connected to X.X.X.X:443
[2020-10-14 22:43:09] SSL negotiation with <VPN_URL>
[2020-10-14 22:43:09] Connected to HTTPS on <VPN_URL> with ciphersuite TLSv1.2-ECDHE-RSA-AES256-GCM-SHA384
[2020-10-14 22:43:09] Got HTTP response: HTTP/1.0 302 Object Moved
[2020-10-14 22:43:09] GET https://<VPN_URL>/
[2020-10-14 22:43:09] Connected to X.X.X.X:443
[2020-10-14 22:43:09] SSL negotiation with <VPN_URL>
[2020-10-14 22:43:09] Connected to HTTPS on <VPN_URL> with ciphersuite TLSv1.2-ECDHE-RSA-AES256-GCM-SHA384
[2020-10-14 22:43:09] Got HTTP response: HTTP/1.0 302 Object Moved
[2020-10-14 22:43:09] GET https://<VPN_URL>/+webvpn+/index.html
[2020-10-14 22:43:09] SSL negotiation with <VPN_URL>
[2020-10-14 22:43:09] Connected to HTTPS on <VPN_URL> with ciphersuite TLSv1.2-ECDHE-RSA-AES256-GCM-SHA384
Please enter your username and password.
GROUP: [XX]:XX
Please enter your username and password.
Username:
Password:
[2020-10-14 22:43:16] POST https://<VPN_URL>/+webvpn+/index.html
Please select your second authentication method [num]:
1 - Okta Verify.
2 - Okta Verify Push.
3 - SMS Authentication.
4 - Google Authenticator.
Enter '0' to abort.

Response:
[2020-10-14 22:43:24] POST https://<VPN_URL>/+webvpn+/login/challenge.html
Enter the code for Google Authenticator.
Enter '0' to abort.

Response:
[2020-10-14 22:43:27] POST https://<VPN_URL>/+webvpn+/login/challenge.html
[2020-10-14 22:43:28] Got CONNECT response: HTTP/1.1 200 OK
[2020-10-14 22:43:28] CSTP connected. DPD 30, Keepalive 20
[2020-10-14 22:43:28] Connected as X.X.X.X, using SSL, with DTLS in progress
[2020-10-14 22:43:28] Continuing in background; pid 12
[2020-10-14 22:43:29] Established DTLS connection (using OpenSSL). Ciphersuite DTLSv1.2-ECDHE-ECDSA-AES256-GCM-SHA384.
2020/10/14 22:43:32| WARNING: BCP 177 violation. Detected non-functional IPv6 loopback.
WARNING: Cannot write log file: stdio:/dev/stderr
stdio:/dev/stderr: Permission denied
         messages will be sent to 'stderr'.
2020/10/14 22:43:32| Created PID file (/var/run/squid.pid)
2020/10/14 22:43:33| Set Current Directory to /var/cache/squid
WARNING: Cannot write log file: stdio:/dev/stderr
stdio:/dev/stderr: Permission denied
         messages will be sent to 'stderr'.
2020/10/14 22:43:33| Starting Squid Cache version 4.12 for x86_64-alpine-linux-musl...
2020/10/14 22:43:33| Service Name: squid
2020/10/14 22:43:33| Process ID 54
2020/10/14 22:43:33| Process Roles: master worker
2020/10/14 22:43:33| With 1048576 file descriptors available
2020/10/14 22:43:33| Initializing IP Cache...
2020/10/14 22:43:33| DNS Socket created at X.X.X.X, FD 7
2020/10/14 22:43:33| Adding nameserver X.X.X.X from /etc/resolv.conf
2020/10/14 22:43:33| Adding nameserver X.X.X.X from /etc/resolv.conf
2020/10/14 22:43:33| Logfile: opening log stdio:/dev/stderr
2020/10/14 22:43:33| Local cache digest enabled; rebuild/rewrite every 3600/3600 sec
2020/10/14 22:43:33| Logfile: opening log stdio:/dev/stderr
2020/10/14 22:43:33| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2020/10/14 22:43:33| Target number of buckets: 1008
2020/10/14 22:43:33| Using 8192 Store buckets
2020/10/14 22:43:33| Max Mem  size: 262144 KB
2020/10/14 22:43:33| Max Swap size: 0 KB
2020/10/14 22:43:33| Using Least Load store dir selection
2020/10/14 22:43:33| Set Current Directory to /var/cache/squid
2020/10/14 22:43:33| Finished loading MIME types and icons.
2020/10/14 22:43:33| HTCP Disabled.
2020/10/14 22:43:33| Squid plugin modules loaded: 0
2020/10/14 22:43:33| Adaptation support is off.
2020/10/14 22:43:33| Accepting HTTP Socket connections at local=X.X.X.X:3128 remote=[::] FD 10 flags=9
2020/10/14 22:43:34| storeLateRelease: released 0 objects

This will forward local port 4128 to the standard squid proxy of 3128. This will forward local port 1081 to the standard socks proxy of 1080.

Note:

  • System will send a curl of the $ANYCONNECT_SERVER URL every $KEEP_ALIVE_TIMEOUT as a keep-alive
  • Terminal will be tied up as the squid session is not placed in the background
  • Terminal must be closed in order to establish a new connection

About

No description, website, or topics provided.

Resources

Readme

License

MIT license
Activity

Stars

1 star

Watchers

2 watching

Forks

0 forks
Report repository

Releases 6

v1.0.5 Latest
Jan 4, 2024
+ 5 releases

Packages

No packages published

Languages