
kyokuheki/docker-openconnect-passlogic

Dockernized openconnect with PassLogic


configure

cat >> ~/.passlogic <<_EOT_ 
USERID=0123456789@vdi.example.net
PASSLOGIC=[[0,0],[1,0],[2,0],[3,0],[0,10],[0,11],[0,12],[0,13]]
PASSLOGIC_URL=https://vpn.example.net/passlogic/ui/keyreq.php?id=0123456%40vdi.example.net&kn=9999
VPN_HOST=vpn.example.net
_EOT_

configure routing entries

By default the wrapper script routes 10.0.0.0/8 through the VPN tunnel interface (the tunnel becomes the next hop for that prefix).
To change which routes go through the VPN, define the CISCO_SPLIT_INC_* environment variables that vpnc-script understands. The two examples below (one route, then three routes) are alternatives; append only one of them to ~/.passlogic.

cat >> ~/.passlogic <<_EOT_ 
CISCO_SPLIT_INC_USER=1
CISCO_SPLIT_INC_0_ADDR=192.168.100.0
CISCO_SPLIT_INC_0_MASK=255.255.255.0
CISCO_SPLIT_INC_0_MASKLEN=24
_EOT_
cat >> ~/.passlogic <<_EOT_ 
CISCO_SPLIT_INC_USER=3
CISCO_SPLIT_INC_0_ADDR=192.168.100.0
CISCO_SPLIT_INC_0_MASK=255.255.255.0
CISCO_SPLIT_INC_0_MASKLEN=24
CISCO_SPLIT_INC_1_ADDR=172.31.0.0
CISCO_SPLIT_INC_1_MASK=255.255.0.0
CISCO_SPLIT_INC_1_MASKLEN=16
CISCO_SPLIT_INC_2_ADDR=192.0.2.0
CISCO_SPLIT_INC_2_MASK=255.255.255.0
CISCO_SPLIT_INC_2_MASKLEN=24
_EOT_

See https://www.infradead.org/openconnect/vpnc-script.html,
http://git.infradead.org/users/dwmw2/vpnc-scripts.git/blob_plain/HEAD:/vpnc-script
and https://gitlab.com/openconnect/vpnc-scripts/-/blob/master/vpnc-script.
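The following is an added example, not code from the docker-openconnect-passlogic project: it reads a docker --env-file such as ~/.passlogic and checks the CISCO_SPLIT_INC_* entries before the container is started, so a netmask that disagrees with its prefix length, or an address with host bits set, is caught locally instead of producing a wrong route inside the tunnel. It assumes the semantics described above and in vpnc-script (CISCO_SPLIT_INC_USER is the number of routes, entry i is CISCO_SPLIT_INC_i_ADDR/_MASK/_MASKLEN) and that the env file is plain KEY=VALUE lines rather than shell syntax, which matters because the PASSLOGIC_URL value contains an unquoted `&`. The sample file content is constructed from the values shown in this README.

```python
from __future__ import annotations

import ipaddress

# Constructed sample env file, built from the values shown in the README.
SAMPLE_ENV = """\
USERID=0123456789@vdi.example.net
PASSLOGIC=[[0,0],[1,0],[2,0],[3,0],[0,10],[0,11],[0,12],[0,13]]
PASSLOGIC_URL=https://vpn.example.net/passlogic/ui/keyreq.php?id=0123456%40vdi.example.net&kn=9999
VPN_HOST=vpn.example.net
CISCO_SPLIT_INC_USER=3
CISCO_SPLIT_INC_0_ADDR=192.168.100.0
CISCO_SPLIT_INC_0_MASK=255.255.255.0
CISCO_SPLIT_INC_0_MASKLEN=24
CISCO_SPLIT_INC_1_ADDR=172.31.0.0
CISCO_SPLIT_INC_1_MASK=255.255.0.0
CISCO_SPLIT_INC_1_MASKLEN=16
CISCO_SPLIT_INC_2_ADDR=192.0.2.0
CISCO_SPLIT_INC_2_MASK=255.255.255.0
CISCO_SPLIT_INC_2_MASKLEN=24
"""


def parse_env_file(text: str) -> dict[str, str]:
    """Read docker --env-file syntax: one KEY=VALUE per line, '#' comments,
    no quoting or escaping; the first '=' separates key from value, so a
    '&' or '[' inside the value is literal (this is not shell syntax)."""
    env: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # a bare KEY passes the host's value through; not handled here
        env[key.strip()] = value
    return env


def split_includes(env: dict[str, str]) -> list[ipaddress.IPv4Network]:
    """Return the split-include networks described by CISCO_SPLIT_INC_*.
    Raises ValueError on a missing variable, a MASK that disagrees with
    MASKLEN, or an ADDR that is not the network address of its prefix."""
    count = int(env.get("CISCO_SPLIT_INC_USER", "0"))
    nets: list[ipaddress.IPv4Network] = []
    for i in range(count):
        prefix = f"CISCO_SPLIT_INC_{i}_"
        try:
            addr = env[prefix + "ADDR"]
            mask = env[prefix + "MASK"]
            masklen = int(env[prefix + "MASKLEN"])
        except KeyError as exc:
            raise ValueError(f"missing {exc.args[0]}") from None
        # strict=True rejects host bits set below the prefix, e.g. 10.1.2.3/24
        net = ipaddress.IPv4Network(f"{addr}/{masklen}", strict=True)
        if str(net.netmask) != mask:
            raise ValueError(
                f"{prefix}MASK={mask} disagrees with MASKLEN={masklen} "
                f"(expected {net.netmask})"
            )
        nets.append(net)
    return nets


def route_commands(nets: list[ipaddress.IPv4Network], dev: str = "tun0") -> list[str]:
    """Render the routes as the ip(8) commands vpnc-script would install."""
    return [f"ip route add {net} dev {dev}" for net in nets]


if __name__ == "__main__":
    env = parse_env_file(SAMPLE_ENV)
    for cmd in route_commands(split_includes(env)):
        print(cmd)
```

Run it once against the real ~/.passlogic (replace SAMPLE_ENV with the file's contents) before `docker run`; a ValueError here means vpnc-script would have received an inconsistent route description.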

PassLogic JSON

A PassLogic JSON value is an array of [x, y] coordinates into the authentication pattern.
For example, if the PassLogic password read off the pattern is 65686825 as shown in the figure,
the PassLogic JSON is [[0,13],[3,13],[3,10],[0,10],[0,8],[3,8],[3,5],[0,5]].
Set the PassLogic JSON obtained this way as the value of the PASSLOGIC variable.

(Figure: passlogic_json)
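As an added example (not code from the project or its author), the following shows how a PASSLOGIC coordinate list is turned into the password that the current authentication pattern displays, with the input validated first. It assumes each entry is [x, y] with x the column and y the row of the pattern (0-based, top-left origin) and that every cell holds one digit; PATTERN is a constructed 4-column, 16-row grid whose cells were chosen so that the README's example coordinates spell 65686825, not a real PassLogic pattern.

```python
from __future__ import annotations

import json

# Constructed pattern: 4 columns (x) by 16 rows (y). The eight cells addressed
# by README_JSON were set so that the README's example reads 65686825.
PATTERN = [
    "3147",  # y = 0
    "9026",
    "5831",
    "7409",
    "1658",
    "5732",  # y = 5
    "2085",
    "4961",
    "6318",  # y = 8
    "0574",
    "8296",  # y = 10
    "3710",
    "9045",
    "6185",  # y = 13
    "2367",
    "4829",  # y = 15
]

# The coordinate list from the README's PassLogic JSON section.
README_JSON = "[[0,13],[3,13],[3,10],[0,10],[0,8],[3,8],[3,5],[0,5]]"


def parse_passlogic_json(text: str, width: int, height: int) -> list[tuple[int, int]]:
    """Validate a PASSLOGIC value: a non-empty JSON array of [x, y] integer
    pairs that all lie inside a width x height pattern."""
    try:
        coords = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"PASSLOGIC is not valid JSON: {exc}") from None
    if not isinstance(coords, list) or not coords:
        raise ValueError("PASSLOGIC must be a non-empty JSON array")
    out: list[tuple[int, int]] = []
    for pair in coords:
        # bool is a subclass of int in Python, so reject true/false explicitly
        ok = (isinstance(pair, list) and len(pair) == 2
              and all(isinstance(v, int) and not isinstance(v, bool) for v in pair))
        if not ok:
            raise ValueError(f"bad coordinate {pair!r}, expected [x, y] integers")
        x, y = pair
        if not (0 <= x < width and 0 <= y < height):
            raise ValueError(f"coordinate {pair} lies outside the {width}x{height} pattern")
        out.append((x, y))
    return out


def read_password(pattern: list[str], coords: list[tuple[int, int]]) -> str:
    """Read the digit at each coordinate, in order, from the pattern rows."""
    return "".join(pattern[y][x] for x, y in coords)


def derive_password(pattern: list[str], passlogic_json: str) -> str:
    """Validate the PASSLOGIC value against the pattern size and read it off."""
    width, height = len(pattern[0]), len(pattern)
    return read_password(pattern, parse_passlogic_json(passlogic_json, width, height))


if __name__ == "__main__":
    print(derive_password(PATTERN, README_JSON))  # 65686825
```

Because the coordinate list in ~/.passlogic is the long-lived secret from which every one-time password is derived, keep that file readable only by its owner (for example `chmod 600 ~/.passlogic`).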

PassLogic URL

  1. Go to the PassLogic web page in your browser and view the authentication pattern.
  2. Set the URL of the authentication pattern page to the variable PASSLOGIC_URL.

run with

The recommended setup is to run one VPN container (kyokuheki/openconnect-passlogic) that holds the VPN connection, and to attach the other containers to its network namespace so that their traffic goes through the tunnel.

Run the VPN container

docker run --rm -it --name=openconnect --cap-add=NET_ADMIN --env-file ~/.passlogic \
  kyokuheki/openconnect-passlogic

Run other containers

docker run -it --rm --name=other-container1 --net=container:openconnect \
  --dns=10.1.1.1 \
  alpine ping sv1.vdi.example.net

If you know the IP address of the server, you can set the hostname and IP address in the docker command options.

docker run -it --rm --name=other-container2 --net=container:openconnect \
  --add-host sv1.vdi.example.net:10.2.3.1 \
  alpine ping sv1.vdi.example.net

run with host's network namespace

The container runs in the network namespace of the host.
The host's default route is not changed, but the wrapper script sets the next hop for 10.0.0.0/8 to the VPN tunnel.
Use this configuration if you want to experiment directly from the host.

If the VPN server sends DNS resolvers during negotiation, you have to register them with systemd-resolved yourself, as in the following example (on newer systemd releases `resolvectl dns tun0 ...` and `resolvectl domain tun0 ...` replace the `systemd-resolve` options shown).

docker run --rm -it --name=openconnect --cap-add=NET_ADMIN --env-file ~/.passlogic \
  --net=host \
  kyokuheki/openconnect-passlogic

# set per-interface DNS on tun0 if you want to resolve *.example.net and *.example.com
sudo systemd-resolve --interface tun0 --set-dns=10.1.1.1 --set-dns=10.1.1.2 \
  --set-domain=example.net \
  --set-domain=example.com

If you know the IP address of the server, you can set the hostname and IP address in the docker command options.

# example of vmware-horizon-client
docker run --rm -it ... \
  --add-host sv1.vdi.example.net:10.2.3.1 \
  --add-host sv2.vdi.example.net:10.2.3.2 \
  --add-host sv3.vdi.example.net:10.2.3.3 \
  kyokuheki/vmware-horizon-client

Languages: Shell 50.6%, Python 25.1%, Dockerfile 24.3%

Apache License 2.0
Created April 14, 2021
Updated May 10, 2021