Neil
Neil
Treat your password like your toothbrush. Don’t let anybody else use it, and get a new one every six months.

100% easy Open-source VPN and Proxy with podman

- Advertisement -

Introduction

OpenConnect VPN is not officially supported by or associated in any way with Cisco Systems, Juniper Networks, Pulse Secure, Palo Alto Networks, F5, Fortinet, or any of the companies whose protocols we may support in the future. It just happens to interoperate with their equipment. Trademarks belong to their owners in a somewhat tautological and obvious fashion.

An openconnect VPN server (ocserv), which implements an improved version of the Cisco AnyConnect protocol, was also written.

OpenConnect VPN server is an SSL VPN server that is secure, small, fast, and configurable. It implements the OpenConnect SSL VPN protocol and has also (currently experimental) compatibility with clients using the AnyConnect SSL VPN protocol. The OpenConnect protocol provides a dual TCP/UDP VPN channel and uses the standard IETF security protocols to secure it. The OpenConnect client is multi-platform and available here. Alternatively, you can try connecting using the official Cisco AnyConnect client (Confirmed working on Android). For the HAproxy tutorial, you can try the link.

OpenConnect is released under the GNU Lesser Public License, version 2.1.

Development

OpenConnect was started after a trial of the Cisco AnyConnect client under Linux found it to have many deficiencies:

  • Inability to use SSL certificates from a TPM or PKCS#11 smartcard, or even use a passphrase.
  • Lack of support for Linux platforms other than i386.
  • Lack of integration with NetworkManager on the Linux desktop.
  • Lack of proper (RPM/DEB) packaging for Linux distributions.
  • “Stealth” use of libraries with dlopen(), even using the development-only symlinks such as libz.so — making it hard to properly discover the dependencies which proper packaging would have expressed
  • Tempfile races allowing unprivileged users to trick it into overwriting arbitrary files, as root.
  • Unable to run as an unprivileged user, which would have reduced the severity of the above bug.
  • Inability to audit the source code for further such “Security 101” bugs.

Basic image features

  • Base: Alpine
  • Latest OpenConnect Server 8.04
  • Size: 20MB
  • Modification of the listening port for more networking versatility
  • Customizing the DNS servers used for queries over the VPN
  • Supports tunneling all traffic over the VPN or tunneling only specific routes via split-include
  • Config directory can be mounted to a host directory for persistence
  • Create certs automatically using default or provided values, or drop your own certs in /config/certs
  • Advanced manual configuration for power users
  • FREE VPN server can be connected from the link

Basic Configuration

Without customizing cert variables

#  podman run --privileged --name openconnect-server -d \
> -p 8888:8888 -p 8889:8889 -e OPENCONNECT_URL=vpn.gateway.com \
> wazum/openconnect-proxy:latest

With customizing cert variables

# podman run --privileged --name openconnect-server -d \ 
-p 8888:8888 -p 8889:8889 -e OPENCONNECT_URL=vpn.gateway.com \ 
-e OPENCONNECT_USER=unixcop -e OPENCONNECT_PASSWORD=unixcop wazum/openconnect-proxy:latest

Use container with docker-compose

vpn:
  container_name: openconnect_vpn
  image: wazum/openconnect-proxy:latest
  privileged: true
  env_file:
    - .env
  ports:
    - 8888:8888
    - 8889:8889
  cap_add:
    - NET_ADMIN
  networks:
    - mynetwork

Set the environment variables for openconnect in the .env file again (or specify another file) and map the configured ports in the container to your local ports if you want to access the VPN on the host when running your containers. Otherwise, only the docker containers in the same network have access to the proxy ports.

Route traffic through VPN container

- Advertisement -

Let’s say you have a vpn the container defined as above, then add network_mode option to your other containers:

depends_on:
  - vpn
network_mode: "service:vpn"

Keep in mind that networksextra_hosts, etc. and network_mode are mutually exclusive.

Configure proxy

The container is connected via openconnect, and now you can configure your browser and other software to use one of the proxies (8888 for HTTP/HTTPS or 8889 for socks).

For example, FoxyProxy (available for Firefox, Chrome) is a suitable browser extension.

You may also set environment variables:

# export http_proxy="http://127.0.0.1:8888/"
# export https_proxy="http://127.0.0.1:8888/"

Open browser and configure the vpn/proxy

We have a secured vpn and proxy

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest articles

Join us on Facebook

x