-
Notifications
You must be signed in to change notification settings - Fork 3
/
start-vpn
executable file
·126 lines (105 loc) · 3.64 KB
/
start-vpn
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
#!/bin/bash
DOCKER=docker
if podman --version >/dev/null 2>&1; then
echo "Using Podman as Docker client"
DOCKER=podman
fi
if [[ $EUID -ne 0 ]]; then
echo "Please run the start-vpn script as as root" 1>&2
exit 1
fi
DIR=$(cd -P -- "$(dirname -- "$(readlink -f "$0")")" && pwd -P)
cd "$DIR"
if [ ! -f packages/anyconnect.tar.gz ]; then
echo "Please place your anyconnect linux packages in packages/anyconnect.tar.gz"
exit 1
fi
if [ ! -f packages/cortex.deb ]; then
echo "Please place your cortex/traps installer in packages/cortex.deb"
exit 1
fi
if systemctl -q is-active systemd-resolved.service 2>/dev/null; then
if [ ! -f config/systemd-resolved.template ]; then
echo "Please create a systemd-resolved config template and place it in file config/systemd-resolved.template"
exit 1
fi
USE_SYSTEMD_RESOLVED=true
elif [ ! -f config/resolv.template ]; then
echo "Please create a resolve.conf template and place it in file config/resolv.template"
exit 1
fi
if [ -f config/response.txt ]; then
if ! grep -q '\$VPN_PASSWORD' config/response.txt; then
echo 'Please make sure to reference VPN_PASSWORD in config/response.txt'
exit 1
fi
while [ -z "$VPN_PASSWORD" ]; do
echo -n 'VPN password: '
read -sr VPN_PASSWORD
echo
done
export VPN_PASSWORD
if grep -q '\$VPN_TOTP' config/response.txt; then
while [ -z "$VPN_TOTP" ]; do
echo -n '[MFA] Enter a time-based one-time password: '
read -sr VPN_TOTP
echo
done
export VPN_TOTP
fi
MOUNT_RESPONSE_FILE="-e VPN_PASSWORD -e VPN_TOTP -v $(pwd)/config/response.txt:/response.txt"
else
MOUNT_RESPONSE_FILE=''
fi
if [ -f config/AnyConnectProfile.xml ]; then
MOUNT_ANYCONNECT_PROFILE="-v $(pwd)/config/AnyConnectProfile.xml:/opt/cisco/anyconnect/profile/AnyConnectProfile.xml"
else
MOUNT_ANYCONNECT_PROFILE=''
fi
. config/routes
"$DOCKER" network ls | grep vpn-network > /dev/null
HAS_NETWORK=$?
if [ $HAS_NETWORK -ne 0 ]; then
echo "Creating docker network for VPN"
"$DOCKER" network create --subnet=10.200.64.0/24 vpn-network
fi
echo "Enabling cross-docker bridge communications with VPN"
NETWORK_ID=br-`"$DOCKER" network ls | grep vpn-network | cut -f 1 -d' '`
iptables -F DOCKER-USER
iptables -A DOCKER-USER -o $NETWORK_ID -j ACCEPT
iptables -A DOCKER-USER -i $NETWORK_ID -j ACCEPT
"$DOCKER" image ls | grep vpn-anyconnect > /dev/null
HAS_IMAGE=$?
if [ $HAS_IMAGE -ne 0 ]; then
echo "Creating docker image for VPN"
"$DOCKER" build --tag vpn-anyconnect .
else
echo 'Updating Docker image...'
"$DOCKER" build -q --tag vpn-anyconnect . >/dev/null || exit 1
fi
echo "Starting VPN"
if [ -z $USE_SYSTEMD_RESOLVED ]; then
mv /etc/resolv.conf /etc/resolv.conf.vpn-orig
sed -i 's/172\.19\.0\.2/10.200.64.2/' config/resolv.template
cp config/resolv.template /etc/resolv.conf
chmod a+r /etc/resolv.conf
else
mkdir -p /etc/systemd/resolved.conf.d/
sed -i 's/172\.19\.0\.2/10.200.64.2/' config/systemd-resolved.template
cp config/systemd-resolved.template /etc/systemd/resolved.conf.d/anyconnect-dns-settings.conf
systemctl restart systemd-resolved.service
fi
for r in ${routes[@]}; do
ip route add $r via 10.200.64.2
done
"$DOCKER" run --name vpn-anyconnect --hostname $(hostname) --privileged --cap-add NET_ADMIN --cap-add SYS_ADMIN -ti $MOUNT_RESPONSE_FILE $MOUNT_ANYCONNECT_PROFILE --net vpn-network --ip 10.200.64.2 --rm vpn-anyconnect
echo "Restoring original configuration"
for r in ${routes[@]}; do
ip route del $r via 10.200.64.2
done
if [ -z $USE_SYSTEMD_RESOLVED ]; then
mv /etc/resolv.conf.vpn-orig /etc/resolv.conf
else
rm /etc/systemd/resolved.conf.d/anyconnect-dns-settings.conf
systemctl restart systemd-resolved.service
fi