This provides a way to connect to a Corporate VPN and expose HTTP(S), SOCKS5, and DNS proxies. It supports two approaches:
- Proxy Using Host's VPN: the container leverages the host's existing VPN connection.
- Self-Contained VPN: the container connects to the VPN itself using openconnect, creating a self-contained setup.

Both approaches provide proxy services (http(s), socks5, dns) via privoxy, microsocks and dnsmasq so that clients can reach services within the VPN. Choose an approach based on your requirements and VPN server capabilities.
To help you get started creating a container from this image you can use docker-compose or the docker CLI.

```yaml
---
version: "3.3"
services:
  corpvpn:
    image: tdharris/corpvpn:latest
    container_name: corpvpn
    cap_add:
      - NET_ADMIN
    volumes:
      - /etc/localtime:/etc/localtime:ro
    environment:
      - DEFAULT_PUID=1000
      - DEFAULT_PGID=1000
      - ENABLE_VPN=false # Optional
      - ENABLE_DNS=true # Optional
      - AUTOHEAL_ENABLED=false # Optional
      - LAN_NETWORK=192.168.1.0/24 # Optional
      - VPN_SERVER= # Optional
      - VPN_USER= # Optional
      - VPN_PASS= # Optional
      - VPN_PROTOCOL=pulse # Optional
      - VPN_AUTH_GROUP="Smartphone Push" # Optional
    # env_file:
    #   - .env # Optional alternative to environment (see .env.sample)
    ports:
      - 8118:8118 # PRIVOXY_PORT
      - 9118:9118 # SOCKS_PORT
      - 5354:53/tcp # DNS_PORT
      - 5354:53/udp # DNS_PORT
    sysctls:
      - net.ipv6.conf.all.disable_ipv6=0
      - net.ipv6.conf.default.disable_ipv6=0
      - net.ipv6.conf.lo.disable_ipv6=0
      - net.ipv4.tcp_keepalive_intvl=1
      - net.ipv4.tcp_keepalive_probes=3
      - net.ipv4.tcp_keepalive_time=30
    logging:
      driver: "json-file"
      options:
        max-size: "10M"
        max-file: "10"
    healthcheck:
      test: /app/healthcheck.sh || exit 1
      timeout: 30s
      interval: 60s
      start_period: 60s
      retries: 3
```

- See .env.sample for Environment Variables. Review the usage approaches below for additional information.
- See Docker Hub tdharris/corpvpn for more information on the image. You can also build the image locally with the provided Dockerfile.
- The proxies are unauthenticated, so any host that can reach the published ports gets a path into the corporate network. If only clients on this machine need them, publish the ports on the loopback address (for example `127.0.0.1:8118:8118`) instead of on all interfaces, which is Docker's default for `8118:8118`.
In the first approach, Proxy Using Host's VPN, the Docker container acts as a proxy that leverages the host's network connection to the Corporate VPN. This is the simpler setup: the host machine is already connected to the Corporate VPN, and the container simply provides proxy services (http(s), socks5, dns) so that other clients can reach services within the VPN.

To use this approach, run the docker-compose setup as usual, without providing VPN connection details. The container will use the host's VPN connection to access the corporate network.

- Pre-requisites:
  - The host machine is already connected to the Corporate VPN.
  - Docker
  - Docker-Compose
- Update the following Environment Variables:
  - `ENABLE_VPN=false`
  - `LAN_NETWORK=<lan ipv4 network>/<cidr notation>`
- See Common Steps for Both Approaches below.
In the second approach, Self-Contained VPN, the Docker container connects to the Corporate VPN itself using openconnect with a configurable protocol. The VPN connection is managed within the container. This approach is more complex and requires the VPN server to accept connections from openconnect, possibly with an MFA method such as Smartphone Push.

To use this approach, provide the VPN connection details (VPN_SERVER, VPN_USER, VPN_PASS, VPN_PROTOCOL, VPN_AUTH_GROUP). The container will use these details to establish its own VPN connection.

Please note that not all VPN servers support connections from openconnect. Check with your IT department or VPN provider to see if this approach is permitted. Because VPN_PASS is a credential, keep it out of a docker-compose.yml that may end up in version control: prefer the `env_file` option with a `.env` file readable only by you.

- Pre-requisites:
  - The Smartphone Push MFA method has been configured for the VPN_USER account (configurable with VPN_AUTH_GROUP).
  - Docker
  - Docker-Compose
- Update the following Environment Variables:
  - `ENABLE_VPN=true`
  - `VPN_SERVER=<vpn server address>`
  - `VPN_USER=<vpn username>`
  - `VPN_PASS=<vpn password>`
  - `LAN_NETWORK=<lan ipv4 network>/<cidr notation>`
- See Common Steps for Both Approaches below.
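The following script is an added example, not part of the corpvpn project: a pre-flight check to run against a `.env` file (the `env_file` option above) before `docker-compose up -d`. It checks the variables each approach requires, that LAN_NETWORK is an IPv4 network in CIDR notation, that VPN_PROTOCOL is a name openconnect accepts (the list `anyconnect nc gp pulse f5 fortinet array` is assumed from openconnect's own documentation; the image may support only a subset), and that a file carrying VPN_PASS is not world-readable. The file is parsed rather than sourced, so a malformed or malicious line cannot execute anything. The filename `preflight.sh` is an assumption.

```shell
#!/usr/bin/env bash
# Added example, not part of the corpvpn project: pre-flight validation of a
# .env file (env_file in the compose setup) before `docker-compose up -d`.
# Variable names are the ones from the compose file; the protocol list is
# assumed from openconnect's own documentation.

# read_var FILE KEY: print KEY's value from a KEY=VALUE file. Blank lines and
# comments are skipped, the last assignment wins and one layer of matching
# quotes is stripped. The file is parsed, never sourced, so nothing in it can
# execute.
read_var() {
  local file="$1" key="$2" line val=''
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      "$key="*) val=${line#"$key="} ;;
      *) continue ;;
    esac
    case $val in
      \"*\") val=${val#\"}; val=${val%\"} ;;
      \'*\') val=${val#\'}; val=${val%\'} ;;
    esac
  done < "$file"
  printf '%s' "$val"
}

# is_ipv4 ADDR: four dotted decimal octets, each 0..255
is_ipv4() {
  local IFS=. ip="$1" o n=0
  case $ip in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  for o in $ip; do
    n=$((n + 1))
    [ "$o" -le 255 ] || return 1
  done
  [ "$n" -eq 4 ]
}

# is_cidr NET: IPv4 address followed by /0..32, as LAN_NETWORK expects
is_cidr() {
  local addr="${1%/*}" bits="${1#*/}"
  [ "$1" != "$addr" ] || return 1            # no "/" at all
  is_ipv4 "$addr" || return 1
  case $bits in ''|*[!0-9]*) return 1 ;; esac
  [ "$bits" -le 32 ]
}

# _fail MSG: report a problem; `errors` is the caller's counter (dynamic scope)
_fail() { printf 'ERROR: %s\n' "$1" >&2; errors=$((errors + 1)); }

# validate_env FILE: report every problem on stderr; succeed only if none
validate_env() {
  local f="$1" errors=0 enable_vpn lan proto k
  [ -r "$f" ] || { _fail "cannot read $f"; return 1; }

  enable_vpn=$(read_var "$f" ENABLE_VPN)
  case $enable_vpn in
    true|false) ;;
    '') _fail "ENABLE_VPN unset: false = use the host's VPN, true = openconnect in the container" ;;
    *)  _fail "ENABLE_VPN must be true or false, got '$enable_vpn'" ;;
  esac

  lan=$(read_var "$f" LAN_NETWORK)
  if [ -n "$lan" ] && ! is_cidr "$lan"; then
    _fail "LAN_NETWORK '$lan' is not an IPv4 network in CIDR notation"
  fi

  if [ "$enable_vpn" = true ]; then
    for k in VPN_SERVER VPN_USER VPN_PASS; do
      [ -n "$(read_var "$f" "$k")" ] || _fail "$k is required when ENABLE_VPN=true"
    done
    proto=$(read_var "$f" VPN_PROTOCOL)
    case ${proto:-pulse} in                    # the compose file defaults to pulse
      anyconnect|nc|gp|pulse|f5|fortinet|array) ;;
      *) _fail "VPN_PROTOCOL '$proto' is not a protocol openconnect supports" ;;
    esac
    # A file holding the VPN password must not be readable by other users.
    if [ -n "$(read_var "$f" VPN_PASS)" ] && [ -n "$(find "$f" -perm -004)" ]; then
      _fail "$f holds VPN_PASS but is world-readable: chmod 600 it"
    fi
  fi
  [ "$errors" -eq 0 ]
}

# Usage: ./preflight.sh .env   (with no argument only the functions are defined)
if [ $# -eq 1 ]; then
  validate_env "$1" && echo "ok: $1 is consistent"
fi
```

Run it as `./preflight.sh .env` and fix every reported line before starting the container; a non-zero exit status makes it usable as a guard in a wrapper around `docker-compose up -d`.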
After setting up the pre-requisites and environment variables above, follow these steps to run the docker-compose setup:

- Run with docker-compose: `docker-compose up -d`
- (optional) Approve the MFA request via Smartphone Push.
- To monitor container logs: `docker logs -f --tail 10 corpvpn`
- To stop the VPN, simply stop the container: `docker stop corpvpn`
- Set up clients to connect via the proxy provided by the container: `:8118` for http(s) or `:9118` for socks. See Configure Clients for more details.
- (optional) Validate proxy and VPN connectivity. To validate the http(s) `:8118` and socks `:9118` proxies, the following commands should succeed and return the VPN IP address, not your public IP address:

```sh
curl -sSf --socks5 127.0.0.1:9118 ifconfig.co/ip
curl -sSf --proxy 127.0.0.1:8118 ifconfig.co/ip
```

Note: Replace `127.0.0.1` with the IP address of the host where the container is running if it is not localhost.
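The two commands above confirm egress by eye. The script below is an added example, not the project's own tooling, that automates the check: it fetches the address seen directly and through each proxy and fails when they match, which is what you get when the proxy answers but the container is not actually on the VPN. It uses the page's default host, ports and ifconfig.co; `check_dns` additionally resolves a name you supply (a placeholder for an internal hostname) through the container's dnsmasq on port 5354, which only works with `ENABLE_DNS=true` and needs `dig` installed. The filename `vpn-egress-check.sh` is an assumption.

```shell
#!/usr/bin/env bash
# Added example, not part of the corpvpn project: verify that requests through
# the container's proxies leave via the VPN, and that its DNS resolves.
PROXY_HOST=${PROXY_HOST:-127.0.0.1}   # host running the container
HTTP_PORT=${HTTP_PORT:-8118}          # privoxy
SOCKS_PORT=${SOCKS_PORT:-9118}        # microsocks
DNS_PORT=${DNS_PORT:-5354}            # dnsmasq, published as 5354:53

# egress_differs DIRECT VIA: succeed only when VIA looks like an IP literal and
# differs from DIRECT. Equal addresses mean the proxy works but is not using
# the VPN; an empty VIA means the proxied request failed outright.
egress_differs() {
  local direct="$1" via="$2"
  [ -n "$direct" ] && [ -n "$via" ] || return 1
  case $via in *.*.*.*|*:*) ;; *) return 1 ;; esac   # IPv4 or IPv6 literal
  [ "$via" != "$direct" ]
}

# fetch_ip [curl options]: the public address ifconfig.co sees; empty on failure
fetch_ip() {
  curl -sSf --max-time 15 "$@" https://ifconfig.co/ip 2>/dev/null | tr -d '[:space:]'
}

# check_egress: compare direct, HTTP-proxied and SOCKS-proxied egress addresses
check_egress() {
  local direct http socks rc=0
  direct=$(fetch_ip)
  # --socks5-hostname makes the proxy resolve names, so internal DNS names work
  http=$(fetch_ip --proxy "http://$PROXY_HOST:$HTTP_PORT")
  socks=$(fetch_ip --socks5-hostname "$PROXY_HOST:$SOCKS_PORT")
  printf 'direct: %s\nhttp  : %s\nsocks : %s\n' "${direct:-?}" "${http:-?}" "${socks:-?}"
  if egress_differs "$direct" "$http";  then echo "http proxy : OK (VPN egress)";  else echo "http proxy : FAIL";  rc=1; fi
  if egress_differs "$direct" "$socks"; then echo "socks proxy: OK (VPN egress)"; else echo "socks proxy: FAIL"; rc=1; fi
  return $rc
}

# check_dns NAME: resolve NAME through the container's dnsmasq
check_dns() {
  local name="$1" answer
  command -v dig >/dev/null 2>&1 || { echo "dns: skipped (dig not installed)"; return 0; }
  answer=$(dig +short +time=5 +tries=1 -p "$DNS_PORT" "@$PROXY_HOST" "$name" | head -n 1)
  if [ -n "$answer" ]; then
    echo "dns: $name -> $answer"
  else
    echo "dns: FAIL resolving $name via $PROXY_HOST:$DNS_PORT"
    return 1
  fi
}

# Usage: ./vpn-egress-check.sh --run [internal.hostname]
if [ "${1:-}" = "--run" ]; then
  check_egress; rc=$?
  if [ -n "${2:-}" ]; then check_dns "$2" || rc=1; fi
  exit $rc
fi
```

Set `PROXY_HOST` when the container runs on another machine. A `FAIL` with identical direct and proxied addresses after `docker-compose up -d` usually means the VPN inside the container (or on the host, for the first approach) is not up yet; check `docker logs -f --tail 10 corpvpn` before suspecting the proxies.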
Configure clients as an opt-in approach that forwards requests through the proxy into the corporate network. The following are options for client-based approaches.

For terminal or shell-based environments, most approaches forward into the proxy with a tool like ncat, netcat, nc, or optionally corkscrew on macOS. There are various versions of these tools which are similar but likely have different arguments or syntax.

It is recommended to install nmap with brew, which includes the ncat referenced in the examples below (or install ncat directly as needed):

```sh
brew install nmap
ncat --version
Ncat: Version 7.93 ( https://nmap.org/ncat )
```

The http_proxy and https_proxy environment variables specify proxy settings for client programs such as curl, wget, etc.:
```sh
export {http,https}_proxy=http://127.0.0.1:8118
```

Most of these clients also honour `no_proxy`; set `no_proxy=localhost,127.0.0.1` alongside the two variables so that requests to local services are not sent into the corporate proxy.

To set them permanently, append to /etc/environment (as root):

```sh
echo "http_proxy=http://127.0.0.1:8118" >> /etc/environment
echo "https_proxy=http://127.0.0.1:8118" >> /etc/environment
```

To set them dynamically based on the working directory, consider using direnv and create an .envrc file in the base directory where VPN connections should occur by default. direnv then loads and unloads these variables automatically depending on the working directory:

```sh
# .envrc
export {http,https}_proxy=http://127.0.0.1:8118
```

To verify the configuration is working with these variables set, the following should return the VPN IP address and not your public IP address:

```sh
curl ifconfig.co/ip
<corpvpn ip address>
```

To ssh through the proxy, or for git operations that rely on ssh, consider the following manual example:
```sh
# via http
ssh -o "ProxyCommand=ncat --proxy 127.0.0.1:8118 --proxy-type http %h %p" user@host
# via socks5
ssh -o "ProxyCommand=ncat --proxy 127.0.0.1:9118 --proxy-type socks5 %h %p" user@host
```

To automate these connections based on the host or domain, define ProxyCommand within ~/.ssh/config:

```
Host <hostname>
    ProxyCommand ncat --proxy 127.0.0.1:8118 --proxy-type http %h %p
    # ProxyCommand ncat --proxy 127.0.0.1:9118 --proxy-type socks5 %h %p

# wildcard
Host *.<hostname>
    ProxyCommand ncat --proxy 127.0.0.1:8118 --proxy-type http %h %p
    # ProxyCommand ncat --proxy 127.0.0.1:9118 --proxy-type socks5 %h %p
```

To configure connections for git through the proxy:
- For ssh connectivity, see SSH above.
- For http(s) connectivity, git reads `http.proxy` (and `http.<url>.proxy`) for both HTTP and HTTPS remotes; there is no separate `https.proxy` key. The proxy URL keeps the `http://` scheme because privoxy is a plain-HTTP proxy that tunnels HTTPS through CONNECT.

Global proxy:

```sh
git config --global http.proxy http://127.0.0.1:8118
```

URL-specific proxy (the `<url>` includes the scheme, and it must match the scheme of the remote it applies to):

```sh
git config --global http.http://domain.com.proxy http://127.0.0.1:8118
git config --global http.https://domain.com.proxy http://127.0.0.1:8118
```

Note: The URL-specific syntax is a bit strange, but generates the following in ~/.gitconfig:

```ini
[http "http://domain.com"]
	proxy = http://127.0.0.1:8118
[http "https://domain.com"]
	proxy = http://127.0.0.1:8118
```
- OpenConnect - Multi-protocol VPN client, for Cisco AnyConnect VPNs and others.
- Privoxy - non-caching web proxy.
- MicroSocks - multithreaded, small, efficient SOCKS5 server.
- Dnsmasq - local dns server.
- direnv - shell extension that can load and unload environment variables.
- ssh_config - linux manual page.