Openconnect-SSO in Docker: Difference between revisions
(Created page with "= VPN via openconnect-sso (Docker) = This guide describes how to connect to a Cisco AnyConnect-compatible VPN using openconnect-sso running inside a Docker container, with automatic DNS configuration on connect. == Prerequisites == * Docker installed and running * doas configured * The <code>openconnect-sso</code> Docker image built (see below) * A VPN-specific <code>resolv.conf</code> saved at <code>~/.local/resolv.conf</code> == Building the Docker imag...") |
(1. Added 'See also' section: 'Docker image example on hub.docker.com', 'An openconnect-sso Docker implementation for X11', 'openconnect-sso GitHub repository'; 2. Added categories: Networking, VPN, Virtualization, Authentication.) |
||
| (10 intermediate revisions by one other user not shown) | |||
| Line 1: | Line 1: | ||
= VPN via openconnect-sso (Docker) = | = VPN via openconnect-sso (Docker) = | ||
This guide describes how to connect to a Cisco AnyConnect-compatible VPN using | This guide describes how to connect to a Cisco AnyConnect-compatible VPN using openconnect-sso running inside a Docker container, with automatic DNS configuration on connect. It is assumed the WM / compositor of the client is Wayland. | ||
== Prerequisites == | == Prerequisites == | ||
* [[Docker]] installed and running | * [[Docker]] installed and running | ||
* | * doas configured | ||
* The <code>openconnect-sso</code> Docker image built (see below) | * The <code>openconnect-sso</code> Docker image built (see below) | ||
* A VPN-specific <code>resolv.conf</code> saved at <code>~/.local/resolv.conf</code> | * A VPN-specific <code>resolv.conf</code> saved at <code>~/.local/resolv.conf</code> | ||
If you don't know the DNS for <code>resolv.conf</code>, you can remove that part and connect via IP(s) directly, not DNS. | |||
== Building the Docker image == | == Building the Docker image == | ||
| Line 61: | Line 63: | ||
<pre> | <pre> | ||
docker build -f Dockerfile.openconnect-sso -t openconnect-sso . | docker build -f Dockerfile.openconnect-sso -t openconnect-sso . | ||
docker create --name openconnect-sso \ | doas docker create -it \ | ||
-- | --name openconnect-sso \ | ||
--privileged \ | |||
--net=host \ | |||
-v /etc/ssl/certs:/etc/ssl/certs:ro \ | |||
-e WAYLAND_DISPLAY=$WAYLAND_DISPLAY \ | |||
-e XDG_RUNTIME_DIR=/tmp \ | |||
-e QT_QPA_PLATFORM=wayland \ | |||
-v $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY:/tmp/$WAYLAND_DISPLAY:rw \ | |||
--device /dev/net/tun \ | --device /dev/net/tun \ | ||
openconnect-sso \ | openconnect-sso:latest \ | ||
--server your-vpn-gateway \ | --server your-vpn-gateway \ | ||
--user your-username | --user your-username | ||
| Line 77: | Line 85: | ||
== Connecting == | == Connecting == | ||
Save the following script (e.g. <code>~/vpn | Save the following script (e.g. <code>~/.local/bin/vpn-connect.sh</code>) and make it executable: | ||
<pre> | <pre> | ||
| Line 93: | Line 101: | ||
<pre> | <pre> | ||
chmod +x ~/vpn | chmod +x ~/.local/bin/vpn-connect.sh | ||
</pre> | </pre> | ||
| Line 99: | Line 107: | ||
<pre> | <pre> | ||
~/vpn | ~/.local/bin/vpn-connect.sh | ||
</pre> | </pre> | ||
| Line 117: | Line 125: | ||
You may also want to restore your original <code>/etc/resolv.conf</code> afterwards if it is not managed by another service. | You may also want to restore your original <code>/etc/resolv.conf</code> afterwards if it is not managed by another service. | ||
== Why use Docker? == | |||
System updates broke the bare metal openconnect-sso install. Docker keeps things static. Another way would be pyenv - please add steps below if you succeed with it. | |||
== See also == | == See also == | ||
* [https://hub.docker.com/r/morgan404/openconnect-client Docker image example on hub.docker.com] - Uses an Alpine Linux-based container using OpenConnect and OpenSSH Docker. Also enables automatic server certificate handling, which simplifies configuration. | |||
* [https://github.com/tuapuikia/openconnect-sso-docker An openconnect-sso Docker implementation for X11] - Includes host networking. | |||
* [https://github.com/vlaci/openconnect-sso openconnect-sso GitHub repository] - Installation, authentication logic, usage (without Docker), authentication logic and for updates upstream. | |||
[[Category:Networking]] | |||
[[Category:VPN]] | |||
[[Category:Virtualization]] | |||
[[Category:Authentication]] | |||
Latest revision as of 00:54, 26 February 2026
VPN via openconnect-sso (Docker)
This guide describes how to connect to a Cisco AnyConnect-compatible VPN using openconnect-sso running inside a Docker container, with automatic DNS configuration on connect. It is assumed the WM / compositor of the client is Wayland.
Prerequisites
- Docker installed and running
- doas configured
- The
openconnect-ssoDocker image built (see below) - A VPN-specific
resolv.confsaved at~/.local/resolv.conf
If you don't know the DNS for resolv.conf, you can remove that part and connect via IP(s) directly, not DNS.
Building the Docker image
Save the following as Dockerfile.openconnect-sso:
FROM python:3.11-slim
RUN apt-get update && \
apt-get install -y \
openconnect \
sudo \
libqt6gui6 \
libqt6widgets6 \
libqt6webenginecore6 \
libqt6webenginewidgets6 \
qt6-wayland \
libgl1 \
libxkbcommon0 \
libdbus-1-3 \
libegl1 \
libnss3 \
libnspr4 \
libxcomposite1 \
libxdamage1 \
libxrandr2 \
libxtst6 \
libxslt1.1 \
libglib2.0-0 \
libasound2 \
libxcursor1 \
fonts-liberation && \
apt-get clean && \
rm -rf /var/lib/apt/lists/*
RUN pip install --no-cache-dir openconnect-sso
RUN useradd -m -s /bin/bash vpnuser && \
echo "vpnuser ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
USER vpnuser
WORKDIR /home/vpnuser
ENV QT_QPA_PLATFORM=wayland
ENV XDG_RUNTIME_DIR=/tmp
ENTRYPOINT ["openconnect-sso"]
Build and create the container:
docker build -f Dockerfile.openconnect-sso -t openconnect-sso . doas docker create -it \ --name openconnect-sso \ --privileged \ --net=host \ -v /etc/ssl/certs:/etc/ssl/certs:ro \ -e WAYLAND_DISPLAY=$WAYLAND_DISPLAY \ -e XDG_RUNTIME_DIR=/tmp \ -e QT_QPA_PLATFORM=wayland \ -v $XDG_RUNTIME_DIR/$WAYLAND_DISPLAY:/tmp/$WAYLAND_DISPLAY:rw \ --device /dev/net/tun \ openconnect-sso:latest \ --server your-vpn-gateway \ --user your-username
DNS configuration
When the VPN connects, a tun0 interface is created but the system DNS is not automatically updated. To resolve internal hostnames, save your VPN network's DNS settings to ~/.local/resolv.conf. This file will be copied to /etc/resolv.conf once the tunnel is up.
Connecting
Save the following script (e.g. ~/.local/bin/vpn-connect.sh) and make it executable:
#!/bin/sh
# Wait for tun interface, then set DNS
(
while ! ip addr show tun0 2>/dev/null | grep -q inet; do
sleep 1
done
doas cp ~/.local/resolv.conf /etc/
) &
# Start VPN in foreground
doas docker start -ai openconnect-sso
chmod +x ~/.local/bin/vpn-connect.sh
Run it:
~/.local/bin/vpn-connect.sh
A browser window will open for SSO authentication. After completing login, the VPN tunnel will establish and DNS will be updated automatically.
How it works
The script starts a background subshell that polls for the tun0 interface. Once the interface has an IP address assigned (meaning the tunnel is up), it copies the VPN-specific resolv.conf into place. Meanwhile, the Docker container runs in the foreground so its output and the SSO browser window remain accessible.
Disconnecting
Close the foreground process with Ctrl or stop the container:
doas docker stop openconnect-sso
You may also want to restore your original /etc/resolv.conf afterwards if it is not managed by another service.
Why use Docker?
System updates broke the bare metal openconnect-sso install. Docker keeps things static. Another way would be pyenv - please add steps below if you succeed with it.
See also
- Docker image example on hub.docker.com - Uses an Alpine Linux-based container using OpenConnect and OpenSSH Docker. Also enables automatic server certificate handling, which simplifies configuration.
- An openconnect-sso Docker implementation for X11 - Includes host networking.
- openconnect-sso GitHub repository - Installation, authentication logic, usage (without Docker), authentication logic and for updates upstream.