Openconnect-SSO in Docker

From Alpine Linux

Revision as of 10:06, 25 February 2026

VPN via openconnect-sso (Docker)

This guide describes how to connect to a Cisco AnyConnect-compatible VPN using openconnect-sso running inside a Docker container, with automatic DNS configuration on connect.

Prerequisites

  • Docker installed and running
  • doas configured for your user (the connect script runs docker and the resolv.conf copy through it)
  • A Wayland session on the host (the image sets QT_QPA_PLATFORM=wayland for the SSO browser window)
  • The openconnect-sso Docker image built (see below)
  • A VPN-specific resolv.conf saved at ~/.local/resolv.conf

Building the Docker image

Save the following as ~/vpn/Dockerfile.openconnect-sso (the build step below runs from ~/vpn):

# Debian-based Python image; openconnect-sso itself is installed from PyPI below
FROM python:3.11-slim

# openconnect carries the tunnel; the Qt6/WebEngine libraries are the runtime
# for the embedded browser that openconnect-sso opens for the SSO login
RUN apt-get update && \
    apt-get install -y \
      openconnect \
      sudo \
      libqt6gui6 \
      libqt6widgets6 \
      libqt6webenginecore6 \
      libqt6webenginewidgets6 \
      qt6-wayland \
      libgl1 \
      libxkbcommon0 \
      libdbus-1-3 \
      libegl1 \
      libnss3 \
      libnspr4 \
      libxcomposite1 \
      libxdamage1 \
      libxrandr2 \
      libxtst6 \
      libxslt1.1 \
      libglib2.0-0 \
      libasound2 \
      libxcursor1 \
      fonts-liberation && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*

RUN pip install --no-cache-dir openconnect-sso

# openconnect-sso runs openconnect through sudo once it has the SSO cookie,
# so the unprivileged container user needs passwordless sudo inside the container
RUN useradd -m -s /bin/bash vpnuser && \
    echo "vpnuser ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers

USER vpnuser
WORKDIR /home/vpnuser

# Render the browser window on the host's Wayland compositor. With
# XDG_RUNTIME_DIR=/tmp, Qt looks for the compositor socket under /tmp, so the
# host socket has to be mounted there when the container is created.
ENV QT_QPA_PLATFORM=wayland
ENV XDG_RUNTIME_DIR=/tmp

ENTRYPOINT ["openconnect-sso"]

Build the image and create the container (prefix the docker commands with doas if your user is not in the docker group, as the connect script below does for docker start):

cd ~/vpn
docker build -f Dockerfile.openconnect-sso -t openconnect-sso .
docker create --name openconnect-sso \
  --network host \
  --cap-add NET_ADMIN \
  --device /dev/net/tun \
  -v "$XDG_RUNTIME_DIR/${WAYLAND_DISPLAY:-wayland-0}:/tmp/wayland-0" \
  openconnect-sso \
  --server your-vpn-gateway \
  --user your-username

--network host puts the container in the host's network namespace, so the tun0 interface and the routes openconnect installs are the host's. The connect script below depends on this: it polls tun0 on the host and rewrites the host's /etc/resolv.conf. With Docker's default bridge network the tunnel would exist only inside the container. Note that host networking plus NET_ADMIN gives the container full control over the host's network configuration (that is what lets openconnect add routes), so only run an image you built yourself.

The -v line mounts your compositor's Wayland socket at the path the image expects (XDG_RUNTIME_DIR=/tmp; wayland-0 is the default socket name, override WAYLAND_DISPLAY if yours differs). Without it the SSO browser window cannot open. The socket must be accessible to the container's vpnuser.

DNS configuration

When the tunnel comes up, openconnect's vpnc-script does configure DNS, but it runs inside the container and therefore edits the container's own /etc/resolv.conf, not the host's. The host keeps its previous resolver configuration and cannot resolve internal hostnames. To fix that, save the VPN network's resolver settings (nameserver and search lines) in ~/.local/resolv.conf; the connect script below copies this file over /etc/resolv.conf once tun0 has an address. If /etc/resolv.conf on the host is written by another service (dhcpcd, udhcpc, NetworkManager, resolvconf), that service may overwrite the copy; stop it for the duration of the VPN session or configure it to include the VPN nameservers instead.

Connecting

Save the following script (e.g. ~/.local/bin/vpn-connect.sh) and make it executable:

#!/bin/sh
# Wait for the tunnel interface to get an address, then install the VPN DNS config.
# This watcher runs in the background, so doas must not need to prompt here
# (use persist or nopass for this user in doas.conf).
(
  while ! ip addr show tun0 2>/dev/null | grep -q inet; do
    sleep 1
  done
  doas cp ~/.local/resolv.conf /etc/
) &
watcher=$!
# Start the VPN in the foreground so the container output stays visible.
doas docker start -ai openconnect-sso
# Stop the watcher once the container exits, so it does not keep polling
# (and overwrite resolv.conf later) if the tunnel never came up.
kill "$watcher" 2>/dev/null

Then make it executable:

chmod +x ~/.local/bin/vpn-connect.sh

Run it:

~/.local/bin/vpn-connect.sh

An embedded browser window opens for the SSO login. After you complete it, openconnect-sso starts openconnect (via sudo inside the container) with the session cookie, tun0 gets an address, and the background watcher installs the VPN DNS configuration.

How it works

The script starts a background subshell that polls for the tun0 interface. Once the interface has an IP address assigned (meaning the tunnel is up), it copies the VPN-specific resolv.conf into place. Meanwhile, the Docker container runs in the foreground so its output and the SSO browser window remain accessible.

Disconnecting

Press Ctrl+C in the foreground terminal, or stop the container from another shell:

doas docker stop openconnect-sso

The script does not restore the resolver configuration. After disconnecting, put your original /etc/resolv.conf back from a copy taken before connecting, unless another service on the host manages that file and rewrites it for you.
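The following is an added example, not the wiki page's own script: the same host-side flow as the connect script above (wait for tun0, install the VPN resolv.conf, run the container in the foreground), but with a bounded wait, a backup of the pre-VPN resolver configuration, and a restore when the container exits, which covers the manual restore step described under Disconnecting. The file name vpn-dns.sh, the backup path /etc/resolv.conf.pre-vpn and the 120 s timeout are assumptions. PRIV is the privilege wrapper (doas by default; set PRIV to the empty string to run the file operations unprivileged against a scratch directory), and the ip command is a parameter so the wait can be exercised with canned output.

```shell
#!/bin/sh
# Added example (not the page's script). Host-side VPN DNS handling with a
# bounded wait, backup and restore. PRIV defaults to doas; PRIV= runs the
# file operations directly. Backup path and timeout below are assumptions.

# wait_for_inet IFACE TIMEOUT_SECS [IP_CMD]
# Returns 0 as soon as `IP_CMD addr show IFACE` lists an IPv4 address,
# 1 after TIMEOUT_SECS. IP_CMD defaults to ip; passing a shell function that
# prints canned output lets the wait be exercised without a real interface.
wait_for_inet() {
  iface=$1
  timeout=$2
  ipcmd=${3:-ip}
  elapsed=0
  while [ "$elapsed" -lt "$timeout" ]; do
    if "$ipcmd" addr show "$iface" 2>/dev/null | grep -q 'inet '; then
      return 0
    fi
    sleep 1
    elapsed=$((elapsed + 1))
  done
  return 1
}

# dns_swap VPN_RESOLV RESOLV BACKUP
# Keeps a copy of RESOLV (if it exists) at BACKUP, then installs VPN_RESOLV.
dns_swap() {
  vpn=$1
  resolv=$2
  bak=$3
  if [ -f "$resolv" ]; then
    ${PRIV-doas} cp "$resolv" "$bak"
  fi
  ${PRIV-doas} cp "$vpn" "$resolv"
}

# dns_restore RESOLV BACKUP
# Puts the saved resolver config back; a no-op when no backup was taken
# (for example because the tunnel never came up).
dns_restore() {
  resolv=$1
  bak=$2
  if [ -f "$bak" ]; then
    ${PRIV-doas} mv "$bak" "$resolv"
  fi
}

# vpn_connect: the host-side orchestration. Requires doas with persist or
# nopass, since the watcher runs in the background and cannot prompt.
# Only invoked when the script is run as `sh vpn-dns.sh run`.
vpn_connect() {
  vpn_resolv="$HOME/.local/resolv.conf"
  backup=/etc/resolv.conf.pre-vpn      # assumed backup location
  (
    if wait_for_inet tun0 120; then    # assumed 120 s limit
      dns_swap "$vpn_resolv" /etc/resolv.conf "$backup"
    else
      echo "tun0 got no address within 120 s; leaving DNS untouched" >&2
    fi
  ) &
  watcher=$!
  doas docker start -ai openconnect-sso
  kill "$watcher" 2>/dev/null
  dns_restore /etc/resolv.conf "$backup"
}

if [ "${1:-}" = run ]; then
  vpn_connect
fi
```

Because the restore is a no-op when no backup exists, a failed connection leaves the host's resolver configuration exactly as it was; the bounded wait also means the watcher cannot install the VPN DNS servers minutes later on a tunnel that came up after the user gave up.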

See also