NOTE: This is provided for educational purposes only. Please ensure that this is allowed by your IT organization before using.
This image creates a Docker container that:

- Connects to your personal or corporate VPN through your or your company's VPN server, and
- Creates an HTTP/HTTPS/SOCKS proxy that browsers on your host can use to forward traffic through.
Inspired by wazum/openconnect-proxy and matinrco/openconnect-proxy.
Use this if you want to use VPN but don't want it taking over all traffic on your machine.
Supported VPN types:

- Cisco AnyConnect (if configured)
- GlobalProtect
- Juniper VPNs
- Private Internet Access
- NordVPN
- Other major VPN providers

Not supported:

- Citrix Netscaler (no open-source tool available for it)
First, create an `.env` file containing the following:

```
OPENCONNECT_URL=<Gateway URL>
OPENCONNECT_USER=<Username>
OPENCONNECT_PASSWORD=<Password>
OPENCONNECT_OPTIONS=--authgroup <VPN Group> \
  --servercert <VPN Server Certificate> --protocol=<Protocol> \
  --reconnect-timeout 86400
```

Optionally set a multi-factor authentication code:

```
OPENCONNECT_MFA_CODE=<Multi factor authentication code>
```

See the openconnect documentation for available options.
If you use OpenVPN instead, set these in the `.env` file:

```
OPENVPN_CONFIG_FILE=/path/to/config/file
OPENVPN_USERNAME=admin
OPENVPN_PASSWORD=supersecret
```

You can specify additional `--up` or `--down` scripts by setting `OPENVPN_UP_SCRIPTS` and/or `OPENVPN_DOWN_SCRIPTS` to a comma-separated list of scripts on your machine and then adding the following to the config defined by `OPENVPN_CONFIG_FILE`:

```
up /additional_up_scripts
down /additional_down_scripts
```

If your OpenVPN server advertises a nameserver, add this to your config:

```
up /etc/openvpn/update-systemd-resolve.sh
up /etc/openvpn/update-systemd-network.sh
```

An up-to-date example is provided at `.env.example`. Don't use quotes around the values!
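Before running `start_vpn.sh`, it is worth checking the `.env` file for the mistakes this README warns about. The following POSIX shell function is an added example (not part of this project); it assumes the keys shown above, joins backslash-continued lines, rejects quoted values, requires a complete openconnect or OpenVPN credential set, and flags the `--username`/`-u`, `--portal` and `--gateway` options when browser (OIDC) login is enabled.

```shell
#!/usr/bin/env sh
# Added example: sanity-check a .env file for this image.
# Exit status: 0 = no problems found, 1 = at least one problem printed.
check_env_file() {
  f="$1"; problems=0
  [ -r "$f" ] || { echo "cannot read $f"; return 1; }
  # Join lines ending in a backslash so multi-line OPENCONNECT_OPTIONS
  # (as in the README example) are inspected as one value.
  j=$(mktemp)
  sed -e ':a' -e '/\\$/N; s/\\\n//; ta' "$f" > "$j"
  # The README says values must not be quoted: flag KEY="..." or KEY='...'.
  if grep -Eq "^[A-Za-z_][A-Za-z0-9_]*=[\"']" "$j"; then
    echo "quoted values found for:"
    grep -E "^[A-Za-z_][A-Za-z0-9_]*=[\"']" "$j" | cut -d= -f1
    problems=1
  fi
  # Exactly one backend is configured; its credentials must be complete.
  if grep -q '^OPENCONNECT_URL=' "$j"; then
    for k in OPENCONNECT_USER OPENCONNECT_PASSWORD; do
      grep -q "^$k=." "$j" || { echo "missing $k"; problems=1; }
    done
  elif grep -q '^OPENVPN_CONFIG_FILE=' "$j"; then
    for k in OPENVPN_USERNAME OPENVPN_PASSWORD; do
      grep -q "^$k=." "$j" || { echo "missing $k"; problems=1; }
    done
  else
    echo "neither OPENCONNECT_URL nor OPENVPN_CONFIG_FILE is set"; problems=1
  fi
  # With GlobalProtect browser login the user/portal/gateway must not be
  # forced via OPENCONNECT_OPTIONS (see the warning later in this README).
  if grep -q '^GP_ENABLE_OIDC_LOGIN=true' "$j"; then
    opts=$(sed -n 's/^OPENCONNECT_OPTIONS=//p' "$j")
    for flag in --username -u --portal --gateway; do
      case " $opts " in
        *" $flag"*) echo "remove $flag from OPENCONNECT_OPTIONS"; problems=1 ;;
      esac
    done
  fi
  rm -f "$j"
  return $problems
}
```

Run it as `check_env_file .env` (or on the path you pass in `ENV_FILE`) and fix anything it prints before starting the container.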
Next, start the VPN: `./start_vpn.sh`. You will not see any output if successful.

NOTE: If your `.env` file is not in your current working directory, use this instead: `ENV_FILE=/path/to/env ./start_vpn.sh`

Finally, configure your browser to use the proxy by setting its HTTP proxy to `localhost:8118` and SOCKS proxy to `localhost:8889`.

To stop the VPN, simply run: `./stop_vpn.sh`.

NOTE: If your `.env` file is not in your current working directory, use this instead: `ENV_FILE=/path/to/env ./stop_vpn.sh`

If your Docker daemon listens on a non-default socket, prefix `./{start,stop}_vpn.sh` with `VPN_DOCKER_SOCK=[PATH]`.
If your VPN requires a client certificate and you are using openconnect, add this to your `ENV_FILE`:

```
OPENCONNECT_CERT_PATH=/path/to/cert
OPENCONNECT_CERT_KEY=/path/to/key
```

If you are using OpenVPN, embed the certificate in `<ca>`, `<cert>`, and `<key>` statements as needed.

If your VPN has multiple gateways, choose the VPN server corresponding to the gateway that you would like to connect to. For more info on why you need to do this, visit this GitHub issue.
✅ If you need to run command-line applications that do not support SOCKS5 or HTTP proxies, use `docker cp` to copy them into `/mnt/extras`, then run the command with `docker exec`.
Some GlobalProtect VPNs require you to log in via a web browser to finish authenticating. If that's the case for your VPN, do the following:

- Download a VNC client, like TigerVNC or RealVNC.
- Add the following to your `.env` file:

  ```
  GP_ENABLE_OIDC_LOGIN=true
  VNC_PASSWORD=enter-password-here
  ```

  If your VPN gateway is using an untrusted root CA, add this as well:

  ```
  GP_ENABLE_INSECURE_OIDC_LOGIN=true
  ```

- Afterwards, run `start_vpn.sh` like normal. When it finishes, open your VNC client and connect to `localhost:59000`. You should be greeted with a small browser window that you can use to complete the authentication process. The VPN connection should be established once this completes.

⚠️ If you have `$OPENCONNECT_OPTIONS` defined in your `.env`, do not configure the following flags:

- `--username`, `-u`
- `--portal`
- `--gateway`
Create a separate Firefox profile. Configure its HTTP proxy to `localhost:8118`, its SOCKS5 proxy to `localhost:8443` and enable "Proxy DNS request through SOCKS". Boom! You now have a dedicated web browser that goes through the proxy.
proxychains is a tool that tunnels all network traffic from any libc-compiled application through SOCKS or HTTP proxies. Unlike the `HTTP_PROXY` variables, it also supports resolving DNS records through the proxy.

Installing it is easy:

```
git clone https://github.com/haad/proxychains &&
cd proxychains &&
./configure && make && make install
```

Using it is easy too:

```
PROXYCHAINS_SOCKS5=8889 proxychains4 curl foo.com
```
If you need to access a resource through the proxy, simply export these environment variables:

```
export HTTP_PROXY=localhost:8118
export HTTPS_PROXY=localhost:8118
export SOCKS_PROXY=localhost:8889
```

or you can put them before your command to use them for one-off processes:

```
HTTP_PROXY=localhost:8118 HTTPS_PROXY=localhost:8118 SOCKS_PROXY=localhost:8889 curl [options]
```
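The proxychains section above points out that, unlike the plain proxy variables, proxychains can resolve DNS through the proxy. With a SOCKS proxy many clients otherwise resolve hostnames locally first, which leaks internal names to the host's resolver and fails for names only the VPN's DNS knows. The shell snippet below is an added example (not part of this project): it writes a proxychains-ng config with `proxy_dns` pointing at the container's SOCKS port (8889, from this README) and wraps curl with `--socks5-hostname`, which sends the hostname to the proxy instead of resolving it locally. The port, file name and `vpn_curl` name are this example's own choices.

```shell
#!/usr/bin/env sh
# Added example: keep DNS resolution on the VPN side of the proxy.
SOCKS_PORT=${SOCKS_PORT:-8889}   # SOCKS port published by the container

# Write a proxychains-ng config that resolves names through the SOCKS
# proxy. $1 = output path (default ./proxychains-vpn.conf). Prints the path.
write_proxychains_conf() {
  out=${1:-./proxychains-vpn.conf}
  cat > "$out" <<EOF
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks5 127.0.0.1 $SOCKS_PORT
EOF
  printf '%s\n' "$out"
}

# curl through the SOCKS proxy with remote name resolution. Using
# --socks5-hostname (socks5h://) instead of --socks5 (socks5://) is what
# stops curl from looking the name up on the host before connecting.
vpn_curl() {
  curl --socks5-hostname "127.0.0.1:$SOCKS_PORT" "$@"
}

# Typical use (not executed here):
#   conf=$(write_proxychains_conf)
#   PROXYCHAINS_CONF_FILE="$conf" proxychains4 ssh host.internal
#   vpn_curl -sS https://intranet.internal/
```

Any tool started under `proxychains4` with this config, and any `vpn_curl` call, therefore resolves names inside the VPN rather than on your host.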
Most VPN slowness can be resolved by restarting the VPN container. Run this to do that: `./restart_vpn.sh`.

NOTE: If your `.env` file is not in your current working directory, use this instead: `ENV_FILE=/path/to/env ./restart_vpn.sh`
This Docker image downloads the Openconnect "trojan" scripts into the `/trojans` directory. If you need to use one (like `hipreport.sh` for GlobalProtect VPNs), add `--csd-wrapper=/trojans/hipreport.sh` to the `OPENCONNECT_OPTIONS` environment variable.
To run the container as amd64 (for example on an ARM-based host), run `docker-proxy` like this: `PLATFORM=amd64 ./start_vpn.sh`. Remove any `docker_vpn` images before doing this.
If authentication fails, check your username and password. If you're connecting to a GlobalProtect VPN that is SSO enabled, make sure that you don't have the arguments outlined in the warning above in your `$OPENCONNECT_OPTIONS`.