Skip to content

Latest commit

 

History

History
142 lines (115 loc) · 4.08 KB

README.md

File metadata and controls

142 lines (115 loc) · 4.08 KB

openfortivpn-socat

This docker image proxies tcp ports across a Fortinet VPN to remote host using openfortivpn and socat.

Originally created by: https://github.com/jeffre/openfortivpn-socat

Create docker image

  1. Clone this repository

     git clone https://github.com/innobraingmbh/openfortivpn-socat
    
  2. Build the image

     docker build ./openfortivpn-socat \
         -t "innobraingmbh/openfortivpn-socat:latest"
    

    Alternatively, you may specify the openfortivpn version using --build-arg

     docker build ./openfortivpn-socat \
         -t "innobraingmbh/openfortivpn-socat:v1.17.1" \
         --build-arg OPENFORTIVPN_VERSION=v1.17.1
    

Deploy docker container

Configure forwarded ports

To configure forwarded ports, use environment variables with names that start with PORT_FORWARD and contain a special string (outlined below). More than one port can be forwarded by using a unique variable name (PORT_FORWARD1, PORT_FORWARD2, etc). The variable should contain a string that is formatted like one of the following:

  • REMOTE_HOST:REMOTE_PORT
  • LOCAL_PORT:REMOTE_HOST:REMOTE_PORT
  • PROTOCOL:LOCAL_PORT:REMOTE_HOST:REMOTE_PORT

REMOTE_HOST is a public hostname or ip address (note that a current limitations prevents the hostname from being resolved within the VPN)
REMOTE_PORT an integer between 1-65535
LOCAL_PORT an integer between 1-65535. If omitted, port 1111 is used.
PROTOCOL either tcp or udp. If omitted, tcp is used.

Configure openfortivpn

Openfortivpn configuration can be provided as command-line arguments to this image, as a mounted config file, or a combination of both. For details about openfortivpn configuration run

docker run --rm innobraingmbh/openfortivpn-socat:latest -h

Examples

Expose a remote RDP server

docker run --rm -it \
    --device=/dev/ppp \
    --cap-add=NET_ADMIN \
    -p 127.0.0.1:3389:3389 \
    -e PORT_FORWARD="3389:10.0.0.1:3389" \
    innobraingmbh/openfortivpn-socat:latest \
    fortinet.example.com:8443 \
    --username=foo \
    --password=bar \
    --otp=123456

Once connected, rdp://127.0.0.1 will be reachable.

Expose 2 remote services (RDP, SSH)

docker run --rm -it \
    --device=/dev/ppp \
    --cap-add=NET_ADMIN \
    -p 127.0.0.1:3389:1111 \
    -e PORT_FORWARD1="1111:10.0.0.1:3389" \
    -p 127.0.0.1:2222:2222 \
    -e PORT_FORWARD2="2222:10.0.0.2:22" \
    innobraingmbh/openfortivpn-socat:latest \
    fortinet.example.com:8443 \
    --username=foo \
    --password=bar \
    --otp=123456

Once connected, rdp://localhost:1111 and ssh://localhost:2222 will be reachable.

Use both a config file and command-line parameters for openfortivpn

Contents of ./config:

host = fortinet.example.com
port = 8443
username = foo
password = bar
docker run --rm -it \
    --device=/dev/ppp \
    --cap-add=NET_ADMIN \
    -p "1111:1111" \
    -e PORT_FORWARD="1111:10.0.0.1:3389" \
    -v "$(pwd)/config:/etc/openfortivpn/config" \
    innobraingmbh/openfortivpn-socat:latest \
    --otp=123456

Running on MacOS

Since /dev/ppp does not exist on MacOS, we will not attempt to bring it in with the --device flag. However, in order to create a ppp device inside the container, we will instead need the --privileged flag:

docker run --rm -it \
    --privileged \
    -p "1111:1111" \
    -e PORT_FORWARD="3389:10.0.0.1:3389" \
    innobraingmbh/openfortivpn-socat:latest \
    fortinet.example.com:8443

Example docker-compose

To use this, add the VPN as a service. Set all needed env vars, start once. Then add the thrown cert sha into the TRUSTED_CERT env var.

  vpn:
    build:
      context: .
      dockerfile: Dockerfile
    image: innobraingmbh/openfortivpn-socat:latest
    environment:
      - PORT_FORWARD
    command: ${VPNADDR} --username=${VPNUSER} --password=${VPNPASS} --trusted-cert=${TRUSTED_CERT}
    labels:
      - container-type=vpnclient
      - vpn-type=openfortivpn
    privileged: true
    networks:
      - default
    restart: unless-stopped