This is a Docker image to run OpenConnect. https://www.infradead.org/openconnect/index.html
OpenConnect is an SSL VPN client initially created to support Cisco's AnyConnect SSL VPN. It has since been ported to support the Juniper SSL VPN (which is now known as Pulse Connect Secure), and to the Palo Alto Networks GlobalProtect SSL VPN.
https://www.infradead.org/openconnect/nonroot.html has instructions if you want to run it without root access.
To use the pre-made Docker image use registry.gitlab.com/jeffcook/openconnect:latest.
All environment variables that start with OPENCONNECT_ will be converted into command line options.
Except...
OPENCONNECT_PASSWORD_FILEIf this files exists it will be directing into stdin.OPENCONNECT_SERVERThis is the variable for OpenConnect to use as server.
A /etc/openconnect/openconnect.conf file has been created and will be used.
It is blank so it will need to be updated if you want to use it.
Use a mount or config.
If you want to use a different config file location update the OPENCONNECT_CONFIG variable.
- The container needs to run with
privilegedor--cap-add NET_ADMINto be able to create the tunnel device on the host. - If you are using the tunnel device you will also need to run the container as root.
--user root
Docker allows the use of a running container to be the network for a container. https://docs.docker.com/compose/compose-file/#network_mode
services:
vpn:
uses_vpn:
network_mode: "service:vpn"Or reverse that and attach the VPN to the one container that will use it.
I was looking for an openconnect image that was light weight and minimal. I needed it to run on a local Docker install for a jump host.
Why is there is no Docker HEALTHCHECK?
- OpenConnect should close and fail if the VPN tunnel is closed already.
- Any health check should be used to verify the tunnel is up add passing traffic.
- This is very specific to each environment.
- A side affect of a good health check would be to keep the tunnel open even when not in use.