ducmthai / openconnect-as-a-container

openconnect, the anyconnect client in a Docker container

Some questions #1

Closed jonashaag closed 4 months ago

jonashaag commented 1 year ago

Hi! Thanks for making this!

First, I've had to make a few changes for it to work for me:

Question: Do you know what's the best way to set up the network so that only some IPs are routed through the Docker network, like with a typical corporate VPN? Another option would be to have the Docker network forward those requests. Right now I have to choose between being able to access VPN/intranet IPs and internet IPs.

ducmthai commented 1 year ago

@jonashaag I thought it was only my corporate VPN that had that LegacyRenegotiation issue. You can create an openssl.conf, then mount it into your container and put OPEN_SSL=/inside/container/path/to/openssl.conf in the environment list or .env.

Depending on your corporate VPN setup, you may need to change certain configurations to make it work. My setup is just a starter pack :)

For your question, you may need additional route manipulation. For example, in my case:

```sh
# Make tun0 a non-default interface
ip route del default dev tun0 scope link
# Make eth0 (inside the container) the default interface; 10.29.0.1 here is just the gateway of your Docker network
ip route add default via 10.29.0.1 dev eth0
# Corporate DNS lookups through tun0: take all DNS servers from /etc/resolv.conf and work out the covering subnet.
# In my example 172.17.0.1 and 172.17.0.2 give the 172.17.0.0/30 subnet.
ip route add 172.17.0.0/30 dev tun0 scope link
```

Add those commands to 3proxy/run before starting 3proxy but after tun0 is available.
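The route manipulation described in the comment above, written up as an added example (this is not code from the openconnect-as-a-container repository or from either participant): a POSIX sh script that performs the same three steps but reads the VPN-pushed DNS servers from resolv.conf and pins each one with a /32 host route instead of hand-picking a covering /30. The interface names `tun0`/`eth0`, the gateway `10.29.0.1`, the extra range `10.10.0.0/16` and the sample resolv.conf are assumptions for illustration.

```sh
#!/bin/sh
# Added example for this thread, not code from openconnect-as-a-container.
# Assumptions (hypothetical, adjust to your setup):
#   VPN_IF  tunnel interface created by openconnect          (default tun0)
#   LAN_IF  the container's Docker-side interface            (default eth0)
#   LAN_GW  Docker network gateway on LAN_IF                 (default: detected)
#   RESOLV  resolv.conf holding the VPN-pushed DNS servers   (default /etc/resolv.conf)
#   Extra intranet CIDRs that must stay on the VPN are passed as arguments.
#   DRY_RUN=1 prints the ip(8) commands instead of running them.
set -eu

VPN_IF="${VPN_IF:-tun0}"
LAN_IF="${LAN_IF:-eth0}"

# is_ipv4 ADDR: succeed only for a dotted quad with octets 0..255.
# Keeps IPv6 nameservers (which the VPN may also push) out of the plan.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    IFS=. read -r a b c d e <<EOF
$1
EOF
    if [ -n "$d" ] && [ -z "$e" ] && [ "$a" -le 255 ] && [ "$b" -le 255 ] \
        && [ "$c" -le 255 ] && [ "$d" -le 255 ]; then
        return 0
    fi
    return 1
}

# dns_servers FILE: print each IPv4 nameserver listed in FILE, one per line.
dns_servers() {
    while read -r key value _; do
        if [ "$key" = nameserver ] && is_ipv4 "$value"; then
            printf '%s\n' "$value"
        fi
    done < "$1"
}

# route_plan RESOLV GW [CIDR...]: print the ip(8) commands for the split tunnel:
#  1. drop the default route vpnc-script put on the tunnel,
#  2. make the Docker gateway the default again,
#  3. pin every DNS server (/32 host route) and every extra CIDR to the tunnel.
# "replace" instead of "add" keeps the plan idempotent across VPN reconnects.
route_plan() {
    resolv="$1"; gw="$2"; shift 2
    printf 'ip route del default dev %s 2>/dev/null || true\n' "$VPN_IF"
    printf 'ip route replace default via %s dev %s\n' "$gw" "$LAN_IF"
    dns_servers "$resolv" | while read -r ns; do
        printf 'ip route replace %s/32 dev %s scope link\n' "$ns" "$VPN_IF"
    done
    for cidr in "$@"; do
        printf 'ip route replace %s dev %s scope link\n' "$cidr" "$VPN_IF"
    done
}

# apply_split_tunnel [CIDR...]: build the plan for the live container and run it
# (or print it with DRY_RUN=1). Needs CAP_NET_ADMIN and an already-up VPN_IF.
apply_split_tunnel() {
    gw="${LAN_GW:-$(ip -4 route show dev "$LAN_IF" | awk '/^default/ {print $3; exit}')}"
    [ -n "$gw" ] || { echo "no default gateway found on $LAN_IF; set LAN_GW" >&2; return 1; }
    route_plan "${RESOLV:-/etc/resolv.conf}" "$gw" "$@" | while read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$cmd"; else eval "$cmd"; fi
    done
}

# demo_plan: the plan for a constructed resolv.conf (sample data, not from a real
# VPN), the gateway from the comment above, and one extra intranet range.
demo_plan() {
    tmp="$(mktemp)"
    cat > "$tmp" <<'EOF'
# written by vpnc-script (constructed sample)
search corp.example
nameserver 172.17.0.1
nameserver 172.17.0.2
nameserver fd00::53
EOF
    route_plan "$tmp" 10.29.0.1 10.10.0.0/16
    rm -f "$tmp"
}

if [ "${1:-}" = --demo ]; then demo_plan; fi
```

Following the comment above, call `apply_split_tunnel` from 3proxy/run after openconnect has brought tun0 up and before 3proxy starts; the container needs CAP_NET_ADMIN for the `ip route` changes. `./split-tunnel.sh --demo` prints the five commands the constructed sample produces without touching the routing table, and `DRY_RUN=1` does the same for the live container. Because vpnc-script rewrites /etc/resolv.conf and the default route on every reconnect, the script uses `ip route replace` so it can be re-run safely.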

jonashaag commented 1 year ago

Thanks a lot! Do you think adding a mode that makes the socks proxy behave like that by default would be valuable? I guess we should be able to infer the route table automatically somehow, since if you use AnyConnect you get exactly that.

ducmthai commented 1 year ago

The socks proxy itself is not able (or expected) to do network-level routing, but it is bound to the tun0 interface to avoid IP leaks. It's possible to infer the routes automatically, or you can look at split tunnel here, but vpnc-scripts is expected to replicate routing directives from the VPN server.

jonashaag commented 1 year ago

Thanks a lot! I'll have a look into those.