docker-f5fpc's People

Contributors

alex-golts, matthiaslohr, max-len, nequissimus

docker-f5fpc's Issues

Support for custom CA certificate

We need support for custom CA certificates to make it possible to use CAs other than the ones delivered with the ca-certificates package.

(requests.packages.urllib3.connectionpool) Connection pool is full, discarding connection: localhost

2017-06-09 11:07:29,404 WARNING (requests.packages.urllib3.connectionpool) Connection pool is full, discarding connection: localhost
Traceback (most recent call last):
  File "./f5fpc-client.py", line 134, in <module>
    sys.exit(main())
  File "./f5fpc-client.py", line 43, in main
    container = docker_client.containers.get(container_name)
  File "/home/mlohr/.local/lib/python2.7/site-packages/docker/models/containers.py", line 757, in get
    resp = self.client.api.inspect_container(container_id)
  File "/home/mlohr/.local/lib/python2.7/site-packages/docker/utils/decorators.py", line 21, in wrapped
    return f(self, resource_id, *args, **kwargs)
  File "/home/mlohr/.local/lib/python2.7/site-packages/docker/api/container.py", line 750, in inspect_container
    self._get(self._url("/containers/{0}/json", container)), True
  File "/home/mlohr/.local/lib/python2.7/site-packages/docker/utils/decorators.py", line 47, in inner
    return f(self, *args, **kwargs)
  File "/home/mlohr/.local/lib/python2.7/site-packages/docker/api/client.py", line 183, in _get
    return self.get(url, **self._set_request_timeout(kwargs))
  File "/home/mlohr/.local/lib/python2.7/site-packages/requests/sessions.py", line 526, in get
    return self.request('GET', url, **kwargs)
  File "/home/mlohr/.local/lib/python2.7/site-packages/requests/sessions.py", line 513, in request
    resp = self.send(prep, **send_kwargs)
  File "/home/mlohr/.local/lib/python2.7/site-packages/requests/sessions.py", line 623, in send
    r = adapter.send(request, **kwargs)
  File "/home/mlohr/.local/lib/python2.7/site-packages/requests/adapters.py", line 440, in send
    timeout=timeout
  File "/home/mlohr/.local/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 587, in urlopen
    timeout_obj = self._get_timeout(timeout)
  File "/home/mlohr/.local/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 302, in _get_timeout
    return Timeout.from_float(timeout)
  File "/home/mlohr/.local/lib/python2.7/site-packages/requests/packages/urllib3/util/timeout.py", line 154, in from_float
    return Timeout(read=timeout, connect=timeout)
  File "/home/mlohr/.local/lib/python2.7/site-packages/requests/packages/urllib3/util/timeout.py", line 94, in __init__
    self._connect = self._validate_timeout(connect, 'connect')
  File "/home/mlohr/.local/lib/python2.7/site-packages/requests/packages/urllib3/util/timeout.py", line 127, in _validate_timeout
    "int, float or None." % (name, value))
ValueError: Timeout value connect was Timeout(connect=None, read=None, total=None), but it must be an int, float or None.

Inform about image downloading

Invoking the script which runs the docker container could trigger the image download if not locally available. This may take a long time. So inform the user about the download action.

set network routes

Automatically add and remove provided networks to/from the routing table.

LookupError: 'hex' is not a text encoding; use codecs.encode()

I pulled the latest in the linux vm.

-> % git pull
Updating 20e9888..5332123
Fast-forward
 f5fpc-client.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
antouank@antergos-vm [09:53:26] [~/_REPOS_/docker-f5fpc] [master]
-> % sudo ./f5fpc-client.py connect.xxxxxx.com xxxxxxx
Enter your VPN password: 
Traceback (most recent call last):
  File "./f5fpc-client.py", line 155, in <module>
    sys.exit(main())
  File "./f5fpc-client.py", line 63, in main
    'HEXPASSWORD': password.encode('hex')
LookupError: 'hex' is not a text encoding; use codecs.encode() to handle arbitrary codecs

python version

antouank@antergos-vm [09:57:04] [~/_REPOS_/docker-f5fpc] [master]
-> % python --version
Python 3.6.0
antouank@antergos-vm [09:57:08] [~/_REPOS_/docker-f5fpc] [master]
-> % python2 --version
Python 2.7.13
antouank@antergos-vm [09:57:11] [~/_REPOS_/docker-f5fpc] [master]
-> % sudo pip install -r requirements.txt

/usr/lib/python3.6/site-packages/requests/packages/urllib3/contrib/socks.py:31: DependencyWarning: SOCKS support in urllib3 requires the installation of optional dependencies: specifically, PySocks.  For more information, see https://urllib3.readthedocs.io/en/latest/contrib.html#socks-proxies
  DependencyWarning
Requirement already satisfied: docker==2.2.1 in /usr/lib/python3.6/site-packages (from -r requirements.txt (line 1)) (2.2.1)
Requirement already satisfied: requests==2.11.1 in /usr/lib/python3.6/site-packages (from -r requirements.txt (line 2)) (2.11.1)
Requirement already satisfied: websocket-client>=0.32.0 in /usr/lib/python3.6/site-packages (from docker==2.2.1->-r requirements.txt (line 1)) (0.48.0)
Requirement already satisfied: six>=1.4.0 in /usr/lib/python3.6/site-packages (from docker==2.2.1->-r requirements.txt (line 1)) (1.10.0)
Requirement already satisfied: docker-pycreds>=0.2.1 in /usr/lib/python3.6/site-packages (from docker==2.2.1->-r requirements.txt (line 1)) (0.3.0)

detect and reconnect on VPN forced logout

The VPN client may be forced to log out after a specific period by the VPN server. It would be nice if this event could be detected and lead to a reconnect with the original parameters.

Problem connecting

Hello,

I followed the instructions and when I run the wrapper script I get: Connection established. Welcome to <some_network> network. After this message the container just hangs there. Is that the expected behaviour?
In any case, even though it says "connection established", in practice I am not connected to the VPN. When I run ifconfig I still see my original IP, and not the VPN's IP.

I am running the docker from MacOS. When using a linux PC, I can successfully connect directly from linux_sslvpn F5 client (which doesn't work on Mac, that's why I wanted to try this docker). After connecting on the linux PC, I see that my IP is changed as expected when I run ifconfig.
I didn't try running this docker from the linux PC (should I?)

When I run with the debug flag, I get the following "suspicious" lines:
2018-08-29 14:09:48,702 DEBUG (docker.auth) Couldn't find 'auths' or 'HttpHeaders' sections
2018-08-29 14:09:48,702 DEBUG (docker.auth) Config entry for key stackOrchestrator is not auth config

Any ideas?

Thanks,
Alex

module dependency check

Check if required dependencies are provided:

  • docker
  • ip (including privileges adding routes)

Detect network error

Currently, I receive the error message "Login denied" on network problems (when the VPN server could not be reached). That should be a more meaningful error message.

give status feedback

Give status feedback from f5fpc -i command.

Possible codes are here: https://support.f5.com/content/kb/en-us/products/big-ip_apm/manuals/product/apm-client-configuration-11-4-0/_jcr_content/pdfAttach/download/file.res/BIG-IP_Access_Policy_Manager__Edge_Client_and_Application_Configuration.pdf

| Command status | Hex value | Shell value | Description |
|---|---|---|---|
| CLI_ERROR_SUCCESS | 0x0 | 0 | The command line operation was successful. |
| CLI_ERROR_USERS_DISCONNECT | 0x150 | 80 | The user was disconnected |
| CLI_ERROR_LOGON_FAILURE | 0x151 | 81 | Login failed due to incorrect authentication information or login errors. |
| CLI_ERROR_ATTENTION_REQUIRED | 0x154 | 84 | The user's attention is required. |
| CLI_ERROR_GENERIC_FAILURE | 0x155 | 85 | An error occurred in the system API. |
| CLI_ERROR_UNKNOWN_PARAMETER | 0x156 | 86 | An incorrect or unknown parameter was passed to the command line. |
| CLI_ERROR_WRONG_VALUE | 0x157 | 87 | This is an undefined error. |
| CLI_ERROR_UNKNOWN_SESSION_ID | 0x158 | 88 | An unknown session ID was encountered. The user should reconnect to the server. |
| CLI_ERROR_NO_PROFILE | 0x15B | 91 | No such profile exists. |
| CLI_ERROR_MSGQ_OPEN_FAILURE | 0x15D | 93 | The system failed to open the message queue. |
| CLI_ERROR_OPERATION_IN_PROGRESS | 0x15F | 95 | An operation is in progress, please retry. |
| kss_Initialized | 1 | 1 | The session is initialized. |
| kss_LogonInProgress | 2 | 2 | The user login is in progress. |
| kss_Idle | 3 | 3 | The session is idle. |
| kss_Established | 5 | 5 | The session is established. |
| kss_AttentionReq | 6 | 6 | The session requires the user's attention. |
| kss_LogonDenied | 7 | 7 | Login was denied. |
| kss_LoggedOut | 8 | 8 | The user is logged out of the server |
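
Added example (not part of the issue and not the project's own code): one way a wrapper could combine the result code with the `f5fpc -i` text, so that a certificate trust failure is reported as such instead of as a plain logon denial, and codes missing from the table are reported together with their "Connection Status" line rather than guessed at. The function name `diagnose`, the category labels and the constructed sample outputs are assumptions; the session state values and the status lines are the ones quoted in the issues on this page.

```python
import re

# Session states (kss_*) taken from the table above; 4 and 9 are not listed.
SESSION_STATES = {
    1: "initialized", 2: "logon in progress", 3: "idle", 5: "established",
    6: "attention required", 7: "logon denied", 8: "logged out",
}
CERT_FAILURE = "Server certificate verification failed."
STATUS_LINE = re.compile(r"^Connection Status:\s*(.+)$", re.MULTILINE)

# Constructed sample outputs, assembled from lines quoted in the issues.
SAMPLE_CERT = "Connection Status: logon failed\nServer certificate verification failed.\n"
SAMPLE_DENIED = "Connection Status: logon failed\n"
SAMPLE_TIMEOUT = "Connection Status: Session timed out\nFavorites Information:\n"


def diagnose(result_code, info_output):
    """Return (category, message) for a result code plus the status text.

    Hypothetical helper: categories are 'tls', 'auth', 'connected',
    'state' and 'unknown'.
    """
    match = STATUS_LINE.search(info_output)
    status_text = match.group(1).strip() if match else "no status line"

    # Check the text first: code 7 alone cannot tell a rejected server
    # certificate apart from rejected credentials.
    if CERT_FAILURE in info_output:
        return ("tls", "server certificate verification failed (%s)" % status_text)

    if result_code in SESSION_STATES:
        category = {5: "connected", 7: "auth"}.get(result_code, "state")
        return (category, SESSION_STATES[result_code])

    # Unlisted code: surface what the client itself reported, unmodified.
    return ("unknown", "result code %d: %s" % (result_code, status_text))


if __name__ == "__main__":
    for code, text in ((7, SAMPLE_CERT), (7, SAMPLE_DENIED), (9, SAMPLE_TIMEOUT)):
        print(code, diagnose(code, text))
```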

Connection Status: logon failed

Additional information:
Connection Status: logon failed
Server certificate verification failed.
Unknown result code: 7
Please create an issue with this code here:
https://github.com/MatthiasLohr/docker-f5fpc/issues/new

Reduce image size!

E.g. use alpine linux.

RUN apk update && apk add bash file iproute2 iptables iputils libc6-compat libgcc libstdc++ net-tools wget
RUN mkdir -p /lib64 && ln -s /lib/ld-linux-x86-64.so.2 /lib64/ld-linux-x86-64.so.2

Unknown result code: 4

As requested:

Please enter your VPN password: 
Waiting...
Unknown result code: 4
Please create an issue with this code here:
https://github.com/MatthiasLohr/docker-f5fpc/issues/new

Additional information:
Connection Status: retrieving favorites list
Favorites Information:
______________________
fav-Id   fav-Type  fav-Status       fav-Name
Connection established successfully

Force split tunnel

When connecting via the CLI on f5fpc is there a way to force split tunneling?

Status code check: 9

Unknown result code: 9
Please create an issue with this code here:
https://github.com/MatthiasLohr/docker-f5fpc/issues/new

Additional information:
Connection Status: Session timed out
Favorites Information:


fav-Id fav-Type fav-Status fav-Name
245 vpn disconnected /Common/corp_ft_network
619 vpn available /Common/corp_split_network

This might be an unavoidable timeout, I haven't tried very hard to keep this thing alive over long periods.

no-check-certificate option (-x)

From F5 support
Known Issue
Server certificate verification may fail with the BIG-IP Edge Client command line for Linux.
Connection Status: logon failed
Server certificate verification failed.

F5 Workaround
To work around this issue, you can disable certificate verification using the -x option to the f5fpc command.
For example:
f5fpc -s -x -t https://apm1.example.com

But it seems that the -x option is not received by docker-f5fpc
./f5fpc-vpn.sh client -x -t https://sslvpn-xxx.xxx.it
Please enter your VPN username: xxx
Please enter your VPN password:
Logon denied
Connection Status: logon failed
Server certificate verification failed.

Is it possible to add this option?

"No such file or directory" error

Hi there.

I'm trying to use that script on my MacBook, but I get this error:

➜  docker-f5fpc git:(master) sudo ./f5fpc-client.py connect.something.com someUser
Enter your VPN password:
2018-06-27 11:26:38,028 INFO (root) Connecting to connect.something.com...
Traceback (most recent call last):
  File "./f5fpc-client.py", line 155, in <module>
    sys.exit(main())
  File "./f5fpc-client.py", line 68, in main
    container_exec(container_name, '/opt/connect.sh')
  File "./f5fpc-client.py", line 132, in container_exec
    process = subprocess.Popen(command_splitted, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
  File "/usr/local/Cellar/python@2/2.7.15_1/Frameworks/Python.framework/Versions/2.7/lib/python2.7/subprocess.py", line 394, in __init__
    errread, errwrite)
  File "/usr/local/Cellar/python@2/2.7.15_1/Frameworks/Python.framework/Versions/2.7/lib/python2.7/subprocess.py", line 1047, in _execute_child
    raise child_exception
OSError: [Errno 2] No such file or directory

I did pip install, and I have python 2.7 installed ( I used brew to install that if I remember correctly ).
Trying a wrong password or removing sudo yields the same error.

Any ideas what's wrong?

set DNS environment

Apply DNS settings from /etc/resolv.conf.fp-tmp and restore old after disconnecting.

2FA RSA code support

Btw, I made an ubuntu vm, and tried the script from in there.
I get no errors, but my login is denied.
Could it be that it doesn't ask for the RSA code? ( the 2FA part )

From the same vm, using the f5vpn "app", I can get connected.
