This Docker image proxies TCP (or UDP) ports across a Fortinet VPN to a remote host using openfortivpn and socat.
Originally created by: https://github.com/jeffre/openfortivpn-socat
- Clone this repository:

  ```sh
  git clone https://github.com/innobraingmbh/openfortivpn-socat
  ```

- Build the image:

  ```sh
  docker build ./openfortivpn-socat \
    -t "innobraingmbh/openfortivpn-socat:latest"
  ```

  Alternatively, you may pin the openfortivpn version using `--build-arg`:

  ```sh
  docker build ./openfortivpn-socat \
    -t "innobraingmbh/openfortivpn-socat:v1.17.1" \
    --build-arg OPENFORTIVPN_VERSION=v1.17.1
  ```
To configure forwarded ports, use environment variables whose names start with `PORT_FORWARD` and whose values follow the format outlined below. More than one port can be forwarded by giving each variable a unique name (`PORT_FORWARD1`, `PORT_FORWARD2`, etc.). The value must be formatted like one of the following:

```
REMOTE_HOST:REMOTE_PORT
LOCAL_PORT:REMOTE_HOST:REMOTE_PORT
PROTOCOL:LOCAL_PORT:REMOTE_HOST:REMOTE_PORT
```

- `REMOTE_HOST`: a public hostname or IP address (note that a current limitation prevents hostnames from being resolved within the VPN, so a host that only resolves through the VPN's DNS must be given as an IP address)
- `REMOTE_PORT`: an integer between 1 and 65535
- `LOCAL_PORT`: an integer between 1 and 65535. If omitted, port 1111 is used.
- `PROTOCOL`: either `tcp` or `udp`. If omitted, `tcp` is used.
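As an added example (not the image's entrypoint or any code from this project), the following POSIX sh functions parse the three `PORT_FORWARD` forms above, apply the documented defaults and reject malformed values. The `socat` command line it prints is an assumed shape for such a forward, and the function names `valid_port`, `parse_port_forward`, `socat_cmd` and `forward_var_names` are invented here.

```shell
#!/bin/sh
# Constructed example, not the image's own entrypoint: parse PORT_FORWARD
# values in the three documented forms, apply the documented defaults and
# reject malformed specs. The socat command shape below is an assumption.

# Succeed only for an integer in the documented range 1-65535.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print "PROTO LOCAL_PORT REMOTE_HOST REMOTE_PORT" for a valid spec;
# return 1 (with a message on stderr) so a bad variable fails loudly.
parse_port_forward() {
  pf_spec=$1
  pf_ifs=$IFS; IFS=:; set -- $pf_spec; IFS=$pf_ifs
  case $# in
    2) pf_proto=tcp; pf_lport=1111; pf_rhost=$1; pf_rport=$2 ;;
    3) pf_proto=tcp; pf_lport=$1;   pf_rhost=$2; pf_rport=$3 ;;
    4) pf_proto=$1;  pf_lport=$2;   pf_rhost=$3; pf_rport=$4 ;;
    *) echo "bad spec '$pf_spec': expected 2-4 colon-separated fields" >&2; return 1 ;;
  esac
  pf_proto=$(printf '%s' "$pf_proto" | tr 'A-Z' 'a-z')
  case "$pf_proto" in
    tcp|udp) ;;
    *) echo "bad spec '$pf_spec': protocol must be tcp or udp" >&2; return 1 ;;
  esac
  [ -n "$pf_rhost" ] || { echo "bad spec '$pf_spec': empty remote host" >&2; return 1; }
  valid_port "$pf_lport" || { echo "bad spec '$pf_spec': local port out of range" >&2; return 1; }
  valid_port "$pf_rport" || { echo "bad spec '$pf_spec': remote port out of range" >&2; return 1; }
  printf '%s %s %s %s\n' "$pf_proto" "$pf_lport" "$pf_rhost" "$pf_rport"
}

# Build the socat command line that would serve one spec: listen on the
# local port inside the container, fork per client, relay across the tunnel.
socat_cmd() {
  sc_tuple=$(parse_port_forward "$1") || return 1
  set -- $sc_tuple
  sc_up=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
  printf 'socat %s-LISTEN:%s,fork,reuseaddr %s:%s:%s\n' "$sc_up" "$2" "$sc_up" "$3" "$4"
}

# Names of every environment variable that starts with PORT_FORWARD, sorted.
forward_var_names() {
  env | sed -n 's/^\(PORT_FORWARD[^=]*\)=.*/\1/p' | sort
}
```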
Openfortivpn configuration can be provided as command-line arguments to this image, as a mounted config file, or a combination of both. For details about openfortivpn configuration run:

```sh
docker run --rm innobraingmbh/openfortivpn-socat:latest -h
```
Forwarding a single port (RDP to 10.0.0.1 through the VPN), published on the loopback interface only:

```sh
docker run --rm -it \
  --device=/dev/ppp \
  --cap-add=NET_ADMIN \
  -p 127.0.0.1:3389:3389 \
  -e PORT_FORWARD="3389:10.0.0.1:3389" \
  innobraingmbh/openfortivpn-socat:latest \
  fortinet.example.com:8443 \
  --username=foo \
  --password=bar \
  --otp=123456
```
Once connected, rdp://127.0.0.1 will be reachable.
Forwarding multiple ports (RDP to 10.0.0.1 and SSH to 10.0.0.2) with one variable per forward:

```sh
docker run --rm -it \
  --device=/dev/ppp \
  --cap-add=NET_ADMIN \
  -p 127.0.0.1:3389:1111 \
  -e PORT_FORWARD1="1111:10.0.0.1:3389" \
  -p 127.0.0.1:2222:2222 \
  -e PORT_FORWARD2="2222:10.0.0.2:22" \
  innobraingmbh/openfortivpn-socat:latest \
  fortinet.example.com:8443 \
  --username=foo \
  --password=bar \
  --otp=123456
```
Once connected, rdp://localhost:1111 and ssh://localhost:2222 will be reachable.
Using a mounted openfortivpn config file instead of command-line arguments (only the one-time password is still passed on the command line). Contents of `./config`:

```
host = fortinet.example.com
port = 8443
username = foo
password = bar
```

```sh
docker run --rm -it \
  --device=/dev/ppp \
  --cap-add=NET_ADMIN \
  -p "1111:1111" \
  -e PORT_FORWARD="1111:10.0.0.1:3389" \
  -v "$(pwd)/config:/etc/openfortivpn/config" \
  innobraingmbh/openfortivpn-socat:latest \
  --otp=123456
```
Since `/dev/ppp` does not exist on macOS, we will not attempt to bring it in with the `--device` flag. However, in order to create a ppp device inside the container, we will instead need the `--privileged` flag. Note that `--privileged` grants the container far broader access to the host than `--device` plus `--cap-add=NET_ADMIN`, so prefer the Linux form wherever it works. The forwarded local port must match the published container port:

```sh
docker run --rm -it \
  --privileged \
  -p "1111:1111" \
  -e PORT_FORWARD="1111:10.0.0.1:3389" \
  innobraingmbh/openfortivpn-socat:latest \
  fortinet.example.com:8443
```
To use this with Docker Compose, add the VPN as a service. Set all needed environment variables (`VPNADDR`, `VPNUSER`, `VPNPASS`, `PORT_FORWARD`) and start it once; if openfortivpn cannot validate the gateway certificate it reports the certificate's SHA256 digest. Put that digest into the `TRUSTED_CERT` env var and start the service again. Verify the digest against the gateway's certificate through an independent channel before pinning it, because pinning whatever digest the first connection presents would also pin an interposed certificate.

```yaml
vpn:
  build:
    context: .
    dockerfile: Dockerfile
  image: innobraingmbh/openfortivpn-socat:latest
  environment:
    - PORT_FORWARD
  command: ${VPNADDR} --username=${VPNUSER} --password=${VPNPASS} --trusted-cert=${TRUSTED_CERT}
  labels:
    - container-type=vpnclient
    - vpn-type=openfortivpn
  privileged: true
  networks:
    - default
  restart: unless-stopped
```