@TakashiSasaki
Last active May 22, 2019 09:14
id_rsa.pem
openconnect.conf
password.enc
password.txt
Running OpenConnect as a systemd service.
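# Every target in this file names a command rather than a file it produces,
# so all of them are declared phony; otherwise a stray file called "install"
# or "start" in this directory would silently disable the target.
# help, clean and show-password are kept from the original declaration.
.PHONY: all install start stop enable-napt help clean show-password

# Directory variables end in a slash on purpose: the recipes build paths by
# plain concatenation, e.g. $(CONFDIR)$(CONFFILE).
CONFDIR := /usr/local/etc/
BINDIR := /usr/local/bin/
# Connection settings sourced by the wrapper script; holds the VPN password.
CONFFILE := openconnect.conf
SCRIPTFILE := openconnect.sh
SERVICEDIR := /etc/systemd/system/
SERVICEFILE := openconnect.service
RESOLVCONFDIR := /etc/
RESOLVCONFFILE := resolv.conf
# Kernel switch for IPv4 forwarding, used by enable-napt.
IP_FORWARD := /proc/sys/net/ipv4/ip_forward
# Interface that enable-napt masquerades traffic out of.
TUNNELDEVICE := tun0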
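# Default goal: print the connection settings for review.
# The prerequisite uses $(CONFFILE) so it follows the same variable as the
# install target instead of a second hard-coded file name.
# NOTE: the file contains the PASSWORD line, so this prints the VPN password
# in clear text to the terminal (and to any log that captures make's output).
all: $(CONFFILE)
	cat $<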
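# Install the wrapper script, its configuration and the systemd unit, then
# register and enable the service.
# $(SERVICEFILE) is listed as a prerequisite because the recipe copies it;
# without it a missing unit file is only noticed halfway through the install.
install: $(SCRIPTFILE) $(CONFFILE) $(SERVICEFILE)
# The unit's ExecStart runs this script directly, so it must be executable.
	sudo install -o root -g root -m 0755 $(SCRIPTFILE) $(BINDIR)$(SCRIPTFILE)
# The configuration holds the VPN password in clear text and is sourced as
# shell code by a root service: root-owned and readable by root only.
	sudo install -o root -g root -m 0600 $(CONFFILE) $(CONFDIR)$(CONFFILE)
	sudo install -o root -g root -m 0644 $(SERVICEFILE) $(SERVICEDIR)$(SERVICEFILE)
	sudo systemctl daemon-reload
	sudo systemctl enable openconnect
	sleep 1
# Status listing only; grep finding nothing must not fail the install.
	-sudo systemctl -a | grep openconnect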
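# Start the VPN service and show its state and the resulting resolver config.
start:
# Keep a copy of the pre-VPN resolv.conf in the working directory, once.
# The original guard tested whether the directory $(RESOLVCONFDIR) was
# missing, which is never true on a running system, so the copy never
# happened. NOTE(review): guarding on the local copy is the presumed intent;
# confirm before relying on the backup.
	if [ ! -e "$(RESOLVCONFFILE)" ]; then cp "$(RESOLVCONFDIR)$(RESOLVCONFFILE)" "$(RESOLVCONFFILE)"; fi
	sudo service openconnect start
# Status listing only; an empty grep result is not an error.
	-sudo systemctl -a | grep openconnect
	sleep 1
	ps aux | grep openconnect
	cat $(RESOLVCONFDIR)$(RESOLVCONFFILE)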
# Stop the VPN service, then show what is left: unit state, any remaining
# openconnect processes, and the routing table after the tunnel is gone.
stop:
	sudo service openconnect stop
# Informational; the leading '-' keeps an empty grep result from failing make.
	-sudo systemctl -a | grep openconnect
	ps aux | grep openconnect
	route -n
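# Turn this host into a NAPT gateway that forwards traffic into the tunnel.
# The settings are runtime-only: neither the /proc write nor the iptables
# rule survives a reboot.
enable-napt:
	cat $(IP_FORWARD)
# The original wrote to a file named "ip_forward" in the current directory,
# so forwarding was never actually switched on; write to the kernel path.
	sudo sh -c "echo 1 > $(IP_FORWARD)"
	cat $(IP_FORWARD)
# CAUTION: -F flushes every chain of the nat table, including rules that
# other software on this host installed. Kept as in the original.
	sudo iptables -t nat -F
# Nothing here restricts the filter table's FORWARD chain, so which hosts may
# route through the VPN depends entirely on the existing FORWARD policy.
	sudo iptables -t nat -A POSTROUTING -o $(TUNNELDEVICE) -j MASQUERADE
	sudo iptables -t nat -L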
# Connection settings for openconnect.sh. The wrapper reads this file with
# the shell's "." command, so every line is executed as /bin/sh code: keep
# values single-quoted so spaces and shell metacharacters stay literal.
# The password is stored in clear text; keep the installed copy owned by
# root and readable by root only.
SERVER='vpnserver.example.com'
# Overrides the shell's own USER variable inside the wrapper script.
USER='nobodynobody'
PASSWORD='secret_secret'
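[Unit]
Description=openconnect.sh
# network.target only marks that the network stack has been started, not
# that an address or route exists. Ordering after network-online.target
# (and pulling it in with Wants=) keeps the first connection attempt at
# boot from running before the VPN server can be reached.
Wants=network-online.target
After=network-online.target auditd.service

[Service]
Type=simple
ExecStart=/usr/local/bin/openconnect.sh
# mixed: SIGTERM goes to the main process (the wrapper shell); anything
# still left in the unit's control group is then killed with SIGKILL.
KillMode=mixed
# Restarts after every exit, including an authentication failure, so a
# wrong stored password is retried automatically; check this against the
# VPN server's account-lockout policy.
Restart=always

[Install]
WantedBy=multi-user.target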
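#!/bin/sh
# Wrapper run by openconnect.service: loads the connection settings and
# starts openconnect in the foreground.

# The settings file is executed as shell code with this script's privileges,
# so anyone able to modify it controls what this service runs.
. /usr/local/etc/openconnect.conf

# The password goes to openconnect on stdin (--passwd-on-stdin) rather than
# on the command line. printf with a fixed format is used instead of echo,
# and every expansion is quoted: unquoted, a password containing spaces,
# glob characters or backslashes, or starting with "-", could reach the
# server altered or be split into extra arguments.
printf '%s\n' "${PASSWORD}" | /usr/sbin/openconnect -u "${USER}" --passwd-on-stdin --no-dtls --reconnect-timeout 30 "${SERVER}"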