Merge pull request #1 from ddadaal/iptables

Add port forwarding configuration

.env.example

@@ -1,2 +1,13 @@
-PORT=8888
+# The command to connect to the VPN
 CMD=
+
+# HTTP Proxy port
+PORT=8888
+
+# Port forward
+# The port in the host to listen to
+# Even if you don't use port forward, don't comment this line
+PF_PORT=18889
+
+# The destination for the port forwarding
+# PF_DEST=

Dockerfile

@@ -6,10 +6,17 @@ COPY ./apt-sources.list /etc/apt/sources.list
 # Update the sources
 # Install openconnect from buster-backports
 # And ssh
-RUN apt update && apt install -y -t buster-backports openconnect tinyproxy ssh
+RUN apt update && apt install -y -t buster-backports openconnect tinyproxy ssh iptables
 
 # Make tinyproxy accept requests from all hosts
 RUN sed -i "s/^Allow/#Allow/g" /etc/tinyproxy/tinyproxy.conf
 
 # Make tinyproxy accept CONNECT from all ports
-RUN sed -i "s/^ConnectPort/#ConnectPort/g" /etc/tinyproxy/tinyproxy.conf
+RUN sed -i "s/^ConnectPort/#ConnectPort/g" /etc/tinyproxy/tinyproxy.conf
+
+# Copy entry.sh
+COPY ./entry.sh /entry.sh
+
+RUN chmod +x /entry.sh
+
+ENTRYPOINT [ "/entry.sh" ]

README.cn.md

@@ -1,8 +1,12 @@
-# 连接到VPN的HTTP代理
+# 把VPN转换为代理
 
-还支持SSH！
+通过docker，这个项目把VPN连接为代理。特点：
 
-- [连接到VPN的HTTP代理](#连接到vpn的http代理)
+- 支持HTTP/HTTPS, SSH
+- 支持配置端口转发，可用于远程桌面等
+- 可运行于Docker支持的任何平台，包括Windows, Linux和macOS！
+
+- [把VPN转换为代理](#把vpn转换为代理)
 - [如何使用？](#如何使用)
 	- [1. 配置](#1-配置)
 	- [2. 运行代理](#2-运行代理)
@@ -13,6 +17,7 @@
 - [SSH](#ssh)
 	- [1. 配置SSH客户端使其使用本代理](#1-配置ssh客户端使其使用本代理)
 	- [2. 使用镜像中的SSH客户端](#2-使用镜像中的ssh客户端)
+- [端口转发](#端口转发)
 - [原理](#原理)
 - [实现](#实现)
 
@@ -25,8 +30,15 @@
 3. 按以下格式修改`.env`文件
 
 ```env
-PORT=监听的端口，默认为8888
-CMD=在容器内连接VPN的命令
+# 在容器内连接VPN的命令
+CMD=
+
+# HTTP代理监听的端口
+PORT=8888
+
+# 端口转发配置
+# 本地监听端口。即使你不用端口转发，也不要注释掉这一行
+PF_PORT=18889
 ```
 
 `configs`文件夹下放了一些大学的`CMD`值的示例。
@@ -156,6 +168,24 @@ pwsh bash.sh
 ssh username@ip
 ```
 
+# 端口转发
+
+你还可以使用此代理来进行本地端口到远程地址的某个端口的转发，可用于Windows远程桌面等非HTTP场景。
+
+通过如下`.env`配置来配置此功能：
+
+```env
+# 在本机监听的端口
+PF_PORT=18889
+
+# 转发目标
+PF_DEST=10.2.3.4:3389
+```
+
+程序启动后，您对所有`localhost:18889`端口的流量将会被转发到`10.2.3.4:3389`中。
+
+例如，如果您有一台Windows机器开启了RDP协议，且RDP协议在`10.2.3.4:3389`监听，那么现在你可以使用`localhost:18889`来连接到那台远程桌面。
+
 # 原理
 
 ![使用本方案的网络请求流向](docs/arch/cn.png)

README.md

@@ -1,20 +1,25 @@
-# Use VPN as a HTTP proxy server
+# Use VPN as a proxy server
 
 [中文](README.cn.md)
 
-Also support SSH!
+Using docker, this project converts VPN connecting into a proxy. 
 
-- [Use VPN as a HTTP proxy server](#use-vpn-as-a-http-proxy-server)
+- Proxy HTTP/HTTPS, SSH
+- Forward any data via port forwarding (like remote desktop)
+- Runs on any platform Docker supports, including Windows, Linux, and macOS!
+
+- [Use VPN as a proxy server](#use-vpn-as-a-proxy-server)
 - [How to use?](#how-to-use)
 	- [1. Configuration](#1-configuration)
 	- [2. Run Proxy Server](#2-run-proxy-server)
-- [Set proxy server for apps](#set-proxy-server-for-apps)
+- [Set HTTP proxy server for apps](#set-http-proxy-server-for-apps)
 	- [git](#git)
 	- [Most CLI programs](#most-cli-programs)
 	- [Browsers](#browsers)
 - [SSH](#ssh)
 	- [1. Make SSH client use this proxy](#1-make-ssh-client-use-this-proxy)
 	- [2. Using SSH client in this image](#2-using-ssh-client-in-this-image)
+- [Port forwarding](#port-forwarding)
 - [Motivation](#motivation)
 - [Implementation](#implementation)
 
@@ -28,8 +33,20 @@ Also support SSH!
 3. Modify the `.env` file as follows:
 
 ```env
-PORT=the listening port in your host, for example 8888
-CMD=the command to connect to your VPN using openconnect
+# The command to connect to the VPN
+CMD=
+
+# HTTP Proxy port
+PORT=8888
+
+# Port forward
+# The port in the host to listen to
+# Even if you don't use port forwarding, you have to set the port here
+PF_PORT=18889
+
+# The destination for the port forwarding
+# If you don't use port forwarding, leave this commented out
+# PF_DEST=
 ```
 
 Example CMD values of several universities are under the `configs` file. 
@@ -66,7 +83,7 @@ After the `.env` file is configured, you can run the proxy:
 
 It is tested that the VPN connected in one container are isolated with other containers, i.e. the other containers are not connected to the VPN connected by one container.
 
-# Set proxy server for apps
+# Set HTTP proxy server for apps
 
 Set the HTTP/HTTPS proxy server of apps to `http://localhost:{PORT}` (the PORT you set in the `.env` file)
 
@@ -158,6 +175,24 @@ pwsh bash.sh
 ssh username@ip
 ```
 
+# Port forwarding
+
+You can use this proxy to forward a local port to an destination. You can use this feature in non-HTTP scenarios like Windows Remote Desktop.
+
+To configure it, set the following envs in `.env`
+
+```env
+# The port in the host to listen to
+PF_PORT=18889
+
+# The destination for the port forwarding
+PF_DEST=10.2.3.4:3389
+```
+
+When the proxy is up, all data to `localhost:18889` will be forwarded to `10.2.3.4:3389`.
+
+For example, if you have a Windows with RDP service running at `10.2.3.4:3389`, you can now use `localhost:18889` to connect to it!
+
 # Motivation
 
 ![Network flow](docs/arch/en.png)

docker-compose.yml

@@ -4,19 +4,17 @@ services:
     image: ghcr.io/ddadaal/vpn-as-http-proxy:master
     container_name: vpnproxy
     environment: 
+      - CMD=${CMD}
       - PORT=8888
+      - PF_DEST=${PF_DEST}
     build:
       context: .
       dockerfile: ./Dockerfile
     ports:
       - ${PORT}:8888
+      - ${PF_PORT}:18889
     # https://stackoverflow.com/questions/30547484/calling-openconnect-vpn-client-in-docker-container-shows-tunsetiff-failed-opera
     cap_add: 
       - NET_ADMIN
     volumes:
       - ${HOME}/.ssh:/root/.ssh
-    command: bash -c '
-        chmod 400 /root/.ssh/id_rsa &&
-        tinyproxy &&
-        ${CMD}
-      '

entry.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+if [ -f "/root/.ssh/id_rsa" ]; then
+    chmod 400 /root/.ssh/id_rsa
+fi
+
+if [ -n "${PF_DEST}" ]; then
+    iptables -t nat -A PREROUTING -p tcp --dport 18889 -j DNAT --to-destination ${PF_DEST}
+    iptables -t nat -A POSTROUTING -j MASQUERADE
+fi
+
+tinyproxy
+
+eval "${CMD}"