openconnect launchd

openconnect_wrapper

#!/bin/bash
# /etc/openconnect_wrapper

# swap out SIGTERM for openconnect-friendly SIGINT

_term() {
  kill -INT "$child" 2>/dev/null
}
trap _term SIGTERM

cat | /usr/local/bin/openconnect "$@" &
child=$!
wait "$child"

vpn.openconnect.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Disabled</key>       <true/>
    <key>Label</key>          <string>vpn.openconnect</string>
    <key>StandardInPath</key> <string>/etc/vpn_secret</string>
    <key>RunAtLoad</key>      <true/>
    <key>ProgramArguments</key>
    <array>
        <string>/etc/openconnect_wrapper</string>
        <string>--authgroup=__AUTHGROUP__</string>
        <string>--user=__USER__</string>
        <string>__VPN_URL__</string>
    </array>
</dict>
</plist>

vpn_secret

My_Pa$sW0rd

How to manage openconnect with launchd on OSX. Once set up, you can start and stop the service with sudo launchctl start vpn.openconnect and sudo launchctl stop vpn.openconnect.

openconnect_wrapper and vpn_secret live in /etc/. openconnect_wrapper should be executable, and vpn_secret should be owned by root and have no group or other access (especially read). vpn.openconnect.plist lives in /Library/LaunchDaemons/.