
@darrenpmeyer
Last active October 18, 2018 17:07
Building OpenConnect for OS X with stoken and GnuTLS

This guide helps you build OpenConnect 7.x on OS X. You might want to do this if you want a newer version than the openconnect package in Homebrew provides, or if you want libstoken support (so that an RSA soft token stored on your machine is used automatically by OpenConnect).

Shortcut

The version of OpenConnect on Homebrew has been updated, and so this whole guide can now be replaced with:

  1. Install Homebrew from http://brew.sh and make sure it works
  2. brew install openconnect --with-stoken
  3. brew install stoken (See the "Using OpenConnect" section below for information about using stoken to set up soft tokens)

Dependencies and the rest are taken care of for you. I'm leaving the rest in place for people who may wish to build OpenConnect with other options, for educational purposes, etc.

Prerequisites

Preflight

The following command installs the needed libraries and support tools:

brew install gcc vpnc lz4 stoken gnutls
  • gcc is needed for compilation
  • vpnc is required for OpenConnect to run post-connect scripts that establish proper routing (among other things)
  • lz4 is required by some VPN servers. You can compile without it if you're positive your servers do not require it
  • stoken is required to use RSA tokens. If you don't need that feature, you may omit it
  • gnutls is required for establishing the SSL/TLS connection to your AnyConnect server. You may optionally use the openssl package instead, but you'll need to configure the openconnect build with --without-gnutls

Configure, make, install

./configure --with-vpnc-script=/usr/local/etc/vpnc/vpnc-script --disable-nls
make
make install

Note: do not perform any of these steps as root, including the make install. Homebrew expects the correct installation directories to be owned by you, so root is not required and will just mess things up.

Using OpenConnect with stoken support

Import your token

  1. Import your RSA token provisioning string, URL, or file with one of:

    stoken import --file filename.stdid

    stoken import --token token_string_or_url

  2. Enter the token's password if prompted; you may choose a new one or leave it blank.

  3. If prompted for a PIN, use the provisioning PIN; if you don't have one, it's probably 0000.

  4. Check that ~/.stokenrc was created.

Run OpenConnect

sudo /usr/local/sbin/openconnect --token-mode=rsa [options] server.name.tld

You will be prompted for a token password if you set one up, and your token PIN. If no PIN is set, you must enter 0000. Your AnyConnect server may also prompt you for profile, username, and password information depending on the options you use and the configuration of your server.
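As an added example (not part of the original gist), the following preflight script ties the steps above together before you run openconnect: it checks that ~/.stokenrc exists and is readable by its owner only, that the vpnc-script path given to ./configure is present and executable, and that the installed openconnect was built with libstoken (its --version output then lists "RSA software token"). The Homebrew paths, the environment-variable overrides and the script name vpn-preflight.sh are assumptions.

```shell
#!/bin/sh
# Preflight for openconnect --token-mode=rsa. Example code, not from the gist;
# assumes the Homebrew paths used above and stoken's default ~/.stokenrc.
STOKENRC="${STOKENRC:-$HOME/.stokenrc}"
OPENCONNECT="${OPENCONNECT:-/usr/local/sbin/openconnect}"
VPNC_SCRIPT="${VPNC_SCRIPT:-/usr/local/etc/vpnc/vpnc-script}"

# Permission bits of a file in octal: BSD stat on OS X, GNU stat elsewhere.
file_mode() {
    case "$(uname)" in
        Darwin) stat -f '%OLp' "$1" ;;
        *)      stat -c '%a' "$1" ;;
    esac
}

# ~/.stokenrc holds the imported token seed, so it must exist and be readable
# by its owner only (mode 600). Returns 0 when both hold, 1 otherwise.
check_stokenrc() {
    rc="${1:-$STOKENRC}"
    [ -f "$rc" ] || { echo "missing $rc; run 'stoken import' first" >&2; return 1; }
    mode=$(file_mode "$rc")
    case "$mode" in
        600|0600) return 0 ;;
        *) echo "$rc has mode $mode; fix with: chmod 600 $rc" >&2; return 1 ;;
    esac
}

# Given the text of 'openconnect --version', confirm the binary was built with
# libstoken: the "Features present" line then lists "RSA software token".
has_stoken_feature() {
    printf '%s\n' "$1" | grep -q 'RSA software token'
}

# The vpnc-script passed to ./configure must exist and be executable, or the
# tunnel comes up without routes being installed.
check_vpnc_script() {
    [ -x "${1:-$VPNC_SCRIPT}" ] && return 0
    echo "vpnc-script not executable at ${1:-$VPNC_SCRIPT}; brew install vpnc" >&2
    return 1
}

main() {
    check_stokenrc && check_vpnc_script || return 1
    has_stoken_feature "$("$OPENCONNECT" --version 2>&1)" ||
        { echo "$OPENCONNECT lacks stoken support (rebuild with libstoken)" >&2; return 1; }
    echo "preflight OK: sudo $OPENCONNECT --token-mode=rsa [options] server.name.tld"
}
# Run the checks when saved and executed as vpn-preflight.sh; when the file is
# sourced instead, only the functions are defined.
case "${0##*/}" in vpn-preflight.sh) main ;; esac
```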


filler commented Sep 2, 2016

You can brew reinstall openconnect --with-stoken like I did.

Also there is stoken setpin to seed your ~/.stokenrc with your SecurID PIN.

That allows one to sudo openconnect --background --token-mode=rsa --no-dtls --user=${it_me} ${da_vpn} via shell alias and things should 'just work'.

🎉
