This guide helps you build OpenConnect 7.x on OS X. You might want to do this if you want a newer version than the openconnect package in Homebrew provides, or if you want to use libstoken support (so that an RSA soft token on your machine is used automatically by OpenConnect).
The version of OpenConnect on Homebrew has been updated, and so this whole guide can now be replaced with:
- Install Homebrew from http://brew.sh and make sure it works
- brew install openconnect --with-stoken
- brew install stoken
(See the "Using OpenConnect" section below for information about using stoken to set up soft tokens)
Dependencies and the rest are taken care of for you. I'm leaving the rest in place for people who may wish to build OpenConnect with other options, for educational purposes, etc.
- Install Homebrew from http://brew.sh and make sure it works
The following commands will install the needed libraries and support tools
brew install gcc vpnc lz4 stoken gnutls
- gcc is needed for compilation
- vpnc is required for OpenConnect to run post-connect scripts that establish proper routing (among other things)
- lz4 is required by some VPN servers. You can compile without it if you're positive your servers do not require it
- stoken is required to use RSA tokens. If you don't need that feature, you may omit it
- gnutls is required for establishing the SSL/TLS connection to your AnyConnect server. You may optionally use the openssl package instead, but you'll need to configure the openconnect build with --without-gnutls
./configure --with-vpnc-script=/usr/local/etc/vpnc/vpnc-script --disable-nls
make
make install
Note: do not perform any of these steps as root, including the make install. Homebrew expects the correct installation directories to be owned by you, so root is not required and will just mess things up.
- Import your RSA token provisioning string, URL, or file with one of:
  stoken import --file filename.stdid
  stoken import --token token_string_or_url
- Enter the token's password if prompted; you may choose a new one or leave it blank.
- If prompted for a PIN, use the provisioning PIN; if you don't have one, it's probably 0000
- Check to see that ~/.stokenrc was created
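A check for the last step above, as an added example that is not part of the original guide: it confirms that ~/.stokenrc exists, is a regular file owned by you, and is not accessible to group or other. The function name check_stokenrc is made up here, and the script assumes the file holds the imported token and should therefore be private to your account.

```shell
#!/bin/sh
# Added example (not from the guide): audit the stoken rc file after "stoken import".
# Assumption: the file holds the imported token, so only its owner should have access.

# check_stokenrc [path]
#   Prints one finding per line; returns 0 only when every check passes.
#   Defaults to ~/.stokenrc, the file the guide tells you to look for.
check_stokenrc() {
    rc="${1:-$HOME/.stokenrc}"
    status=0

    # A symlink could point the token at a location you did not intend.
    if [ -L "$rc" ]; then
        echo "FAIL: $rc is a symlink"
        return 1
    fi
    if [ ! -f "$rc" ]; then
        echo "FAIL: $rc not found or not a regular file"
        return 1
    fi

    # "ls -ln" works on both macOS and Linux: field 1 is the mode string,
    # field 3 the numeric owner uid. Only the first 10 characters of the mode
    # are kept, dropping any trailing ACL/attribute marker such as "@" or "+".
    ls_out=$(ls -ln "$rc") || return 1
    mode=$(printf '%s\n' "$ls_out" | awk '{print substr($1, 1, 10)}')
    owner_uid=$(printf '%s\n' "$ls_out" | awk '{print $3}')

    if [ "$owner_uid" != "$(id -u)" ]; then
        echo "FAIL: $rc is owned by uid $owner_uid, not by you (uid $(id -u))"
        status=1
    fi

    # Owner bits may be anything; all six group/other bits must be "-".
    case "$mode" in
        -???------) ;;
        *)
            echo "FAIL: $rc has mode $mode; fix with: chmod 600 $rc"
            status=1
            ;;
    esac

    if [ "$status" -eq 0 ]; then
        echo "OK: $rc exists, is owned by you, and is private ($mode)"
    fi
    return "$status"
}
```

Source the file and run check_stokenrc with no argument to audit ~/.stokenrc, or pass a path to check a different file.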
sudo /usr/local/sbin/openconnect --token-mode=rsa [options] server.name.tld
You will be prompted for a token password if you set one up, and your token PIN. If no PIN is set, you must enter 0000. Your AnyConnect server may also prompt you for profile, username, and password information depending on the options you use and the configuration of your server.
You can brew reinstall openconnect --with-stoken like I did. Also there is stoken setpin to seed your ~/.stokenrc with your SecurID PIN. That allows one to
sudo openconnect --background --token-mode=rsa --no-dtls --user=${it_me} ${da_vpn}
via shell alias and things should 'just work'. 🎉