OpenConnect VPN on Mac OS X

Unfortunately, the Cisco AnyConnect client for Mac conflicts with Pow. And by "conflicts", I mean it causes a grey-screen-of-death kernel panic anytime you connect to the VPN and Pow is installed.

As an alternative, there is OpenConnect, a command-line client for Cisco's AnyConnect SSL VPN.

Here's how to get it set up on Mac OS X:

  1. OpenConnect can be installed via homebrew:

         brew update
         brew install openconnect

  2. Install the Mac OS X TUN/TAP driver

  3. (Optional) Running openconnect requires sudo, presumably because it affects resolution of DNS. So, I added password-less sudo ability for the openconnect command:

         sudo visudo -f /etc/sudoers

     And added this line:

         %admin  ALL=(ALL) NOPASSWD: /usr/local/bin/openconnect

  4. (Optional) When connecting to your SSL VPN, openconnect may complain about a "self-signed certificate" being in the chain and force you to explicitly accept it every time. The self-signed cert is actually the root certificate and (hopefully) is one with implicit trust (i.e. trusted by browsers), so we can safely trust it by specifying the CA file after exporting it from Keychain:

     1. Determine the name of your root certificate (i.e. visit your SSL VPN in Chrome, click the green lock, click "Certificate Information" and note the root certificate at the top of the chain)
     2. Open the Keychain Access app
     3. Search the "System Roots" keychain to find your root certificate and select it
     4. File > Export Items... the certificate as a .pem file somewhere on your hard drive (I put it in ~/.ssh/<certificate name>.pem)

  5. Connect!

         sudo openconnect --user=<VPN username> --cafile=<.pem file from step 4.3> <your vpn hostname>

     The only thing you should be prompted for is your VPN password. I added the command to my aliases file.

  6. To disconnect, just Ctrl-c in the window where you started the VPN connection.

Note

I had an incident after an unclean VPN exit where later the VPN hostname could not be found. I guess the DNS resolver was messed up. I was forced to reboot to fix it so I could reconnect to the VPN.
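
As an added example (not part of the gist), here is a small POSIX sh wrapper around steps 3 to 6 that checks its inputs before anything reaches sudo: it rejects a relative --cafile path (a path without the leading slash is resolved against the current directory, which is what produces "Failed to open CA file"), insists that the password file is mode 600, feeds the password over --passwd-on-stdin so it never appears in the argument list or shell history, and stops the background connection with SIGINT (what Ctrl-c sends) so openconnect runs its own cleanup. The names ~/.ocvpn_secret, ~/.openconnect.pid and the OC_BIN variable are my own conventions; OC_BIN matches the path in the sudoers line above.

```sh
#!/bin/sh
# Added example (not part of the gist): a wrapper around steps 3 to 6 that checks
# its inputs before anything reaches sudo. The secret and pid file names and
# OC_BIN are my own conventions; OC_BIN matches the sudoers entry from step 3.
OC_BIN="${OC_BIN:-/usr/local/bin/openconnect}"
OC_SECRET="${OC_SECRET:-$HOME/.ocvpn_secret}"
OC_PID="${OC_PID:-$HOME/.openconnect.pid}"

# check_cafile PATH: succeed only for an absolute, readable PEM file. A relative
# path is resolved against the current directory, which is how a missing
# leading slash turns into "Failed to open CA file".
check_cafile() {
    path="$1"
    case "$path" in
        /*) ;;
        *) echo "cafile must be an absolute path: $path" >&2; return 1 ;;
    esac
    [ -r "$path" ] || { echo "cafile not readable: $path" >&2; return 1; }
    grep -q 'BEGIN CERTIFICATE' "$path" || { echo "cafile is not PEM: $path" >&2; return 1; }
}

# check_secret FILE: the password file must exist and be mode 600, so a
# plaintext VPN password is at least not readable by other local users.
check_secret() {
    f="$1"
    [ -f "$f" ] || { echo "secret file missing: $f" >&2; return 1; }
    case "$(uname)" in
        Darwin) mode=$(stat -f '%Lp' "$f") ;;   # BSD stat on macOS
        *)      mode=$(stat -c '%a' "$f") ;;    # GNU stat elsewhere
    esac
    [ "$mode" = "600" ] || { echo "$f is mode $mode, expected 600" >&2; return 1; }
}

# vpnstart USER HOST [CAFILE]: connect in the background. The password is fed
# over stdin (--passwd-on-stdin), so it never appears in argv or shell history.
vpnstart() {
    user="$1"; host="$2"; cafile="$3"
    if [ -z "$user" ] || [ -z "$host" ]; then
        echo "usage: vpnstart USER HOST [CAFILE]" >&2; return 1
    fi
    check_secret "$OC_SECRET" || return 1
    set -- --user="$user" --passwd-on-stdin --background --pid-file="$OC_PID"
    if [ -n "$cafile" ]; then
        check_cafile "$cafile" || return 1
        set -- "$@" --cafile="$cafile"
    fi
    sudo "$OC_BIN" "$@" "$host" < "$OC_SECRET"
}

# vpnstop: SIGINT is what Ctrl-c sends (step 6), so openconnect runs its
# cleanup script and restores routes and DNS instead of leaving them behind.
vpnstop() {
    if [ ! -f "$OC_PID" ]; then
        echo "no pid file at $OC_PID; openconnect is probably not running" >&2
        return 1
    fi
    sudo kill -INT "$(cat "$OC_PID")" && rm -f "$OC_PID"
}
```

Source the file in your shell and run `vpnstart <VPN username> <your vpn hostname> /Users/<you>/.ssh/<certificate name>.pem`, then `vpnstop` when you are done. Keeping the NOPASSWD entry limited to the openconnect binary (as in step 3) is what makes the wrapper usable from scripts without granting password-less root for anything else.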

analyticsPierce commented May 8, 2013

I am trying to get this working and I am getting an error when I try to connect via:

sudo openconnect --user=my_username --cafile=Users/pierce/my_pem_file.pem vpn-1.domain.com

And I get the following error message:

Failed to open CA file 'Users/pierce/my_pem_file.pem'
73628:error:02001002:system library:fopen:No such file or directory:/SourceCache/OpenSSL098/OpenSSL098-47/src/crypto/bio/bss_file.c:126:fopen('Users/pierce/my_pem_file.pem','r')

Any suggestions to get this fixed?

vbt101 commented May 8, 2013

You forgot the leading slash on the pem file location: sudo openconnect --user=my_username --cafile=/Users/pierce/my_pem_file.pem vpn-1.domain.com

ugtar commented Feb 28, 2014

Have you tried this on Mavericks?

cecil commented Mar 18, 2014

Ugtar, I've been using this with Mavericks for a few months now.

crhan commented Mar 27, 2014

OpenConnect does not properly set the DNS config; it is still using my local DNS rather than the VPN's DNS. Has anybody else hit this problem?

johnutz-self commented Jun 6, 2014

Hi crhan, I just fixed this myself this morning on Mavericks by using the latest vpnc-script:

http://www.infradead.org/openconnect/vpnc-script.html

Add this to your openconnect command line: --script /opt/local/etc/vpnc/vpnc-script

dlangille commented Oct 28, 2014

Worked great in Mavericks. Upgraded to Yosemite:

Failed to open tun device: No such file or directory
Set up tun device failed

BruceClark commented Oct 29, 2014

@dlangille That's because TunTap (the kernel extension this is based on) is unsigned, and unsigned extensions are no longer allowed on Yosemite.

leonsyc commented Nov 10, 2014

@BruceClark Is there a way to fix this?

anderskristo commented Nov 20, 2014

@BruceClark, @leonsyc, have you found a fix for this?

DrewAPicture commented Nov 26, 2014

@leonsyc @anderskristo They've released a binary for installing tuntap via a package. http://sourceforge.net/projects/tuntaposx/files/tuntap/20141104/

jnierodzik commented Apr 23, 2015

Running on 10.10.3 I am able to connect, but then lose the ability to resolve hostnames. IP works fine, however. Any ideas?

EdHurtig commented May 5, 2015

Thanks a ton! Worked like a charm... didn't even need tuntap. Possibly because I already have other VPN software (Viscosity) installed.

njuaplusplus commented May 7, 2015

On 10.10.3, it shows "DTLS handshake failed: Resource temporarily unavailable, try again."

marcosscriven commented May 26, 2015

I'm also getting an issue with reconnecting not resolving the domain name the second time. Rebooting clears out 'something', and it works again, but not sure what. I've tried dns cache flushing and route flushing to no avail.

alfrescoo commented Jun 3, 2015

Does this client support iOS? I want to use this on my iPhone.

kyze8439690 commented Sep 9, 2015

@alfrescoo AnyConnect is in the App Store.

jholster commented Oct 2, 2015

Is OS X El Capitan supported yet?

ntelementary commented Oct 23, 2015

This works on El Capitan for me (I previously had Homebrew installed before I upgraded, on a fresh computer you'll need to boot into Recovery Mode to disable the Rootless protection, I believe).

Rather than figuring out how to set up the TunTap extensions, I downloaded the Viscosity VPN application (free trial), which installed it for me. No need for the app after the initial setup.

wyoung commented Jan 13, 2016

FYI, tuntap is now in Homebrew: brew install Caskroom/cask/tuntap

(It has to be a cask because modern OS X versions require signed kexts, so building from source will just yield a driver you can't load into your kernel.)

wyoung commented Jan 13, 2016

I had to modify the example openconnect significantly because I'm using a password-based VPN instead of a certificate-based VPN, so I thought I'd share my alternative method:

echo 'P4s$w0rD' | sudo openconnect \
    --user=myusername \
    --authgroup=MY_GROUP \
    --passwd-on-stdin \
    vpn.mysite.example.com

The authgroup bit is another tricky part, because there are two other places to say "group" in the command, neither of which works (-g, and appending it to the URL).

feldversuch commented Jan 22, 2016

thx wyoung.
For me it works great with an alias:

echo 'P4s$w0rD' > ~/.ocvpn_secret   # single quotes: unquoted, the shell would expand $w0rD to nothing
# chmod 600 ~/.ocvpn_secret keeps the secret readable only by your user

alias ocvpn='cat ~/.ocvpn_secret | sudo openconnect -u myusername --passwd-on-stdin https://webvpn.mysite.de'

dingus9 commented Feb 5, 2016

If openconnect bails after making the connection to the VPN it won't run its cleanup scripts to reset routes and resolv.conf... Instead of rebooting, I figured out you can just run

sudo route delete default
sudo route add default $(cat /usr/local/run/vpnc/defaultroute)
sudo cp /var/run/vpnc/resolv.conf-backup /etc/resolv.conf

andreabedini commented Apr 2, 2016

http://www.infradead.org/openconnect/building.html says openconnect doesn't require tuntap anymore on recent OS X versions:

Mac OS X users with OS X 10.6 or older, or using OpenConnect 6.00 or older, will also need to install the Mac OS X tun/tap driver. Newer versions of OpenConnect will use the utun device on OS X which does not require additional kernel modules to be installed.

Tested on OSX 10.11.4 and it works indeed.

southfox commented Jun 3, 2016

Works very well, and I use it combined with stoken.

badcrocodile commented Jun 6, 2016

Mac 10.11.5 here and all I needed was to install openconnect (via homebrew) and run sudo openconnect https://urlto.vpn.

BioQwer commented Sep 27, 2016

This FAQ doesn't solve my problem.

Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 30, Keepalive 20
Connected as  IP , using SSL
Continuing in background; pid 5707
tv-n00708-01:Downloads bioqwer$ mkdir: /var/run/vpnc: Permission denied
Failed to connect utun unit: Operation not permitted
Failed to open tun device: Operation not permitted
Set up tun device failed
Unknown error; exiting.

alkos333 commented Sep 29, 2016

@marcosscriven,

That's because OS X relies on its own system configuration tool, which doesn't rely on resolv.conf, etc.: scutil.

Here's an excellent blog post describing how to fix an unclean shutdown of openconnect: http://diaryproducts.net/about/operating_systems/mac_os_x/overriding_dhcp_or_vpn_assigned_dns_servers_in_mac_os_x_leopard

jeanfrancoisgratton commented Apr 12, 2017

Before anyone asks, it works just fine on Sierra as well.

geekcui commented Apr 27, 2017

Here is how to fix the broken network caused by openconnect. Tested on macOS Sierra.

#!/bin/bash

PATTERN="State:/Network/Service/utun[0-9]+/DNS"
REMOVE_RECORD_CMD=""
REMOVE_RECORD_MSG="RECORDS TO REMOVE:\n"

sudo pkill openconnect

RECORDS=`scutil <<EOF
list $PATTERN
quit
EOF`

for RECORD in `echo $RECORDS`; do
    if [[ "$RECORD" =~ "State" ]]; then
        REMOVE_RECORD_CMD="${REMOVE_RECORD_CMD}remove $RECORD \n"
        REMOVE_RECORD_MSG="${REMOVE_RECORD_MSG}$RECORD \n"
    fi
done

if [ "x$REMOVE_RECORD_CMD" != "x" ]; then
    printf "$REMOVE_RECORD_MSG"
    sudo scutil <<EOF
`printf "$REMOVE_RECORD_CMD"`
quit
EOF
fi
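
As an added example (not from the gist or from geekcui's comment), the same recovery split into two parts: a parser that turns `scutil list` output into the keys to remove, which can be checked on any system with constructed input, and the macOS-only privileged step that actually removes them. The "  subKey [n] = State:/..." line format is assumed from the output the script above splits on; DRY_RUN is my own convention for previewing the scutil commands without running them.

```sh
#!/bin/sh
# Added example (not from the gist or its comments): clean up the per-utun DNS
# records that openconnect's vpnc-script leaves in the System Configuration
# store after an unclean exit. Parsing is kept separate from the privileged
# scutil calls so it can be checked anywhere; DRY_RUN is my own convention.

# utun_dns_keys: read `scutil list` output on stdin and print one matching key
# per line. The "  subKey [n] = State:/..." line format is assumed from the
# output the scutil-based script in this thread splits on.
utun_dns_keys() {
    sed -n 's|^[[:space:]]*subKey \[[0-9][0-9]*\] = \(State:/Network/Service/utun[0-9][0-9]*/DNS\)[[:space:]]*$|\1|p'
}

# scutil_remove_script: turn keys on stdin into a scutil command script.
# Returns 1 when there is nothing to remove, so the caller never feeds scutil
# an empty script.
scutil_remove_script() {
    keys=$(cat)
    [ -n "$keys" ] || return 1
    printf '%s\n' "$keys" | sed 's|^|remove |'
    echo quit
}

# stale_utun_dns_cleanup: the macOS-only, privileged part.
# SIGINT (not SIGTERM) gives a still-running openconnect the chance to run its
# own cleanup script before anything is removed by hand.
stale_utun_dns_cleanup() {
    sudo pkill -INT openconnect 2>/dev/null
    keys=$(printf 'list State:/Network/Service/utun[0-9]+/DNS\nquit\n' | scutil | utun_dns_keys)
    if ! script=$(printf '%s\n' "$keys" | scutil_remove_script); then
        echo "no stale utun DNS records found"
        return 0
    fi
    printf '%s\n' "$script"                 # show what is about to be removed
    if [ "${DRY_RUN:-0}" = 1 ]; then
        return 0
    fi
    printf '%s\n' "$script" | sudo scutil
}
```

Run `DRY_RUN=1 stale_utun_dns_cleanup` first to see the `remove` lines that would be sent to scutil; only keys that match the utun DNS pattern are ever touched, so an unrelated service's DNS configuration cannot be removed by mistake.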

emicklei commented Sep 26, 2017

For editing the sudoers file, I added "EDITOR=vi " in front of "sudo visudo -f /etc/sudoers" because I defined Visual Studio Code to be the default editor and that one does not work with the sudoers file (somehow).

stevenjmonk commented Sep 27, 2017

I keep getting this message:

Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 30, Keepalive 20
Connected as 172.23.42.146, using SSL
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS0.9)-(RSA)-(AES-256-CBC)-(SHA1).
mkdir: /var/run/vpnc: Permission denied
Failed to connect utun unit: Operation not permitted
Failed to open tun device: Operation not permitted
Set up tun device failed
Unknown error; exiting.

I have followed the instructions above, but can't get it working.

rmahangoe commented Oct 10, 2017

@stevenjmonk, run openconnect as root or with sudo.

davesag commented Oct 24, 2017

I can confirm this all works fine on High Sierra.

ricardo85x commented Nov 8, 2017

When I try with GlobalProtect I get an error:

openconnect --protocol=gp vpn.acme.com --dump -vvv

Unknown VPN protocol 'gp'

orestis46 commented Nov 22, 2017

Works fine with High Sierra (running as root or using sudo)

stevenjmonk commented Dec 11, 2017

Thanks @rmahangoe, that did the trick. I just can't seem to connect to any of my work servers once connected. It all connects up in the terminal dialogue, but when I Cmd+K to type in the server address it doesn't find anything.

nikolaydimitrov commented Dec 30, 2017

Great, thank you! Cisco AnyConnect doesn't play well with iPhone tethering and this helped.
By the way, I just did brew install openconnect and it all worked on OS X 10.11.6 (El Capitan).

hadifarnoud commented Jan 11, 2018

There is just one big issue with openconnect: if you kill the process via "Activity Monitor", it messes up networking. Nothing works! LAN and WiFi.

Is there any way to fix the networking issue after killing the process? I'm using AppleScript to automate the connection. Sometimes openconnect stops working and all I can do is kill it via Activity Monitor.

ralberts commented Feb 2, 2018

Thank you!

AlJohri commented May 28, 2018

In case it helps anyone, I used these bash functions to start and stop the VPN more easily with openconnect and Juniper (Junos Pulse):

vpnsetup() {
    sudo sh -c 'echo "%admin ALL=(ALL) NOPASSWD: /usr/local/bin/openconnect, /bin/kill" > /etc/sudoers.d/openconnect'
}

vpnstart() {
    # password comes in on stdin so it never appears on the command line
    cat ~/.work_password | sudo openconnect \
        --background \
        --pid-file="$HOME/.openconnect.pid" \
        --juniper \
        --user="$USERNAME" \
        --authgroup="$AUTHGROUP" "$ADDRESS" \
        --passwd-on-stdin
}

vpnstop() {
    # SIGINT (2) lets openconnect run its cleanup before exiting
    if [[ -f "$HOME/.openconnect.pid" ]]; then
        sudo kill -2 "$(cat "$HOME/.openconnect.pid")" && rm -f "$HOME/.openconnect.pid"
    else
        echo "openconnect pid file does not exist, probably not running"
    fi
}

$USERNAME is your username, cat ~/.work_password has your VPN password, $AUTHGROUP is your authgroup, and $ADDRESS is the address you connect to the VPN through (like ra.blah.com).

nhajratw commented Sep 14, 2018

Hopefully this can help someone (@hadifarnoud). Building on @AlJohri's functions, I did this in zsh. My networking also was getting messed up after disconnect, but stopping and starting the WiFi & Ethernet seems to have done the trick.

en0 is my WiFi, and en7 is my Ethernet:

function vpnstart() {
  echo 'MY_PASSWORD' | sudo openconnect --background --pid-file=$HOME/.openconnect.pid --user=nayan --passwd-on-stdin --protocol=gp vpn.hq.nodalexchange.com
}

function vpnstop() {
  sudo kill -2 `cat "$HOME/.openconnect.pid"` && rm -f "$HOME/.openconnect.pid"
  sleep 3
  sudo ifconfig en7 down
  networksetup -setairportpower en0 off
  sudo ifconfig en7 up
  networksetup -setairportpower en0 on
}

jankkm commented Oct 11, 2018

Thank you so much for this tutorial. It still works on Mojave.
I just had to do 2 steps:

  1. Install openconnect via homebrew
  2. Do sudo openconnect --user=<user> <server>

After typing the password I am already connected.

I did a third step to allow my standard user account to use it:

  3. Add user ALL=PASSWD: /usr/local/bin/openconnect to /etc/sudoers with the command sudo visudo

With NOPASSWD it can be used without a password if you want to use a script.

bdarge commented Oct 25, 2018

@jankkm I'm using openconnect version v7.08 in Mojave but it is not working for me; the last error is "route: writing to routing socket: Can't assign requested address". It happened after I upgraded the OS to Mojave.

The complete command is: sudo openconnect --protocol=nc $VPN_HOST -b -v --pid-file=$PID_FILE --user $user --servercert $cert. What could be the cause?

Thanks

tibraga commented Jan 15, 2019

I have the same problem as @bdarge :(

tibraga commented Jan 15, 2019

For Mac OS users:

Create a file with this content: https://gist.github.com/cattyhouse/f3e2d1621e731ea7e26f

and in the command, add the --script parameter with the location of the file.

For me, this works on Mac Sierra and Mojave.
