OpenConnect VPN on Mac OS X

openconnect.md

Unfortunately, the Cisco AnyConnect client for Mac conflicts with Pow. And by "conflicts", I mean it causes a grey-screen-of-death kernel panic anytime you connect to the VPN and Pow is installed.

As an alternative, there is OpenConnect, a command-line client for Cisco's AnyConnect SSL VPN.

Here's how to get it set up on Mac OS X:

1. OpenConnect can be installed via homebrew:

    brew update
    brew install openconnect
   

2. Install the Mac OS X TUN/TAP driver

3. (Optional) Running openconnect requires sudo, presumably because it affects resolution of DNS. So, I added password-less sudo ability for the openconnect command.

    sudo visudo -f /etc/sudoers
   

And added this line:

    %admin  ALL=(ALL) NOPASSWD: /usr/local/bin/openconnect

4. (Optional) When connecting to your SSL VPN, openconnect may complain about a "self-signed certificate" being in the chain and force you to explicitly accept it every time. The self-signed cert is actually the root certficate and (hopefully) is one with implicit trust (i.e. trusted by browsers), so we can safely trust it by specifying the CA file after exporting it from KeyChain:

5. Determine the name your root certificate (i.e. visit your SSL VPN in Chrome, click the green lock, click "Certificate Information")

6. Open the Keychain Access App

7. Search the "System Roots" keychain to find your root certificate and select it

8. File > Export Items... the certificate as a .pem file somewhere on your hard drive (I put it in ~/.ssh/<certificate name>.pem

9. Connect!

    sudo openconnect --user=<VPN username> --cafile=<.pem file from step 4.3> <your vpn hostname>
   

   The only thing you should be prompted for is your VPN password. I added the command to my aliases file.

10. To disconnect, just Ctrl-c in the window where you started the VPN connection.

Note

I had an incident after an unclean VPN exit where later the VPN hostname could not be found. I guess the DNS resolver was messed up. I was forced to reboot to fix it so I could reconnect to the VPN.

Guys, did anyone tried to integrate openconnect with a native MacOS VPN interfaces?

+1

OpenConnect (from brew) on Big Sur is giving me a problem:
getaddrinfo failed for host '_host_': nodename nor servname provided, or not known Failed to open HTTPS connection to _host_ Failed to obtain WebVPN cookie

But I can look up the IP address of the host from the command line just fine, ping it etc.

Substituting the IP address in the URL works (though I have to accept the SSL cert identity).

What's going on?

Experiencing this on the macOS 11.0 Big Sur beta.
Was able to get VPN to work by:

1. Uninstalling Cisco AnyConnect
2. Install Homebrew - /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"
3. brew install openconnect
4. sudo openconnect {server address}

anyone know how to use user and password from LDAP or SAML?

It's working on MacOS Catalina even with Cisco AnyConnect installed. Route problem solved (Cisco was not allowing me to override some routes that I needed).

Installed openconnect using brew, then the command I used is this:
sudo openconnect -b --pid-file=vpn.pid--user=vpnuser --cafile=vpn-server-cert.pem --servercert pin-sha256:generated-hash vpn-server-hostname

vpnuser = your user
vpn-server-cert.pem - cert file saved while accessing the vpn server hostname in a browser (I used Firefox)
generated-hash - if you try to directly connect to the vpn server, there's a warning about not recognizing the certificate and it's showing a hash. That's the hash I used
vpn-server-hostname - you can use either hostname or the ip of the vpn server (I've used the hostname to get rid of that certificate warning)

Hope it helps!

It's working on MacOS Catalina even with Cisco AnyConnect installed. Route problem solved (Cisco was not allowing me to override some routes that I needed).

Hi, can you please share how you resolved to routing problem? This is something I'm struggling with, trying to have both AnyConnect and openconnect, connected to 2 different VPNs .
Thanks.

It's working on MacOS Catalina even with Cisco AnyConnect installed. Route problem solved (Cisco was not allowing me to override some routes that I needed).

Hi, can you please share how you resolved to routing problem? This is something I'm struggling with, trying to have both AnyConnect and openconnect, connected to 2 different VPNs .
Thanks.

I'm not running AnyConnect and OpenConnect in parallel. I was saying that I've solved the routing issues generated by Cisco AnyConnect. By that I mean that I switched from AnyConnect to OpenConnect.

Using Cisco Anyconnect, I always got a 10. route which was messing up other custom routes I had. Cisco AnyConnect takes over the routing table and it's not allowing you to modify the routes even if I was manually adding a route it was not actually reflecting in the routing table. So I've stopped using Cisco Anyconnect and replace it with openconnect.

I don't have a solution to your problem. I guess you could run 2 openconnect in parallel, one for a VPN and the other open to replace the Cisco AnyConnect. At least this is how I would do it.

Modifying the sudoers file in this manner is a bad idea. Anyone running a configuration like this will open themselves up to a local privilege escalation vulnerability. An attacker that gains unprived access to your system can use openconnect's --script option to run other commands on the box as root.

hi 👋

Maybe someone has faced the situation and can help?
The situation is that recently a second password is required to connect to the VPN.
Is there any way to implement the second password through the command line?

Hi @choodique
The open connect CLI supports two options, token-secret and token-mode which will let you enter a second password assuming it's based around a common method of 2FA. For a typical totp code (like you'd use with google authenticator on your phone), you'd add the following:
--token-mode=totp
--token-secret=base32:$VPN_TOTP_SECRET \

Here, the TOTP_SECRET is not the 6 digit code, but rather the long secret key which the app will use to generate these codes. Here I've encoded it using base32 and stored it securely.

Note: This will completely negate the protection of 2FA if your device is compromised, at the very least you should be storing these credentials somewhere only you can access, preferably using a proper secrets manager.

From the openconnect man page:

       --token-mode=MODE
              Enable one-time password generation using the MODE algorithm.
              --token-mode=rsa will call libstoken to generate an RSA SecurID
              tokencode, --token-mode=totp will call liboath to generate an RFC
              6238 time-based password, and --token-mode=hotp will call liboath
              to generate an RFC 4226 HMAC-based password. Yubikey tokens which
              generate OATH codes in hardware are supported with
              --token-mode=yubioath. --token-mode=oidc will use the provided
              OpenIDConnect token as an RFC 6750 bearer token.

       --token-secret={ SECRET[,COUNTER] | @FILENAME }
              The secret to use when generating one-time passwords/verification
              codes.  Base 32-encoded TOTP/HOTP secrets can be used by
              specifying "base32:" at the beginning of the secret, and for HOTP
              secrets the token counter can be specified following a comma.

              RSA SecurID secrets can be specified as an Android/iPhone URI or a
              raw numeric CTF string (with or without dashes).

              For Yubikey OATH the token secret specifies the name of the
              credential to be used. If not provided, the first OATH credential
              found on the device will be used.

              For OIDC the secret is the bearer token to be used.

              FILENAME, if specified, can contain any of the above strings.  Or,
              it can contain a SecurID XML (SDTID) seed.

              If this option is omitted, and --token-mode is "rsa", libstoken
              will try to use the software token seed saved in ~/.stokenrc by
              the "stoken import" command.

Hi @choodique The open connect CLI supports two options, token-secret and token-mode which will let you enter a second password assuming it's based around a common method of 2FA. For a typical totp code (like you'd use with google authenticator on your phone), you'd add the following: --token-mode=totp --token-secret=base32:$VPN_TOTP_SECRET
...

In my situation, "Password" and "Second password" are identical and must be set at the same time.
Because of this echo MyPassword before openconnect... command doesn't work =(

I've created a shell script (https://github.com/sorinipate/vpn-up-for-openconnect) that automates some of this stuff. I hope it helps!

Use security to store and retrieve passwords from your Keychain if you use that as password manager: https://www.netmeister.org/blog/keychain-passwords.html

I use security find-generic-password -a myuser -s "mydomain" -w | sudo openconnect --passwd-on-stdin ... which removes the extra password prompt.

there is just one big issue with openconnect, if you kill the process via "Activity Monitor", it messes up with networking. nothing works! LAN and WiFi.

is there any way to fix the networking issue after killing the process? I'm using Applescript to automate connection. sometimes openconnect stops working and all I can do is killing it via Activity Monitor.

Did you ever figure this out? I’m in this exact same scenario. It was working then I got disconnected from inactivity then my WiFi doesn’t work anymore