OpenConnect VPN on Mac OS X

openconnect.md

Unfortunately, the Cisco AnyConnect client for Mac conflicts with Pow. And by "conflicts", I mean it causes a grey-screen-of-death kernel panic anytime you connect to the VPN and Pow is installed.

As an alternative, there is OpenConnect, a command-line client for Cisco's AnyConnect SSL VPN.

Here's how to get it set up on Mac OS X:

1. OpenConnect can be installed via homebrew:

    brew update
    brew install openconnect
   

2. Install the Mac OS X TUN/TAP driver

3. (Optional) Running openconnect requires sudo, presumably because it affects resolution of DNS. So, I added password-less sudo ability for the openconnect command.

    sudo visudo -f /etc/sudoers
   

And added this line:

    %admin  ALL=(ALL) NOPASSWD: /usr/local/bin/openconnect

4. (Optional) When connecting to your SSL VPN, openconnect may complain about a "self-signed certificate" being in the chain and force you to explicitly accept it every time. The self-signed cert is actually the root certficate and (hopefully) is one with implicit trust (i.e. trusted by browsers), so we can safely trust it by specifying the CA file after exporting it from KeyChain:

5. Determine the name your root certificate (i.e. visit your SSL VPN in Chrome, click the green lock, click "Certificate Information")

6. Open the Keychain Access App

7. Search the "System Roots" keychain to find your root certificate and select it

8. File > Export Items... the certificate as a .pem file somewhere on your hard drive (I put it in ~/.ssh/<certificate name>.pem

9. Connect!

    sudo openconnect --user=<VPN username> --cafile=<.pem file from step 4.3> <your vpn hostname>
   

   The only thing you should be prompted for is your VPN password. I added the command to my aliases file.

10. To disconnect, just Ctrl-c in the window where you started the VPN connection.

Note

I had an incident after an unclean VPN exit where later the VPN hostname could not be found. I guess the DNS resolver was messed up. I was forced to reboot to fix it so I could reconnect to the VPN.

hi 👋

Maybe someone has faced the situation and can help?
The situation is that recently a second password is required to connect to the VPN.
Is there any way to implement the second password through the command line?

Hi @choodique
The open connect CLI supports two options, token-secret and token-mode which will let you enter a second password assuming it's based around a common method of 2FA. For a typical totp code (like you'd use with google authenticator on your phone), you'd add the following:
--token-mode=totp
--token-secret=base32:$VPN_TOTP_SECRET \

Here, the TOTP_SECRET is not the 6 digit code, but rather the long secret key which the app will use to generate these codes. Here I've encoded it using base32 and stored it securely.

Note: This will completely negate the protection of 2FA if your device is compromised, at the very least you should be storing these credentials somewhere only you can access, preferably using a proper secrets manager.

From the openconnect man page:

       --token-mode=MODE
              Enable one-time password generation using the MODE algorithm.
              --token-mode=rsa will call libstoken to generate an RSA SecurID
              tokencode, --token-mode=totp will call liboath to generate an RFC
              6238 time-based password, and --token-mode=hotp will call liboath
              to generate an RFC 4226 HMAC-based password. Yubikey tokens which
              generate OATH codes in hardware are supported with
              --token-mode=yubioath. --token-mode=oidc will use the provided
              OpenIDConnect token as an RFC 6750 bearer token.

       --token-secret={ SECRET[,COUNTER] | @FILENAME }
              The secret to use when generating one-time passwords/verification
              codes.  Base 32-encoded TOTP/HOTP secrets can be used by
              specifying "base32:" at the beginning of the secret, and for HOTP
              secrets the token counter can be specified following a comma.

              RSA SecurID secrets can be specified as an Android/iPhone URI or a
              raw numeric CTF string (with or without dashes).

              For Yubikey OATH the token secret specifies the name of the
              credential to be used. If not provided, the first OATH credential
              found on the device will be used.

              For OIDC the secret is the bearer token to be used.

              FILENAME, if specified, can contain any of the above strings.  Or,
              it can contain a SecurID XML (SDTID) seed.

              If this option is omitted, and --token-mode is "rsa", libstoken
              will try to use the software token seed saved in ~/.stokenrc by
              the "stoken import" command.

Hi @choodique The open connect CLI supports two options, token-secret and token-mode which will let you enter a second password assuming it's based around a common method of 2FA. For a typical totp code (like you'd use with google authenticator on your phone), you'd add the following: --token-mode=totp --token-secret=base32:$VPN_TOTP_SECRET
...

In my situation, "Password" and "Second password" are identical and must be set at the same time.
Because of this echo MyPassword before openconnect... command doesn't work =(

I've created a shell script (https://github.com/sorinipate/vpn-up-for-openconnect) that automates some of this stuff. I hope it helps!

Use security to store and retrieve passwords from your Keychain if you use that as password manager: https://www.netmeister.org/blog/keychain-passwords.html

I use security find-generic-password -a myuser -s "mydomain" -w | sudo openconnect --passwd-on-stdin ... which removes the extra password prompt.

there is just one big issue with openconnect, if you kill the process via "Activity Monitor", it messes up with networking. nothing works! LAN and WiFi.

is there any way to fix the networking issue after killing the process? I'm using Applescript to automate connection. sometimes openconnect stops working and all I can do is killing it via Activity Monitor.

Did you ever figure this out? I’m in this exact same scenario. It was working then I got disconnected from inactivity then my WiFi doesn’t work anymore

there is just one big issue with openconnect, if you kill the process via "Activity Monitor", it messes up with networking. nothing works! LAN and WiFi.
is there any way to fix the networking issue after killing the process? I'm using Applescript to automate connection. sometimes openconnect stops working and all I can do is killing it via Activity Monitor.

Did you ever figure this out? I’m in this exact same scenario. It was working then I got disconnected from inactivity then my WiFi doesn’t work anymore

Same for me unfortunately. WiFi connects and I can access other resources inside the network, but internet connection is just broken. Rebooting does not fix the issue.
I'm on Sonoma 14.4.1

Only problems I have are usually DNS-settings related. I have a script that clears all DNS-settings on all interfaces. Usually that solves my problems.

Only problems I have are usually DNS-settings related. I have a script that clears all DNS-settings on all interfaces. Usually that solves my problems.

Worked like a charm. Thank you for the quick reply.

why after installing openconnect by brew install, the openconnect is command not found. Do u come across the same issue?

why after installing openconnect by brew install, the openconnect is command not found. Do u come across the same issue?

probably a PATH issue