(For Linux users, make sure you have oathtool and openconnect, then start from Step 6. If you don't have a token secret key, have a friend generate one for you on OSX via steps 3-5)
Get homebrew and install oath-toolkit, openconnect, and tuntap.
And follow the additional tuntap installation instructions!
After the tuntap module is installed, reboot or use kextload to activate it.
Use the VIP Access application to provision a token.
(This happens the first time you run it. The token is saved into the keyring at
/Users/$USER/Library/Keychains/VIPAccess.keychain, and is obfuscated.)
Extract the token's secret key.
(Be sure to use the "v" argument so it prints the key, not just the OTP)
Step 5 (optional)
Get rid of the VIP Access app and its keychain.
(Deleting the VIP Access keychain is also useful if you need to provision a new token - for example on behalf of a friend who wants to use oathtool & openconnect from Linux.)
Grab the vpnc-script file.
Step 7 (optional)
Patch vpnc-script to enable manual split-horizon DNS.
Grab a CA bundle.
Try it out!
oathtool --totp YOUR_SECRET_KEY_HERE (or the above script that reads the VIP Access keychain) to get your second-factor code.
Then quickly run
sudo openconnect --script ./vpnc-script https://YOUR_SERVER_HERE --cafile=cacert.pem and follow the login prompts.
(sudo is needed else the tun/tap interface stuff wonn't work for permission reasons)
Step 10 (optional)
Script your login using Expect or your favorite automation tool so you don't have to enter all that stuff by hand.
(extra credit: store your secret key and passwords in the OSX system keychain rather than hard-coded into your automation script...)