Skip to content

Instantly share code, notes, and snippets.

@p120ph37
Last active December 19, 2021 23:08
Show Gist options
  • Save p120ph37/10999441 to your computer and use it in GitHub Desktop.
Save p120ph37/10999441 to your computer and use it in GitHub Desktop.
Expect script to connect to an AnyConnect VPN server on OSX using only oathtool and openconnect (not the Cisco AnyConnect client)
!/usr/bin/expect -f
set timeout 30
log_user 0
puts stderr "Generating OTP"
spawn oathtool --totp YOUR_SECRET_KEY_HERE
expect -re \\d+
set otp $expect_out(0,string)
puts stderr "Connecting to VPN server $server"
spawn env SPLIT_DNS=YOUR_SPLIT_DNS_DOMAINS_HERE openconnect --script ./vpnc-script https://YOUR_SERVER_HERE --cafile=cacert.pem
expect "GROUP:"
send "YOUR_GROUP_HERE\n"
expect "Username:"
send "YOUR_USERNAME_HERE\n"
expect "Password:"
send "YOUR_PASSWORD_HERE\n"
expect "Password:"
send "$otp\n"
interact
@p120ph37
Copy link
Author

Depending on what exactly your VPN server prompts for, this will probably need to be modified. You should try out the openconnect command directly to see what prompts you need to script. Some servers may not have the "GROUP:" prompt. Some servers may not have the double (two-factor) password prompt. Some servers may actually prompt for an additional dummy username before the second password (in which case, sending "\n" will suffice).

@p120ph37
Copy link
Author

And of course, be sure to replace the YOUR_*_HERE markers with appropriate values for your server!

@p120ph37
Copy link
Author

Remember to use "sudo"!!! (root permission needed for openconnect to work.)

@dkordik
Copy link

dkordik commented Jun 7, 2018

thanks! this script was super handy!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment