@neurosnap
Forked from moklett/openconnect.md
Last active October 9, 2018 21:17

Unfortunately, the Cisco AnyConnect client for Mac conflicts with Pow. And by "conflicts", I mean it causes a grey-screen-of-death kernel panic anytime you connect to the VPN and Pow is installed.

As an alternative, there is OpenConnect, a command-line client for Cisco's AnyConnect SSL VPN.

Here's how to get it set up on Mac OS X:

  1. OpenConnect can be installed via homebrew:

     brew update
     brew install openconnect
    
  2. Install the Mac OS X TUN/TAP driver

  3. (Optional) Running openconnect requires sudo: it has to create the tun interface and change the system's routes and DNS resolver settings. So, I added password-less sudo ability for the openconnect command.

     sudo visudo -f /etc/sudoers
    
     And added this line:

     %admin  ALL=(ALL) NOPASSWD: /usr/local/bin/openconnect

     Be aware of what this rule grants. openconnect accepts a --script argument (and, for Cisco Secure Desktop, a --csd-wrapper argument) naming a program that it runs as root, so any admin user can get a root shell through it without a password. Treat it as "password-less root for the admin group", and make sure the path in the rule matches the output of "which openconnect".
  4. (Optional) When connecting to your SSL VPN, openconnect may complain about a "self-signed certificate" being in the chain and force you to explicitly accept it every time. The "self-signed" certificate is actually the root certificate of the chain and (hopefully) is one with implicit trust (i.e. trusted by browsers), so we can safely trust it by specifying the CA file after exporting it from Keychain. Export the root that the browser actually shows at the top of the chain for your VPN host, not just a similarly named one, because --cafile tells openconnect which CA to accept for this connection.

     4.1 Determine the name of your root certificate (i.e. visit your SSL VPN in Chrome, click the green lock, click "Certificate Information" and look at the top of the chain).

     4.2 Open the Keychain Access app.

     4.3 Search the "System Roots" keychain to find your root certificate and select it.

     4.4 File > Export Items... the certificate as a .pem file somewhere on your hard drive (I put it in ~/.ssh/<certificate name>.pem).

  5. Connect!

     sudo openconnect --user=<VPN username> --cafile=<.pem file from step 4.4> <your vpn hostname>
    

     The only thing you should be prompted for is your VPN password. I added the command to my aliases file.

  6. To disconnect, just Ctrl-c in the window where you started the VPN connection.

Note

I had an incident after an unclean VPN exit where later the VPN hostname could not be found. I guess the DNS resolver was messed up. I was forced to reboot to fix it so I could reconnect to the VPN.
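The steps above as one script, added here as an example and not the gist author's own code. It assumes placeholder values for VPN_HOST, VPN_USER, ROOT_CA_NAME, CA_FILE and PID_FILE (override them in the environment), exports the root with the security command instead of clicking through Keychain Access, prints the subject and SHA-256 fingerprint so you can compare it with the browser's certificate viewer, and ends the session with SIGINT rather than Ctrl-c in a terminal that might go away, so that openconnect runs its disconnect hook and restores the resolver (the failure mode described in the note above).

```shell
#!/bin/sh
# Added example, not the gist author's code. Every value below is an assumption, not taken
# from the gist; override via the environment.
set -eu

VPN_HOST="${VPN_HOST:-vpn.example.com}"             # assumed AnyConnect gateway
VPN_USER="${VPN_USER:-$(id -un)}"                    # assumed: VPN login equals local login
ROOT_CA_NAME="${ROOT_CA_NAME:-Example Root CA}"      # assumed: name at the top of the chain in Chrome
CA_FILE="${CA_FILE:-$HOME/.ssh/vpn-root-ca.pem}"     # where the exported root goes
PID_FILE="${PID_FILE:-/var/run/openconnect.pid}"     # assumed: written by root via --pid-file
SYSTEM_ROOTS=/System/Library/Keychains/SystemRootCertificates.keychain

# True when the file holds exactly one PEM certificate block, which is what --cafile needs here.
pem_is_certificate() {
  f="$1"
  [ -f "$f" ] || return 1
  [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f")" -eq 1 ] || return 1
  grep -q -- '-----END CERTIFICATE-----' "$f"
}

# Command-line equivalent of Keychain Access > System Roots > File > Export Items (PEM).
export_root_ca() {
  if ! security find-certificate -c "$ROOT_CA_NAME" -p "$SYSTEM_ROOTS" > "$CA_FILE" \
     || ! pem_is_certificate "$CA_FILE"; then
    echo "no certificate named '$ROOT_CA_NAME' in System Roots" >&2
    rm -f "$CA_FILE"
    return 1
  fi
  # Show what you are about to trust so it can be compared with the browser's certificate viewer.
  openssl x509 -in "$CA_FILE" -noout -subject -fingerprint -sha256
}

# Connect in the background and record the PID so the session can be ended cleanly later.
connect() {
  pem_is_certificate "$CA_FILE" || { echo "run '$0 export' first" >&2; return 1; }
  sudo openconnect --user="$VPN_USER" --cafile="$CA_FILE" \
       --background --pid-file="$PID_FILE" "$VPN_HOST"
}

# SIGINT makes openconnect log off and run its vpnc-script with reason=disconnect, which puts
# the DNS resolver configuration back. SIGKILL or a crash skips that step and leaves the
# resolver pointing at the VPN's DNS servers, which is the "hostname could not be found" state.
disconnect() {
  [ -f "$PID_FILE" ] || { echo "no PID file at $PID_FILE; is the VPN up?" >&2; return 1; }
  sudo kill -INT "$(cat "$PID_FILE")"
}

if [ $# -gt 0 ]; then
  case "$1" in
    export)     export_root_ca ;;
    connect)    connect ;;
    disconnect) disconnect ;;
    *)          echo "usage: $0 export|connect|disconnect" >&2; exit 2 ;;
  esac
fi
```

Run it as "vpn.sh export" once, then "vpn.sh connect" and "vpn.sh disconnect" per session. The --cafile check before connecting is there so a missing or empty export fails here rather than as a confusing certificate error from openconnect.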

@neurosnap (Author)
My company's VPN server also requires Cisco Secure Desktop, in which case openconnect requires the --csd-wrapper, --csd-user, and --no-xmlpost options with a shell script to work properly.

http://blog.yunak.eu/2013/07/19/openconnect/

This blog post coupled with the gist above is how I was able to successfully VPN without using Cisco's AnyCrap application.

The last piece of the puzzle: I was getting a "failed to exec CSD script" when I attempted to connect via openconnect. The script provided by the link above didn't have the correct file permissions, so when I chmod the file to 777 I was able to connect!
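"Failed to exec CSD script" only needs the execute bit. The wrapper is handed to openconnect, which runs under sudo, so a world-writable wrapper lets any local user plant commands that run the next time you connect. Added example, not from the gist or its comments: it assumes the script from the linked post is saved at ~/.openconnect/csd-wrapper.sh (VPN_HOST, VPN_USER and CA_FILE are placeholders), refuses a group- or world-writable wrapper, and sets 0755 instead of 777. It passes --csd-wrapper and --csd-user as in the comment above and leaves --no-xmlpost out.

```shell
#!/bin/sh
# Added example, not the gist author's code. Paths and names are assumptions; override via the
# environment.
set -eu

CSD_WRAPPER="${CSD_WRAPPER:-$HOME/.openconnect/csd-wrapper.sh}"   # assumed location of the wrapper
VPN_HOST="${VPN_HOST:-vpn.example.com}"                           # assumed AnyConnect gateway
VPN_USER="${VPN_USER:-$(id -un)}"                                  # assumed: VPN login equals local login
CA_FILE="${CA_FILE:-$HOME/.ssh/vpn-root-ca.pem}"                  # exported root CA, as in the gist

# Returns 0 when the wrapper is an executable regular file that neither group nor world can write.
# openconnect runs under sudo: without --csd-user the wrapper executes as root, with it as that
# user. Either way, anyone who can write the file runs code in that context on your next connect,
# so mode 777 turns a permissions error into a local privilege-escalation path; 755 is all exec needs.
csd_wrapper_is_safe() {
  f="$1"
  [ -f "$f" ] && [ -x "$f" ] || return 1
  perms=$(ls -ld "$f" | cut -c2-10)   # nine mode characters: user, group, other (e.g. rwxr-xr-x)
  case "$perms" in
    ????w????|???????w?) return 1 ;;   # group-writable or world-writable
  esac
  return 0
}

# The minimal fix for "failed to exec CSD script": owner-writable, everyone-executable.
fix_csd_wrapper() {
  chmod 0755 "$1"
}

connect_with_csd() {
  if ! csd_wrapper_is_safe "$CSD_WRAPPER"; then
    echo "refusing to use $CSD_WRAPPER: run '$0 fix' to make it 0755" >&2
    return 1
  fi
  sudo openconnect --user="$VPN_USER" --cafile="$CA_FILE" \
       --csd-wrapper="$CSD_WRAPPER" --csd-user="$(id -un)" "$VPN_HOST"
}

if [ $# -gt 0 ]; then
  case "$1" in
    check)   csd_wrapper_is_safe "$CSD_WRAPPER" && echo "$CSD_WRAPPER: ok" ;;
    fix)     fix_csd_wrapper "$CSD_WRAPPER" ;;
    connect) connect_with_csd ;;
    *)       echo "usage: $0 check|fix|connect" >&2; exit 2 ;;
  esac
fi
```

The same check applies to anything named in a NOPASSWD sudo rule for openconnect: the rule makes the binary root, and the binary makes the wrapper root.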

@rsindlin commented Oct 9, 2018

@neurosnap - I realize I'm commenting on a fairly old post, but it's worth noting the openconnect man page says regarding the --no-xmlpost option (emphasis added):

This option is a temporary safety net, to work around potential compatibility issues with the code which falls back to the old method automatically. It causes OpenConnect to behave more like older versions (4.08 and below) did. If you find that you need to use this option, then you have found a bug in OpenConnect. Please see http://www.infradead.org/openconnect/mail.html and report this to the developers.
