always-on-openconnect-vpn/README.md

# Always on Openconnect VPN

This script uses Openconnect to automatically connect to Cisco Anyconnect VPN server.

Server address, username, password and 2fa seed is retreived from macOS/Linux keychain. You can skip keychain and provide those details through environment or stdin instead.

Additionaly routing for only specific subnets can be added in `routes.txt`

## Setup

```
git clone this repo
brew install openconnect
brew install vpn-slice
brew install oath-toolkit
brew install swiftbar
brew install terminal-notifier
```

On Macos add server address, username, password and 2fa seed in keychain with these names:
* `Openconnect VPN Server`
* `Openconnect Username`
* `Openconnect Account Password`
* `Openconnect TOTP Seed`

On Linux you can use keychain (gnome-keychain/seahorse), add following entries:
```
secret-tool store --label='openconnect-server' server openconnect
secret-tool store --label='openconnect-username' username openconnect
secret-tool store --label='openconnect-password' password openconnect
secret-tool store --label='openconnect-seed' seed openconnect
```

### Security considerations
_For ease of use you can allow automatic keychain access to some of the attributs, but_ **you shouldn't allow automatic access to password and especially the 2fa seed** (but you can).

On Macos secrets might be available in the environment of the vpn process.

On Linux secrets will be shortly stored in tmpfs (memory) and deleted once they are passed to openconnect.

After setting up, change the run-vpn.sh, routing.sh and hostscan-bypass.sh ownership to root:

```
chown root:root run-vpn.sh
chown root:root hostscan-bypass.sh
chown root:root routing.sh
```

## Defining routes

Rename routes.txt.sample to routes.txt or create an empty routes.txt and add subnets to be routed through VPN there.


## Usage

### Usage from terminal
```
DBUS_SESSION_BUS_ADDRESS=$DBUS_SESSION_BUS_ADDRESS sudo -E ./run-vpn.sh
```
You can stop it by pressing `CTRL+C` or killing the process.

### GUI usage from bitbar/xbar/swaybar/argos

Consult the `bitbar-openconnect` script for sudoers entries needed to run it. Add them to `/etc/sudoers`

**Symlink**(!) the `bitbar-openconnect` script to your bitbar config folder:

```
ln -s ~/Documents/git/always-on-openconnect-vpn.6s.sh ~/.config/argos/
```

### Yubikey

Yubikey can be used for safe storage of TOTP seed. Configure TOTP in Yubikey Authenticator app or `ykman oath` if using command line. Then use `ykman oath list` to get the name of the entry and set that name in `OC_YUBIKEY` environment variable.

For example:

```
OC_YUBIKEY=VPN:organization sudo -E ./run-vpn.sh
```
Initial commit 2020-12-17 18:22:15 +00:00			`# Always on Openconnect VPN`

			`This script uses Openconnect to automatically connect to Cisco Anyconnect VPN server.`

Bitbar support 2023-07-06 07:12:53 +00:00			`Server address, username, password and 2fa seed is retreived from macOS/Linux keychain. You can skip keychain and provide those details through environment or stdin instead.`
Initial commit 2020-12-17 18:22:15 +00:00
Added subnet routing support 2020-12-17 23:05:16 +00:00			Additionaly routing for only specific subnets can be added in `routes.txt`
Initial commit 2020-12-17 18:22:15 +00:00
			`## Setup`

			```
			`git clone this repo`
			`brew install openconnect`
Added subnet routing support 2020-12-17 23:05:16 +00:00			`brew install vpn-slice`
Pass TOTP code on STDIN to hide seed from process list. 2020-12-17 23:59:40 +00:00			`brew install oath-toolkit`
Added bitbar script 2023-07-06 06:44:38 +00:00			`brew install swiftbar`
			`brew install terminal-notifier`
Initial commit 2020-12-17 18:22:15 +00:00			```

Bitbar support 2023-07-06 07:12:53 +00:00			`On Macos add server address, username, password and 2fa seed in keychain with these names:`
Initial commit 2020-12-17 18:22:15 +00:00			* `Openconnect VPN Server`
			* `Openconnect Username`
			* `Openconnect Account Password`
			* `Openconnect TOTP Seed`

Bitbar support 2023-07-06 07:12:53 +00:00			`On Linux you can use keychain (gnome-keychain/seahorse), add following entries:`
			```
			`secret-tool store --label='openconnect-server' server openconnect`
			`secret-tool store --label='openconnect-username' username openconnect`
			`secret-tool store --label='openconnect-password' password openconnect`
			`secret-tool store --label='openconnect-seed' seed openconnect`
			```

			`### Security considerations`
			`_For ease of use you can allow automatic keychain access to some of the attributs, but_ you shouldn't allow automatic access to password and especially the 2fa seed (but you can).`

			`On Macos secrets might be available in the environment of the vpn process.`

			`On Linux secrets will be shortly stored in tmpfs (memory) and deleted once they are passed to openconnect.`

			`After setting up, change the run-vpn.sh, routing.sh and hostscan-bypass.sh ownership to root:`

			```
			`chown root:root run-vpn.sh`
			`chown root:root hostscan-bypass.sh`
			`chown root:root routing.sh`
			```

			`## Defining routes`
Initial commit 2020-12-17 18:22:15 +00:00
Added subnet routing support 2020-12-17 23:05:16 +00:00			`Rename routes.txt.sample to routes.txt or create an empty routes.txt and add subnets to be routed through VPN there.`

Bitbar support 2023-07-06 07:12:53 +00:00
Initial commit 2020-12-17 18:22:15 +00:00			`## Usage`

Bitbar support 2023-07-06 07:12:53 +00:00			`### Usage from terminal`
Initial commit 2020-12-17 18:22:15 +00:00			```
Bitbar support 2023-07-06 07:12:53 +00:00			`DBUS_SESSION_BUS_ADDRESS=$DBUS_SESSION_BUS_ADDRESS sudo -E ./run-vpn.sh`
Initial commit 2020-12-17 18:22:15 +00:00			```
Bitbar support 2023-07-06 07:12:53 +00:00			You can stop it by pressing `CTRL+C` or killing the process.

			`### GUI usage from bitbar/xbar/swaybar/argos`
Initial commit 2020-12-17 18:22:15 +00:00
Bitbar support 2023-07-06 07:12:53 +00:00			Consult the `bitbar-openconnect` script for sudoers entries needed to run it. Add them to `/etc/sudoers`

			Symlink(!) the `bitbar-openconnect` script to your bitbar config folder:

			```
			`ln -s ~/Documents/git/always-on-openconnect-vpn.6s.sh ~/.config/argos/`
			```
Added Yubikey support 2020-12-18 00:46:55 +00:00
			`### Yubikey`

			Yubikey can be used for safe storage of TOTP seed. Configure TOTP in Yubikey Authenticator app or `ykman oath` if using command line. Then use `ykman oath list` to get the name of the entry and set that name in `OC_YUBIKEY` environment variable.

			`For example:`

			```
			`OC_YUBIKEY=VPN:organization sudo -E ./run-vpn.sh`
			```