2020-12-17 18:22:15 +00:00
|
|
|
#!/bin/bash
|
|
|
|
|
|
2020-12-17 23:40:20 +00:00
|
|
|
# Read from keychain on macOS by default
|
|
|
|
|
if [[ "$OSTYPE" == "darwin"* ]]; then
|
|
|
|
|
SERVER=$(security find-generic-password -l "Openconnect VPN Server" -w)
|
|
|
|
|
USERNAME=$(security find-generic-password -l "Openconnect Username" -w)
|
|
|
|
|
SEED=$(security find-generic-password -l "Openconnect TOTP Seed" -w)
|
|
|
|
|
PASSWORD=$(security find-generic-password -l "Openconnect Account Password" -w)
|
|
|
|
|
fi
|
|
|
|
|
|
2023-07-05 23:40:55 +00:00
|
|
|
if [[ "$OSTYPE" == "linux-gnu"* ]]; then
|
|
|
|
|
|
|
|
|
|
mkdir -p /run/oc-secret
|
|
|
|
|
mount -t tmpfs -o size=1M,mode=700 tmpfs /run/oc-secret
|
|
|
|
|
|
|
|
|
|
SERVER=$(secret-tool lookup server openconnect | tr -d '\n')
|
|
|
|
|
USERNAME=$(secret-tool lookup username openconnect | tr -d '\n')
|
|
|
|
|
SEED=1
|
|
|
|
|
secret-tool lookup seed openconnect > /run/oc-secret/seed
|
|
|
|
|
PASSWORD=1
|
|
|
|
|
secret-tool lookup password openconnect | tr -d '\n' > /run/oc-secret/password
|
|
|
|
|
fi
|
|
|
|
|
|
2020-12-17 23:40:20 +00:00
|
|
|
# Allow reading from environment
|
|
|
|
|
if [[ -z "$OC_SERVER" ]]; then :; else
|
|
|
|
|
SERVER="$OC_SERVER"
|
|
|
|
|
fi
|
|
|
|
|
if [[ -z "$OC_USERNAME" ]]; then :; else
|
|
|
|
|
USERNAME="$OC_USERNAME"
|
|
|
|
|
fi
|
|
|
|
|
if [[ -z "$OC_SEED" ]]; then :; else
|
|
|
|
|
SEED="$OC_SEED"
|
|
|
|
|
fi
|
|
|
|
|
if [[ -z "$OC_PASSWORD" ]]; then :; else
|
|
|
|
|
PASSWORD="$OC_PASSWORD"
|
|
|
|
|
fi
|
2020-12-17 18:22:15 +00:00
|
|
|
|
2020-12-17 23:05:16 +00:00
|
|
|
SCRIPT=`realpath $0`
|
|
|
|
|
SCRIPTPATH=`dirname $SCRIPT`
|
|
|
|
|
ROUTE_FILE=routes.txt
|
|
|
|
|
|
2020-12-17 18:22:15 +00:00
|
|
|
# trap ctrl-c and call ctrl_c()
|
|
|
|
|
trap ctrl_c INT
|
|
|
|
|
|
|
|
|
|
function ctrl_c() {
|
2023-07-05 23:40:55 +00:00
|
|
|
killall -2 openconnect
|
2020-12-17 18:22:15 +00:00
|
|
|
echo "Bye!"
|
|
|
|
|
exit
|
|
|
|
|
}
|
|
|
|
|
|
2020-12-17 23:05:16 +00:00
|
|
|
SCRIPT_INCLUDE=""
|
2023-07-05 23:40:55 +00:00
|
|
|
LOGIN=""
|
2020-12-17 23:05:16 +00:00
|
|
|
|
2023-06-16 00:35:15 +00:00
|
|
|
COMMON_PARAMS="--pid-file=PIDFILE --no-external-auth "
|
|
|
|
|
|
2023-07-06 07:12:53 +00:00
|
|
|
echo "Connecting to VPN"
|
2020-12-17 18:22:15 +00:00
|
|
|
|
2023-07-06 07:12:53 +00:00
|
|
|
if test -f "$ROUTE_FILE"; then
|
|
|
|
|
SCRIPT_INCLUDE="--script=\"$SCRIPTPATH/routing.sh\""
|
|
|
|
|
fi
|
2021-02-25 11:36:44 +00:00
|
|
|
|
2023-07-06 07:12:53 +00:00
|
|
|
# If yubikey is not used, use the TOTP seed
|
|
|
|
|
if [[ -z "$OC_YUBIKEY" ]]; then
|
|
|
|
|
|
|
|
|
|
if [[ -z "$SEED" ]]; then :; else
|
|
|
|
|
if [[ "$OSTYPE" == "linux-gnu"* ]]; then
|
|
|
|
|
TOTP=$(oathtool --totp=sha1 -b - < /run/oc-secret/seed)
|
|
|
|
|
cat /run/oc-secret/password > /run/oc-secret/login && echo -e "\n$TOTP" >> /run/oc-secret/login
|
|
|
|
|
rm /run/oc-secret/password
|
|
|
|
|
rm /run/oc-secret/seed
|
|
|
|
|
LOGIN='find /run/oc-secret/login -exec cat {} \; -exec rm {} \; -exec umount /run/oc-secret \;'
|
|
|
|
|
else
|
|
|
|
|
TOTP=$(oathtool --totp=sha1 -b "$SEED")
|
2023-06-16 00:35:15 +00:00
|
|
|
LOGIN='echo -e "$PASSWORD\n$TOTP"'
|
2021-02-25 11:36:44 +00:00
|
|
|
fi
|
|
|
|
|
fi
|
2023-07-06 07:12:53 +00:00
|
|
|
else
|
|
|
|
|
YUBIKEY_TOTP="--token-mode=yubioath --token-secret=$OC_YUBIKEY"
|
|
|
|
|
fi
|
2020-12-17 18:22:15 +00:00
|
|
|
|
2023-06-16 00:35:15 +00:00
|
|
|
if [ -z "$SEED" ] && [ -z "$OC_YUBIKEY" ]; then
|
|
|
|
|
sudo openconnect \
|
|
|
|
|
$COMMON_PARAMS \
|
|
|
|
|
--csd-wrapper hostscan-bypass.sh \
|
|
|
|
|
--os=mac-intel \
|
|
|
|
|
$SCRIPT_INCLUDE \
|
|
|
|
|
-u $USERNAME \
|
|
|
|
|
$SERVER
|
|
|
|
|
|
|
|
|
|
else
|
|
|
|
|
|
|
|
|
|
eval $LOGIN | sudo openconnect \
|
|
|
|
|
$COMMON_PARAMS \
|
|
|
|
|
--csd-wrapper hostscan-bypass.sh \
|
|
|
|
|
--os=mac-intel \
|
|
|
|
|
$YUBIKEY_TOTP \
|
|
|
|
|
$SCRIPT_INCLUDE \
|
|
|
|
|
-u $USERNAME \
|
|
|
|
|
$SERVER
|
|
|
|
|
fi
|
