Initial commit

2020-12-17 20:22:15 +02:00
commit 2c734c7d28
4 changed files with 103 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -0,0 +1,30 @@
+# Always on Openconnect VPN
+
+This script uses Openconnect to automatically connect to Cisco Anyconnect VPN server.
+
+Server address, username, password and 2fa seed is stored in macOS keychain. Feel free to remove them and ask for user input instead.
+
+Additionaly routing for only specific subnets can be set up in `routing.sh`
+
+## Setup
+
+```
+git clone this repo
+brew install openconnect
+```
+
+Add server address, username, password and 2fa seed in keychain with these names:
+* `Openconnect VPN Server`
+* `Openconnect Username`
+* `Openconnect Account Password`
+* `Openconnect TOTP Seed`
+
+_For ease of use you can allow automatic keychain access to some of the attributs, but_ **do not allow automatic access to password and especially the 2fa seed**. _It will keep it in memory as long as the script is running._
+
+## Usage
+
+```
+sudo ./run-vpn.sh
+```
+
+In case of disconnect, it will try reconnecting after 3 seconds. You can stop it by pressing `CTRL+C` or killing the script.
--- a/hostscan-bypass.sh
+++ b/hostscan-bypass.sh
@ -0,0 +1,40 @@
+#!/bin/bash
+# Initially generated by hostscan-bypass.go
+#
+# Github repo: https://github.com/Gilks/hostscan-bypass
+# Blog post: https://gilks.github.io/post/cisco-hostscan-bypass
+#
+# You can find a list of hostscan requirements here:
+# https://<VPN Page>/CACHE/sdesktop/data.xml
+function run_curl
+{
+    curl \
+        --insecure \
+        --user-agent "$useragent" \
+        --header "X-Transcend-Version: 1" \
+        --header "X-Aggregate-Auth: 1" \
+        --header "X-AnyConnect-Platform: $plat" \
+        --cookie "sdesktop=$token" \
+        --header "Accept: */*" \
+        --header "Accept-Encoding: identity" \
+        --header "Content-Type: text/xml" \
+        "$@"
+}
+set -e
+host=https://$CSD_HOSTNAME
+
+plat="mac-intel"
+useragent="AnyConnect Darwin_i386 4.9.03047"
+token=$CSD_TOKEN
+
+payload=$(curl --insecure --user-agent "$useragent" \
+  "$host/CACHE/sdesktop/data.xml" | \
+  sed -n 's/.*File.,.\(.*\).,.\(.*\)[\/\\]\(.*\).".*/endpoint.file["\1"]={};\
+endpoint.file["\1"].exists="true";\
+endpoint.file["\1"].path="\2\3";\
+endpoint.file["\1"].name="\3";\
+/p')
+
+run_curl --data-binary "$payload" "$host/+CSCOE+/sdesktop/scan.xml?reusebrowser=1"
+exit 0
+
--- a/routing.sh
+++ b/routing.sh
@ -0,0 +1 @@
+#!/bin/bash
--- a/run-vpn.sh
+++ b/run-vpn.sh
@ -0,0 +1,32 @@
+#!/bin/bash
+
+SERVER=$(security find-generic-password -l "Openconnect VPN Server" -w)
+USERNAME=$(security find-generic-password -l "Openconnect Username" -w)
+SEED=$(security find-generic-password -l "Openconnect TOTP Seed" -w)
+PASSWORD=$(security find-generic-password -l "Openconnect Account Password" -w)
+
+
+# trap ctrl-c and call ctrl_c()
+trap ctrl_c INT
+
+function ctrl_c() {
+  killall openconnect
+  echo "Bye!"
+  exit
+}
+
+while true; do
+  echo "Connecting to VPN"
+
+  echo $PASSWORD | sudo openconnect \
+    --csd-wrapper hostscan-bypass.sh \
+    --passwd-on-stdin \
+    --token-mode=totp \
+    --token-secret=sha1:base32:$SEED \
+    -u $USERNAME \
+    $SERVER
+
+  echo "Openconnect closed. Waiting 3 seconds."
+  sleep 3
+
+done