janhouse/always-on-openconnect-vpn
1
0
Fork 0
Code Issues Pull Requests Activity

Initial commit

Browse Source
This commit is contained in:
Jānis Jansons
2020-12-17 20:22:15 +02:00
commit 2c734c7d28
4 changed files with 103 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+30
View File
@@ -0,0 +1,30 @@
# Always on Openconnect VPN
This script uses Openconnect to automatically connect to Cisco Anyconnect VPN server.
Server address, username, password and 2fa seed is stored in macOS keychain. Feel free to remove them and ask for user input instead.
Additionaly routing for only specific subnets can be set up in `routing.sh`
## Setup
```
git clone this repo
brew install openconnect
```
Add server address, username, password and 2fa seed in keychain with these names:
* `Openconnect VPN Server`
* `Openconnect Username`
* `Openconnect Account Password`
* `Openconnect TOTP Seed`
_For ease of use you can allow automatic keychain access to some of the attributs, but_ **do not allow automatic access to password and especially the 2fa seed**. _It will keep it in memory as long as the script is running._
## Usage
```
sudo ./run-vpn.sh
```
In case of disconnect, it will try reconnecting after 3 seconds. You can stop it by pressing `CTRL+C` or killing the script.
hostscan-bypass.sh
Executable
+40
View File
@@ -0,0 +1,40 @@
#!/bin/bash
# Initially generated by hostscan-bypass.go
#
# Github repo: https://github.com/Gilks/hostscan-bypass
# Blog post: https://gilks.github.io/post/cisco-hostscan-bypass
#
# You can find a list of hostscan requirements here:
# https://<VPN Page>/CACHE/sdesktop/data.xml
function run_curl
{
curl \
--insecure \
--user-agent "$useragent" \
--header "X-Transcend-Version: 1" \
--header "X-Aggregate-Auth: 1" \
--header "X-AnyConnect-Platform: $plat" \
--cookie "sdesktop=$token" \
--header "Accept: */*" \
--header "Accept-Encoding: identity" \
--header "Content-Type: text/xml" \
"$@"
}
set -e
host=https://$CSD_HOSTNAME
plat="mac-intel"
useragent="AnyConnect Darwin_i386 4.9.03047"
token=$CSD_TOKEN
payload=$(curl --insecure --user-agent "$useragent" \
"$host/CACHE/sdesktop/data.xml" | \
sed -n 's/.*File.,.\(.*\).,.\(.*\)[\/\\]\(.*\).".*/endpoint.file["\1"]={};\
endpoint.file["\1"].exists="true";\
endpoint.file["\1"].path="\2\3";\
endpoint.file["\1"].name="\3";\
/p')
run_curl --data-binary "$payload" "$host/+CSCOE+/sdesktop/scan.xml?reusebrowser=1"
exit 0
routing.sh
+1
View File
@@ -0,0 +1 @@
#!/bin/bash
run-vpn.sh
Executable
+32
View File
@@ -0,0 +1,32 @@
#!/bin/bash
SERVER=$(security find-generic-password -l "Openconnect VPN Server" -w)
USERNAME=$(security find-generic-password -l "Openconnect Username" -w)
SEED=$(security find-generic-password -l "Openconnect TOTP Seed" -w)
PASSWORD=$(security find-generic-password -l "Openconnect Account Password" -w)
# trap ctrl-c and call ctrl_c()
trap ctrl_c INT
function ctrl_c() {
killall openconnect
echo "Bye!"
exit
}
while true; do
echo "Connecting to VPN"
echo $PASSWORD | sudo openconnect \
--csd-wrapper hostscan-bypass.sh \
--passwd-on-stdin \
--token-mode=totp \
--token-secret=sha1:base32:$SEED \
-u $USERNAME \
$SERVER
echo "Openconnect closed. Waiting 3 seconds."
sleep 3
done