From a66a28da08bbe483c36a7fd0e43d549cfd7b4fe8 Mon Sep 17 00:00:00 2001 From: Janis Jansons Date: Thu, 6 Jul 2023 10:12:53 +0300 Subject: [PATCH] Bitbar support --- README.md | 44 ++++++++-- ...openconnect.sh => bitbar-openconnect.6s.sh | 0 run-vpn.sh | 84 +++++++++---------- 3 files changed, 78 insertions(+), 50 deletions(-) rename bitbar-openconnect.sh => bitbar-openconnect.6s.sh (100%) diff --git a/README.md b/README.md index 5d93209..b9e22d6 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ This script uses Openconnect to automatically connect to Cisco Anyconnect VPN server. -Server address, username, password and 2fa seed is stored in macOS keychain. Feel free to remove them and ask for user input instead. +Server address, username, password and 2fa seed is retreived from macOS/Linux keychain. You can skip keychain and provide those details through environment or stdin instead. Additionaly routing for only specific subnets can be added in `routes.txt` 
@@ -17,23 +17,57 @@ brew install swiftbar brew install terminal-notifier ``` -Add server address, username, password and 2fa seed in keychain with these names: +On Macos add server address, username, password and 2fa seed in keychain with these names: * `Openconnect VPN Server` * `Openconnect Username` * `Openconnect Account Password` * `Openconnect TOTP Seed` -_For ease of use you can allow automatic keychain access to some of the attributs, but_ **do not allow automatic access to password and especially the 2fa seed**. _It will keep it in memory as long as the script is running._ +On Linux you can use keychain (gnome-keychain/seahorse), add following entries: +``` +secret-tool store --label='openconnect-server' server openconnect +secret-tool store --label='openconnect-username' username openconnect +secret-tool store --label='openconnect-password' password openconnect +secret-tool store --label='openconnect-seed' seed openconnect +``` + +### Security considerations +_For ease of use you can allow automatic keychain access to some of the attributs, but_ **you shouldn't allow automatic access to password and especially the 2fa seed** (but you can). + +On Macos secrets might be available in the environment of the vpn process. + +On Linux secrets will be shortly stored in tmpfs (memory) and deleted once they are passed to openconnect. + +After setting up, change the run-vpn.sh, routing.sh and hostscan-bypass.sh ownership to root: + +``` +chown root:root run-vpn.sh +chown root:root hostscan-bypass.sh +chown root:root routing.sh +``` + +## Defining routes Rename routes.txt.sample to routes.txt or create an empty routes.txt and add subnets to be routed through VPN there. + ## Usage +### Usage from terminal ``` -sudo -E ./run-vpn.sh +DBUS_SESSION_BUS_ADDRESS=$DBUS_SESSION_BUS_ADDRESS sudo -E ./run-vpn.sh ``` +You can stop it by pressing `CTRL+C` or killing the process. -In case of disconnect, it will try reconnecting after 3 seconds. 
You can stop it by pressing `CTRL+C` or killing the script. +### GUI usage from bitbar/xbar/swaybar/argos + +Consult the `bitbar-openconnect` script for sudoers entries needed to run it. Add them to `/etc/sudoers` + +**Symlink**(!) the `bitbar-openconnect` script to your bitbar config folder: + +``` +ln -s ~/Documents/git/always-on-openconnect-vpn.6s.sh ~/.config/argos/ +``` ### Yubikey diff --git a/bitbar-openconnect.sh b/bitbar-openconnect.6s.sh similarity index 100% rename from bitbar-openconnect.sh rename to bitbar-openconnect.6s.sh diff --git a/run-vpn.sh b/run-vpn.sh index 43ff03e..f110db0 100755 --- a/run-vpn.sh +++ b/run-vpn.sh 
@@ -51,54 +51,48 @@ function ctrl_c() {
 SCRIPT_INCLUDE=""
 LOGIN=""
-#while true; do
- echo "Connecting to VPN"
+echo "Connecting to VPN"
- if test -f "$ROUTE_FILE"; then
- SCRIPT_INCLUDE="--script=\"$SCRIPTPATH/routing.sh\""
- fi
+if test -f "$ROUTE_FILE"; then
+ SCRIPT_INCLUDE="--script=\"$SCRIPTPATH/routing.sh\""
+fi
- # If yubikey is not used, use the TOTP seed
- if [[ -z "$OC_YUBIKEY" ]]; then
+# If yubikey is not used, use the TOTP seed
+if [[ -z "$OC_YUBIKEY" ]]; then
- if [[ -z "$SEED" ]]; then :; else
- if [[ "$OSTYPE" == "linux-gnu"* ]]; then
- TOTP=$(oathtool --totp=sha1 -b - < /run/oc-secret/seed)
- cat /run/oc-secret/password > /run/oc-secret/login && echo -e "\n$TOTP" >> /run/oc-secret/login
- rm /run/oc-secret/password
- rm /run/oc-secret/seed
- LOGIN='find /run/oc-secret/login -exec cat {} \; -exec rm {} \; -exec umount /run/oc-secret \;'
- else
- TOTP=$(oathtool --totp=sha1 -b "$SEED")
- LOGIN='echo -e "$PASSWORD\n$TOTP'
- fi
+ if [[ -z "$SEED" ]]; then :; else
+ if [[ "$OSTYPE" == "linux-gnu"* ]]; then
+ TOTP=$(oathtool --totp=sha1 -b - < /run/oc-secret/seed)
+ cat /run/oc-secret/password > /run/oc-secret/login && echo -e "\n$TOTP" >> /run/oc-secret/login
+ rm /run/oc-secret/password
+ rm /run/oc-secret/seed
+ LOGIN='find /run/oc-secret/login -exec cat {} \; -exec rm {} \; -exec umount /run/oc-secret \;'
+ else
+ TOTP=$(oathtool --totp=sha1 -b "$SEED")
+ LOGIN='echo -e "$PASSWORD\n$TOTP'
 fi
- else
- YUBIKEY_TOTP="--token-mode=yubioath --token-secret=$OC_YUBIKEY"
 fi
+else
+YUBIKEY_TOTP="--token-mode=yubioath --token-secret=$OC_YUBIKEY"
+fi
- if [ -z "$SEED" ] && [ -z "$OC_YUBIKEY" ]; then
- openconnect \
- --pid-file=PIDFILE \
- --csd-wrapper hostscan-bypass.sh \
- --os=mac-intel \
- --no-external-auth \
- $SCRIPT_INCLUDE \
- -u $USERNAME \
- $SERVER
- else
- eval $LOGIN | openconnect \
- --pid-file=PIDFILE \
- --csd-wrapper hostscan-bypass.sh \
- --os=mac-intel \
- --no-external-auth \
- $YUBIKEY_TOTP \
- $SCRIPT_INCLUDE \
- -u $USERNAME \
- $SERVER
- fi
-
-# echo "Openconnect closed. Waiting 3 seconds."
- sleep 3
-
-#done
+if [ -z "$SEED" ] && [ -z "$OC_YUBIKEY" ]; then
+ openconnect \
+ --pid-file=PIDFILE \
+ --csd-wrapper hostscan-bypass.sh \
+ --os=mac-intel \
+ --no-external-auth \
+ $SCRIPT_INCLUDE \
+ -u $USERNAME \
+ $SERVER
+else
+ eval $LOGIN | openconnect \
+ --pid-file=PIDFILE \
+ --csd-wrapper hostscan-bypass.sh \
+ --os=mac-intel \
+ --no-external-auth \
+ $YUBIKEY_TOTP \
+ $SCRIPT_INCLUDE \
+ -u $USERNAME \
+ $SERVER
+fi
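Review bot: The macOS login command kept on the new side, `LOGIN='echo -e "$PASSWORD\n$TOTP'`, has no closing double quote, so `eval $LOGIN` aborts with an unterminated-string error and openconnect is piped an empty stdin instead of the password; if that is not an extraction artifact, `LOGIN='printf "%s\n%s\n" "$PASSWORD" "$TOTP"'` fixes it and also stops `echo -e` from rewriting backslashes inside the password. On the Linux side the secret cleanup is chained as `find ... -exec cat -exec rm -exec umount`, and find stops that chain at the first command that exits non-zero, so a failed read (or openconnect never consuming stdin, as in the yubikey branch where `$LOGIN` stays empty) leaves `/run/oc-secret/login` and the tmpfs mount in place; unless `ctrl_c`, defined above the hunk, already does it, a `trap 'rm -f /run/oc-secret/*; umount /run/oc-secret 2>/dev/null' EXIT` would make the cleanup unconditional. The openconnect command line is also assembled by string concatenation: `$SCRIPT_INCLUDE` carries literal escaped quotes into argv and `-u $USERNAME` / `$SERVER` are unquoted, so an array (`args+=(--script="$SCRIPTPATH/routing.sh")` ... `openconnect "${args[@]}" -u "$USERNAME" "$SERVER"`) would remove the word-splitting and quoting hazard. The script preamble, the `ctrl_c` handler and whatever mounts `/run/oc-secret` are outside this hunk.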