Bitbar support
parent
830c6e9979
commit
a66a28da08
44
README.md
@ -2,7 +2,7 @@
|
|||||||
|
|
||||||
This script uses Openconnect to automatically connect to Cisco Anyconnect VPN server.
|
This script uses Openconnect to automatically connect to Cisco Anyconnect VPN server.
|
||||||
|
|
||||||
Server address, username, password and 2fa seed is stored in macOS keychain. Feel free to remove them and ask for user input instead.
|
Server address, username, password and 2fa seed is retreived from macOS/Linux keychain. You can skip keychain and provide those details through environment or stdin instead.
|
||||||
|
|
||||||
Additionaly routing for only specific subnets can be added in `routes.txt`
|
Additionaly routing for only specific subnets can be added in `routes.txt`
|
||||||
|
|
||||||
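Review bot: the rewritten sentence on the new side of this hunk has a spelling error and a subject-verb mismatch: "Server address, username, password and 2fa seed is retreived from macOS/Linux keychain" should read "Server address, username, password and 2FA seed are retrieved from the macOS/Linux keychain". The new text also promises that the details can be provided "through environment or stdin", but nothing in this README change names the variables or describes the stdin format; list the expected variable names here or under Usage so a user who skips the keychain knows what to set. While the file is open, the unchanged context line below misspells "Additionaly" (should be "Additionally").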
@ -17,23 +17,57 @@ brew install swiftbar
|
|||||||
brew install terminal-notifier
|
brew install terminal-notifier
|
||||||
```
|
```
|
||||||
|
|
||||||
Add server address, username, password and 2fa seed in keychain with these names:
|
On Macos add server address, username, password and 2fa seed in keychain with these names:
|
||||||
* `Openconnect VPN Server`
|
* `Openconnect VPN Server`
|
||||||
* `Openconnect Username`
|
* `Openconnect Username`
|
||||||
* `Openconnect Account Password`
|
* `Openconnect Account Password`
|
||||||
* `Openconnect TOTP Seed`
|
* `Openconnect TOTP Seed`
|
||||||
|
|
||||||
_For ease of use you can allow automatic keychain access to some of the attributs, but_ **do not allow automatic access to password and especially the 2fa seed**. _It will keep it in memory as long as the script is running._
|
On Linux you can use keychain (gnome-keychain/seahorse), add following entries:
|
||||||
|
```
|
||||||
|
secret-tool store --label='openconnect-server' server openconnect
|
||||||
|
secret-tool store --label='openconnect-username' username openconnect
|
||||||
|
secret-tool store --label='openconnect-password' password openconnect
|
||||||
|
secret-tool store --label='openconnect-seed' seed openconnect
|
||||||
|
```
|
||||||
|
|
||||||
|
### Security considerations
|
||||||
|
_For ease of use you can allow automatic keychain access to some of the attributs, but_ **you shouldn't allow automatic access to password and especially the 2fa seed** (but you can).
|
||||||
|
|
||||||
|
On Macos secrets might be available in the environment of the vpn process.
|
||||||
|
|
||||||
|
On Linux secrets will be shortly stored in tmpfs (memory) and deleted once they are passed to openconnect.
|
||||||
|
|
||||||
|
After setting up, change the run-vpn.sh, routing.sh and hostscan-bypass.sh ownership to root:
|
||||||
|
|
||||||
|
```
|
||||||
|
chown root:root run-vpn.sh
|
||||||
|
chown root:root hostscan-bypass.sh
|
||||||
|
chown root:root routing.sh
|
||||||
|
```
|
||||||
|
|
||||||
|
## Defining routes
|
||||||
|
|
||||||
Rename routes.txt.sample to routes.txt or create an empty routes.txt and add subnets to be routed through VPN there.
|
Rename routes.txt.sample to routes.txt or create an empty routes.txt and add subnets to be routed through VPN there.
|
||||||
|
|
||||||
|
|
||||||
## Usage
|
## Usage
|
||||||
|
|
||||||
|
### Usage from terminal
|
||||||
```
|
```
|
||||||
sudo -E ./run-vpn.sh
|
DBUS_SESSION_BUS_ADDRESS=$DBUS_SESSION_BUS_ADDRESS sudo -E ./run-vpn.sh
|
||||||
```
|
```
|
||||||
|
You can stop it by pressing `CTRL+C` or killing the process.
|
||||||
|
|
||||||
In case of disconnect, it will try reconnecting after 3 seconds. You can stop it by pressing `CTRL+C` or killing the script.
|
### GUI usage from bitbar/xbar/swaybar/argos
|
||||||
|
|
||||||
|
Consult the `bitbar-openconnect` script for sudoers entries needed to run it. Add them to `/etc/sudoers`
|
||||||
|
|
||||||
|
**Symlink**(!) the `bitbar-openconnect` script to your bitbar config folder:
|
||||||
|
|
||||||
|
```
|
||||||
|
ln -s ~/Documents/git/always-on-openconnect-vpn.6s.sh ~/.config/argos/
|
||||||
|
```
|
||||||
|
|
||||||
### Yubikey
|
### Yubikey
|
||||||
|
|
||||||
|
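Review bot: the new "Security considerations" paragraph weakens the guidance it replaces and then undercuts it: "**you shouldn't allow automatic access to password and especially the 2fa seed** (but you can)" replaces the old "**do not allow automatic access to password and especially the 2fa seed**" and drops the explanation that the script keeps the secret in memory while it runs. Keep the imperative and the reason and drop "(but you can)"; the two lines that follow already state the residual exposure per platform (secrets in the process environment on macOS, a short-lived tmpfs file on Linux), which is the caveat the reader needs. Three smaller points in the same hunk: the new "change the run-vpn.sh, routing.sh and hostscan-bypass.sh ownership to root" block runs `chown root:root` only; since all three files are executed as root (`run-vpn.sh` via sudo, `routing.sh` via `--script`, `hostscan-bypass.sh` via `--csd-wrapper`), also remove group/other write permission (for example `chmod 755 run-vpn.sh routing.sh hostscan-bypass.sh`), because ownership alone does not stop another user from modifying what root will execute. The GUI section says to symlink `bitbar-openconnect`, but the example links `~/Documents/git/always-on-openconnect-vpn.6s.sh`; make the two names agree. Finally, "Macos" should be "macOS", "attributs" should be "attributes", and the sudoers sentence should tell the reader to add the entries with `visudo` rather than editing `/etc/sudoers` directly.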
26
run-vpn.sh
@ -51,15 +51,14 @@ function ctrl_c() {
|
|||||||
SCRIPT_INCLUDE=""
|
SCRIPT_INCLUDE=""
|
||||||
LOGIN=""
|
LOGIN=""
|
||||||
|
|
||||||
#while true; do
|
echo "Connecting to VPN"
|
||||||
echo "Connecting to VPN"
|
|
||||||
|
|
||||||
if test -f "$ROUTE_FILE"; then
|
if test -f "$ROUTE_FILE"; then
|
||||||
SCRIPT_INCLUDE="--script=\"$SCRIPTPATH/routing.sh\""
|
SCRIPT_INCLUDE="--script=\"$SCRIPTPATH/routing.sh\""
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# If yubikey is not used, use the TOTP seed
|
# If yubikey is not used, use the TOTP seed
|
||||||
if [[ -z "$OC_YUBIKEY" ]]; then
|
if [[ -z "$OC_YUBIKEY" ]]; then
|
||||||
|
|
||||||
if [[ -z "$SEED" ]]; then :; else
|
if [[ -z "$SEED" ]]; then :; else
|
||||||
if [[ "$OSTYPE" == "linux-gnu"* ]]; then
|
if [[ "$OSTYPE" == "linux-gnu"* ]]; then
|
||||||
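Review bot: the loop header is commented out (`#while true; do`) rather than deleted, which leaves dead code in the script; the matching `#done` is removed in the last hunk of this file, so either delete this line as well or keep both. Two quoting problems in the surrounding context are worth fixing in the same change: `SCRIPT_INCLUDE="--script=\"$SCRIPTPATH/routing.sh\""` embeds literal double-quote characters that are later expanded unquoted as `$SCRIPT_INCLUDE`, so openconnect receives the quotes as part of the path and a space in `$SCRIPTPATH` still splits the argument; a bash array (`SCRIPT_INCLUDE=(--script="$SCRIPTPATH/routing.sh")`, expanded as `"${SCRIPT_INCLUDE[@]}"`) avoids both problems. `if [[ -z "$SEED" ]]; then :; else` reads more clearly as `if [[ -n "$SEED" ]]; then`.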
@ -73,11 +72,11 @@ LOGIN=""
|
|||||||
LOGIN='echo -e "$PASSWORD\n$TOTP'
|
LOGIN='echo -e "$PASSWORD\n$TOTP'
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
YUBIKEY_TOTP="--token-mode=yubioath --token-secret=$OC_YUBIKEY"
|
YUBIKEY_TOTP="--token-mode=yubioath --token-secret=$OC_YUBIKEY"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ -z "$SEED" ] && [ -z "$OC_YUBIKEY" ]; then
|
if [ -z "$SEED" ] && [ -z "$OC_YUBIKEY" ]; then
|
||||||
openconnect \
|
openconnect \
|
||||||
--pid-file=PIDFILE \
|
--pid-file=PIDFILE \
|
||||||
--csd-wrapper hostscan-bypass.sh \
|
--csd-wrapper hostscan-bypass.sh \
|
||||||
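Review bot: `LOGIN='echo -e "$PASSWORD\n$TOTP'` as shown has an unbalanced double quote, and because the string is later run through `eval`, `echo -e` will interpret any backslash sequence that happens to occur in the password; `printf '%s\n%s\n' "$PASSWORD" "$TOTP"` feeds both secrets to openconnect's stdin without that ambiguity. In the same hunk, `--csd-wrapper hostscan-bypass.sh` is a path relative to the current directory while the routing script uses `$SCRIPTPATH`; when the script is started from the menu bar via sudo the working directory is not guaranteed to be the repository, so use `"$SCRIPTPATH/hostscan-bypass.sh"`. `--pid-file=PIDFILE` as written creates a file literally named `PIDFILE` in the working directory; if a variable was intended it should be `"$PIDFILE"`. `--token-secret=$OC_YUBIKEY` should also be quoted.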
@ -86,7 +85,7 @@ LOGIN=""
|
|||||||
$SCRIPT_INCLUDE \
|
$SCRIPT_INCLUDE \
|
||||||
-u $USERNAME \
|
-u $USERNAME \
|
||||||
$SERVER
|
$SERVER
|
||||||
else
|
else
|
||||||
eval $LOGIN | openconnect \
|
eval $LOGIN | openconnect \
|
||||||
--pid-file=PIDFILE \
|
--pid-file=PIDFILE \
|
||||||
--csd-wrapper hostscan-bypass.sh \
|
--csd-wrapper hostscan-bypass.sh \
|
||||||
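Review bot: the `eval $LOGIN | openconnect \` indirection in the `else` branch is unnecessary: `LOGIN` is built from a fixed command string earlier in the script, so this branch can run `printf '%s\n%s\n' "$PASSWORD" "$TOTP" | openconnect ...` directly, which removes the `eval` and the `echo -e` backslash handling in one step. The two branches otherwise duplicate the whole openconnect invocation and differ only in where stdin comes from; factoring the common arguments into an array would keep them from drifting apart. `-u $USERNAME` and `$SERVER` are unquoted in both branches and should be `-u "$USERNAME"` and `"$SERVER"`.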
@ -96,9 +95,4 @@ LOGIN=""
|
|||||||
$SCRIPT_INCLUDE \
|
$SCRIPT_INCLUDE \
|
||||||
-u $USERNAME \
|
-u $USERNAME \
|
||||||
$SERVER
|
$SERVER
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# echo "Openconnect closed. Waiting 3 seconds."
|
|
||||||
# sleep 3
|
|
||||||
|
|
||||||
#done
|
|
||||||
|
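Review bot: deleting `#done`, `# sleep 3` and the "Openconnect closed" message here while `#while true; do` is left commented out in the first hunk of this file leaves the cleanup half done; remove the opening line as well, or restore the loop if automatic reconnection is still wanted. Dropping the loop is consistent with the README hunk that removes the "it will try reconnecting after 3 seconds" sentence, but the script now exits as soon as openconnect does, and a sentence under Usage saying so would help users of the menu-bar plugin understand why the connection does not come back on its own.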