Bitbar support

This commit is contained in:
Janis Jansons 2023-07-06 10:12:53 +03:00
parent 830c6e9979
commit a66a28da08
3 changed files with 78 additions and 50 deletions

View File

@ -2,7 +2,7 @@
This script uses Openconnect to automatically connect to Cisco Anyconnect VPN server.
Server address, username, password and 2fa seed is stored in macOS keychain. Feel free to remove them and ask for user input instead.
Server address, username, password and 2fa seed is retreived from macOS/Linux keychain. You can skip keychain and provide those details through environment or stdin instead.
Additionaly routing for only specific subnets can be added in `routes.txt`
@ -17,23 +17,57 @@ brew install swiftbar
brew install terminal-notifier
```
Add server address, username, password and 2fa seed in keychain with these names:
On Macos add server address, username, password and 2fa seed in keychain with these names:
* `Openconnect VPN Server`
* `Openconnect Username`
* `Openconnect Account Password`
* `Openconnect TOTP Seed`
_For ease of use you can allow automatic keychain access to some of the attributs, but_ **do not allow automatic access to password and especially the 2fa seed**. _It will keep it in memory as long as the script is running._
On Linux you can use keychain (gnome-keychain/seahorse), add following entries:
```
secret-tool store --label='openconnect-server' server openconnect
secret-tool store --label='openconnect-username' username openconnect
secret-tool store --label='openconnect-password' password openconnect
secret-tool store --label='openconnect-seed' seed openconnect
```
### Security considerations
_For ease of use you can allow automatic keychain access to some of the attributs, but_ **you shouldn't allow automatic access to password and especially the 2fa seed** (but you can).
On Macos secrets might be available in the environment of the vpn process.
On Linux secrets will be shortly stored in tmpfs (memory) and deleted once they are passed to openconnect.
After setting up, change the run-vpn.sh, routing.sh and hostscan-bypass.sh ownership to root:
```
chown root:root run-vpn.sh
chown root:root hostscan-bypass.sh
chown root:root routing.sh
```
## Defining routes
Rename routes.txt.sample to routes.txt or create an empty routes.txt and add subnets to be routed through VPN there.
## Usage
### Usage from terminal
```
sudo -E ./run-vpn.sh
DBUS_SESSION_BUS_ADDRESS=$DBUS_SESSION_BUS_ADDRESS sudo -E ./run-vpn.sh
```
You can stop it by pressing `CTRL+C` or killing the process.
In case of disconnect, it will try reconnecting after 3 seconds. You can stop it by pressing `CTRL+C` or killing the script.
### GUI usage from bitbar/xbar/swaybar/argos
Consult the `bitbar-openconnect` script for sudoers entries needed to run it. Add them to `/etc/sudoers`
**Symlink**(!) the `bitbar-openconnect` script to your bitbar config folder:
```
ln -s ~/Documents/git/always-on-openconnect-vpn.6s.sh ~/.config/argos/
```
### Yubikey

View File

@ -51,15 +51,14 @@ function ctrl_c() {
SCRIPT_INCLUDE=""
LOGIN=""
#while true; do
echo "Connecting to VPN"
echo "Connecting to VPN"
if test -f "$ROUTE_FILE"; then
if test -f "$ROUTE_FILE"; then
SCRIPT_INCLUDE="--script=\"$SCRIPTPATH/routing.sh\""
fi
fi
# If yubikey is not used, use the TOTP seed
if [[ -z "$OC_YUBIKEY" ]]; then
# If yubikey is not used, use the TOTP seed
if [[ -z "$OC_YUBIKEY" ]]; then
if [[ -z "$SEED" ]]; then :; else
if [[ "$OSTYPE" == "linux-gnu"* ]]; then
@ -73,11 +72,11 @@ LOGIN=""
LOGIN='echo -e "$PASSWORD\n$TOTP'
fi
fi
else
else
YUBIKEY_TOTP="--token-mode=yubioath --token-secret=$OC_YUBIKEY"
fi
fi
if [ -z "$SEED" ] && [ -z "$OC_YUBIKEY" ]; then
if [ -z "$SEED" ] && [ -z "$OC_YUBIKEY" ]; then
openconnect \
--pid-file=PIDFILE \
--csd-wrapper hostscan-bypass.sh \
@ -86,7 +85,7 @@ LOGIN=""
$SCRIPT_INCLUDE \
-u $USERNAME \
$SERVER
else
else
eval $LOGIN | openconnect \
--pid-file=PIDFILE \
--csd-wrapper hostscan-bypass.sh \
@ -96,9 +95,4 @@ LOGIN=""
$SCRIPT_INCLUDE \
-u $USERNAME \
$SERVER
fi
# echo "Openconnect closed. Waiting 3 seconds."
# sleep 3
#done
fi