Bitbar support

2023-07-06 10:12:53 +03:00 · 2023-07-06 10:12:53 +03:00 · a66a28da08
commit a66a28da08
parent 830c6e9979
3 changed files with 78 additions and 50 deletions
--- a/README.md
+++ b/README.md
@ -2,7 +2,7 @@

 This script uses Openconnect to automatically connect to Cisco Anyconnect VPN server.

-Server address, username, password and 2fa seed is stored in macOS keychain. Feel free to remove them and ask for user input instead.
+Server address, username, password and 2fa seed is retreived from macOS/Linux keychain. You can skip keychain and provide those details through environment or stdin instead.

 Additionaly routing for only specific subnets can be added in `routes.txt`

@ -17,23 +17,57 @@ brew install swiftbar
 brew install terminal-notifier
 ```

-Add server address, username, password and 2fa seed in keychain with these names:
+On Macos add server address, username, password and 2fa seed in keychain with these names:
 * `Openconnect VPN Server`
 * `Openconnect Username`
 * `Openconnect Account Password`
 * `Openconnect TOTP Seed`

-_For ease of use you can allow automatic keychain access to some of the attributs, but_ **do not allow automatic access to password and especially the 2fa seed**. _It will keep it in memory as long as the script is running._
+On Linux you can use keychain (gnome-keychain/seahorse), add following entries:
+```
+secret-tool store --label='openconnect-server' server openconnect
+secret-tool store --label='openconnect-username' username openconnect
+secret-tool store --label='openconnect-password' password openconnect
+secret-tool store --label='openconnect-seed' seed openconnect
+```
+
+### Security considerations
+_For ease of use you can allow automatic keychain access to some of the attributs, but_ **you shouldn't allow automatic access to password and especially the 2fa seed** (but you can).
+
+On Macos secrets might be available in the environment of the vpn process.
+
+On Linux secrets will be shortly stored in tmpfs (memory) and deleted once they are passed to openconnect.
+
+After setting up, change the run-vpn.sh, routing.sh and hostscan-bypass.sh ownership to root:
+
+```
+chown root:root run-vpn.sh
+chown root:root hostscan-bypass.sh
+chown root:root routing.sh
+```
+
+## Defining routes

 Rename routes.txt.sample to routes.txt or create an empty routes.txt and add subnets to be routed through VPN there.

+
 ## Usage

+### Usage from terminal
 ```
-sudo -E ./run-vpn.sh
+DBUS_SESSION_BUS_ADDRESS=$DBUS_SESSION_BUS_ADDRESS sudo -E ./run-vpn.sh
 ```
+You can stop it by pressing `CTRL+C` or killing the process.

-In case of disconnect, it will try reconnecting after 3 seconds. You can stop it by pressing `CTRL+C` or killing the script.
+### GUI usage from bitbar/xbar/swaybar/argos
+
+Consult the `bitbar-openconnect` script for sudoers entries needed to run it. Add them to `/etc/sudoers`
+
+**Symlink**(!) the `bitbar-openconnect` script to your bitbar config folder:
+
+```
+ln -s ~/Documents/git/always-on-openconnect-vpn.6s.sh ~/.config/argos/
+```

 ### Yubikey

--- a/bitbar-openconnect.6s.sh
+++ b/bitbar-openconnect.6s.sh
--- a/run-vpn.sh
+++ b/run-vpn.sh
@ -51,54 +51,48 @@ function ctrl_c() {
 SCRIPT_INCLUDE=""
 LOGIN=""

-#while true; do
-  echo "Connecting to VPN"
+echo "Connecting to VPN"

-  if test -f "$ROUTE_FILE"; then
-    SCRIPT_INCLUDE="--script=\"$SCRIPTPATH/routing.sh\""
-  fi
+if test -f "$ROUTE_FILE"; then
+  SCRIPT_INCLUDE="--script=\"$SCRIPTPATH/routing.sh\""
+fi

-  # If yubikey is not used, use the TOTP seed
-  if [[ -z "$OC_YUBIKEY" ]]; then
+# If yubikey is not used, use the TOTP seed
+if [[ -z "$OC_YUBIKEY" ]]; then

-    if [[ -z "$SEED" ]]; then :; else    
-      if [[ "$OSTYPE" == "linux-gnu"* ]]; then
-        TOTP=$(oathtool --totp=sha1 -b - < /run/oc-secret/seed)
-        cat /run/oc-secret/password > /run/oc-secret/login && echo -e "\n$TOTP" >> /run/oc-secret/login
-        rm /run/oc-secret/password
-        rm /run/oc-secret/seed
-        LOGIN='find /run/oc-secret/login -exec cat {} \; -exec rm {} \; -exec umount /run/oc-secret \;'
-      else
-        TOTP=$(oathtool --totp=sha1 -b "$SEED")
-        LOGIN='echo -e "$PASSWORD\n$TOTP'
-      fi
+  if [[ -z "$SEED" ]]; then :; else    
+    if [[ "$OSTYPE" == "linux-gnu"* ]]; then
+      TOTP=$(oathtool --totp=sha1 -b - < /run/oc-secret/seed)
+      cat /run/oc-secret/password > /run/oc-secret/login && echo -e "\n$TOTP" >> /run/oc-secret/login
+      rm /run/oc-secret/password
+      rm /run/oc-secret/seed
+      LOGIN='find /run/oc-secret/login -exec cat {} \; -exec rm {} \; -exec umount /run/oc-secret \;'
+    else
+      TOTP=$(oathtool --totp=sha1 -b "$SEED")
+      LOGIN='echo -e "$PASSWORD\n$TOTP'
    fi
-  else
-    YUBIKEY_TOTP="--token-mode=yubioath --token-secret=$OC_YUBIKEY"
  fi
+else
+  YUBIKEY_TOTP="--token-mode=yubioath --token-secret=$OC_YUBIKEY"
+fi

-  if [ -z "$SEED" ] && [ -z "$OC_YUBIKEY" ]; then
-      openconnect \
-      --pid-file=PIDFILE \
-      --csd-wrapper hostscan-bypass.sh \
-      --os=mac-intel \
-      --no-external-auth \
-      $SCRIPT_INCLUDE \
-      -u $USERNAME \
-      $SERVER
-  else
-    eval $LOGIN | openconnect \
-      --pid-file=PIDFILE \
-      --csd-wrapper hostscan-bypass.sh \
-      --os=mac-intel \
-      --no-external-auth \
-      $YUBIKEY_TOTP \
-      $SCRIPT_INCLUDE \
-      -u $USERNAME \
-      $SERVER
-  fi
-
-#  echo "Openconnect closed. Waiting 3 seconds."
-#  sleep 3
-
-#done
+if [ -z "$SEED" ] && [ -z "$OC_YUBIKEY" ]; then
+    openconnect \
+    --pid-file=PIDFILE \
+    --csd-wrapper hostscan-bypass.sh \
+    --os=mac-intel \
+    --no-external-auth \
+    $SCRIPT_INCLUDE \
+    -u $USERNAME \
+    $SERVER
+else
+  eval $LOGIN | openconnect \
+    --pid-file=PIDFILE \
+    --csd-wrapper hostscan-bypass.sh \
+    --os=mac-intel \
+    --no-external-auth \
+    $YUBIKEY_TOTP \
+    $SCRIPT_INCLUDE \
+    -u $USERNAME \
+    $SERVER
+fi