Go to file
2023-07-06 02:47:30 +03:00
.gitignore Added run.sh to gitignore 2020-12-18 02:16:54 +02:00
hostscan-bypass.sh Initial commit 2020-12-17 20:22:15 +02:00
README.md Added Yubikey support 2020-12-18 02:47:10 +02:00
routes.txt.sample Added subnet routing support 2020-12-18 01:05:16 +02:00
routing.sh Added subnet routing support 2020-12-18 01:05:16 +02:00
run-vpn.sh Clean up when not needed 2023-07-06 02:47:30 +03:00

Always on Openconnect VPN

This script uses Openconnect to automatically connect to Cisco Anyconnect VPN server.

Server address, username, password and 2fa seed is stored in macOS keychain. Feel free to remove them and ask for user input instead.

Additionaly routing for only specific subnets can be added in routes.txt

Setup

git clone this repo
brew install openconnect
brew install vpn-slice
brew install oath-toolkit

Add server address, username, password and 2fa seed in keychain with these names:

  • Openconnect VPN Server
  • Openconnect Username
  • Openconnect Account Password
  • Openconnect TOTP Seed

For ease of use you can allow automatic keychain access to some of the attributs, but do not allow automatic access to password and especially the 2fa seed. It will keep it in memory as long as the script is running.

Rename routes.txt.sample to routes.txt or create an empty routes.txt and add subnets to be routed through VPN there.

Usage

sudo -E ./run-vpn.sh

In case of disconnect, it will try reconnecting after 3 seconds. You can stop it by pressing CTRL+C or killing the script.

Yubikey

Yubikey can be used for safe storage of TOTP seed. Configure TOTP in Yubikey Authenticator app or ykman oath if using command line. Then use ykman oath list to get the name of the entry and set that name in OC_YUBIKEY environment variable.

For example:

OC_YUBIKEY=VPN:organization sudo -E ./run-vpn.sh