# Always on Openconnect VPN

This script uses OpenConnect to connect automatically to a Cisco AnyConnect VPN server and keep the connection up.

The server address, username, password and 2FA (TOTP) seed are read from the macOS keychain. Feel free to remove that and ask for user input instead.

Optionally, routing for only specific subnets (handled by vpn-slice) can be configured in `routes.txt`.
## Setup

```
git clone this repo
brew install openconnect
brew install vpn-slice
brew install oath-toolkit
brew install swiftbar
brew install terminal-notifier
```
Add the server address, username, password and 2FA seed to the keychain under these names:

* `Openconnect VPN Server`
* `Openconnect Username`
* `Openconnect Account Password`
* `Openconnect TOTP Seed`

_For ease of use you can allow automatic keychain access to some of the attributes, but_ **do not allow automatic access to the password and especially the 2FA seed**. _The script keeps them in memory for as long as it is running._

Rename `routes.txt.sample` to `routes.txt` (or create an empty `routes.txt`) and add the subnets to be routed through the VPN there.
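The keychain items above can be created from the command line with macOS's `security` tool. The script below is an added example, not part of this project; `vpn.example.com` and `jdoe` are placeholders, and the ACL flags follow the `security(1)` man page (the default trusts the creating `security` binary, `-T ""` trusts no application at all). Secrets are typed at the prompt rather than passed as arguments, so they stay out of `ps` output and shell history, and the TOTP seed is checked to be base32 because that is what `oathtool -b` expects.

```shell
#!/bin/sh
# Added example of populating the keychain items named above; not part of the
# project. Placeholders: vpn.example.com and jdoe. Usage:
#   ./keychain-setup.sh setup vpn.example.com jdoe
set -eu

ACCOUNT=${USER:-openconnect}

# Non-secret attributes are passed as arguments. The item is created by the
# `security` tool, which is then trusted to read it back, so the script can
# start without a prompt for these. -U updates an existing item.
store_attribute() {
    security add-generic-password -U -a "$ACCOUNT" -s "$1" -w "$2"
}

# Secrets are typed at the prompt `security` shows when -w is omitted, so they
# never land in `ps` output or shell history. -T "" trusts no application, so
# every read prompts for the keychain password instead of silent access.
store_secret() {
    security add-generic-password -U -T "" -a "$ACCOUNT" -s "$1"
}

# oathtool -b expects a base32 seed (A-Z, 2-7, optional '=' padding); anything
# else would only fail later, at connect time.
is_base32() {
    case "$1" in
        "")              return 1 ;;
        *[!A-Za-z2-7=]*) return 1 ;;
    esac
    return 0
}

case "${1:-}" in
    setup)
        store_attribute "Openconnect VPN Server" "${2:?usage: setup <server> <username>}"
        store_attribute "Openconnect Username"   "${3:?usage: setup <server> <username>}"
        store_secret "Openconnect Account Password"
        store_secret "Openconnect TOTP Seed"
        # Read the seed back once to validate it; remove it again if it is not base32.
        seed=$(security find-generic-password -s "Openconnect TOTP Seed" -w)
        if ! is_base32 "$seed"; then
            security delete-generic-password -s "Openconnect TOTP Seed" >/dev/null
            echo "TOTP seed is not base32; removed it from the keychain" >&2
            exit 1
        fi
        unset seed
        ;;
esac
```

If you later decide to allow the script silent access to an item after all, do it per item in Keychain Access under "Access Control", and leave the password and seed on the prompt-every-time setting.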
## Usage

```
sudo -E ./run-vpn.sh
```

`-E` keeps your environment (for example `OC_YUBIKEY`, see below) when the script runs as root. In case of a disconnect, it will try reconnecting after 3 seconds. You can stop it by pressing `CTRL+C` or killing the script.
### Yubikey

A YubiKey can be used for safe storage of the TOTP seed: the seed never leaves the key, which only returns the current code. Configure TOTP in the Yubikey Authenticator app, or with `ykman oath` on the command line. Then use `ykman oath list` (`ykman oath accounts list` in ykman 4 and later) to get the name of the entry and set that name in the `OC_YUBIKEY` environment variable.

For example:

```
OC_YUBIKEY=VPN:organization sudo -E ./run-vpn.sh
```
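To show how the pieces installed in Setup fit together, here is an added, self-contained sketch of the connect loop; it is an illustration written for this page, not the project's `run-vpn.sh`. It assumes `routes.txt` holds one CIDR per line (blank lines and `#` comments ignored), that the keychain items use the names from Setup, and that `openconnect`, `vpn-slice`, `oathtool` and `ykman` are on `PATH`. Two points matter for security: the password and TOTP code are fed to `openconnect` on stdin (`--passwd-on-stdin`, one line per prompt) rather than as arguments visible in `ps`, and every `routes.txt` entry is validated before it is spliced into the `--script` command line that `openconnect` runs as root.

```shell
#!/bin/sh
# Added illustration of the connect flow this README describes; it is not the
# project's run-vpn.sh. Assumed: routes.txt holds one CIDR per line ('#'
# comments and blank lines ignored), and openconnect/vpn-slice/oathtool/ykman
# are on PATH. Run as: sudo -E ./oc-example.sh connect
set -eu

RECONNECT_DELAY=3
ROUTES_FILE=${ROUTES_FILE:-routes.txt}

# Read one item from the login keychain by the service names used in Setup.
keychain_get() {
    security find-generic-password -s "$1" -w
}

# Current code from a base32 seed (oath-toolkit), or from a YubiKey OATH entry
# (ykman 4+; ykman 3 spells it `ykman oath code -s`).
totp_from_seed() {
    oathtool --totp -b "$1"
}
totp_from_yubikey() {
    ykman oath accounts code -s "$1"
}

# Turn routes.txt into vpn-slice arguments. Every entry is validated: the result
# is embedded in a shell command line that openconnect runs as root, so a stray
# "; rm -rf /" in a world-writable routes.txt must never reach it.
build_route_args() {
    [ -f "$1" ] || return 0
    out=""
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}
        entry=$(printf '%s' "$entry" | tr -d '[:space:]')
        [ -n "$entry" ] || continue
        case "$entry" in
            *[!0-9./]*|*/*/*|/*|*/)
                printf 'invalid route entry: %s\n' "$line" >&2; return 1 ;;
        esac
        out="$out${out:+ }$entry"
    done < "$1"
    printf '%s\n' "$out"
}

# One connection attempt. Secrets go to openconnect on stdin (one line per
# prompt: password, then TOTP), never as arguments visible in `ps`.
connect_once() {
    server=$(keychain_get "Openconnect VPN Server")
    user=$(keychain_get "Openconnect Username")
    [ -n "$server" ] && [ -n "$user" ] || return 1
    routes=$(build_route_args "$ROUTES_FILE") || return 1
    pass=$(keychain_get "Openconnect Account Password")
    if [ -n "${OC_YUBIKEY:-}" ]; then
        code=$(totp_from_yubikey "$OC_YUBIKEY")
    else
        code=$(totp_from_seed "$(keychain_get "Openconnect TOTP Seed")")
    fi
    printf '%s\n%s\n' "$pass" "$code" |
        openconnect --protocol=anyconnect --user="$user" --passwd-on-stdin \
                    --script="vpn-slice $routes" "$server"
    status=$?
    unset pass code
    return $status
}

# Reconnect loop: whatever the reason openconnect exited, wait and try again.
main() {
    while :; do
        connect_once || true
        printf 'VPN down, reconnecting in %ss\n' "$RECONNECT_DELAY" >&2
        sleep "$RECONNECT_DELAY"
    done
}

case "${1:-}" in
    connect) main ;;
esac
```

The TOTP code is fetched fresh on every attempt, since a code computed before a long outage would be stale by the time the server is reachable again; with a YubiKey configured to require touch, each reconnect therefore also waits for a touch.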