always-on-openconnect-vpn/run-vpn.sh

#!/bin/bash

# Read from keychain on macOS by default
if [[ "$OSTYPE" == "darwin"* ]]; then
  SERVER=$(security find-generic-password -l "Openconnect VPN Server" -w)
  USERNAME=$(security find-generic-password -l "Openconnect Username" -w)
  SEED=$(security find-generic-password -l "Openconnect TOTP Seed" -w)
  PASSWORD=$(security find-generic-password -l "Openconnect Account Password" -w)
fi

if [[ "$OSTYPE" == "linux-gnu"* ]]; then

  mkdir -p /run/oc-secret
  mount -t tmpfs -o size=1M,mode=700 tmpfs /run/oc-secret

  SERVER=$(secret-tool lookup server openconnect | tr -d '\n')
  USERNAME=$(secret-tool lookup username openconnect | tr -d '\n')
  SEED=1
  secret-tool lookup seed openconnect > /run/oc-secret/seed
  PASSWORD=1
  secret-tool lookup password openconnect | tr -d '\n' > /run/oc-secret/password
fi

# Allow reading from environment
if [[ -z "$OC_SERVER" ]]; then :; else
  SERVER="$OC_SERVER"
fi
if [[ -z "$OC_USERNAME" ]]; then :; else
  USERNAME="$OC_USERNAME"
fi
if [[ -z "$OC_SEED" ]]; then :; else
  SEED="$OC_SEED"
fi
if [[ -z "$OC_PASSWORD" ]]; then :; else
  PASSWORD="$OC_PASSWORD"
fi

SCRIPT=`realpath $0`
SCRIPTPATH=`dirname $SCRIPT`
ROUTE_FILE=routes.txt

# trap ctrl-c and call ctrl_c()
trap ctrl_c INT

function ctrl_c() {
  killall -2 openconnect
  echo "Bye!"
  exit
}

SCRIPT_INCLUDE=""
LOGIN=""

COMMON_PARAMS="--pid-file=PIDFILE --no-external-auth --base-mtu=1200 "

echo "Connecting to VPN"

if test -f "$ROUTE_FILE"; then
  SCRIPT_INCLUDE="--script=\"$SCRIPTPATH/routing.sh\""
fi

# If yubikey is not used, use the TOTP seed
if [[ -z "$OC_YUBIKEY" ]]; then

  if [[ -z "$SEED" ]]; then :; else    
    if [[ "$OSTYPE" == "linux-gnu"* ]]; then
      TOTP=$(oathtool --totp=sha1 -b - < /run/oc-secret/seed)
      cat /run/oc-secret/password > /run/oc-secret/login && echo -e "\n$TOTP" >> /run/oc-secret/login
      rm /run/oc-secret/password
      rm /run/oc-secret/seed
      LOGIN='find /run/oc-secret/login -exec cat {} \; -exec rm {} \; -exec umount /run/oc-secret \;'
    else
      TOTP=$(oathtool --totp=sha1 -b "$SEED")
      LOGIN='echo -e "$PASSWORD\n$TOTP"'
    fi
  fi
else
  YUBIKEY_TOTP="--token-mode=yubioath --token-secret=$OC_YUBIKEY"
fi

  if [ -z "$SEED" ] && [ -z "$OC_YUBIKEY" ]; then
      sudo openconnect --useragent='AnyConnect Darwin_i386 5.0.05040' \
      $COMMON_PARAMS \
      --csd-wrapper hostscan-bypass.sh \
      --os=mac-intel \
      $SCRIPT_INCLUDE \
      -u $USERNAME \
      $SERVER

  else

    eval $LOGIN | sudo openconnect --useragent='AnyConnect Darwin_i386 5.0.05040' \
      $COMMON_PARAMS \
      --csd-wrapper hostscan-bypass.sh \
      --os=mac-intel \
      $YUBIKEY_TOTP \
      $SCRIPT_INCLUDE \
      -u $USERNAME \
      $SERVER
  fi