Skip to content

Instantly share code, notes, and snippets.

@retrography

retrography/openconnect.md

Forked from moklett/openconnect.md
Created January 14, 2016 20:35
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save retrography/0a59577e400c01b0dac1 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save retrography/0a59577e400c01b0dac1 to your computer and use it in GitHub Desktop.
Download ZIP

Revisions

  1. @moklett moklett created this gist Jul 24, 2012.
    39 changes: 39 additions & 0 deletions openconnect.md
    View file
    Original file line number Diff line number Diff line change
    @@ -0,0 +1,39 @@
    Unfortunately, the Cisco AnyConnect client for Mac conflicts with [Pow](http://pow.cx/). And by "conflicts", I mean it causes a grey-screen-of-death kernel panic anytime you connect to the VPN and Pow is installed.

    As an alternative, there is [OpenConnect](http://www.infradead.org/openconnect/), a command-line client for Cisco's AnyConnect SSL VPN.

    Here's how to get it set up on Mac OS X:

    1. OpenConnect can be installed via [homebrew](http://mxcl.github.com/homebrew/):

    brew update
    brew install openconnect

    2. Install the [Mac OS X TUN/TAP](http://tuntaposx.sourceforge.net/) driver
    3. (Optional) Running openconnect requires sudo, presumably because it affects resolution of DNS. So, I added password-less sudo ability for the openconnect command.

    sudo visudo -f /etc/sudoers

    And added this line:

    %admin ALL=(ALL) NOPASSWD: /usr/local/bin/openconnect

    4. (Optional) When connecting to your SSL VPN, openconnect may complain about a "self-signed certificate" being in the chain and force you to explicitly accept it every time. The self-signed cert is actually the root certficate and (hopefully) is one with implicit trust (i.e. trusted by browsers), so we can safely trust it by specifying the CA file after exporting it from KeyChain:
    1. Determine the name your root certificate (i.e. visit your SSL VPN in Chrome, click the green lock, click "Certificate Information")
    ![Find Certificate Information](https://img.skitch.com/20120724-a38g9sby9naw28m39j2nakcnt.jpg)
    ![Observe Root Certificate](https://img.skitch.com/20120724-fiehbr89muyhmyk1x7setjbt4b.jpg)
    2. Open the Keychain Access App
    3. Search the "System Roots" keychain to find your root certificate and select it
    ![Keychain Access](https://img.skitch.com/20120724-8px6xhtbcpnhkkpr8ckx1rcp8.jpg)
    4. `File` > `Export Items...` the certificate as a `.pem` file somewhere on your hard drive (I put it in `~/.ssh/<certificate name>.pem`
    5. Connect!

    sudo openconnect --user=<VPN username> --cafile=<.pem file from step 4.3> <your vpn hostname>

    The only thing you should be prompted for is your VPN password. I added the command to my aliases file.

    6. To disconnect, just Ctrl-c in the window where you started the VPN connection.

    #### Note

    I had an incident after an unclean VPN exit where later the VPN hostname could not be found. I guess the DNS resolver was messed up. I was forced to reboot to fix it so I could reconnect to the VPN.